De Novo Mutations of Communism in North Korea During the Cultural Revolution

This was originally a paper I wrote in 2008 for a class on the history of Korea. I’m republishing it now because it seems novel and I haven’t heard anyone describe North Korean communism this way.

In historiographical terms the political ideology of a nation is analogous to the genetic material of an organism. Richard Dawkins was one of the first to make the connection between ideas and viral behaviors. He called viral ideas memes. Tracing the history of communism we can see influences of both Russian and Chinese communism injected into North Korea. however certain aspects of DPRK communism are de novo1 mutations. The mutation of communism in the Democratic Peoples Republic of Korea [DPRK] is a blend of Leninists Socialism and Chinese Maoism developed over a framework of the Northern Korean peninsula. This framework produced interesting and unique anomalies to the meme of Communism because of environmental effects and objective based decisions of Kim Il Song.
This paper will explore the use of Communism by DPRK and the mutations detected from activities of the PRC Cultural Revolution. The unofficial end date of the Cultural Revolution extends to the mid 1970’s however it was officially ended in 1968. This paper will focus particularly on the events between 1965-1968 and the changes brought about in the Sino-DPRK relationship as a direct result of the mutations described herein. The paper will begin with a brief background on North Korean society, the Chinese Cultural Revolution between 1965 and 1969 and finally conclude with a comparative look at Chinese and North Korean versions of Communism from 1965-1968. A brief look at some interesting examples which occur after 1969 will follow to help summarize the elements of this paper.
The North Korean party state was “made in the image of a guerrilla war with a tightly knit core bound by personal connections to the leader and a social inclusiveness that depended particularly on the support of the poorest segment of peasant society. North Korean historiography traces the DPRK’s linage to “the founder of Korea, the (probably mythical) Tangun through Old Choson to Koguryo. It is in this vein that the proposed DPRK unification plans call for the formation of “a confederated Korean state to be called Koryo Yongbang Konghawguk (Federation of the Koryo Republic).[Oh, Hassig p 3] Oh and Hassig also note the undoubtedly strong elements of Confucianism in the Kim ruling style [p 4]. Even the adopted title of Kim Il Song (oboi suryong2) as something that holds a distinctive Confucian tone.
It important to recall that during the time period for which this paper is intended to study the economic race between the two Koreas was being won by the North. It is also important to recall that the atrocities of the Japanese colonial rule were still very fresh in the minds of Koreans. Park [p 504] touches on this briefly as a deep underlying humiliation that drove the leadership of the DPRK. The de facto rule by Kim was in no small part due to his fight against the Japanese.
He also notes that Juche was evolved around this sentimentality and the South constantly criticized for their reliance and accommodation to foreign powers. [505] These years represent a significant power shift in the EA sphere. Anything prior to 1965 is just background information and anything after [the end of the CR] needs “decoding”. DPRK had instituted its own cultural revolution in the 1940’s. They used an “all-round thought movement for nation-building (kon’guk sasang ch’oqdongwon undong).” What this meant, in practice, was that all literature had to promote party policy. In 1966 the General Committee declared that although, “the bourgeoisie has been overthrown, it is still trying to use the old ideas, culture, customs, and habits of the exploiting classes to corrupt the masses, capture their minds, and endeavor to stage a comeback”. The “Four Olds” were to be destroyed on sight and by everyone in the country. This included Old Customs, Old Culture, Old Habits, and Old Ideas.
There are mirrors of this sentiment throughout DPRK history however there exists a significant and interesting difference. While China was trying to eliminate the elements of monarchy the North Koreans were eliminating traces of their previous colonial ruler. So in this sense both versions of Communism were attempting to achieve the same goal. However the goals could be further abstracted so that they are both attempting to remove elements of the previous rule. This difference is so simple yet powerful. In the case of the DPRK removing Japanese elements did not preclude the adoption of previous Korean models such as Confucianism.
In 1967, Party members accuse rivals of “counter-revolutionary activity” through out this year. It was a period of deep self criticism. The First Five-Year Plan was to run from 1963 through 1967, but Americans in the Agency for International Development (AID) mission did not like it, and refused to certify it for foreign lending. From 1967 to 1971 not one of 306 administration-sponsored bills was rejected in the National Assembly. Foreign firms like the Gulf Oil Corporation kicked in large amounts just before elections ($1 million from Gulf in 1967 and $3 million in 1971, plus another $4 million from Caltex Petroleum, according to Senate hearings in the mid-1970s3
Daewoo did not exist until 1967, and the other big chaebol did not go into heavy industry until this formative period. but in the decade 1967-78, Korean debt grew fifteen fold, 1967 Kim Woo Chung borrowed $18,000 from his family and friends to found a small trading company, which he called Daewoo4.
In 1968, the anti Japanese aspects of their culture (ch’in il p’a means Japan lovers) is one of the forces behind the current shape of Juche and one of the cores of the DPRK style of communism5. They promoted “the already-adored Mao Zedong to god-like status” and Lin Biao was made the Party’s Vice-Chairman. Lin Biao was Mao’s “comrade-in-arms” and “designated successor”.
The criticisms of the South’s greed were not without a seed of truth. The DRP and KCIA had “literally tens of millions of dollars to throw around”. In 1968 the KCIA kidnapped several Koreans living in West Germany

