Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Slashback

Slashback: Imagination, Evasion, Watermarks 155

Posted by timothy from the ok,-you-only-learn-something-new-*some*-days dept.
Whaddya wanna hear? a) Microsoft's licensing practices, while never to everyone's taste, perhaps, seem to have mellowed at least a bit from the projected future of pay-per-reinstall. 2) The SDMI boycott you read about here lately has lost a key proponent; the reasons are unclear and so is the eventual outcome. iii) If Linux is too cool, BSD too smug, Windows too ridiculous, perhaps you need ... a truly infernal OS. N) Yet more proof that Carnivore and its ilk may be annoying and a threat to the average user, but hardly a sting to a wired criminal worth his salt. All below.

Frankly, this would have been just too silly. steveha writes: "Microsoft just changed their 're-imaging' payment policy. Companies buying computers that come with Windows installed can once again re-image the system hard disk without Microsoft demanding an extra license payment. Here is the official Microsoft document. Computer Reseller News had the story."

Burn baby burn. rpeppe writes: "briefly, you can download Inferno here, for free.

you might remember from a month or so back that the UK firm Vita Nuova obtained rights to Inferno, a next-generation virtual/embedded OS created by the likes of Rob Pike, Ken Thompson and Dennis Ritchie. Inferno uses many of the ideas from Plan9 but, unlike Plan 9, there are no restrictive hardware requirements - it runs as a "virtual OS" under Linux, Windows, Plan 9 and others, mapping the resources provided by the host OS into a standard form for programs running within Inferno, which will run without change on any platform running it (including on bare hardware, such as SA1100 or MIPS)

we've just made free downloads available (for any use) for Linux, Windows and Plan 9. the actual kernel is not open source, but the download includes open source for all the user-level code in the system (applications, libraries, etc), plus unix-style documentation so there's plenty to tinker with.

this is a system that is genuinely trying to address the problems that are "too deep for unix to fix" and includes all sorts of interesting takes on some of the original unix philosophy (after all, it represents 30 years of evolution from the unix original). plus it's a really nice environment in which to write genuinely (and elegantly) portable programs."

Taking the meat from the jaws of Carnivore. An unnamed correspondent writes "Found a nice article on the circumvention of Carnivore which details steps one can take to avoid big brother. Article is nicely written which has a strange reference to the NSA's Verona project of World War II."

Nothing here may be all that new or surprizing to those already interested in online privacy or cryptography in general, but if you ever need ammunition in an argument about the nice government versus slithering heroin-dealing kiddie-porn terrorists, it'd be nice to point out how accessable these methods are to all involved.

OK, who has what up their sleeves, and why? Fervent writes "Interesting twist in the SDMI boycott -- Don Marti's backing down a bit. Apparently he and Leonardo Chiariglione, executive director of the SDMI, talked and found ways to get along about secure music. The article is here."

I'll be impressed if the music industry or anyone else can come up with a high-quality music format which can't be effectively copied with a modicum of hassle. "Anything that can be read," etc. Thta's not about to stop them from trying on both technological and legal fronts. Of the two, I'll take technological any day.

This discussion has been archived. No new comments can be posted.

Slashdot: Imagination More

Slashdot: Imagination

Comments Filter:
  • Anyone remember http://www.atheos.cx ? It seems to have a lot of promise. It seems to be very light and hopefully, fast.
    Has anyone tried it?
    OSes seem to be getting bigger and bigger these days (I'm going by base installs, not kernel/whatever), something quick and small that stays out of your way is good. That was always the nice thing about DOS.
  • The court cases seem to hinge on whether or not you have an "expectation of privacy". This can get fuzzy, as in search and seizure of an automobile and its contents.
  • Carnavore would sit upstream from hushmail. Do you even know how Internet e-mail works?

    If you send the email to another Hushmail user, it never leaves their servers. They themselves admit that the email is no longer secure if you send it to someone outside of Hushmail. Do you know how Hushmail works?

    --

  • This can't be done if the vendors of the soundcards sign their drivers with a universal "secure music" key, and the SDMI music refuses to use anything other than a signed driver. These drivers of course will prohibit simultaneous sound in and out.

    This would not sell...
    Preventing simultaneous In/Out is called Half Duplex and today if your not full duplex (in and out at same time) your dead.
    This feature is needed for teleconphrencing and is used by on-line games for live verbal communication...
    This means the majority of Hackers, Games and busness people would reject it... thats about 100% of the markets that drives technology sales....
    Plus this dosn't prevent users from using TWO soundcards (Windows prevents it Dos, Linux and everyone else allows it so just don't tell Windows about the second card)

    Also mass market sound cards are 5 year old high end market cards. The new cards are allways for the high end market and eventually reach the mass market with many clones etc using same or slightly improved chip sets.
    Given this most card makers are not intrested in rewriting sound card drivers.. if SDMI dosn't work on the hardware allready on the market it's allready dead....

    Burocrats don't reproduce.. they just attempt to reproduce a lot... and throwing bricks at the equipment makes them only want to reproduce more on our freedoms than they do allready

    Signal11 holding a press confrence.. hmmm hay it works for Bill Gates... why not....
  • Is it one of the new LCD terminals that you shove slashdot on?
  • Well then why hasn't someone bothered to say decompile the windows executables and then take a look at the raw assembler make some raw C or C++ code from that and then modify it and then recompile it to give them what they need?
  • Heh. If you suspect that you are under surveilance by the FBI using carnivore (and that suspicion will either be paranoid or very very hard without well-paid judges) then there is of course, an infinitely easier way to circumvent it: Get a new ISP for the love of god. Or use public internet access. Or even just STOP DOING whatever illegal activity it is that you're doing. And I don't mean warez. The FBI doesn't care about that.

    Script kiddies. Sheesh.

    ---
  • Bravo. That's absolutely right.
  • >Obfusicating object code? Puhlease.
    Your right.. but people do it anyway...
    Oh BTW.. thats why Soft ICE exists... otherwise a normal decompiler would do the job FINE..
    So this only means you can't use a simple brain dead decompiler to rip out the source code and lay out out like an animal gutting open it's kill...
  • Why, to guard against insomnia, of course. Otherwise they could be sued by someone whose health has suffered because of lack of sleep while hacking at a truly advanced OS.

