Super Seed!

The super-seed feature in S-5.5 and on is a new seeding algorithm designed to help
a torrent initiator with limited bandwidth “pump up” a large torrent, reducing the
amount of data it needs to upload in order to spawn new seeds in the torrent.

When a seeding client enters “super-seed mode”, it will not act as a standard seed,
but masquerades as a normal client with no data. As clients connect, it will then
inform them that it received a piece — a piece that was never sent, or if all
pieces were already sent, is very rare. This will induce the client to attempt to
download only that piece.

When the client has finished downloading the piece, the seed will not inform it of
any other pieces until it has seen the piece it had sent previously present on at
least one other client. Until then, the client will not have access to any of the
other pieces of the seed, and therefore will not waste the seed’s bandwidth.

This method has resulted in much higher seeding efficiencies, by both inducing
peers into taking only the rarest data, reducing the amount of redundant data sent,
and limiting the amount of data sent to peers which do not contribute to the swarm.
Prior to this, a seed might have to upload 150% to 200% of the total size of a
torrent before other clients became seeds. However, a large torrent seeded with a
single client running in super-seed mode was able to do so after only uploading
105% of the data. This is 150-200% more efficient than when using a standard seed.

Super-seed mode is *NOT* recommended for general use. While it does assist in the
wider distribution of rare data, because it limits the selection of pieces a
client can download, it also limits the ability of those clients to download data
for pieces they have already partially retrieved. Therefore, super-seed mode is
only recommended for initial seeding servers.
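To make the piece-selection rule concrete, here is a small deterministic swarm simulation, added as an illustration and not taken from S-5.5 or any BitTorrent client. The swarm model (a few leechers, one piece per peer per round, rarest-first exchange between peers with ties broken by piece index) is an assumption of the example; the super-seed rule is the one described above: the seed tells each peer about exactly one piece it has not yet sent (or the rarest piece once every piece has gone out) and offers that peer nothing more until the piece shows up on another peer. The same swarm is run with a standard seed that serves whatever each peer asks for, so the two upload totals can be compared.

```python
from collections import Counter
from typing import Dict, List, Set


class Swarm:
    """Constructed toy swarm: n_pieces pieces, n_peers leechers, one seed (not S-5.5 code)."""

    def __init__(self, n_pieces: int, n_peers: int) -> None:
        self.n = n_pieces
        self.have: List[Set[int]] = [set() for _ in range(n_peers)]
        self.seed_uploads = 0  # pieces the seed has pushed out

    def availability(self) -> Counter:
        """How many peers currently hold each piece (the seed is not counted)."""
        avail: Counter = Counter()
        for held in self.have:
            avail.update(held)
        return avail

    def complete(self) -> bool:
        return all(len(held) == self.n for held in self.have)

    def peer_exchange(self) -> None:
        """One round of peer-to-peer transfer: each peer takes one piece it lacks,
        rarest first, from any other peer. This costs the seed nothing."""
        avail = self.availability()
        for i, mine in enumerate(self.have):
            others = set().union(*(h for j, h in enumerate(self.have) if j != i))
            wanted = others - mine
            if wanted:
                mine.add(min(wanted, key=lambda p: (avail[p], p)))


def run_standard_seed(n_pieces: int, n_peers: int, max_rounds: int = 1000) -> int:
    """Standard seed: every round each incomplete peer fetches one piece of its own
    choice (rarest first, no randomised tie-break) from the seed. Returns seed uploads."""
    sw = Swarm(n_pieces, n_peers)
    for _ in range(max_rounds):
        if sw.complete():
            return sw.seed_uploads
        avail = sw.availability()
        for mine in sw.have:
            missing = [p for p in range(sw.n) if p not in mine]
            if missing:
                mine.add(min(missing, key=lambda p: (avail[p], p)))
                sw.seed_uploads += 1
        sw.peer_exchange()
    raise RuntimeError("swarm did not finish")


def run_super_seed(n_pieces: int, n_peers: int, max_rounds: int = 1000) -> int:
    """Super-seed: the seed hands each peer one piece, preferring pieces it has never
    sent (else the rarest), and gives a peer nothing more until the piece it last
    gave that peer is seen on some other peer. Returns seed uploads."""
    if n_peers < 2:
        raise ValueError("super-seeding needs a second peer to confirm each piece")
    sw = Swarm(n_pieces, n_peers)
    last_sent: Dict[int, int] = {}  # peer -> the single piece the seed last gave it
    sent: Counter = Counter()       # piece -> how many times the seed uploaded it
    for _ in range(max_rounds):
        if sw.complete():
            return sw.seed_uploads
        for i, mine in enumerate(sw.have):
            if i in last_sent and not any(
                last_sent[i] in h for j, h in enumerate(sw.have) if j != i
            ):
                continue  # piece has not propagated yet: this peer gets nothing more
            missing = [p for p in range(sw.n) if p not in mine]
            if not missing:
                continue
            avail = sw.availability()
            # never-sent pieces first, then the rarest in the swarm, then lowest index
            piece = min(missing, key=lambda p: (sent[p] > 0, avail[p], p))
            mine.add(piece)
            sent[piece] += 1
            last_sent[i] = piece
            sw.seed_uploads += 1
        sw.peer_exchange()
    raise RuntimeError("swarm did not finish")


def upload_ratio(uploads: int, n_pieces: int) -> float:
    """Seed upload as a fraction of the torrent size (1.0 == 100%)."""
    return uploads / n_pieces


if __name__ == "__main__":
    pieces, peers = 6, 3
    std, sup = run_standard_seed(pieces, peers), run_super_seed(pieces, peers)
    print(f"standard seed: {std} pieces ({upload_ratio(std, pieces):.0%})")
    print(f"super seed:    {sup} pieces ({upload_ratio(sup, pieces):.0%})")
```

With 6 pieces and 3 peers the super-seed run uploads 9 pieces (150% of the torrent) and the standard seed 18 (300%). The absolute numbers are artefacts of the toy model's deterministic tie-breaks and say nothing about a real swarm, but the gap comes from the mechanism the text describes: each piece leaves the seed once and then spreads peer-to-peer, whereas the standard seed keeps serving the same popular pieces to every peer that asks. The waiting rule is also where the downside shows: a peer that already holds its one piece is told about nothing else until that piece propagates, which is the partially-downloaded-piece problem the last paragraph warns about.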

Expectations of Privacy, Shame is in Vogue Again

On 4-20-2006 University officials closed Farrand Field from 12 Noon 
until 5 PM. The field was closed off with barricades, yellow jacketed 
"event staff" personnel and police officers.

Approximately 40 signs were posted on all sides of the field
advising that the field was closed and that video and photographic
surveillance was going to be used on and around the field that
day. A photo of one of the signs is shown to the right.


Those individuals who are pictured below and on additional pages were 
photographed on the field during the closure hours as posted on the signs.

I think it should be documented that the above notice was NOT on their
webpage earlier in the day. Only when I checked back in the later evening
was it added to the page. I have to assume they received some bad press
over this move. Some background first:

April 20th is 4/20 in shorthand. The number 420 is explained here to mean:

The term was shorthand for the time of day the group would meet, at the 
campus statue of Louis Pasteur, to smoke pot. Intent on developing their 
own discreet language, they made 420 code for a time to get high, and its 
use spread among members of an entire generation. 

Fast forward to 4/20/2006 (or rewind technically) and a group of students
decide to meet in a field to have a rally/smoke out. This is pretty common
on college campuses nationwide and it would seem that most just look the
other way. It is understandable since it is really difficult to imagine a stoner rally getting “out of control” in any way.
Questions I have for UCPD:
1) Why was the field shut down in the first place?
It is peculiar that the area was closed specifically on 4/20 and only between noon and five which is when this rally was being held. Why didn’t the police intervene while they were smoking?

2) The sign (preserved below) states that surveillance is being used but where does it mention that all surveillance will get posted to the Internet?
The only real penalty mentioned here is being summoned to the office of judicial affairs?

3) Does the UCPD have any history of wrongful behavior?
My initial search found this article which describes a protest gone wrong.

Initially peaceful, the demonstration degenerated into a 
confrontation between protesters and CU-Boulder police 
officers. Three individuals were arrested following the 
incident, which included the use of chemical spray by both 
sides.

Chemical spray? How did the protest go from peaceful to chemical spray?

4) When did shame come back in vogue?
I remember as kids we always joked about things going on our permanent record. It’s even in a Pink Floyd song. Now it’s come true. The internet remembers EVERYTHING. Caching and file sharing technologies ensure that any piece of media published that is interesting will never go away. The UCPD has ruined the lives of all of these kids. There is now a very real limitation on the types of jobs that they can apply for. Wall Street? I’m sure it’s fine for them to work there. Any federal job? Not a chance.
Despite what I’ve heard from some in the IRC channels (who work for DHS), smoking pot is a federal crime. (As an aside, Colorado is a decrim state according to politech, which makes what these kids are doing, possession of a controlled substance of less than 1 oz, a misdemeanor at worst and likely an infraction.) These photos will follow them forever and I will bet that they are already all over the net in various pages joking about pot smoking. Here’s the real punch line. Even if UCPD decides, or is ruled against, this was the wrong thing to do, they CAN NOT undo it now. There is no Ctrl-Z for internet publishing.

Legal WTF?

 (A) to transport, transfer, or otherwise dispose of, to another, for purposes of 
commercial advantage or private financial gain, as consideration for anything of value;  
or 
 (B) to make, import, export, or obtain control of, or possess, with intent to so 
transport, transfer, or otherwise dispose of; and 
(B) the term “financial gain” includes the receipt, or expected receipt, of 
anything of value. 
 

This sounds like it was gleaned from narcotics law (also note the ability to “confiscate” or impound computers). I want to assume they are talking about real pirating operations that have warehouses of duplicated media ready to ship. But the laws pushed by the RIAA have generally been to battle online pirates. When is the last time you read about a major pirating operation involving real CDs? So if this assertion were true as to the online nature of this law then how exactly does anyone determine “intent to so transport”?
Narcotics law likes to lump criminals into two neat categories. Consumers and Suppliers.
In zero tolerance states it’s a no win situation if possession is provable. States with softer laws generally let the little fishes (users) go without much harsh prison time. If you are a dealer then pack up the soap on a rope. Take the example of someone who was busted for possession of an illegal drug. Let’s say they have 10 ounces of this drug. If the 10 ounces are all in one container then the amount (this of course depends on the drug) could be considered “personal use” and fines are levied and community service mandated. This of course is a best case scenario. If the authorities discover the suspect has the 10 ounces of illicit substance divided into 10 neat little bags then the punishment is different. Now the person is a dealer and has “intent to distribute”. Where is the little baggy in the computer piracy world? If I burned a copy of the CD does that prove intent? How about just having the music in my “shared” folder for whatever p2p application I’m using. Does this constitute intent?

Noisechain ensures “no single person is provably responsible of hosting/distributing a given file.”

This is a really interesting technology that makes it difficult (if not impossible) to determine who is hosting a particular file. After reading the latest changes to the DMCA we may really need something like this. I’ll blog more about those changes next.

An anonymous person will use Noisechain to break the 'FILE' into 5 parts. Here's what
Noisechain does. XOR is a commutative operator, so we need few parentheses:

   1. generate 4 files: A, B, C, D, with completely random data in each.
   2. calculate X = (A XOR B XOR C XOR D) which is random; see (b)
   3. calculate E = (FILE XOR X), which is random; see (b)
   4. we now have A, B, C, D, E, which are all random, **but** have the property:
      (A XOR B XOR C XOR D XOR E) = X XOR E = FILE
   5. permute A, B, C, D, E randomly, to lose track of which come from step '1', and
      which comes from step '3'.

So, from a 'test.zip' file, noisechain will output 5 separate files, 'test.zip.[1-5].noise' which 
can then be hosted independently by 5 people.

Of course, it would be quite stupid to require 5 URLs for downloading the files. That is 
why, with each 'noise' file, you get a 'chain' file that points to the next URL.

Anyhow, it is mandatory to download *all* 5 files. If you have only 4 files, you have 
random data that gives **zero** information about the file. If the 5 people are in different 
countries, it is a nice bonus.

update 10/1/07: s/insures/ensures/g;

Further erosion of vulnerability disclosure

[b] http://alerts.symantec.com/default.asp?R...('XSS')
[b] https://tms.symantec.com/formslogin.asp?...('XSS')
[b] hurm...
[i] bah its just xss
[b] should be ">
[b] yes but it is before login
[b] and isnt this a security minded service?
 it's embarrassing if nothing else.
[i] are these internal? or external?
 also very funny !
[j] external
[o] tms is deepsight/threat management system i believe
[i] oh
[i] hahah
[i] nice work ;)
[t] i thought it was internal
[b] deepsight
[b] just got my account this morning
[b] XSS everywhere
[b] I wonder if I sent out a POC to the internal mailing list if I would get fired
[i] only one way to find out!
[d] there's an internal mailing list ?
[s] i think you should just blast it across worldwide GSS like happens when there's a need for staffing
[i] hhehe
[m] make sure to recommend that the ARIS (tm) threatcon be increased to at least 3 also


I lost the timestamps on this particular IRC log but suffice it to say it was after the Symantec acquisition of @stake. I’ve removed people’s handles lest they get in trouble for what is said here. If you are reading this from the security community it might be easy to criticize this. “Who cares about XSS vulnerabilities?” It’s a valid point and one that I’m not ignoring here. If I had evidence of more egregious violations I may be uncomfortable posting them on a public blog. I think even with the minor severity of an XSS vulnerability the underlying issues are the same. Employee [b] found a vulnerability in corporate intellectual property. He found a flaw. It would be the right and just thing for him to report this violation. He felt uncomfortable doing even that.
A read through the RFP disclosure policy gives the average reader an idea of the timeline that has been accepted among most researchers as both responsible and fair. Of course the roles of the “researcher” and the “company” in the RFP policy assume that there is no link. What if the researcher works for the company? Remember that in the US a company can fire any member in its employ for nearly any reason. So long as civil rights are not violated, the employment of the researcher is fair game.
I would be remiss if I didn’t mention the Yankee Group report “Fear and Loathing in Las Vegas: The Hackers Turn Pro” by Andrew Jaquith. In this report he describes the constant attack that security product companies find themselves under. Following the report Symantec announced that the @stake team, recently acquired, was already looking into these types of flaws. Most of us in the Cambridge office scratched our heads and muttered when this announcement came out. No one had heard of this program and in the following weeks nothing was mentioned. If one were to look back through the email archives of the @stake team during this time and the months preceding it, it would be interesting to see how many product flaws were found. Many of the researchers, still a bit unhappy with the acquisition, made discoveries in Lotus Notes (the new de facto mailing system by parent company Symantec) and other Symantec related products. It’s unclear how many of these “discoveries” either made it back to their respective companies or ever saw the light of day. It is almost certain that Symantec sits on a mountain (or perhaps it’s a hill) of 0day vulnerabilities discovered by the remaining all-stars picked up in the @stake acquisition such as Ollie Whitehouse and Isaac Dawson.

Fun Moments in History: Symantec Acquires @stake

[oday@zero oday]$ ssh localhost
oday@localhost's password:
Last login: Fri Oct 15 12:44:48 2004 from 10.1.8.141
 
----------------------
Welcome to the Wayback
 (bring your own A/C)
----------------------
 
5 May 04: Sorry the SSH daemon has been flaky today.  I upgraded it to
OpenSSH 3.8p1 last night, but apparently some interoperability problem
with PAM/LDAP authentication caused many people not to be able to log
in at all.  We're now running 3.6.1p2 which is obviously not ideal,
but still much better than 2.5.2p2, which is what was installed up
until yesterday!
  --root
 
 
[1] ircii
[2] BitchX
 
Select: 2
BitchX - Based on EPIC Software Labs epic ircII (1998).
Version (BitchX-1.0c17) -- Date (19990221).
Process [8744]
Using terminal type [xterm]
[BitchX-1.0c17 by panasync]                    
??? BitchX: Created directory /tmp/.BitchX
??? BitchX: Auto Response is set to - oday
??? Connecting to port 6667 of server 127.0.0.1 [refnum 0]
[0]  *** Looking up your hostname...
[0]  *** Checking Ident
[0]  *** No Ident response
[0]  *** Couldn't look up your hostname
??? BitchX: For more information about BitchX type /about
??? Welcome to the Internet Relay Network oday (from wayback.atstake.com)
??? Your host is localhost[localhost/6667], running version 2.8/hybrid-6.0
          (from wayback.atstake.com)
[0]  *** Your host is localhost[localhost/6667], running version
          2.8/hybrid-6.0
??? This server was created Fri Jun 29 2001 at 23:31:14 EDT (from
          wayback.atstake.com)
??? wayback.atstake.com 2.8/hybrid-6.0 oiwszcrkfydnxb biklmnopstved
??? [local users on irc(16)] 67%
??? [global users on irc(8)] 33%
??? [invisible users on irc(16)] 67%
??? [ircops on irc(0)] 0%
??? [total users on irc(24)]
??? [unknown connections(0)]
??? [total servers on irc(2)] (avg. 12 users per server)
??? [total channels created(5)] (avg. 4 users per channel)
??? Current local  users: 16  Max: 19
??? Current global users: 24  Max: 27
??? [Highest client connection count(20) (19)]
??? 127.0.0.1  No such server
??? Mode change [+iw] for user oday
Channel      Users   Topic
#@stake          6   *** Please migrate over to the #symantec
#aol             1
#gs              1
#symantec       14
??? oday [~oday@127.0.0.1] has joined #symantec
??? [Users(#symantec:15)]
[ oday      ] [ pnguyen   ] [ mhammond  ] [ mlevine   ] [ vik       ]
[ patmadden ] [ txs       ] [ mmiller   ] [ imelven   ] [ idawson   ]
[ gmeltser  ] [ kdunn     ] [ jbailey   ] [@ceng      ] [@ChanServ  ]
??? Channel #symantec was created at Tue Oct 12 18:28:12 2004
??? BitchX: Join to #symantec was synched in 0.039 secs!!

Usenet Server Hacked

In a dark corner of the Internet the newzbin servers were compromiz^Hsed.
s/the/teh/gi;

Interestingly, half of the mailboxes there are nothing to do with Newzbin and are innocent 
third party users on the personal machine that was compromised two years ago. Strange how 
they've posted those too. What exactly are they trying to achieve here?
StormPay in rendering themselves next to useless shocker
Written by Admin Caesium at 12:30AM -- Friday March 24 2006 GMT

Directly quoted from StormPay site:

Storage Service Providers Live Again

In early 2000 I conceived of a company called “Digital Knox” which would provide secure encrypted storage. It fell into the SSP market (storage service providers). It was late in the Internet boom so raising VC funding was difficult. We (the DK team) watched as other SSP players like “Network Storage” (the only company to trade on NASDAQ) fell. There were several problems with the SSP model in the enterprise market and I think they will be difficult to overcome in the consumer market as well.

1) Trust.
Let’s face it. I don’t trust Microsoft. I don’t think of them as evil or out to get me. I just don’t think they have my best interests in mind. So let’s take the example they give in the marketing spiel:

“With Live Drive, all your information—movies, music, tax information, a high-definition videoconference you had with your grandmother, whatever—could be accessible from anywhere, on any device.”
Starting with the first two items, just how difficult do you think it would be for RIAA or MPAA to search through all those drives? Microsoft *loves* those organizations, or they appear to, because of the alliances they are forging (think DRM). If I own a bunch of DVDs and decide to rip them to my hard drive and store them online via Live Drive am I suddenly liable?
This example is somewhat easy to pick apart but the next one really should strike fear into your heart. Tax information. Personal identifiable information. What about my digitized health records? If only 10% of adults stored their tax information with Microsoft then how long would it take before hackers mounted an attack to copy it?

2) Capacity.

Most of these companies use the same tag lines which sound great in marketing but have no basis in scientific reality. “Unlimited Space” and “Unlimited Bandwidth” are a fabrication at best. Obviously they wouldn’t offer this to a business for two reasons. Companies are capable of needing petabytes of storage and can handle massive amounts of upload (in the MB/s range). Consumers on the other hand can be lied to because it’s difficult to call the bluff. Most commercial broadband solutions don’t allow more than 45 KB/s and if one removes things like MP3 collections and such they probably won’t have more than half a terabyte of personal data. Again the big question I would pose to any cyber lawyer is, “Could I legally upload and store my legally purchased music and movies?”
And at what point could industry groups such as RIAA and MPAA legally search those files to ensure compliance with Federal copyright law?

Brazilian Hacker Scene

————————————————–

HACKING IN BRAZIL
=================

Before talking about hacking here, it’s good to describe the conditions
of living. Right now, the country is a mix of Belgium and India. It’s
possible to find both standards of living without travelling long
distances. The Southern part of the country concentrate most of the
industry, while in the west one can find Amazonia jungle. There are many
Brazils, one could say.

Beginning with the hacking and phreaking.

Hackers and computers enthusiasts have several different places for
meeting. When this thing started, by the time of that film “Wargames”,
the real place to meet hackers and make contacts were the computer
shops, game-arcades and “Video-texto” terminals. The computer shops were
a meeting place because many of those “hackers” had no computers of
their own and the shop-owners would let them play with them as part of
an advertising tool to encourage people buying it for their kids.

Today that is no longer needed, since prices dropped down and people
make a team already at schools or sometimes just join a BBS (most people
who buy a modem, end up thinking about setting up a BBS). By the way,
most schools are advertising computer training as part of their
curricula, to charge more, and like everywhere, I guess, people no
longer learn typewriting, but computer-writing, and many Brazilian
newspapers dedicate a section on computer knowledge once a week, with
advertising, hints, general info and even lists of BBS’s.

A few years ago, the “Video-texto” terminals were also big meeting
places. That was part of a effort to make popular the use of a
computer linked by modem to get services like msx-games, info on
weather, check bank account and so on. Just like the Net, one could do
e-mail, by some fancy tricks and other things that could be called
hacking. The difference was that it was made by the state-owned
telephone company and each time the trick was too well know, it was
changed. The only way to keep in touch was keeping in touch with the
people who used the system like hell. It’s no different than what it
happens with the computer gurus. The protocol used for that, X-25 is the
same used for the banking money transfers, but don’t think it was
possible to do anything more than checking how much money one had and a
few other classified data. People who used that at home (not too many,
since the company didn’t think it would be such a hit, and didn’t
provide for it) could spend their fathers money discovering funny things
about the system, like messing with other people’s phones and so. One
could also use the terminals at the Shopping Centers to make phone
calls to their friends without paying. The guy at the other end would be
heard by the small speaker.

Phreaking here in Brazil is something secret. Apart from the trick
described in the section “Letters to read by” at the summer 1994 of the
2600 Magazine, where one would call through locked rotary telephone,
little is known about phreaking. One thing is that people who enrolled
in Telecommunications Engineering could call Europe and USA with ease,
but they would not tell you how. It must be said that all public phones
have metal cables around the cables and that the phone machines are
quite tough to break down. I guess it wasn’t for beauty.

The phones use some sort of metal coins called fichas, which must be
bought somewhere. The trick is to use a coin with a string, so it would
not be collected. But if the police caught… The police doesn’t follow
rules about that. Either they put a fine on the guy for that, or arrest
him for vandalism or anything else they think of at the moment. It is
hassle, anyway. My friend who was doing electrical Engineering told me
that boxing in Brazil was impossible. The system is just not good enough
to be boxed. Another friend of mine told me that in the Northeast part,
where people are a little bit different and more easy-going, the phone
system can be boxed, because some top-brass asked the company to let
that feature implemented. The Phone company doesn’t admit any knowledge
about that.

Internet access is something quite hard to get today. Until a few weeks
ago, the system would not let the creation of a Internet site that was
not part of some research project. So, only Universities and like were
capable of putting people in the Net Universe. In the University of São
Paulo, people in the post-graduation courses could get it with ease, but
graduating students would have to show some connection to a research
project. That in theory, because the students found out that one could
use the IBM CDC 4360 to telnet without a Internet account. Also, all the
faculties that had computer rooms full of AT 386 which where linked by
fiber optics to this computer. Another one did the file transfers
between the accounts and the computer at the computer rooms and that
ftp was also possible without an account, but only to a few sites, like
oakland and so. That lasted for about a year, until that thing was
fixed in the router, but only at the Politechnik School. Says the legend
that the guys were downloading too much GIF and JPG pictures of Top
Models from a ftp site nearby. That spent so much bandwidth that the
site started to complain and both things happened: the site stopped to
store GIF’s of wonderful women in swimsuit and the router was fixed to
prevent ftp without a Internet account. One can still today connect the
outside world via telnet and many people have accounts in Internet BBS
like Isca BBS, Cleveland Freenet and like. The Bad Boy BBS was “in”,
until it went out of business. This kind of access is not good, though,
for it is very slow, sometimes. Also, it is hard to download something
bigger than 60 kbyte. The way I devised, downloading the file inside
the bbs and uuencoding it. This way you could list the file and capture
the screen listing, uudecode it after some editing and have a working
.exe or .zip file.

By these means one could, inside the Campus, do all downloading one
wanted, from anywhere in the world. Outside the campus, it is possible
to do it by phone lines, but: the Modem will not go faster than 2400
without character correction (no Zmodem at all). Which makes quite hard
to download compressed files. One could an account: that would be
possible by these means, but the amount of trash during the phone
connection would make it real hard to type in passwords and like. To try
doing any kind of thing but reading letters by modem is some kind of
torture. The real thing is to do it by “linha dedicada”, a special line
for computer transmission. It’s much more expensive though, but if you
have the money to spend with that…

Perhaps the best way to get access to an Internet account though is to
be part of the research project “Escola do Futuro” that among other
things get schools linked by the Net. That’s what I did and they pay me
quite well to search for data in the Net, for the students of those
schools. The University of Campinas is said to give all students a
Internet account regardless of knowledge of what-it-is, as soon as the
guy(girl) gets in. Of course here there’s BITNET also. That’s doomed for
extinction, but this or that reason keeps people from closing it down.
Most teachers use it, guess there’s even some post-graduation work
written about that. It’s easier to access via modem, also. Old habits
die hard.

Outside the Campus, for common people, there are few opportunities. The
only thing you can get, at least until the opening of commercial
internet sites, something about to happen one of these days, is access
by mail. You join one BBS with Internet access, and your mail is sent by
a Internet account later during the day. This is not a direct access,
as one can see, but it’s a easy way to access by modem. Problem is that
you have to pay if you use it too much. The BBS’s that do it don’t do it
for free, also. Connection to the Compuserve is also possible, but it
also costs a lot of money, for my point of view.

Because of the newspapers, the knowledge about Internet is spreading
fast and the number of sites is growing the same way everywhere else in
the world. Even the military people are starting with it. There are
plans to enhance it and make better connections, and some informative
material is being translated in Portuguese, like “Zen and the Art of
Internet” and made available in the gopher.rnp.br. There are many
mirrors from many famous sites, like Simtel20 and at least one Internet
BBS, the “Jacare BBS” (Alligator bbs, available by telnetting
bbs.secom.ufpa.br – 192.147.210.1 – login bbs. World Wide Web sites are
becoming sort of popular also, but still available only to a few people
who are lucky enough to get the access. Brazilian hackers are not very
fond of sharing the knowledge of how to get access and other things,
sometimes because of fear of losing it, sometimes because the greed of
it would overcharge the system. There’s no hacker magazine here, yet,
and very few people confess their curiosity about hacking for knowledge
for fear of not finding jobs. Anyway most would-be hackers either get a
job and stop hacking for fun or keep their activities secret in order to
pursue their objectives.

Today, Brazilian Hacker Underground did change a little. Lots of
magazines, dealing only with Internet Issues, are being published. There
is a hacker zine, the now famous “Barata Eletrica”. This and the hacker
list I created is starting to unite the computer rats, here. But I had
to stop hacking in order to write the e-zine. Too famous to do that.
Another guy just started the thing. He did not learn with my mistake and
is signing it with his name, also. Received lots of letters, even as far
as Mozambique, praising the material, which is very soft, for fear of
losing my net access. Twice my account was “freezed”. The people at my
site are paranoid. Suffered too much from break-ins already. Most BBS’s
are trying to turn themselves in Internet providers or else, to get
e-mail access. There was a fear the State would control the thing, like
they did with the Phone system. Can any of you guys imagine what it is,
to pay 4.000 US$ dollars for a phone line? In the City of Sao Paulo,
(look like L.A., one can say), that’s the average price. Cellular is
cheaper. Motorola rules. The public phone system was changed again. No
more “fichas”. At least for long distance calls. It’s a small card that
looks like plastic one side and magnetic material in the other. I’m still
trying to do 2600 meetings. Oh, once in a while, there is a break-in
here and there, and a hacker is interviewed in TV, but people are only
now making the difference between the good guys (hackers) and the bad
guys (crackers). With Win95, people are losing fear of exchanging
virus-sources files. The lack of philes in Portuguese makes it difficult
for people to learn about hacking. People who know about it, don’t have
enough time to write. I started to unite some guys to do a translation
of “hacker crackdown”, but that’s another story. I shortened the name of
the book to “crack.gz”. Guess what’s happened? My account is blocked up
to this day. They told me I’ll get my access back. One of these days.
One of these days I’ll re-write this article, and tell the whole thing
in detail.

Any Portuguese speaker that does not know about my e-zine,
try a ftp.eff.org mirror. The URL:
 ftp://ftp.eff.org/pub/Publications/CuD/B…

state of digital music

Music was such a simple concept before digital came along. A person bought a professional copy of the songs pressed onto an album. No one really thought about distribution and copy “rights”. Now it seems that everything everyone does is illegal. In other parts of the world consumers are just now getting the right to transfer music to their mp3 players.

The music cartels cry wolf so often now that nearly everyone thinks they are lying about their losses. Everyone except their lobby arm, judicial puppets, and the senators they keep in their pockets. RIAA slaps on new restrictions to consumer usage without giving anything up in return. In a balanced equation both sides must transact for the balance to work. For instance, Digital Rights Management (DRM) is a new assault on how consumers may interact with their purchase. In the past music was NON-RETURNABLE because a consumer could theoretically make a copy of an album (since the cassette days and especially with CD’s) and the assumption of honesty was never (ever) extended. DRM is supposed to make the latest music impossible to mass produce (only limited backups are possible) yet consumers are still not able to legally return purchased music if they are not satisfied. A balanced approach might be to allow the return of any DRM “protected” CD.

Due diligence is normally required of any and all legal transactions on the part of a corporation. If a lawsuit were to be launched against a customer then overwhelming evidence must support and justify the suit. Yet RIAA has launched over 18,000 lawsuits on the basis of network traffic from a hired 3rd party (bayTSP, media enforcers, etc). It is not possible that RIAA conducted a fair amount of due diligence before issuing all those “settlement offers”.

Software developers and consumer electronics makers must hire out armies of legal help just to figure out if they will find themselves in a legally “actionable” position. Note that I did not say they needed to know if what they were doing was illegal. This is of course an issue but sometimes what seems legal doesn’t matter since RIAA has a massive war chest to fund “expeditionary legal attacks” in civil courts