Songbun, (Korean term which replicates ‘older brother’ Confucian term and used by Choson era Confucians to validate their mimicry of the Chinese system. Also used later by Japanists during their accommodation of colonizers.) (study of classical Chinese by the yangbun) (interpretation of communist thought in DPK: see aquariums source) this is an interesting parallel because of the throwback to Choson era times when only nobles were allowed to read and write. This social norm was enforced by using Chinese as the primary language which required years of arduous training to understand. In Aquariums, we see a different mechanism for enforcement. Although anecdotal the scene in the concentration camp during the New Years celebration shows the modern form of intellectual compartmentalization. The prisoners are read words (likely paraphrased) from Kim. It isn’t that the prisoners don’t understand Korean or that they do not know how to read Hangul. It was believed that the prisoners did not have the potential to understand the purity of the words. The idea of nobility is obviously inverted from the days of Choson such that those of “red” blood are celebrated instead of those with “blue” blood.
By 1969 the international positions of the two major communist powers had shifted radically. Both China and Russia had built significant military forces along the Sino Russian border. This had a great effect on relations with the DPRK. Sino-DPRK relations had deteriorated throughout the CCR and were now at their lowest point ever. China’s infamous Red Guard went so far as to label Kim Il-song as a “fat revisionist”. [KF: PP]. Pyongyang was unable to choose between the two powers and was left with no choice but to estrange itself from both powers equally. [park 505] It is well known that both sides criticized each other, but not how the dispute changed their relationship in any fundamental way.
Perhaps the most telling of Confucian adaptations by the DPRK but slightly out of the scope of this paper is the succession of Kim Il Song. Kim Il Song had two sons and according to most sources the second was the most popular and charismatic. However Kim Il Song chose to appoint the eldest son to rule over North Korea. Oh and Hassig note that Kim Jong Il has nearly replicated the rule of his father and connote this with the “Confucian duty to obey his father’s wishes”.
Dynastic rituals of leadership prevents radical shifts for adaptation. China’s split with Maoism occurred in 89 when Deng Xiao Peng injected capitalism to repair the economy. this is another mutation of communism by china to repair a broken aspect of the pure ideology of Maoism. The current succession ranks in DPK lacks the ability to alter the national foreign policy to invigorate the economy as China did. This autarkic model will only be reversed when someone outside the immediate linage ascends (or is voted in by a democratic election). This mutation, as argued by this paper, is the most significant in relation to the major Communist powers of the past. And today it is the most striking underlying difference that keeps two of the very few remaining Communists states left estranged.
In conclusion, the k’ung k’ung k’ung of Kim Chi Ha’s poem is a sound that can be heard on both sides of the Yalu river. Although open criticism of the Theory of the Three Represents is taboo, there have been reports of private unease from within the Communist Party of China. Criticism of Juche is also taboo within North Korea. The Chinese communists were able to easily exchange culture because of their commonality in Asian ancestry. The Taiwanese, according to most scholarly sources, adapted well to Japanese rule however culturally resistant islanders saturated themselves in “chineseness”. So it is possible that like the Taiwanese they developed their sense of national identity out of necessity, and interestingly because of the same colonial force, to compensate for the over bearing culture forced upon them. Unlike the Taiwan situation the Koreans never switched to a new language. Aside from what are generally considered regional differences they remain unified in both written and verbal communication. The Taiwanese have not only created their own dialect but reverted to traditional script. It would be impossible for north Koreans to also revert without using Chinese characters themselves.