    Plus, unix-style docs are a good source of job security. Can you imagine how many techs would be on the dole if their bosses ever learned how to administrate their own computers? But one glance at unix docs is enough to send any PHB into convulsions.
  • You can't decompile Command.Com and make it open source becouse it's Copyright Microsoft..
    It's allready been cloned however.. more than once... the only thing preventing an open source clone of command.com is... why bother...
    Oh wait... FreeDos... Hay maybe they did it...

    Decompiling is pritty clean and easy to do adding libarys just shows up as "this libary linked here" it dosn't really effect anything...
    Obfuscating the code btw only screws up decompilers... Debuggers and hacking tolls are pritty much immune...
  • >The FBI really doesn't do Perry Mason-type investigations any more. They only have two tools in their kit, informants and wiretapping.
    >That's why they're so worked up about Carnivore, it's their only hope.

    In a sense, it should be easy to see that an incompetent FBI is a greater threat to average innocent citizens. viz. Steve Jackson Games, if nothing else.

    That said, anyone actually committing crimes who relies on the methods in the linked article is a damned fool and deserves what happens to them. The FBI may not be as immensely clever as the movies would have us believe, but law enforcement relies on more than one method to close a case, and isn't averse to hiring people who do know what they're doing to go over the evidence.
    ----
  • I suspect the carnivore system might be smart enough to ignore the last few lines of your emails, to get around deliberate tagging. The obvious solution is to build into mozilla something that adds html comments to html e-mail, so it doesn't bother the reader on the other end (if they have an html mail reader) which have complete sentences that sound really subversive and hit the right keywords. That way the comments can be hidden throughout the message, so the scanner doesn't see them clumped and ignores them. You'd have to be careful about the sentence generator, and make sure it uses some fictional noun in each sentence, so it's obvious it's only a joke. Now, I think that's a system that would be pretty powerful for clogging them up.
  • You're not thinking of corona are you? ;>
  • The material was intercepted during the war and cracked and exploited after the war.
  • Get a good digital camera, and send out a lot of pictures to your friends. Some may have messages. Most don't.
    A truly elegant little pearl in the rough, that .. this is an example of what hams like to refer to as a "fuzzy" mode, one that conveys the message but does it in a way that's not strictly digital encoding (especially if the original message is handwritten on a Big Chief tablet..) and not strictly analog either. These are *damn* hard to convert back into analyzable text -- really a non-trivial task, and one virtually guaranteed to either eat up a huge amout of CPU or require the intervention of some human eyes.

    Combine the major inconvenience with the dilution effect of sending *all* (or most) of your messages this way, and you're looking at a method that's crackable, but not in a practical way. It has the added advantage of being fun. ;-) Be forewarned, though, FBI agents are notoriously immune to humor ..

  • Re:SDMI (Score:2)

    by Kaa ( 21510 )
    This can't be done if the vendors of the soundcards sign their drivers with a universal "secure music" key, and the SDMI music refuses to use anything other than a signed driver. These drivers of course will prohibit simultaneous sound in and out.

    First of all, you can write a driver that keeps the original, signed driver in a handy closet and when the request for authentication comes, just pulls it out of the closet, shows it to whoever asked, and puts it back in.

    In other words, there ain't no such thing as a secure local client. Just ask people running multiplayer servers :) Or Bruce Schneider (www.counterpane.com).

    Not to mention that two PCs side by side nicely solve the problem of prohibiting the sound card to do simultaneous in and out (which is called full-duplex and is highly useful in real life).

    but sound card manufacturers could always monitor voltage drop on their boards and shut down if it increased suspiciously.

    You are confused. It's the RIAA that is paranoid. Sound card manufacturers want to sell hardware and tend to dislike boondoggles which increase the cost of the card while decreasing its usefullness.

    [re SoftICE solution] I hear they obfuscate the object code and include commands to crash browsers, meaning that this is not a skript kiddie task.

    It only has to be cracked once...

    5. Audio cable connected between INPUT and OUTPUT of soundcard.

    See above about signed drivers.

    See above about two PCs.

    Kaa
  • Not really. Those are just the same links that appear in the text, grepped out automatically, plus a few generated by keyword matches (e.g. Linux, Wired, etc.)

    Links to the original articles only appear under Related Links if timothy or the submitter included them.
  • There's a conventional copy-protection scheme, which is the first line of defense.

    SDMI is supposed to allow to *cough*securely sell digital music online. How do you copy-protect a file that you just downloaded?

    This watermarking is supposed to survive speaker/microphone transfer, but that remains to be seen.

    It may survive the speaker/microphone transfer, but I doubt it'll survive an attack specifically directed at it. Selective attack at a watermark is going to be orders of magnitude more effective than just adding random noise.

    The idea is that either you have a 100% SDMI-compliant system, or a 0% SDMI compliant system; nothing in between will work.

    That requires everybody in the world to throw out all their old hardware and buy new, and not just any new hardware, but SDMI-compliant only. I think the SDMI designers have a very good crack dealer.

    It's not that it's uncrackable, it's that cracked content only plays on special systems useful for little else.

    No, you got it wrong. It's the uncracked content that only plays on special systems.

    That's actually (yet another) big hole in this whole scheme. If I have a system that is able to crack SDMI (e.g. through soldering leads to my speakers' drivers), I can produce non-SDMI music files, say, plain-vanilla MP3. Then I can throw them out onto the net (Usenet, Freenet, etc. etc.) for people to use. Anybody will be able to play them. Only people with 100%-pure SDMI systems will be able to play SDMI files. Guess which format is going to be more popular...

    Kaa
  • I know legal consent is 15 in some states. I always found the intolerance of pedofilia very strange, as the human species sexually matures in the early teens. There are a number of studies that are dead and buried (although they once flourished over the net) covering the topic. It doesnt seem very sick to me. Then again, I prefer women with big hooters.

    Often wrong but never in doubt.
    I am Jack9.
  • In order to get the driver signed by Microsoft to be SDMI compliant, Creative will disable "what-u-hear" when playing SDMI audio. That's one of the requirements of gaining a digital signature that allows access to the Secure Audio Path of Microsoft Windows Media Digital Rights Management.
    <O
    ( \
    XGNOME vs. KDE: the game! [8m.com]
  • No, you type it into a java applet running locally on your browser, which communicates with hushmail's servers over some public-key-exchange encrypted channel (likely RSA, but that's a guess).

    So there are three points of attack:

    1) compromise your browser/vm.
    2) compromise the hushmail server.
    3) compromise the bytecodes intransit.

