Zeroday 01100100011010010

US customers of game maker Blizzard are up in arms tonight as news of a new policy is set to require all posts on the Blizzard forum to use their Real ID system. That means that every post is accompanied by the real first and last name of the user. People are unsure what to make of this and I haven’t seen any communication from Blizzard stating why they are making this change.
I’m going to make the suggestion that South Korea’s Real Name System [is a driving force behind this decision]*. In 2009 South Korea’s government created a law that was meant to curb online defamation by insisting that all users who comment on sites with greater than 100,000 users per day must use their real name. The first US company to feel the effects of this law was Google. South Korea insisted the Youtube comments require all users to post with their real first and last name. Google got around this law by forbidding anyone with a South Korean IP address from posting to Youtube. Recently South Korea backed down and exempted Youtube from the Real Name system.
Given these facts it might not make sense why South Korea might enforce the Real Name system on Blizzard. My guess would be that the government is very aware of the immense popularity of Starcraft in South Korea. Some have joked it is their national sport. South Korea even has professional SC leagues with sponsors and packed arenas. I don’t think Blizzard can take the Google approach here and just ban South Korean users from posting to their forums. The South Korean market must make a ton of profits for Blizzard and unlike Google they don’t have revenue coming in from other sources.

* edit: fixed that sentence

My notes for the talk I gave to a group of distinguished law professors at the Seventh Annual Works in Progress Intellectual Property (WIPIP)

I am not a law professor
i am and am not a hacker.

the term hacker has undergone significant change in the last two decades so the meaning is ambiguous these days.
let me give you this definition and for the sake of the next 4 mins of my talk consider it to the the authoritative one

hackers are computer users who are adept enough to bend the function of a program to their will.

security researchers are much like the hackers of the 1990’s but unlike what the term has come to mean lately.

when researchers find security flaws in software they will generally contact the manufacturer. they are met with one of three responses:
1) disregard
2) deference
3) contempt

When met with contempt they have been threatened with law suits using a variety of novel legal theories. Reading though our history is like walking through a catalogue of existing IP frameworks. Patent, Trademark, Copyright, Contract and Criminal have all been used in response to an individual making claims that a product contains a security flaw.

examples:
In 2007 Chris Paget of security firm IOActive was going to give a talk at a security conference about the insecurity of HID badges. These badges are ubiquitous in corporate America and the issues he discovered need to be discussed. HID forced his talk to be canceled with the threat of patent infringement.

A few years earlier in 2005, researcher Mike Lynn had discovered a security flaw in Cisco routers. These devices are largely responsible for the backbone of the Internet. Interestingly Cisco had already fixed the flaw yet filed a TRO against Lynn to prevent him from talking about his work to a group of like minded peers at a security conference. In the aftermath of this incident Lynn had to agree to a permanent injunction forbidding him from ever talking about it again.

Lessig famously said that on the Internet “Code is Law”. I would like to reverse that turn of phrase for the real world.
“Law is code”
It is compiled by legislators and debugged by judges

And in this sense what the companies we write about in our paper did was impressive. They hacked the law. The bent these disparate legal frameworks to their will and used seemingly unrelated laws to silence researchers who were making claims that their product was flawed.

what our paper proposes to do is patch the law so that legal hackers can not continue to subvert the legal system anymore. And with that I’ll turn it over to Derek to explain how that would work. [pdf]

While digging through youtube html for another project I came upon this interesting error message.

msg[“koreaFail”] = “본인확인제로 인해 한국 국가 설정시 동영상/댓글 업로드 기능을자발적으로 비활성화합니다. We have voluntarily disabled this functionality on kr.youtube.com because of the Korean real-name verification law.”;

I looked into this a bit more and South Korea seems to have rallied around the death of a popular actress who killed herself due to online comments about her. The new “anti bully” law requires all sites with at least 100,000 users to verify the posters real name.

“The Cyber Defamation Law, as it’s called, went into effect on April 1st. According
to officials at the Korea Communications Commission (KCC), the country’s
broadcasting and telecommunications regulator, the law is an attempt to
quell the cyber-bullying and spread of misinformation on the internet.”

source: readwriteweb

Google is unwilling to collect this kind of data about its users and instead has opted to disable upload (and I assume comment) capabilities from South Korean IP addresses.

U.S. District Judge Michael Davis of Duluth, Minnesota has declared a mistrial in the only win in RIAA’s long legal fight against consumers. He also commented on the laws behind the copyright infringement claims of RIAA stating that they were “unprecedented and oppressive” for

non commercial p2p users

and intended only for operations which sought to compete with record labels.