Sources of Korean Tradition, Ch 34-35
“Koreas Place in the Sun”, Ch 6
Aquarariums of PyongYang
North Korea Through the Looking Glass, Ch 1-2
Park, Han S. “North Korean Perceptions of Self and Others: Implications for Policy Choices” Pacific Affairs, Vol. 73, No. 4, Winter 2000-2001
Koh, B. C. “The Impact of the Chinese Model on North Korea.” Asian Survey, Vol. 18, No. 6 June 1978
Simon, Sheldon W. “Some Aspects of China’s Asian Policy in the Cultural Revolution and Its Aftermath” Pacific Affairs, Vol. 44, No. 1 Spring 1971
Zagoria, Donald S. “Korea’s Future: Moscow’s Perspective” Asian Survey, Vol. 17, No. 11 November 1977
Lee, Hong Yung “Korea’s Future: Peiking’s Perspective” Asian Survey, Vol. 17 No. 11 November 1977

1 those that are not present in either of the parents
2 supreme and benevolent leader, teacher, father
3 [kpits_ch_7]
4 [kpits_ch_6]
5 [nk_revolution_ch6]

“The FBI Reports A Break In Every 15 Seconds” Scam

“The FBI reports a break-in every 15 seconds” is how each call begins. The recorded message goes on to say “Let us place a small sign in your yard and we will install a new security system for free.” There has been a little coverage on this scam from smaller local news outlets. [1] The scammers always call from different numbers [2] and with an irregular frequency. Almost every post I’ve read about these calls says that they, like me, are on the Do Not Call list. This post is an attempt at catharsis. How much can I find out about this company and what resources will I need?

I’m starting with some basic sleuthing and complaint filing. I phoned my cell phone carrier and reported the numbers. The customer service representative said she’d forward all of the information I provided to their “Scam Department”. I’m not sure if there is such a thing at cell phone providers but I do hope it’s real.

What was different about this phone call was that when I pressed “1” for more information I didn’t get an immediate rep. I was disconnected and received a phone call a few minutes later [2]. I wasted my time with the scammer today just trolling her but next time I’m going to pump her for information. So I tried looking up the second number that called me and the area code matches Colorado Springs, Colorado. I called Sprint and TMobile to see if the number matched one of their customer records. Each customer service agent denied that the numbers belonged to any of their customers and one gave me a clue on what to look for next. “This number belongs to a landline with SMS capabilities.”

When I searched for landline providers in Colorado Springs I found Century Link is the largest provider. I called their residential customer service center and after speaking with a few different agents was told that the number didn’t match a residents number but it doesn’t mean that the person with that number isn’t a customer. It could be that the phone number belongs to a batch of numbers that are part of a small business account. She was nice enough to give me the number of their small business accounts but they were closed for the night.

I’ll keep at this in my spare time because now I’m curious if I can uncover these scammers without the resources used of law enforcement or the government. My guess is they are using a call center’s ability to mask ANI so each of the numbers in the second footnote are fake however the number that called me back today seems real enough. My guess is this person is a sales rep working for the scammer and if anyone presses “1” during the initial robocall they get a notification and call back.


[2] 4047210540
817-725-8612 Received personally by author

[2] 719-355-6263

Pulling My Digital Pants Back Up

A recent Ars Technica article on ASUSGATE pointed to this blog and named me as a blogger who was caught with his digital pants down. I wanted to capture some of my incident response procedures now that some time has passed and my stress levels are back to normal. As noted in the article the first thing I did was shut down all non-necessary services such as FTP and Samba. Luckily for me I never liked the idea of AiCloud so that service was already off. Next I ran a port scan on my external IP address from an server outside of my home network to make sure that no ports were left opened. My goal was to ensure that literally 0 ports were open to the outside world and my router didn’t respond to uninitiated packets sessions. I ran an nmap scan that checked ports 1-65534 and found a port in the very high ethereal range (something like 32000) and dug back through the ASUS interfaces until I found the culprit. Apparently I had forgot to turn off the VPN pass through option from my time working at Akamai. I ran the scan again focusing only on the port that was found in the previous scan and it was off.

I’m still concerned that I have a known IP address though. At the very least anyone who doesn’t like me could send a DDoS (or just a DoS with a strong enough connection) and make sure I don’t see the internet for a while. From the research I’ve done cable companies like Comcast dole out IP addresses using DHCP but the leases can be for years. The only time they change them is when the MAC address changes so my next step is to disconnect my ASUS and connect a laptop running a liveCD directly to the cable modem in hopes of getting a new IP address.