    Obviously number 3 is the easiest way to go. Interestingly, microsoft's ideas with signed binaries would be a [partial] solution to that. You would then have to

    4) compromise signer's certificate

    and as soon as that happens, basically the attacker needs to compromise the whole infrastructure, which we assume is impractical.
  • After reading the faq on thier website, I wouldn't trust this, especially with Carnivore -

    For one thing, it apparently 'shreds' the message after it has been read. Leaving aside the question of it truly deletes the message from evey machine it is stored on to the point that it could never be recovered, I thought that Carnivore is more a packet sniffer, and would intercept the message as it is being transmitted. Even though it is not using smtp it is still probably not enough to stop carnivore from realizing that data is being sent from a target machine. Yes, the data is encrypted but my second point, and most important in my eyes, is that they give absolutly no information as to how the message is encrypted. They use smoke and mirrors in there faq about 'level of encryption', quote : 'Unfortunately, there is no straightforward answer to this question, because "level" doesn't mean anything in the encryption world. ', instead of dealing with the real issue - that of the algorithm(s) they use. They obviously have some patent issues to deal with, but you would think that after the patent has been applied for they should be able to publicize the algorithms used in order to show that they really are secure. No encryption system should be considered secure for public use unless the algorithm is public.

    So, as far as I'm aware from thier faq, SafeMessage is little more than some proprietry email protocol combined with some proprietry encryption protocol(s) that has not faced any public scrutiny into thier actual effectiveness. Maybe I'm wrong, and it's the most secure communication system since crypto was invented, but untill I see proof (and more detailed information from thier website), I wouldn't touch it with a barge pole.

    TK
  • Just from a legal standpoint . . . where are you guaranteed privacy under (US) federal law?
    Strictly speaking, the burden is upon the government to prove that it has a right to acquire private information. One of the first principles of a constitutional republic is that the government posesses no "rights" or "powers" that are not delegated to it. The question is not whether we're guaranteed privacy - the question is where and how was the government authorized to violate our privacy?

    This is why many people argued against the Bill of Rights. Not because they opposed the right to a free press, but because they feared a legal culture would emerge that assumed only enumerated rights exist, and that other rights are not guaranteed. What do you think the 10th amendment is for?

    Of course, that's how it works in theory. Most people will let the government do whatever it damn well pleases as long as they've got a job and their house isn't being sacked by roving gangs.

  • That's what's so amusing about this whole debate. Everyone's screaming as though some big corporation is witholding water from drought-starved 3rd world countries. But in actual fact its the world's elite whining because the new geek toys might no work exactly how they want them to.
  • 2) The SDMI boycott you read about here lately has lost a key proponent; the reasons are unclear and so is the eventual outcome.

    Apparently, Slashdot likes to post trolls.

    OK, who has what up their sleeves, and why? Fervent writes "Interesting twist in the SDMI boycott -- Don Marti's backing down a bit. Apparently he and Leonardo Chiariglione, executive director of the SDMI, talked and found ways to get along about secure music. The article is here."

    This is not what the article says.
  • Holy christ that all sounds far too complicated. Um, sorry if I sound archaic, but WTF is wrong with simply recording it to a cassette tape and using your walkman/tape deck/ghetto blaster etc.? It's how 99% of the world's population still does it. Are tapes are "too low class" for your bourgeois tastes? Sheesh, what a bunch of spoilt brats you all are.
  • Ok so it's disabled in the driver.. It's still in the hardware..
    With Dos the driver is in each application... just run a Dos recorder under windows and you've bypassed the whole mess..
    In the mean time Mac, Linux, BSD, etc sound drivers are not signed and are full duplex at all times.
    New Linux sound drivers are allowing multi app accss to sound cards so more than one sound card can tap the card at once..

    Mac has similer issues plus Linux and Mac normally allow many sound cards so you can bypass this problem with two cards should they ever find a way to lock the single card into play only.. you use annother card for record...

    Older Macs and Sun Sparcs often have more than one sound chip.. one built in one on sound card.. both accessable...

    (the sound card is an upgrade from the older simper chip)

    I don't suppose BeOS "The" multimedia os would skip the ability to access more than one card...
    Ok so it's just one more thing Windows users can't do that everyone else using ANYTHING else can do..
    Oh wait... Dos.. yeah well I guess OFFICALLY Windows users can't do it... unoffically... muahahaha
  • Charon does so accept cookies, and it does that just fine. Why would you say it doesn't? It doesn't do Java or some of the more complex Javascript.
  • Fervent posted this [slashdot.org] before. He was criticized harshly for misinterpretting the article. So then he goes and submits it as an article??? What an ass.
  • Then send this and rely this to all of your friends in big ISPs eventually you will get a knock on the door. Seriously if I use pgp/gpg aren't I immune from the actual evesdropping since my communications originated and end encrypted? Hasn't this already been done with packet sniffers and the like?
  • Why copyleft?

    The alternative was worse?

    --

  • The really nice thing about DOS was that, because it was so simple, it was very, very fast. The V2_OS guys are trying to regain those magic days (although writing the whole OS in assembler is just insane). This Inferno might be fast on an embedded processor, but it sounds like it needs hosting inside another OS on a PC, which is a shame.

    I looked up AtheOS the other day. It does look interesting. Nothing revolutionary though - just seems like a slimmer Linux to me.

  • perhaps jane.something@sampleisp.com can't argue invasion of privacy as a law in the us (assuming you are correct about that). she could however argue on an illegal search and siezure(sp?) as they have searched the entire network and potentially seized information from her without probable cause (since they were, of course, looking for 'jondoe' and not 'jane.something'). protection against illegal searches and siezures *is* guarranteed in the us constitution. of course you'd have to have an excellent lawyer to argue that as courts seem to have something against information and computers currently.

    of course i am not a lawyer, but this is how it would seem to me.

    doktor eric
  • I'm pretty sure this is based on Forever Knight, the Vampire/Cop Show that premired on CBS's Crime time after prime time and ran a bit on SCI-FI.
  • Sorry, yeah, I meant that AtheOS is nothing revolutionary.
  • A SMDI player can refuse to play because your Audio channel isn't "secure" from end-to-end.

    Barring some radical new advance in speakers, I can just put a resistor in series with a tap, and hardwire it into the voice coil of the speaker, and run that back into the audio input of my soundcard. No worries.

    --

  • Translating asm to C or C++ is almost impossible. In the compalation process, there are a lot of one way translations, variable and function names are lost, etc.

  • I still am fond of ROT26.

