Michael's musings


This is a blog of
mcr at sandelman.ca

Thu, 07 Aug 2008

Bill C-61 and tcpdump -- my concerns

I am concerned that Bill C-61 will make possession of tcpdump, (i.e. having it installed on your computer), illegal.

Here is the thing: despite ample evidence that the TV "scramblers" were easily defeated, satellite TV operators have never actually deployed much security other than security-by-obscurity.

Even the "modern" digital systems, where you need to use a phone line to get pay-per-view, which could TRIVIALLY use public key cryptography to provide security, they do not use such systems.

Instead, they have relied upon litigation to prevent "theft".

Look at: http://en.wikipedia.org/wiki/FTA_Receiver

"Unlike traditional methods of pirate decryption that involve altered smart cards used with satellite receivers manufactured and distributed by the provider, piracy involving FTA receivers require only an update to the receiver's firmware."

"Periodically, the provider will change the processes in which encryption information is sent. "

But, if they are sending the encryption keys inline, then there is no real security. It might as well just be encoded in a complex way.

The Radiocommunications act says:

(http://laws.justice.gc.ca/en/ShowFullDoc/cs/R-2///en)

OFFENCES AND PUNISHMENT
Prohibitions
9. (1) No person shall
(a) knowingly send, transmit or cause to be sent or transmitted any
    false or fraudulent distress signal, message, call or radiogram of
    any kind;
(b) without lawful excuse, interfere with or obstruct any
    radiocommunication;
(c) decode an encrypted subscription programming signal or encrypted
    network feed otherwise than under and in accordance with an
    authorization from the lawful distributor of the signal or feed;
(d) operate a radio apparatus so as to receive an encrypted subscription
    programming signal or encrypted network feed that has been decoded
    in contravention of paragraph (c); or
(e) retransmit to the public an encrypted subscription programming
    signal or encrypted network feed that has been decoded in
    contravention of paragraph (c).

But the act does not define encryption. As the Supreme Court found that satellite systems were in fact "encrypted", and therefore protected (cf: http://scc.lexum.umontreal.ca/en/2002/2002scc42/2002scc42.html), that tells me that if I decode (not just "decrypt" as cryptographers would think) a signal, then I may be infringing copyright.

That's okay so far, as it's been the act of infringing that was illegal, so as long as I do not "decrypt" the wrong signals, then I'm okay.

But, C-61 makes possession of such tools illegal.

Note that tcpdump/wireshark not only decodes dozens of protocols (including some which have never had published specifications), but it also, provided with the keys, will decrypt IPsec ESP (VPN) packets.

I even wrote the ESP code --- because I needed it to debug VPN code. It's still very secure, because I have to provide the keys "out-of-band", but there are dozens of protocols which are not secure.

For instance, all of the emails that you send, web pages that are communicated between my server and your computer (including this one) have an implicit copyright. If I look at them transiting the internet, I may be violating your copyright! (Am I violating your privacy? Did you have an expectation of privacy? I'm not sure.)

references:
http://en.wikipedia.org/wiki/Pirate_decryption
http://en.wikipedia.org/wiki/FTA_Receiver
http://www3.sympatico.ca/dylan.reid/satellitetv.html
http://scc.lexum.umontreal.ca/en/2002/2002scc42/2002scc42.html
http://laws.justice.gc.ca/en/ShowFullDoc/cs/R-2///en



posted at: 14:53 | path: /legal | permanent link to this entry

Sat, 30 Dec 2006

Fantasy Tours + Travel

Many people in Ottawa have been getting ADADs calling them offering them cruises. You push 9 to talk to an operator.

These calls come from Fantasy Tours + Travel from Orlando, Florida.

Let me say that again for google: Fantasy Tours + Travel.

*69 said the call was from 613 232-7437, but I think I've also gotten calls on my cell phone which were dead air from 613-232-7627.

Make no mistake --- these calls are illegal. They are made by "Automatic Dialing and Announcing Devices", which are not to be used for sales.

See: http://www.crtc.gc.ca/eng/INFO_SHT/t1022.htm

Automatic Dialing and Announcing Devices (ADADs):

ADADs are equipment that store and dial telephone numbers automatically. They
may be used alone or with other equipment to deliver a prerecorded or
synthesized voice message to the telephone number called.

ADADs are permitted when there is no attempt to sell, such as:

    * calls made for public service reasons, including emergency and
      administrative purposes by police and fire departments, schools,
      hospitals, or similar organizations,

    * calls to collect overdue accounts, market or survey research calls or
      calls to schedule appointments.

ADADs used for the purpose of solicitation are prohibited, including calls
made on behalf of a charity, radio station promotions, or calls referring the
called party to a 900/976 service number.

Today, I managed to get Bell to actually take the complaint.

All my attempts to get the CRTC involved have been met with: "call the phone company". Bell told me that I should call the police, but they aren't interested.

I did not get a ledger number for my complaint; I will be calling back to attempt to get that. I will post that if I can.

I called 611 to make a complaint.



posted at: 15:18 | path: /legal | permanent link to this entry

Fri, 11 Aug 2006

Changes to carry-on luggage rules

I have several responses to the recent changes to carry-on items.

First, if I am unable to get water in sufficient quantities on-board an aircraft, then I will not fly. I already try to avoid it for all short-haul trips, but the lack of investment in inter-city rail, and the lack of connectivity between airports and rail stations in Canada severely restricts this. For instance, there is no reason for an airplane to ever travel between Ottawa and Montreal.

Not having the right to provide myself with enough water is a public health issue. Water is critical to being comfortable when flying. Many airlines have clued in and come through with water at frequent intervals, but not often enough.

Since Transport Canada is permitting the number of flight attendants to be decreased (1:75 instead of 1:50, I believe it is), the amount of water will decrease. Airlines therefore MUST provide more water. For the sake of the environment, I am happy to bring my own container, but that may be hard to audit.

Second, I am primarily a business traveller. I travel with my laptop computer. I avoid Air Canada whenever possible, since they simply do not provide enough space between seats to operate my laptop. I'm tall, but not overweight, and I don't fit in the seats. If you want to know why people get air-rage, look to the size of the seats.

My laptop, however, is a far greater risk than water. Having me turn my laptop on is not very effective: less than 50% of the space in the case of my laptop is devoted to the electronics that turn it on.

Thirdly, as a business traveller I understand that sometimes people want to have their wheelie case on board. It makes them feel important --- that they showed up at the last minute, and changed their ticket so quickly that they couldn't check their baggage.

Nonsense. We don't let people do that anymore, and if we do, I would suggest that this is an even greater risk.

People regularly put their bags above *OTHER PEOPLE*'s seats. I say that they should be banned as far too hard to search properly.

Finally, it used to be in Canadian airports, one was lucky to have a water fountain on the secure side of the airport. None of this shopping mall stuff. We've changed. We've given up large amounts of security so that we can shop. That's a significant security concern for me.

At Heathrow, you go through a second set of scanners before getting on the airplane. Maybe we should just move the scanners there, and stop pretending that the airport-shopping malls have any security at all.



posted at: 16:46 | path: /legal | permanent link to this entry

Fri, 21 Jul 2006

DRM adds no value

http://news.bbc.co.uk/2/hi/technology/5203146.stm

quotes:

"Our position is simple: DRM doesn't add any value for the artist, label (who
are selling DRM-free music every day - the Compact Disc), or consumer, the
only people it adds value to are the technology companies who are interested
in locking consumers to a particular technology platform."

Dave Goldberg, the vice president and general manager of Yahoo Music, urged
record labels to reconsider their stance on DRM technology earlier this year.

Wow. I couldn't say it better.



posted at: 15:44 | path: /legal | permanent link to this entry

Wed, 19 Jul 2006

The ISO layers of the legal code

{This entry written over a course of several weeks}

I attend a group called the "Gaggle", see http://www.goslingcommunity.org/ where I often argue, sometimes loudly (it's a sports bar, so everything is loud) with Russell McOrmond (http://www.flora.ca/russell/ ). Russell is my best friend, business partner and we were each other's best men.

So, it's often surprising how violently we can disagree. It's even more surprising when we are often violently agreeing. One problem that both Russell and I have is that often we argue with each other, often thinking that we are in fact arguing with the "enemy". It's kind of like honing one's skills, but often it gets in the way of actually communicating new ideas to each other.

Sort of like when the angry feminist goes into some store and asks to buy some bullets, and the clerk says, "I can't sell you those bullets." and the woman gets mad, assuming that the clerk is some kind of misogynist. The clerk finally explains, "No, it's not because you are a woman, it's because I don't have any in stock."

An on-going argument is about the end-to-end issues on the Internet, and what constitutes "upload" vs "downloading".

In general, I hate the terms. People who use the terms uploading and downloading are from the Bulletin Board Systems days, and from that kind of thinking. Unfortunately 99% of the users of the internet came to it sufficiently late, and via dialup and "residential high speed", that they actually have never really experienced the Internet of the 1980s, and the early 1990s.

Russell is also concerned about end-to-end issues.

(Please correct me if I am using any loaded terminology)

Russell explains that in Canada, "downloading" copyrighted works (such as an MP3) is not illegal, particularly if it gets put onto a levy'ed media such as a CDrom.

What is illegal is "uploading". So, the theory goes, I am permitted to receive materials, but I am not permitted to send them. I can make a private copy — so I can borrow your CD, and I can copy it. That's permitted. You can't take your CD, make a copy and give it to me. That's not permitted.

There is a lot of question of intent.

My major concern is that of enforcement.

At present a large number of "residential" ISPs (Rogers, Bell Sympatico) have a policy of "no servers", and they regularly block various ports, sometimes blocking all incoming packets with the "SYN" bit set. A TCP SYN packet is what is used to start communication with a "server". Any ISP that puts their customers behind a NAT, or encourages their customers to install NATs by not providing them with enough IP addresses is effectively blocking TCP SYN packets. Bell Sympatico GIVES people the NATs. (Who owns and controls them? That's the topic of another article)

It's not limited to residential services. A huge number of business people think that NATs have some kind of useful security function. The reality is that they simply cut off 50% of the functions of the Internet, which sometimes means that they cut out 50% of the security holes present in some desktop operating systems. Of course, you can cut out 100% of the holes by powering the desktop down as well. Since the NAT improves security by preventing legitimate uses, any measure that improves security, even if it prevents legitimate users, would by the arguments above, be legitimate. So, I would conclude that the power switch is much more secure than the NAT.

However, I do not believe that we need to prevent legitimate uses to improve security. Often we can improve one module's security profile, by moving appropriate functionality to another: for instance, exchanging files by FTP or SFTP is much smarter and more secure than doing it by email, but we don't do that because residential desktops do not have permanent identities on the network, and oh. yeah... that NAT. And people who exchange files are, by definition, evil.

As I explained that Friday (2005-05-27), I can't tell, as a network operator, looking at the layer-3 part of the packet (the IP header) if the traffic is an "upload" or a "download", or if it is a TCP SYN packet or not. (The two are not equivalent. I can certainly identify the TCP SYN packet, but the upload/download involves knowing intent, which requires much deeper packet inspection.)

The layer-3 information is the only information that a network element needs to look at. I claim that this is the only part of the packet that a network element is permitted to look at.

To understand my claim you need to have some history about phone tapping. Since 1984 in the US the pen register was formally defined. See http://en.wikipedia.org/wiki/Pen_register for a good history.

This is important --- access to the Pen Register is not considered a search, but at the same time, it isn't public knowledge. From the above page:

Ten years later the Supreme Court held that a pen register is not a search
because the "petitioner voluntarily conveyed numerical information to the
telephone company." Smith v. Maryland, 442 U.S. 735, 744 (1979).

That's why the law in 1984 was necessary.

The question is then: what parts of the TCP/IP stack are covered by Pen registry legislation, and what parts are not? The US Congress even talked about this a bit:

Border Issues Ashcroft

(search for "Pen Register". This from September 25, 2001, about the Patriot act. I don't know why it shows up under Canada.usembassy.gov...)

Another interesting link:

http://www.interesting-people.org/archives/interesting-people/200204/msg00112.html

And another: http://www.volokh.com/2003_05_04_volokh_archive.html#200272201

[Orin Kerr, 12:47 PM]

New decision on surveillance of Internet search terms: During the debate over
the USA Patriot Act, some opponents of the Act argued that the amendments to
the Pen Register statute (18 USC 2701-11) gave the government the power to
monitor the terms that users entered into Internet search engines with only a
Pen Register order. As the Electronic Frontier Foundation warned in its
analysis of the Patriot Act:

   Be careful what you put in that Google search. The government may now spy
   on web surfing of innocent Americans, including terms entered into search
   engines, by merely telling a judge anywhere in the U.S. that the spying
   could lead to information that is "relevant" to an ongoing criminal
   investigation.

As I explained in a recent law review article, this criticism is off-base (if
you're really interested, look at pages 644-648). Whether the government may
collect search terms that appear in URLs depends upon whether the search
terms are "contents" under the Wiretap Act, and does not involve the Pen
Register statute. Whether search terms are "contents" remains unclear, I
noted, and the Patriot Act unfortunately did not clarify whether the
government needs a Wiretap Order to conduct such monitoring. But the Patriot
Act did not lower the privacy protection offered to search terms. (This
hasn't stopped reporters from repeating EFF's claim as simply a factual
statement about what the Patriot Act does, but that's another matter.)

I mention all of this because yesterday the First Circuit decided a case
applying the Wiretap Act to the Internet that seems to conclude that URL
search terms are in fact "contents" under the Wiretap Act. You can read the
opinion here; read my summary of the case here. There are some analytical
weaknesses in the opinion and its scope isn't entirely clear (see the case
summary for the details), but the opinion supports the view that the Wiretap
Act protects URL search terms-- and it does so by interpreting language in
the Wiretap Act that was unchanged by the Patriot Act. In other words, the
opinion suggests that URL search terms are protected by the Wiretap Act, not
the Pen Register statute, even after the Patriot Act.

So, back to end-to-end.

If it is the case that only numbers disclosed to the ISP for routing are part of the Pen Registry, then I read this very clearly: the IPv4 header contains that information.

The TCP header (in which the SYN flag and the port numbers are) does not.

Anyone filtering on TCP headers without the permission of both parties is performing an illegal search.*
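
The layer split this argument depends on, as an added example that is not part of the original post: Python code that parses a constructed IPv4/TCP packet and returns the fields a router needs (layer 3) separately from the fields a SYN or port filter has to read (TCP). The function names, addresses and ports are illustrative assumptions.

```python
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header
TCP_FMT = "!HHIIBBHHH"     # fixed 20-byte TCP header
SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_sample_packet(tcp_flags, ip_options=b"", dport=80):
    """Constructed IPv4+TCP packet (documentation addresses, zero checksums)."""
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack(IP_FMT, (4 << 4) | ihl_words, 0, ihl_words * 4 + 20,
                     0x1234, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    tcp = struct.pack(TCP_FMT, 40000, dport, 1000, 0, 5 << 4, tcp_flags,
                      65535, 0, 0)
    return ip + ip_options + tcp


def layer3_view(packet):
    """Fields a router needs to forward the packet: IPv4 header only."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _len, _id, frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IP_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4   # IHL is counted in 32-bit words
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad IPv4 header length")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "protocol": proto, "ttl": ttl, "header_len": header_len,
            "frag_offset": frag & 0x1FFF}


def layer4_view(packet):
    """Fields a SYN or port filter must read: it has to step past layer 3."""
    l3 = layer3_view(packet)
    # The TCP header is only present in the first fragment of a TCP packet.
    if l3["protocol"] != socket.IPPROTO_TCP or l3["frag_offset"] != 0:
        return None
    tcp = packet[l3["header_len"]:l3["header_len"] + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, _seq, _ack, _off, flags,
     _win, _csum, _urg) = struct.unpack(TCP_FMT, tcp)
    syn, ack = bool(flags & SYN), bool(flags & ACK)
    # A bare SYN (no ACK) is the packet that opens a connection.
    return {"src_port": sport, "dst_port": dport, "syn": syn, "ack": ack,
            "connection_request": syn and not ack}


if __name__ == "__main__":
    opening = build_sample_packet(SYN)         # asks to open a connection
    payload = build_sample_packet(ACK | PSH)   # carries data on an open one
    print("same at layer 3:", layer3_view(opening) == layer3_view(payload))
    print("opening:", layer4_view(opening))
    print("payload:", layer4_view(payload))
```

Two packets between the same hosts give an identical `layer3_view` whether or not they open a connection; only `layer4_view` tells them apart, and neither view says in which direction a file is moving.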

Subsequent to when I started writing this entry, Sympatico announced they were amending their user agreement to get this kind of permission. That might be okay. We'd need to ask some critical questions before allowing citizens to give up their rights: did they have a choice? If all ISPs force citizens to do this, then perhaps there is a cartel? Some kind of collusion?

But, I have a simpler solution: any ISP that wants to do this is no longer a common carrier. They are now responsible for ALL content. Including the child porn found on a web server in Zealand that crosses their network.

But, back to "uploading" and "downloading".

In Spain recently, it was reported in IRC (I do not have a good official reference, but would welcome one):

(12:17:38) quanttrom: talking about P2P :  Section_Ei8ht writes "Spanish
Congress has made it a civil offense to download anything via p2p networks,
and a criminal offense for ISP's to allow users to file-share, even if the
use is fair. There is also to be a tax on all forms of blank media, including
flash memory drives. I guess the move towards distributing films legally via
BitTorrent is a no go in Spain."

In Canada, we already have the tax on blank media, and generally this has permitted "downloading" to be legal, while "uploading" is not legal.

Let's say that Canada passes a law making it a "civil offense to upload".

And let's say someone wants to enforce this law. How can (technically) they do it? Simple: do not let TCP SYN packets through to end users. Oh, wait. That requires a search warrant.

So the law enforcement agency has to have probable cause, and has to present a search warrant. That's okay, since they had to have probable cause for a specific end-user, they can't just let out a dragnet.

This is why I claim that nobody can tell (without a search warrant) if I am uploading and downloading, and thus, effectively, there can be no technical difference between the two operations.

Being able to enforce a law is one of the critical questions that law makers are supposed to ask. I conclude: you can not enforce such a law without violating everyone's privacy rights.



posted at: 23:24 | path: /legal | permanent link to this entry

Thu, 25 May 2006

Peace Tower clock killed by DMCA?

Well, not literally, but Howard Knopf jokes about this in his blog at:

http://excesscopyright.blogspot.com/2006/05/knopf-v-speaker-of-house-of-commons.html

The original point of the article: http://www.canada.com/components/print.aspx?id=891da412-8d83-418b-8617-c12c0533acdc&k=53721



posted at: 19:47 | path: /legal | permanent link to this entry

Fri, 19 May 2006

RMS Protests ATI

I too am not very happy with what ATI and Nvidia have done with their binary drivers only.

http://www.fsf.org/blogs/community/rms-ati-protest.html

http://www.zmag.org/content/showarticle.cfm?ItemID=9350

(curiously, ZNet says:

ZNet has begun to explore the possibility of converting to free software. If you would like to help in this effort, please go to the Free ZNet Project forums, register, and introduce yourself.

and gives the link: http://znet.2y.net/zbb/index.php )

It seems that the correct approach for companies that want to make pieces of hardware that offload work from the CPU is for them to create open specifications about how to interface to their hardware --- at the system level, and publish these.

DirectX and OpenGL, for instance, are two such specifications. They are unfortunately at the level of C-API, rather than PCI register definitions. As such, they need a driver part for the backend. If the video manufacturers could see their way to making it a higher level interface, there would be many advantages, including an obvious way to run accelerated video over networks.

My company http://www.xelerance.com/ is involved in making a better specification for interfacing to hardware cryptographic accelerators. This is called OpenBSD Cryptographic Framework (OCF), and we are proposing extensions that we call OCF level2. Unfortunately our interface is also at the C-API level, and we have to deal with the question: would we want to permit binary-only drivers?



posted at: 15:40 | path: /legal | permanent link to this entry

Fri, 12 May 2006

French plans about DRM

http://www.theregister.co.uk/2006/05/12/french_drm_concessions/ reports on Apple iTunes vs the French government.

It's interesting that the French government gets the concept that computer and network protocols must be open, and must be cross-platform. This is more than the Canadian government does ( http://www.sandelman.ca/mcr/blog/2006/05/03#canadian_online_census_violates_privacy ).

This is really very good news. I don't know much about the bill or the proposals to force DRM to be that way. I'm not clear that one can really have an open source DRM implementation --- if the DRM is actually well designed, then one would need to have some kind of private key embedded in the application, such that it can decrypt things, and the public key part would need to be signed by some industry consortium. So, the source code might be public, but the private key would have to be... private. I'm not sure how this can work, since the private key could trivially be reverse engineered out.

The alternative is that every citizen needs to get online and ask for session keys that permit the citizen to decode the content. That doesn't scale, and more importantly, there is little incentive for the citizen not to share the key.



posted at: 18:47 | path: /legal | permanent link to this entry

Wed, 03 May 2006

TV inventor's wife dies

The story of his life:

http://www.wired.com/wired/archive/10.04/farnsworth.html

and how RCA screwed him over for his patents:

http://righttocreate.blogspot.com/2006/05/invention-of-television.html



posted at: 19:18 | path: /legal | permanent link to this entry

Sun, 23 Apr 2006

more patent stupids

http://righttocreate.blogspot.com/2006/04/model-railroading-patents-update.htm

This was forwarded to me, and I found it interesting.

I gather, because I didn't read all the links, that there is some program that lets you control model trains with a computer.

I'll tell you what got me into computers: wanting to do exactly that. I was perhaps 8 or 9. I had a model railroad. I saw an issue of Model Railroader where they had a TRASH-80 as the block controller for a large model railroad. That was cool.

http://www.modelrailroader.com has back issue index. Hmm. Net is too slow to bother with their http://trains.com login, etc.

The pages are like: http://index.mrmag.com/tm.exe?opt=I&MAG=MR&MO=0&YR=1979

The site is frustratingly slow. What do you expect for "tm.exe", clearly this Windows 'server' box isn't optimized for "server" applications.

I looked through 1978,1979, and 1980. I didn't find what I was looking for. It was a big, perhaps Chicago based club that had this.

Sheesh, the MIT Tech-Model railroad club ought to have tons of prior art. Question is: did they actually publish something?



posted at: 00:34 | path: /legal | permanent link to this entry