When ASUS contacted me they sent notes on the best practices they were announcing to existing customers and details of a beta patch that was rolling out. What I didn’t see was that the FTP service would explicitly not be open on the WAN interface and require authorization from the user to open up their files to the internet. Those victims that put a username/password on their FTP should not use default credentials like “admin/admin” since they are well known and, as stated above, the IP address of the router probably hasn’t changed.

Lastly I want to nitpick on the editor’s choice of describing my folly as being “caught with my pants down”. I think this was a great way to spice up the story but the analogy doesn’t work that well. I didn’t expose anything that I would be ashamed of. The image of my pants being down is my genitals are exposed and that’s something I don’t show in public and so a more apt analogy would be that my digital fly was down. Anyone in the world could get a peek into my digital pants, and it’s certainly embarrassing, but since I don’t walk around “commando style”[1] I was covered underneath that undone zipper.

[1] Military commandos who operate in the jungle often do not wear underwear because of the health issues associated with increased moisture and lack of air flow.…

So This Is What Getting Pwned Is Like

EDIT: NullFluid points out that they aren’t the group that performed the intrusive scan but are only hosting the text file. [0]

There was a definite sense of dread when I started reading the txt file [1] disclosing a massive flaw in Asus routers. I’ve had an RT model ASUS for nearly two years now and recently hooked up a giant USB hard drive to it so I could stream movies from my blueray player. But I thought there was no way I was affected since I went through the settings for the FTP service and disabled all outside access. I did leave the FTP security set to anonymous because I thought anyone not logged into my WPA2 protected wifi couldn’t even see the service.

Out of curiousity I entered ‘ftp://[my external ip address]’ into my browser and sat wide eyed when I saw the contents of my media server show up. I reasoned it must be because I’m already inside the network (which doesn’t even make sense really) but panic was starting to set in. So I pulled out my phone and turned off the wifi connection and tried it there. Now I was worried.

I started downloading the torrent of directory listings and quickly turned the FTP service off. I checked the pastebin with all the IP addresses that had the dir listing bug [2] and there was my IP address. Worry was now turning to fear. After the torrent finished I looked for my IP address and found that it was under ‘partial listings’.

There’s no point in my denying that I got pwned because in the file listings are things like ‘OLIVER_DAY_GMAIL_COM_201401052241083414.pdf’ which is a copy of a boarding pass I downloaded. I’d started pushing stuff from my Downloads folder onto the media drive for convenience sake. I’m not worried about what’s on that drive however I’m terrified by the idea that someone replaced a file with some malware and then I opened it assuming I was safe.

I’m also going through memories of flaky wifi in the last month plus some weird issues with the drive itself and wondering if it was due to others accessing my drive at the same time I was. It’s a really sickening feeling although I got off pretty lucky. In my life I’ve had friends who were pwned by rival hackers and had entire mail spools dumped, financial information leaked, etc. All I lost was a directory listing and some face.

Going through the file listings of other IP addresses I see insanely personal items like whole backups of laptops, family photos, porn collections, and tax documents. Anyone that has the list of IP addresses can potentially download any of those files. I wrote some python to walk through the list of IP addresses and check to see if logging in anonymously is still possible. I’m not bothering to look at anything just see if ftp.login() works and recording the statistics. The numbers are not reassuring. The code is also on pastebin for those who want to run it and help report the numbers. [3]

While I’m not entirely opposed to the idea of full disclosure I’m not sure I agree with nullfluid’s Brothers Grim, et al dump of vulnerable IP addresses. Even though this act caused me to discover the vulnerability in my own hardware I’m not okay with the idea that he took a snapshot of my FTP directory and made that part of the torrent. What was the point in that? It would have been just as effective to list the IP address and I would have reacted and benefited the same. All he’s they’ve done is made certain people way bigger targets because the listing shows movies, or music, or porn, or very very personal files. If nullfluid Brothers Grim, et al is going to poke into everyone’s drives anyway why not leave a note in the root of the FTP directory warning the user of the vulnerability? That’s the biggest problem I have with his their approach is he they told the world but he they didn’t tell the victims. Fine I’ve patched my Asus router and now question whether I should keep it at all. I agree it was a very poor decision on Asus’s part to make those default settings the way they were and I doubt I’ll turn the FTP service back on anytime soon. But including full directory listings of all these victims is on you nullfluid Brothers Grim, et al. It was a mistake on your part and you should apologize to us all.