  • My question is, what's to prevent one person who owns a copy of "BandX Live" from comparing a direct rip off their CD to the downloaded version and just locating the watermark that way.

    If the watermark is totally inaudible, what's to stop BandX from putting the SDMI watermark on the released studio album?

    Alex

  • I imagine that a SDMI watermark is generated on the fly. The watermark probably encodes the owners info, the duplicate level, and other permissions. Perhaps on the CD, there would be some sort of default watermark that would just say "This is a first generation master; it may/may not be duplicated X generations", but I imagine for DL'd music or music you duplicate yourself, the Watermark would have to change. Just like on a Minidisc where it keeps track of what level the duplicate is and prevents X generation copying, that has to be altered each time a copy is made.

    So again, if you can see where the watermark is changing, can't you still excise that location? Or is the watermark somehow checksum'ed? Perhaps if each copy permutes the entire song, it would be more difficult.

    Of course, if the Watermark *is* generated on the fly each time, that makes having a standard diff of the watermarked track difficult, but still not impossible.

  • Charon accepts cookies just fine. um, you did read the man page, right? RIGHT?!? `man charon`, buddy. it's got problems with some JavaScript (thanks to crappy standards and Netscape and IE pretty much ignoring them anyway), and no Java at all (thank God), but it's got cookies, and is quite usable. i'm using Charon to post this, logged in and all.
  • > The FBI isn't stupid.
    They built a box that needs to run unmaintainned and unobsured for long piriods of time....
    and used Windows...

    There are quite a few operating systems that could do this job quite nicely... including Dos...

    The FBI may not be stupid but whomever designed this box isn't the first person I'd turn to when it comes to turnning on a flash light....
  • Nothing. However, it'd be dramatically less useful. If everyone buys a watermarked track online, they can identify the individual who released it. If you rip the CD and use that, all they know is that one of the 500,000 people who bought the CD did.

    (Note that this assumes buying things online actually works this way. It's extremely likely that someone will figure out a way to compromise that scheme and there is always the "Give a wino some booze after he buys it for you" approch, involving either those kiosks they've been talking about or an Internet cafe.)

  • There are three parts to the SDMI scheme.
    • There's a conventional copy-protection scheme, which is the first line of defense.
    • SDMI audio is watermarked so that SDMI-compliant devices, including USB speakers, won't play it without authorization from the authentication system. This watermarking is supposed to survive speaker/microphone transfer, but that remains to be seen. (If that really works, we may see watermarked live performances.)
    • There's a handshake scheme so that all peripherals (and maybe everything on the LAN) have to do a cryptographic SDMI handshake before any protected content will play. The idea is that either you have a 100% SDMI-compliant system, or a 0% SDMI compliant system; nothing in between will work. The SDMI designers figure that while building a 0% SDMI system is possible, few people will bother, and it will be so nonstandard it won't be very useful.
    Anyway, that's the concept. It's not that it's uncrackable, it's that cracked content only plays on special systems useful for little else.
  • I think the artical assumes Carnivore is a Windows box not an FBI agent...
    If all Carnivore dose is log all data... he's toast..... If it accually dose some work then it's brain dead easy to bypass a simple scanner...

    Someone else made a recomendation that bypasses even an active log.... (Same thread right here) good thinking guy... :)

    How? Get an new ISP... blah
    and one my mother wants to do anyway...
    Get a free account (for herself not for me.. I like my radio IP...)

    Yeah... now how to tap my line... I"M USING A RADIO IP for cripes sake it's pritty braindead to read every packet I transmit

  • Re:SDMI (Score:2)

    by adamsc ( 985 )
    This one-level of analog that the sound passes through is NOT the kind of lossy problem that people try to make it into. It's just a piece of wire that the signal passes through, not a cassette tape or anything that adds appreciable distortion.
    I'd go so far as to say that unless you used the cruddiest cables you could find, most people would never know the difference. Besides, MP3 conversion will be far more noticeable and it's still acceptable to most of general populace.
  • Maybe you should think about this one a little harder; the NSA is smart enough to know that ignoring any part of the data they capture would make it the ideal covert channel. -- the clueless American pigdogs with their sig parser will never see this message. Attack at dawn.
  • Cause your 2400 baud modem is too slow. Do you feel Echelon owes you a faster modem?

    Oh yeah, and your comment is pure abstract crap. Don't disregard extant solutions without a valid one of your own.
  • Don't forget the value of steganography. It'd be exceedingly difficult to tell that one person's random-looking grep bait is generated according to the data they want to transmit while the other 99.9% of the people sending messages with X-Echelon-Bait headers are generated from /dev/random. Since a good encryption system's output will be close to random, even a very simple system using a custom dictionary could sent 6-10 bits of encrypted information with each word choice. More complex systems would be much harder to track.
  • sure thing, job 13...

    ;)
    eudas

  • Re:Carnivore Avoidance Methods (Score:1)

    by Anonymous Coward
    HAHAHAHAHA! I have been communicating my secret plans with my fellow terrorists by sending innocuous sounding messages about the weather and my cats, with our plans appended after the "-- "

    --
    send the uranium to secret meeting place #4 for final device assembly! The cities of the infidel americans will drown in the blood of the unholy tonight!

  • If you send the email to another Hushmail user, it never leaves their servers. They themselves admit that the email is no longer secure if you send it to someone outside of Hushmail. Do you know how Hushmail works?

    I happen to know that the data you type in to your email does not just magically jump through the air through TCP/IP by Magic Fairy, and therefore the data itself, as well as the face you were connected to hushmail, is obvious to anyone sniffing traffic. What's the security? https? Yeah right.

  • angstridden wrote:
    Frankly, I was quite underwhelmed with the suggestions. They all basically add up to cheap, low-tech encryption or security by obscurity methods. Some were flat-out wrong. Going through an email proxy doesn't help if they're sniffing your connection by IP address. I'm not convinced that Carnovore doesn't do this (nor am I convinced that it does. But I wouldn't base my security strategy on the weaker assumption). Likewise, forging an email address is not going to trick the system. The FBI isn't stupid.

    Hear, hear. Almost nothing is known about Carnivore's technology. Just about the only thing that is known is that it is installed under a warrant, the same as a telephone wiretap. In order for this to happen, the FBI will have to have had sufficient circumstantial evidence already in order to lay out their case to a judge. They will have made the decision to dedicate scarce manpower and equipment to the investigation of a particular individual, you. If Carnivore is sniffing you, as a practical matter, they must already suspect you of a crime.

