Real Internet Censorship: Burma

It is often hard to take seriously the small slights of willful and petty companies like Comcast when much larger issues are presenting themselves in other countries. The Open Net Initiative has just released a report on the total suspension of Internet and cellular services in the country of Burma. [pdf] The military junta which rules the country cut off all access to the internet and cellular towers on September 29th. Internet connectivity was then brought back online but only during daylight hours around October 4th. This may seem an odd time but the country has around a one percent Internet penetration rate. This means that most citizens will get their connectivity from cyber cafes. With martial law in effect it is much easier to pinpoint and surveil antagonists uploading damaging information. Full service is thought to be restored but it is surely still heavily monitored and censored.

There was nothing fancy in the way that Burma shut down access. It simply shut down all inbound and outbound connections in the country. The technical team at ONI used AS (autonomous system) reporting to track peering announcements from the neighbors of the two ISPs.

Burma AS Peering graphic
source: Pulling the Plug report from the Open Net Initiative.

Bypass Comcast Bittorrent Throttling

Comcast has been shown by the AP and others to engage in willful blocking of Bittorrent seeding. It does not matter if the seed is completely legal or not. Comcast has decided that a unilateral blocking approach is what they want. Comcast will send RST (reset) packets in both directions if a new seed is detected using technology from Sandvine.

A blog entry at TorrentFreak has some ideas on how to get around these blocks. It is still uncertain what the contractual ramifications here are for Comcast subscribers. Does Comcast stipulate that no Bittorrent traffic is permitted on their network? If they don’t then is it against the ToS to use features of the protocol to simply outwit them? Only time will tell on this.

from TorrentFreak:
1. Quite a few Comcast users report that forcing protocol header encryption completely eliminates the problems. This is the easiest solution since most BitTorrent clients support encryption. Please note that simply enabling encryption is not enough, it has to be forced. More details on how to do this can be found over here.

2. Another successful workaround is to run BitTorrent over encrypted tunnels such as SSH or VPN. BitTorrent over SSH works, but it will cripple the servers of the SSH providers if you plan to use it permanently. A VPN service such as Relakks or VPNTunnel is a better option, and it is worth a few bucks.

3. Comcast prevents seeding, if you’re on a private tracker, and want to share as much as possible, an easy solution is to lower your download rate. When downloading, make sure that you have met your uploading goal by the time that the download completes. The easiest way to accomplish this is to set a download rate slower than the uploading rate. This of course is not an optimal solution because your download will never be faster than your upload speed.

4. One of the best options, if possible, is to switch to another ISP.

Beansec! November 21, 2007

The next Beansec! will be Nov 21st @ the Enormous Room in Central Square.

BeanSec is a once a month security professional meet up in Cambridge, MA.

You can subscribe to the event calendar here.

Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.

Here is a map in case you don’t know where to find the ER.

Look for the red elephant and head upstairs!

Abuse of copyright

I’m always amused at how certain attorneys will wave the sword of copyright on behalf of their client. In a post from CL&P Blog a story is unraveled where a scam busting site has set its sights on a company called Direct Buy, Inc. I haven’t looked into the case of Direct Buy nor plan to. However the last paragraph of the C&D (pdf) sent by Mr Donald E. Morris, Esq. of Dozier Internet Law is extremely amusing. His letter states:

“Please be aware that this letter is copyrighted by our firm, and you are not authorized to republish it in any manner. Use of this letter in a posting, in full or in part, will subject you to further legal causes of action.”

While the FBI letters may be able to enforce silence on inquiries or demands I don’t think that Cease and Desist letters hold quite the same sway. To quote Justice Ginsburg in his Eldred v. Ashcroft opinion, “the fair use defense allows the public to use not only the facts and ideas contained in a copyrighted work, but also expression itself in certain circumstances”.

Those circumstances were defined in his opinion as “criticism, comment, news reporting, teaching, scholarship or research”. If the CL&P blog were attempting to resell the PDF as a boilerplate C&D to others who are hoping to squelch bad publicity I might not believe that their republication falls within the contours laid out by Ginsburg. Their republication of the letter within their blog entry appears to fit very neatly into the categories of criticism and comment. The republication is also used as a needed reference point to their response (pdf).

Dozier oddly has responded by putting their claims on their website and posting a direct response to CL&P. A quick look at the Dozier website shows a link to Cembrit Blunn Ltd & Anor v. Apex Roofing Services LLP & Anor. Dozier purports that this case shows “a court finding that protects the copyright of an attorney letter”. While this may seem interesting at first blush a more detailed look will disappoint. First the finding is in the England and Wales High Court. Second the issue of the letter was determined to be the republication outside of the Dansk group of companies of an internal communication containing confidential data.

“In my judgment the Letter was clearly a private internal communication written by Mr Jorgensen to Mr Fisher and Mr Bailey of Cembrit UK. It contained an expression of Dansk’s views about Apex, the reasons for the problems with the slates and the tactical approach which Mr Jorgensen thought should be adopted and it recorded his concern that litigation should be avoided, particularly if the claimants had a bad case. I accept the submission advanced by the claimants that it was plainly not intended for circulation outside the Dansk group of companies.”

The Cease and Desist letter was not some internal document sent between Dozier and Direct CD, Inc. It was an external document sent to those who were running the scam busting websites. All the facts of the C&D were known to the public so neither facet of the case they present is relevant to their claim.

note: The pdfs are hosted at citizen.org and I am linking directly to them. If those of you at citizen.org wish me to stop linking directly to you please contact me and I will stop.

non-ASCII characters

I do a lot of web scraping. Sometimes I need to send the data to other people and the fun non-ASCII characters I scrape will really freak other applications out. I needed a quick and dirty way to just screen out non-ASCII code. Enter Regular Expressions.
I’ve had a fondness for regexp since I first learned Perl. And my current language of choice implements all the goodness of Perl regexp.
The pattern is this simple:
/\x20-\x7E/ # ascii range
To filter out all the characters outside this range, simply put this pattern inside brackets and denote “not”:
[^\x20-\x7E]

My filter function simply states:
text = text.gsub(/[^\x20-\x7E]/, '?') # I like ruby

This trick was found on another Rails blog post which talked about using regex to enforce good passwords.
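An added example (not code from this blog) that takes the filter above two steps further for scraped input: it replaces invalid byte sequences before matching, since gsub raises ArgumentError on them, and it can keep tabs and newlines, which fall outside \x20-\x7E. The helper names and the sample string are assumptions constructed for illustration.

```ruby
# Added example: ASCII-only filter for scraped text.
# Assumption: input is meant to be UTF-8 but may arrive mislabelled
# (e.g. ASCII-8BIT from a socket) or contain invalid byte sequences.

STRICT  = /[^\x20-\x7E]/      # the post's pattern: printable ASCII only
RELAXED = /[^\x20-\x7E\t\n]/  # same range, but tab and newline survive

# Hypothetical helper: make the bytes safe to run a regex over.
def decode_utf8(raw, marker)
  text = raw.dup.force_encoding(Encoding::UTF_8)
  # scrub swaps each invalid byte sequence for the marker; without it,
  # gsub raises "invalid byte sequence in UTF-8".
  text = text.scrub(marker)
  # Normalise CRLF and bare CR so line endings are not turned into '?'.
  text.gsub(/\r\n?/, "\n")
end

# Hypothetical helper: the filter itself.
def ascii_filter(raw, keep_whitespace: true, replacement: '?')
  pattern = keep_whitespace ? RELAXED : STRICT
  decode_utf8(raw, replacement).gsub(pattern, replacement)
end

# Hypothetical helper: count what would be replaced, keyed by code point,
# so silent data loss is visible before the text is sent on.
def non_ascii_report(raw)
  decode_utf8(raw, "\uFFFD").scan(RELAXED).each_with_object(Hash.new(0)) do |ch, seen|
    seen[format('U+%04X', ch.ord)] += 1
  end
end

# Constructed sample: accented letter, curly quotes, tab, euro sign,
# CRLF line ending and one invalid byte (\xFF).
SAMPLE = "Caf\u00E9 \u201Cquoted\u201D\tprice: 5\u20AC\r\nbad byte: \xFF end"

if __FILE__ == $PROGRAM_NAME
  puts ascii_filter(SAMPLE)
  puts ascii_filter(SAMPLE, keep_whitespace: false)
  p non_ascii_report(SAMPLE)
end
```

On Ruby 1.9 and later each multi-byte character is replaced by a single '?', so the output length no longer matches the input's byte length.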

New AT&T ToS attempts to circumvent free speech

A few years ago I wrote a paper on contract rights constricting federally granted consumer rights (iTunes ToS forbids resale of legally purchased music). Essentially

ToS > “first sales doctrine”

A new AT&T ToS has gone a step further. In its new ToS the telecommunications giant has stated that those who harm their reputation will have their services suspended.

AT&T may immediately terminate or suspend all or a portion of your Service, any Member ID, electronic mail address, IP address, Universal Resource Locator or domain name used by you, without notice, for conduct that AT&T believes (a) violates the Acceptable Use Policy; (b) constitutes a violation of any law, regulation or tariff (including, without limitation, copyright and intellectual property laws) or a violation of these TOS, or any applicable policies or guidelines, or (c) tends to damage the name or reputation of AT&T, or its parents, affiliates and subsidiaries.

emphasis mine

Is it possible that:

ToS > free speech?

Free speech can be traded away by contract and the process is very common. I have signed numerous Non Disclosure Agreements stating that I would not reveal certain information to anyone else. However the commitment to silence was normally in exchange for a large paycheck and established through a separate legal document. Here the value exchange seems to be “you get to continue using the Internet and pay us for the privilege”. It is also really odd to see this placed within the bowels of a ToS. I have a feeling that this clause is never mentioned to prospective customers when they sign on and it is unthinkable that it could be forced onto existing customers.

In the early days of the Internet this would not be a big deal. There were so many ISPs that leaving one was a minor inconvenience of reconfiguring one's TCP/IP settings or dial up number. But as the consolidation of ISPs has come to a climax we consumers find ourselves with very few choices. In some cases a consumer subscribed to AT&T may have *no* other choices. This presents an interesting tension where a consumer who wants to voice dissatisfaction of service with AT&T may censor themselves in order to stay on the Internet. While it is still difficult to argue that the Internet is required in day to day life (such as other utilities like water, electricity, etc) it would not be a stretch to say that it is vital enough that bandwidth providers should be prevented from making these types of self serving clauses. One has to admit this seems like the behavior of a monopolistic actor in the marketplace.

It would seem that only companies with that much sway could proscribe “bad press” in a ToS. Others have remarked that the language itself is also extremely vague and would require no proof on the part of AT&T. Even a backhanded comment about speed on a blog could be construed as a violation of the ToS. Even worse all the parent companies and subsidiaries are covered. Would this mean that a blog about the dissatisfaction of a consumer's cell phone plan (under AT&T Wireless) could result in the suspension of Internet services? It would certainly be within their contractual rights.

Even this blog entry is suspect under the rules of the ToS and I am very happy to say that I am not signed up with AT&T right now. It will be interesting to see how AT&T defends or spins this story now that the national attention of legal and tech geeks has been turned to this document. Let us hope that the person who reported it doesn’t lose their Internet service for letting everyone else know.

EDIT: I have made a pdf of the ToS in the event that sheer embarrassment causes AT&T to silently modify the online document.