[0] The text file lists the following as the crew that performed the scan: The Brothers Grim, Chuck Palahniuk, Gargamel, Debra Morgan, Gollum, Voldemort, Skeletor, Duke Igthorn

Evangelism and other Definitions

I’ve been looking for a new job recently and found a position with an organization that does amazing work. They advertised for a security evangelist so I looked into the position. I’ve heard of the term before and never developed an opinion of them one way or the other. Frankly I didn’t really know what they did until a few days ago when my research began.

The first blog that popped up on Google is from a security evangelist at He based a lot of his article on an article by krypt3ia who ranted about how bad it is to use the term evangelist.

I read krypt3ia’s article with an open mind but I always worry when someone starts a written argument with a literal definition from an actual dictionary. That was what I did in high school when I didn’t know how else to start a paper and it’s an appeal to authority that isn’t very useful in this type of discussion. Languages evolve and definitions change all the time and pretending otherwise isn’t a winning strategy. I think the actual problem he has with the term ‘evangelist’ is shown about 3/4 of the way through his rant where he talks about the term ‘heretic’:

“Perhaps this is all we know, we people who still follow a book so closely that now has the masses up in arms about the issue of people of the same gender wanting equality … A book mind you, written by people barely able to understand nature around them so they made stories up to fill in the gaps. Really? 21st century? Yeah.. Right.”

I get his argument against religion (and I’m assuming the Bible) and I don’t disagree with him on this point[1] but I think getting this worked up over the term evangelist doesn’t make sense. The wikipedia article for the more generic term “Technology evangelist” has this opening definition:

“A technology evangelist is a person who builds a critical mass of support for a given technology, and then establishes it as a technical standard in a market that is subject to network effects.”

The article goes on to establish the link to the word evangelism by suggesting it is “due to the similarity of relaying information about a particular set of beliefs with the intention of converting the recipient.” Think Steve Jobs or even today Vint Cerf.

This part rings pretty true for me. Infosec [2] is a cloudy term that encompasses a lot more people than it did when I learned it in the 1990’s, however; most of us do hold beliefs about security. These beliefs translate into practices like “hardening a server” or “using passphrases instead of passwords”. So a security evangelist is someone who tries to convert those with poor security practices to our way of life.[3]

Perhaps I have an easier time dealing with portmanteaus or even updating definitions as words find their way into computer specific lexicons. I fought similar fights when I was at Akamai and trying to implement biostatistical analysis and epidemiological methods to make the company more secure. I was told that the words I used were medical jargon (eg. Sensitivity and Specificity) and it was too confusing for them. But our industry specific language has dealt with this for a long time and I doubt it will stop anytime soon. [4]

So how do people, especially those that hate the term ‘evangelist’, feel about the term ‘virus’? Want a link to the Wikipedia article or an OED definition? You probably won’t find anything related to non-biological organisms unless you look at ‘Computer Virus’. Or how about ‘sales engineer’?

Again citing Wikipedia, an engineer is “a professional practitioner of engineering, concerned with applying scientific knowledge, mathematics, and ingenuity to develop solutions for technical problems. [5] What do SE’s build again? I’ve been an SE in my career and other than sales demos there wasn’t much I did to really deserve the E part of my title.

Krypt3ia isn’t alone in his disgust with the term however. As I scanned through Twitter I found other notables (particularly Space Rogue of curmudgonley fame) saying one should never ever admit they were an evangelist. There is a hint of anti-charlatanism in their tone that can’t be missed. [6] I think the real answer to the animous against this term lies here. The sense I’m getting is those opposed to the term think security evangelists are those that don’t have the skills to be real hackers/infosec professionals and therefore listening to them is both a waste of time and potentially dangerous. I think nothing displays that more than this anigif.

[1] At the best of times I’m an atheist but occasionaly I’m just agnostic.

[2] I don’t know if someone has written about the transition of the 1990’s hacker to infosec so I’ll leave this here as a reminder to write about it if an article isn’t already extant.

[3] I do this all the time without thinking about it. Last month it was when speaking with the CFO of my nonprofit when she asked about using online banking. My advice was to boot up a liveCD and bank from there.

[4] The biggest push back I got was using the term “computer disease” instead of malware/badware/trjoan/etc. It makes a lot of sense if you think about it.

[5] In case you’re wondering “engineer is derived from the Latin roots ingeniare (‘to contrive, devise’) and ingenium (‘cleverness’).”