    In this case security by obscurity is nonsense, as is any kind of chaff or spam. The reasonable assumption is that the design of the system includes user specificity -- that is, even if you make the assumption that this hearsay about Carnivore is correct, and it searches by keyword, that keyword is very unlikely to be "bomb", and instead is very likely to be "youremail@thisisp.com", if it's a mail sniffer; and your.logon.IP.address if it's an IP sniffer. I'm guessing from what I've read that it's more the former than the latter, but both are equally technologically possible.

    Thus, if you are possibly the target of an investigation, it would be reasonably prudent to assume that all your email (or possibly IP traffic) is logged at whatever choke point. This leads, of course, to desperation measures: move all criminal communications and activity to the Big Blue Room Backchannel; or use strong encryption, or just possibly steganography on what you do send. Either is risky, since Carnivore's presence means that they are trying to build a case against you, and once that case is built, they will have no compunctions about seizing the equipment you used to send those communications. Commonly, of course, that will give them all the evidence they will ever need -- the standard level of security, as most slashdotters should know, for almost anywhere, being "hoping nobody ever looks", or password="password" or foldername="stoleninfo". The wily criminal will have used Blowfish or equivalent to completely secure files, but even Blowfish has vulnerabilities, because Windows and other computers have pesky needs to write files on different parts of the disk while they're in use.

    No, if you even have an inkling of a suspicion that the FBI is pointing Carnivore at you, best to melt your hard drive before they can get to you. One day, whether because of your computer, or because everyone has talky friends, they'll get a warrant to at least see what the hell you've been doing.

    Now to the greater question, the legitimate worry that privacy advocates have regarding Carnivore's overspill capability. That is, just like the White House lost months worth of e-mail archives because of a sloppy search parameter (whether that was intentional I'll leave up to the reader), Carnivore could very easily accidentally log traffic that does not belong to the target of the investigation.

    Once again this information will be standard internet e-mail. E-mail contents may be obscured, but e-mail recipients and senders cannot be -- and you can tell a lot about e-mail just by who sends or receives it. Those mails to "patrick naughton" just may not go unnoticed. It would be illegal to do so, but it wouldn't be the first time a law enforcement agency developed a lead based on illegally-obtained information. In short order you'd be back in the original situation: whatever you do being logged, whatever you send, even if encrypted, being noted for its circumstantial nature.

    Bypassing Carnivore is technically possible, even if they're doing packet logging. Encrypted VPN, SSL, and other techniques could allow you to connect to a remote system and do what you need to there. Again, however, the where is easily determined, and the remote system would become the focus of the investigation.

    Really, I don't think that there's an easy "defense" against Carnivore. The defense is in not attracting suspicion in the first place, and if that's too late, by pathologically practicing probably-impossible levels of security both in communications and on the node systems. It's like suggesting there's a defense against the cops staking out your house. All you can do is move the allegedly criminal activity elsewhere.

    Note that none of the above assumes that you are involved in actual criminal activity. I know someone who works for an attorney who is under federal indictment for a fraudulent land sale that was arranged by a client, and who involved my friend via a forged signature. I know that my friend is completely innocent, although I can't with certainty say the same about the attorney. Mostly, it looks like it was a tax investigation of the client that ballooned into a fishing expedition and found this one thing. Anyway, I wouldn't be surprised if the FBI had used Carnivore at some point in this investigation, as some documents were exchanged by e-mail. Possibly my friend's personal e-mail. Possibly, thereby, my e-mail between myself and my friend. Innocent activity, all of it, but still subject to investigation. Frustrating as hell, and arguably a form of harassment, but probably completely legal. Now, in practice, they haven't seized any computers here -- I'm just saying that this is an example where they could very easily have obtained a Carnivore warrant.
    ----
  • Anyone know what this one is based on?

    Looks like episode 117 of Forever Knight [fkfanfic.com]...
  • I know this is a joke, but:

    10. Write a device driver that emulates a soundcard. Dump output to disk. Optional - sending to the real soundcard. Bonus points if you use DirectSound.

    This can't be done if the vendors of the soundcards sign their drivers with a universal "secure music" key, and the SDMI music refuses to use anything other than a signed driver. These drivers of course will prohibit simultaneous sound in and out.


    9. Attach leads to the DAC of the soundcard, design daughterboard to resequence for raw wave output. Optional: 64MB stick of RAM and a memory overlay for copying back out to the system. Estimated cost to hire an EE to do this: $25k


    An impractical idea, but sound card manufacturers could always monitor voltage drop on their boards and shut down if it increased suspiciously. Don't think anyone's seriously going to do this though, not in mass quantities.


    8. SoftICE, a pack of mountain dew, and an SDMI decoder.


    I hear they obfuscate the object code and include commands to crash browsers, meaning that this is not a skript kiddie task. And what if the obfuscation differs between each copy of the SDMI binary on each users machine? Eventually this becomes a big pain in the ass and not sufficiently general to pirate music.


    7. 15 minutes alone with developers of SDMI and a backpack full of bricks.


    Yes, I believe there is a backdoor in there somewhere. Probably would work. It's criminal, but hell, they'll be passing laws chopping of the right hands of MP3 traders pretty soon, so where's the risk differential?


    6. 45 minutes alone with legislators who signed DMCA into law, backpack full of bricks (note: bricks may be damaged by contact with thick heads of legislators - Aim lower)


    Unfortunatley, beaurocrats seem to spawn asexually.


    5. Audio cable connected between INPUT and OUTPUT of soundcard.


    See above about signed drivers.


    4. Hold press conference. Compare SDMI to DivX. Drop plenty of rumors so retail outlets won't carry it without large cash advances.


    Attention The World At Large! Signal11 sez...


    -konstant
    Yes! We are all individuals! I'm not!
  • Wow, he ripped that one entirely!

    Thanks, I probably should have been able to figure that out; I watched Forever Knight a few times, and I thought it was alright, and somewhat similar to the Highlander TV Series.