Full quote from the Thomas ruling[pdf]:

While the Court does not discount Plaintiffs’ claim that, cumulatively, illegal downloading has far‐reaching effects on their businesses, the damages awarded in this case are wholly disproportionate to the damages suffered by Plaintiffs. Thomas allegedly infringed on the copyrights of 24 songs ‐ the equivalent of approximately three CDs, costing less than $54, and yet the total damages awarded is $222,000 – more than five hundred times the cost of buying 24 separate CDs and more than four thousand times the cost of three CDs. While the Copyright Act was intended to permit statutory damages that are larger than the simple cost of the infringed works in order to make infringing a far less attractive alternative than legitimately purchasing the songs, surely damages that are more than one hundred times the cost of the works would serve as a sufficient deterrent.
Thomas not only gained no profits from her alleged illegal activities, she
sought no profits. Part of the justification for large statutory damages awards in
copyright cases is to deter actors by ensuring that the possible penalty for
infringing substantially outweighs the potential gain from infringing. In the case
43 of commercial actors, the potential gain in revenues is enormous and enticing to potential infringers. In the case of individuals who infringe by using peer‐to‐peer networks, the potential gain from infringement is access to free music, not the possibility of hundreds of thousands – or even millions – of dollars in profits.
This fact means that statutory damages awards of hundreds of thousands of
dollars is certainly far greater than necessary to accomplish Congress’s goal of
deterrence.
Unfortunately, by using Kazaa, Thomas acted like countless other Internet
users. Her alleged acts were illegal, but common. Her status as a consumer who
was not seeking to harm her competitors or make a profit does not excuse her
behavior. But it does make the award of hundreds of thousands of dollars in
damages unprecedented and oppressive.

From Ars Technica:

Jones wrote in his opinion that equating each download with a lost sale is a faulty assumption. “Those who download movies and music for free would not necessarily purchase those movies and music at the full purchase price,” Jones wrote. “[A]lthough it is true that someone who copies a digital version of a sound recording has little incentive to purchase the recording through legitimate means, it does not necessarily follow that the downloader would have made a legitimate purchase if the recording had not been available for free.”

Fellow Free Culturist Kevin Driscoll calls out Soulja Boy in this Youtube recording after he received a takedown notice for a video entitled “Crank dat ROFLCon” (I think this is another copy). The irony here is that Kevin is also a grad student at MIT studying hip hop and music video. The video in question literally shows part of his ROFLCon presentation where Kevin explains the phenomenon of Soulja Boy and his rise in popularity due to spreadable media. Has Soulja Boy truly forgotten his roots? Kevin makes the claim that Soulja Boy would never have risen to fame without the thousands of remixes created showing people dancing to “Crank dat” and posted virally all over the Internet. For evidence see [1,2,3,4,5] as a very short list of the thousands out there. Does Kevin have a point? I have to agree that the takedown of his particular video seems strange and could in fact be the result of his label taking actions on his behalf. If Soulja Boy reads this he should email Kevin and let him know that he doesn’t intend to be played by his label and will tell them to back down from aggressive takedowns.

In a 1963 Supreme Court decision Justice Hugo Black opined that every defendant in a criminal case must have access to a lawyer. The right to a fair trial in an adversarial system such as US law depended on both sides having competent representation. Today a story broke about the recent RIAA cases here in Boston where a judge is mirroring the same sentiments. What is interesting about this is the cases in question are civil and not criminal. The RIAA has opted for civil prosecution in the majority of the file sharing lawsuits and for good reason. Civil cases have lax rules surrounding evidence and the defendant is not guaranteed a right to counsel. Judge Gertner remarked that “there is a huge imbalance in these cases. The record companies are represented by large law firms with substantial resources. [The] … counsel representing the record companies have an ethical obligation to fully understand that they are fighting people without lawyers… to understand that the formalities of this are basically bankrupting people, and it’s terribly critical that you stop it….” [warning: pdf]

Maybe its time for another “Gideon” to petition the US Supreme Court. How many thousands have capitulated to the RIAA because they can’t afford an attorney? Despite being tried in a civil court aren’t these cases criminal in nature? Judge Gertner seems to suggest that defendants in RIAA cases are not receiving fair trials which is supposed to be guaranteed by the 6th Amendment. While the 6th Amendment is about criminal law the spirit of it seems to suggest cases where the defendants lives are on the line. At the time of the framing I doubt any civil case could deprive citizens of all their money and possessions. The RIAA’s end run around our legal system is denying defendants “meaningful access to the courts”. How long will this country allow the RIAA to make a mockery of our legal system?

Three students have been sued by MBTA over research that was to be presented at Defcon this weekend. The complaint by the MBTA lists over (7) counts for damages including “affect[ing] a computer system used by the government entity for national security purposes”.
What is unclear is whether or not the researchers provided or attempted to provide the MBTA with access to the research first. According to the article at the Register they did. The complaint alleges otherwise.

One of the more amusing parts of the complaint is (61) where the MBTA says that Ron Rivest (a professor of these students) and the undergrads are bound by the MITnet Terms of Service and those apply to “key systems in the Commonwealth, such as the MBTA computerized Fare Media systems.”

More on this to come.

Use of application “Scrabulous” has been restricted

We’re sorry, but this application is not available to you. Please visit the Application Directory to find other applications.

Peter Suber has written a great post that should be read by anyone interested in education, open source, or what is known as Open Access. In my younger days I listened to the mantra of hacker lore, “Information wants to be free” and so the ideals of Open Access are quite appealing. This mantra seems to have mutated for me and today I personally believe that “Knowledge wants to be free”. Peter points out that, “In the age of print, publishers could control access to research they did not conduct, write up, sponsor or purchase. One reason is that publishers controlled all the effective channels of distribution; but that has changed.”