[6] Anyone who knows him understands that he isn’t shy about opining on what is right or wrong and who in the industry is an actual charlatan.

Wireless Mic Research

During Source Boston I became fascinated by the idea of using SDR to listen in on wireless mics. It occurred to me that corporate meetings in hotels with lots of sensitive information are probably vulnerable to that type of eavesdropping. I looked into encrypted wireless mics but they are very expensive and I can’t imagine a lot of people outside of the Fortune 10, military, and some parts of the government can afford them.
My first find was a page of wireless mics that were in the 700Mhz range and now banned by the FCC for intruding upon emergency communications. [1] @0xabad1dea pointed out rather quickly this wasn’t the list I thought it was. But I had also scraped together another list from product pages I’d browsed the previous evening.
G1 Band 470-530 Mhz
H4 Band 518-578 Mhz
J5 Band 578-638 Mhz
L3 Band 638-698 Mhz

Once I get a better grasp of GnuRadio I can probably cobble together a wireless mic scanner for the next conference I visit. Or maybe just hang around hotel lobbies and look for stray conversations.


Is Korean Law Driving Policy at Blizzard?

US customers of game maker Blizzard are up in arms tonight as news of a new policy is set to require all posts on the Blizzard forum to use their Real ID system. That means that every post is accompanied by the real first and last name of the user. People are unsure what to make of this and I haven’t seen any communication from Blizzard stating why they are making this change.
I’m going to make the suggestion that South Korea’s Real Name System [is a driving force behind this decision]*. In 2009 South Korea’s government created a law that was meant to curb online defamation by insisting that all users who comment on sites with greater than 100,000 users per day must use their real name. The first US company to feel the effects of this law was Google. South Korea insisted the Youtube comments require all users to post with their real first and last name. Google got around this law by forbidding anyone with a South Korean IP address from posting to Youtube. Recently South Korea backed down and exempted Youtube from the Real Name system.
Given these facts it might not make sense why South Korea might enforce the Real Name system on Blizzard. My guess would be that the government is very aware of the immense popularity of Starcraft in South Korea. Some have joked it is their national sport. South Korea even has professional SC leagues with sponsors and packed arenas. I don’t think Blizzard can take the Google approach here and just ban South Korean users from posting to their forums. The South Korean market must make a ton of profits for Blizzard and unlike Google they don’t have revenue coming in from other sources.

* edit: fixed that sentence

Pax Musicana

Over the years friends have asked what I have against music services like iTunes. A week or two ago the term Pax Musicana crept into my subconscious and it captures the issue perfectly. My general disdain for digital services like iTunes, Amazon Kindle, and the like is that I am locked into a service and should I decide to wander to the next big thing I would have to rebuild my collection from scratch. I would have to abandon all the value I stored in that service because they refuse to let me take my purchases with me.
The term Pax Musicana came to me as a concept of what these services should be. If I buy a song from one vendor my “license” to listen/download/stream that song should extend to all legitimate online services. even has an article advising ISPs to start music/media stores to lock customers in and reduce their churn rate. The dying copyright bastions like Sony, EMI, Warner, Vivendi, et al are laughing their collective asses off because consumers who wish to stay legal have to repurchase the same album from iTunes, Walmart, or wherever they go next instead of repurchasing when media formats change (cassette -> cd, etc). The article implies that disgruntled customers will stick around just so they don’t lose the value they invested into those songs.
Sure they could export those mp3s to their computers but what exactly is the point? As we all move into the cloud it would make more sense for users to have the ability to log in and stream their music from wherever they are in the world. And should they decide that the next big thing in music store surpasses their current one all their licenses should move with them.
The music industry has made a big deal about the sale of music being more a licensing agreement than a transfer of property. You don’t own the album you just paid for so much as have a right to listen to the music (privately). As we extend this metaphor to movies and books this concept becomes far more powerful.
When a friend of mine got a Barnes and Noble Nook for his birthday I had to hold my tongue as he showed it off. None of the titles he purchased on his Kindle would transfer over. I suppose pax mediacana would be more apt for this post’s title but it doesn’t have quite the same ring.
Interestingly the Wikipedia article on the original term “pax romana” says that the “Romans regarded peace not as an absence of war, but the rare situation that existed when all opponents had been beaten down beyond the ability to resist.” So perhaps we are there already. It seems that consumers today are so beaten that they will accept whatever terms are dictated to them. They buy media online without thought to the limitations of how far that media can travel with them. They sign (click) away all their rights to resell the media when it is no longer interesting to them (see First Sales Doctrine). I hope this changes soon. Until it does don’t expect a penny from me in terms of this disposable media. It simply isn’t worth it.