    ...I just couldn't figure out what this one had to do with the usual topics; Microsoft, Open Source, and whatnot. At least it had Natalie Portman, eh? :)
    ---
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
  • And extremely easy for them to crack/fix. (P.S On a related note there seems to be a web hosting/internet access company that I saw caled Echelon hmmm...) Basic statistics would indicate that if you have say 20 keywords in one single message and that they are all the same type of words that it would be a little suspicious wouldn't it? Also even if you wanted to clog the system what prevents the NSA from actually using beowulf techniques and analyzing data at a later date? Here is what I would do if I were the NSA: 1. Get a whole bunch of programmers who are paid well (and threatened sufficiently) that they code an adaptive system to look for keywords. 2. Get say 10,000 computers in several buildings and in fact place monitoring computers all over in various areas which you wouldn't syspect them to be like walls and various government contractor locations. 3. Get a nice OS like Plan 9 or Inferno and create a distrtibuted app around the one in 1. 4. Divide the network traffic to analyze from 3 and divide in amongst thousands more computers in a distributed fashion. If a computer dies it's work will be picked up by another computer. In this manner it would be trivial to get most of the major perpetrators who are too stupid to use encryption or are using weak encryption.
  • Remember - if they ignore anything, you can communicate with it. If they started ignoring sigs, someone will work out a scheme to send data using random-looking words. They can't afford to ignore even things like email headers - someone could send data using the hostnames in the Received: header, where the hostnames are valid but the choice conveys some meaning.
  • I believe he means your computer hardware, stereo and speakers will all need to be SDMI capable with some way to verify this to the player, or it won't play.

    Now, did you ever hear about how guitar players used to get that super distorted, screaming guitar sound at a reasonable volume level? It involved a sealed (soundproofed) box with a speaker and a microphone. Remember, it only has to be cracked once...
  • Cops lie...take this account Hosting a kegger at my house 2 days before classes start here at UK [uky.edu] (America's next great university). I'm the only smoker living in the house so I am outside with a few other people smoking and drinking a beer.

    Lexington PD rolls up, says they received a noise complaint, funny, the neighbors on all sides are here, and I had just came from the street, stereo was inaudible. They ask where the keg is, I lead them around the backside of the house, they ask have you been serving minors "no of course not officer, please check the IDs on the people that were outside with me" (12 21+ year-olds.)

    They ask can we come in, I mention that they don't have a search warrant, they cite me on a bullshit charge

    126.90 to Fayette county, just because I don't smoke in my house

  • Bear with me on this, but the Watermark is supposed to be hidden in the audio signal of the track, correct? And this form of security-through-obscurity approach basically prevents you from removing the Watermark because you don't know where it is.

    Well, assuming I'm BandX and I record my new CD "BandX Live" and I want to release my hit single "It's Not Goatse.cx" for paid download as a SDMI-watermarked track. So, I take my CD, rip the track, slap the watermark on the track and release it.

    My question is, what's to prevent one person who owns a copy of "BandX Live" from comparing a direct rip off their CD to the downloaded version and just locating the watermark that way. Once that is done, I imagine you can generate a list of altered bytes. Package that list into some form of standard format compatible with a de-SDMI program (call it "The SoDMIzer") that can take a track and the byte list and remove the watermark.

    So all you need is an on-line repository of the byte-lists (or whatever, I'm sure there's a more elegant way of diff'ing the tracks) and the problem goes away.

    It's an extra step, but not a big one. What's the catch?

  • troll wrote:
    PROVE it works. It has never been shown to work.

    Good gravy, man, I could write a Carnivore sniffer myself sitting in the vanity room. It's dead simple to log traffic, and Carnivore aside, there are hundreds of tools that already do it.

    The fact that the government is using it is, by itself, evidence that it works to at least their satisfaction.

    You may be confusing Carnivore with Echelon. Echelon scans broad swaths of public traffic looking for things to listen to or read carefully. Carnivore, though, is aimed at specific users. The difference in scale is tremendously important.
    ----
  • The only reason they get away with it is because nobody plays SDMI music.

    Vendors are still free to provide 'non-certified' drivers on their websites that are fully functional, except for the fact that the SMDI player can refuse to use them. (Most clueful people run with the more up-to-date non-certified drivers, so this should be enough user pain to prevent SDMI from making any traction in the short term.)

    A side effect of all this is that you'll probably never see a SDMI player for any open source OS (including Apple Darwin/OSX?!).

  • Hee, it's sure a hot operating system!

    Oops, the great heat is already burning out my brain, and extremely bad puns are dribbling out of the charred remains.

  • It's a convience thing. Dedicated MP3 computer plugged into the stereo let's me easily play all the music in my collection, in any order I want, with no annoying lags for a CD changer to swap discs or for me to get up and physically replace a tape. If I want a custom mix for the car it's a helluva lot easier to sort a dozen songs on the computer in the order I want and burn them to CD. MP3/Vorbis type technologies give the user far greater control over how he/she is able to listen to music. Plus I don't even own a tape deck.

  • It took me 10 minutes the other day at work to find and get connected to a local free internet service. (wanted to do something the firewall doesn't allow)

    I had to fill out some marketing questions but there was no way to check to see if I was lying about who I was.

    There are so many of these free internet connections avalible now that it would be tough to monitor them all looking for a particular user.

    If you had a laptop with a modem and were willing to move around it would be even harder.

  • I have thought about it. Most keyword bait .sig files consist of a long list of words devoid of any semblance of grammatical structure, and probably 90% of them are copies of someone else's .sig. The vast majority of them could be mechanically discarded by anyone with a basic background in natural language parsing -- and I rather suspect the NSA has plenty of those.

    The point is that in a battle between automated systems, the better programmers generally win. Outsmarting automated systems requires intelligent, creative thought. Lazy, automatic work, even if done by a human, is vulnerable to automated attack.

    -- the clueless American pigdogs with their sig parser will never see this message. Attack at dawn.

    This would get through once, be flagged by a human reviewer as harmless nonsense, and not show up on their monitors again. Come up with an automated .sig generator, and you will be repeatedly flagged until you cross a critical threshold, at which point automated systems will just ignore you until you exhibit some novel behavior, like encrypted .sigs or unusually long contents. Even then, a flexible and adaptable monitoring system will be able to filter you out.

    I rather doubt the NSA does very much keyword filtering for the same reason that keyword-based search engines are increasingly useless on the web. It is more likely that they use some fairly sophisticated natural language parsing engines and n-gram analysis, or something on that order.

    --

  • I have thought about it. Most keyword bait .sig files consist of a long list of words devoid of any semblance of grammatical structure, and probably 90% of them are copies of someone else's .sig. The vast majority of them could be mechanically discarded by anyone with a basic background in natural language parsing -- and I rather suspect the NSA has plenty of those.
    Yes. Nobody is seriously proposing just putting the plaintext message in a sig, as that would be too easy to catch. However, consider if I built a list of a few hundred bait terms and had a perl script generate the word list to embed a few bits of a message in each word choice; if they weren't even analyzing anything which appeared random, they'd never even look further. Of course, if you were using some sort of encryption first it'd probably be impossible to prove that it was a covert channel unless someone screwed up while implementing it. With a sufficiently large quote file you could have a random, innocent sig used as a codeword, which would be inconvenient for most people but certainly workable for a well-organized but geographically-dispersed group.

    Still, if you ignore it, people will use their .sigs to pass data. If you analyze them, you'll have a huge amount of chaff to search and only be able to hope that the people you're looking for screwed up on implementation. Bit of a lose-lose situation, really.

  • Here's an interesting idea. What about running Windows under something like VMWare in linux?

    As far as windows can tell everything is legit. You could hack up the Linux surrounding it to let you do whatever you want.

  • Depends whether VMWare emulates the real hardware of a certified soundcard, or uses a non-certfied 'dummy' driver to talk to the Linux sound device.
  • Do you have an analog amplifier or speakers? Whoops! A SMDI player can refuse to play because your Audio channel isn't "secure" from end-to-end. Makes it hard to play the music you want to if you have to buy all new equipment and a new OS...

  • You are apparently misunderstanding SDMI. SDMI is a watermarking system. Basically, they use a form of steganography to embed an identifying mark in the music to say who originally bought it. This identifying mark is supposed to survive all attempts at copying at a reasonable fidelity, even analog ones.

  • Comment removed based on user account deletion
  • I seriously doubt any sound card manufacturers will want to cripple their products in such a manner, and so wont release SDMI signed drivers, leading to the death of SDMI.

    It's happened:

    Microsoft digitally signs drivers that pass the Windows Hardware Quality Lab (WHQL) tests to assure consumers that they are using the highest-quality drivers. This practice is standard and guarantees the authenticity of components because the signature cannot be forged, nor can the code be modified without destroying the signature. To learn more about Windows Hardware Quality Labs, see the Windows Hardware Quality Labs page at the Microsoft Web site.

    Source [microsoft.com]
  • Your points are quite valid. I didn't mean to suggest that it was impossible to pass messages under the nose of the NSA using steganography and encryption, just that most naive techniques for mucking up the works of NSA automatic monitoring tools are probably fairly easy to filter out, especially with the kind of brainpower the NSA has working for it.

    Hard work and careful thought no doubt could muck up the works. The benefit of success is that you begin to receive tell-tale signs that you've pissed someone off: your ISP mysteriously loses your account -- six times in as many days; your computer seems to be suffering from some kind of high-intensity, highly-focused EMF interference; bland-looking guys in black suits move into the next apartment over, etc. ;-)

    --

  • Worse-case instructions for defeating SDMI (Score:4)

    by adolf ( 21054 ) <flodadolf@gmail.com> on Thursday September 21, 2000 @11:29PM (#763018) Journal
    Warning: This post may (at the present time, or some future point) voilate the DMCA.

    It's easy to record SDMI-protected music, even with 'digital' speakers that use bullet-proof encryption, and tamper-resistant enclosures.

    All speakers, even 'digital' ones, at some point produce an analog signal.

    All speakers of the dynamic type (read: cheap, common) have fly leads heading to the voice coil, which sit directly beneath the cone, that carry this analog signal.

    Tools required:
    1 beer, any size
    1 printed copy of the SDMI spec
    1 printed copy of the DMCA
    1 drill
    1 large drill bit
    1 sharp knife
    2 alligator clip-equipped wires, per speaker
    1 suitable connector, per speaker

    Optional: Variable potentiometer, and/or large-value resistor

    Instructions:

    Determine where the driver/cone (whichever you want to call it) is located inside the speaker enclosure. Drill through speaker grill in the approximate center of te driver. Having done this, the dustcap of the driver should be visible, and perhaps the fly leads as well.

    If you can see the end of the fly leads (they look like two small bumps, encased in goop), skip this paragraph. Else, cut away the dustcap using your knife to expose the flyleads.

    Now, also using the knife, scrape off the glue which entombs the fly lead ends until you find substantial bare metal.

    Attach one alligator-equipped wire to each lead. Consider one lead to be positive, the other negative (it is beyond the scope of this document to describe methods for determine which is which), and connect (via the suitable connector) to the desired non-SDMI-compliant audio recording device's analog input. Optionally, use a resistor or potentiometer in series with this circuit for level control.

    Push play and record at the same time, and have a beer while the song transfers.

    When done transferring, use the consumed beer to piss all over the printed SDMI and DMCA papers.
  • Well, I am no kind of Uber Hacker, but I have followed this entire digital music story very closely. Further, I live in the L.A. area where the topic is much discussed, and I know a variety of struggling musicians. I am not pretending to be an expert (I do that during the day), but I know a little about this issue.

    Just to go against the tide, I don't think there is any need to fight or boycott SDMI technology development. (Although I admire the idea.) In fact, it is possible that an effective SDMI technology may actually hasten the decline of the music oligopoly.

    Here are my main thoughts:

    1. The market will speak. Given the choice of today's CD's versus some kind of "secure" format with its many limitations, who would buy it? I think the music suits have underestimated how tech saavy today's consumers are becoming. Sure, they may eventually pull "classic" CD's off the market, but that will only increase used sales and copying of them. (Question - how long before an attempt is made to actually outlaw the sale of classic CD's and/or players as some kind of piracy tool?)

    2. Today's CD's won't go away, at least for years. As we have learned, one CD and any modern computer can generate an almost unlimited number of virtually perfect digital copies. Even if suddenly tomorrow I wake up and no more classic CD's are sold, the 15 billion or so that are out there and the millions of players will last for years and years to come. Further, once Napster and its ilk are shut down via legal challenges, people will simply become more sophisticated and private with their digital music swapping. The year or so of Napster has provided a music swapping foundation that will continue for years to come.

    3. How much new music do we really need? OK, let's say all new music by the big labels is sold on secure CD's, until a time when they can try and make you pay for music every time you listen to it without even selling CD's. Hey, I can live just fine without ever hearing Ricky Martin's next album. With c. 250,000 CD's in print I personally could live the rest of my life just discovering more of what is already out there. Even being a big music fan, a week does not go by that I don't discover something new from the past. No one likes this argument because it seems anti-creative, but it will simply be a market response. If "new" digital music has all sorts of costs and restrictions on it, "classic" digital or even analog work will seem more attractive by comparision.