My speech at the Works in Progress of Intellectual Property Conference

My notes for the talk I gave to a group of distinguished law professors at the Seventh Annual Works in Progress Intellectual Property (WIPIP)

I am not a law professor
i am and am not a hacker.

the term hacker has undergone significant change in the last two decades so the meaning is ambiguous these days.
let me give you this definition and for the sake of the next 4 mins of my talk consider it to the the authoritative one

hackers are computer users who are adept enough to bend the function of a program to their will.

security researchers are much like the hackers of the 1990’s but unlike what the term has come to mean lately.

when researchers find security flaws in software they will generally contact the manufacturer. they are met with one of three responses:
1) disregard
2) deference
3) contempt

When met with contempt they have been threatened with law suits using a variety of novel legal theories. Reading though our history is like walking through a catalogue of existing IP frameworks. Patent, Trademark, Copyright, Contract and Criminal have all been used in response to an individual making claims that a product contains a security flaw.

In 2007 Chris Paget of security firm IOActive was going to give a talk at a security conference about the insecurity of HID badges. These badges are ubiquitous in corporate America and the issues he discovered need to be discussed. HID forced his talk to be canceled with the threat of patent infringement.

A few years earlier in 2005, researcher Mike Lynn had discovered a security flaw in Cisco routers. These devices are largely responsible for the backbone of the Internet. Interestingly Cisco had already fixed the flaw yet filed a TRO against Lynn to prevent him from talking about his work to a group of like minded peers at a security conference. In the aftermath of this incident Lynn had to agree to a permanent injunction forbidding him from ever talking about it again.

Lessig famously said that on the Internet “Code is Law”. I would like to reverse that turn of phrase for the real world.
“Law is code”
It is compiled by legislators and debugged by judges

And in this sense what the companies we write about in our paper did was impressive. They hacked the law. The bent these disparate legal frameworks to their will and used seemingly unrelated laws to silence researchers who were making claims that their product was flawed.

what our paper proposes to do is patch the law so that legal hackers can not continue to subvert the legal system anymore. And with that I’ll turn it over to Derek to explain how that would work. [pdf]

Repercussions of bad German laws on security research

This month I’m conducting some research into web hosting security issues and ran into the aftermath of the German law passed in 2007 banning security research publication. The policy has had the effect of silencing security researchers from that country. While investigating issues in PHP security I came upon the Month of PHP Bugs website and when I attempted to download a proof of concept to illustrate what type of security issues PHP had back in 2007 I got an explanation from security researcher Stefan Esser explaining why he no longer feels comfortable publishing results to the Internet.

Instead of summarizing his explanation I’m going to repost it here:

Dear Visitor,

since Friday 10th, August 2007 a new and very troubling law is enforced in

It is no longer legal to create and/or distribute so called hacking tools in
germany. This includes port scanners like nmap, security scanners like nessus
or simple proof of concept exploits like the MOPB exploits. They are now illegal
because someone COULD use them to commit crimes.

Until today I had hoped that our Bundespresident would stop this insane law with
a last minute veto, but now it is official and our government has rendered germany
more or less defenseless against the threats from outside germany.

Unfortunately our government has been deaf to the warnings from lots of experts
that tried to explain how important these so called hacking tools are not only
for the current generation of security consultants to do their daily job, but
also how important they are for the education of the next generation of
researchers and consultants.

If you do not know how to attack, you will never know how to defend yourself.

Stefan Esser

This is incredibly frustrating for someone like me who is doing legitimate research into security problems that are plaguing the Internet. Security research is a rare and valuable skill set which should be cultivated not destroyed. Yet the German law is likely driving away people from this profession due to the impossibility of publication on the Internet without fear of criminal charges. At best the researchers who are turning away in Germany are finding other less beneficial avenues to explore. At worst they are publishing underground only.

I had largely forgotten about this law being passed in 2007 because I too had assumed the President in Germany would come to his senses and repeal it. Germany has had a remarkable history with hackers (see Chaos Computer Club) so it is very surprising they went in this direction.

Some old articles about this:
ars technica
article about aftermath

I need to do some more follow up on this but so far the results look grim.