    4. More performers will bypass the labels. As more and more people have high speed connections, music by downloading will become commonplace. More and more performers will be able to distribute their music directly to fans, instead of giving away their first child in a standard music industry contract. Sure, there may be fewer multi-millionaires overall, but so what? Just like open source, some will always create music for the love of doing it, not just to make money and groupies. In the creative world, there is often not a correlation with talent and financial reward, contrary to the constant copyright owner claims that "Artists won't create if they won't get paid" This may be true for hacks, but not for artists in the true sense of the word. I mean, do we really need another Stephen King novel?

    5. Free music will flourish. No one seems to be saying this, but clearly there will be tons of free as in beer music for download. There seems to be an idea among some that anything amatuer or
    DIY is junk, and sure, much of it may be to some. But to me, there is a lot of junk in any music store these days as well. Music creation software will continue to improve, and no matter how much DIY material is posted, the "buzz" of what is good will spread among friends, much like undergroud Metallica tapes did some 20 years or so ago. People will also see that you don't have to live in New York, L.A. or Nashville to be talented and have a reasonable chance of being discovered.

    So in summary, whether we like it or not, the big music industry has the money to buy U.S. legislation to suit its current goals. But that's OK. If anyone wants to buy a secure copy of Britney Spears's latest CD five years from now, that will be their choice. But there will also be a lot of lower cost choices as well that will possibly give you even better (in the sense of matching your personal tastes) music.

    TWR

  • Re:SDMI (Score:4)

    by orpheus ( 14534 ) on Thursday September 21, 2000 @06:26PM (#763033)
    Since SDMI is more a watermarking than an encryption method, I'll assume you're speaking of means to 'break' commercial audio encryption methods in general. I think you're missing the simplest method for future digital copying:

    Use digital USB speakers, and tap/copy the signal. either in hardware or software.

    While I am not at all sure that USB speakers will replace the soundcard/analog combination, they are likely to become too big a market share for RIAA to ignore, just like those annoying integrated sound chips that audiophiles deride, but that still manage to live in millions of budget and office systems.

    True, it is possible to encrypt the signal to the speakers, and use decrypting speakers, but there is unlikely to be enough market clout to force speaker manufacturers/system integrators/buyers to adopt encrypted speakers to support SDMI. I think that we are too far along the USB audio roadmap for it to be easily diverted now

    Recall, a format that doesn't catch on means lost time/money/opportunity for the RIAA, as well as the manufacturers and buyers.

    ------------------

  • Most of SDMI that is being tested is per-sale-watermarking. That means, you buy a song online and supposedly there's something hidden in the audio waves that uniquely identifies it to you. Something that should be almost impossible to find and remove.

    So all some mp3 release group would have to do to steal the music is make the watermark tie to someone else.

    Since the theory is to sell it online, which in this world means it has to be done quickly, do you really think they're going to require more information from you than your credit card number and billing address?

    Credit Card numbers get stolen every day. People buy things with them all the time. Some of them get caught. So, the record company finds out someone is distributing a copyrighted song. They expend the effort to track the person who purchased that song down. And they track it down to a credit card that was cancelled as stolen a week after the purchase.

    It's not that hard to be untraceable over the Internet, if you really want to spend the time to do it. So all they would have is a dead-end credit card number and some IP Addresses to some machine in North Korea.

    That'll stop music theft. Sure.

    So, music release groups of tomorrow will be doing something a little more illegal than they are now: credit card fraud, various electronic crimes...

    But has that ever been enough to stop all the young kids that make up most of these scenes? The 14 year old script kitty with a credit card list he stole from a porn site?

    So they manage to lock some kid up for doing something dumb and the music he released is still out there.

    How ... effective.

  • SDMI (Score:5)

    by Signal 11 ( 7608 ) on Thursday September 21, 2000 @03:16PM (#763037)
    "He glanced around at the motley collection of thugs, pimps, and record company executives that skulked on the edges of the dim pools of light with which the dark shadows of the bar's inner recesses were pitted. They were all very diliberately looking in any direction but his, carefully picking up the threads of their former conversations about murders, drug rings, and music publishing deals. They knew what would happen now and didn't want to watch in case it put them off their drinks."
    -- Douglas Adams, So Long, And Thanks for All The Fish

    Top 10 Ways to Hack SDMI
    ------------------------

    10. Write a device driver that emulates a soundcard. Dump output to disk. Optional - sending to the real soundcard. Bonus points if you use DirectSound.

    9. Attach leads to the DAC of the soundcard, design daughterboard to resequence for raw wave output. Optional: 64MB stick of RAM and a memory overlay for copying back out to the system. Estimated cost to hire an EE to do this: $25k

    8. SoftICE, a pack of mountain dew, and an SDMI decoder.

    7. 15 minutes alone with developers of SDMI and a backpack full of bricks.

    6. 45 minutes alone with legislators who signed DMCA into law, backpack full of bricks (note: bricks may be damaged by contact with thick heads of legislators - Aim lower)

    5. Audio cable connected between INPUT and OUTPUT of soundcard.

    4. Hold press conference. Compare SDMI to DivX. Drop plenty of rumors so retail outlets won't carry it without large cash advances.

    3. Hold shareholder conference. Compare SDMI to DivX. Using the rumors created in #4, draw on their fears that SDMI will collapse into a dense black hole, taking their profits with them.

    2. Use genetic algorithms (GA) to predict prime numbers without using brute force. Optional - for speed, do it using an analog computer. Send result to spook@nsa.gov, move to antarctica, dig hole in ground, call up UUNet, ask for net feed under an alias.

    1. Go to local high school, offer the kid with thick glasses in the computer lab $20 to crack SDMI. Return after lunch to pick up detailed documentation of program, and the program itself which was ported to 8 platforms and has bilingual support. Thank kid.

    | Permission is granted to distribute this document |
    | in any medium, provided this notice is attached. |
    | Copyleft, 2000 Signal 11 |

    --

  • Carnivore Avoidance Methods (Score:5)

    by angst_ridden_hipster ( 23104 ) on Thursday September 21, 2000 @03:18PM (#763038) Homepage Journal
    Frankly, I was quite underwhelmed with the suggestions. They all basically add up to cheap, low-tech encryption or security by obscurity methods.

    Some were flat-out wrong. Going through an email proxy doesn't help if they're sniffing your connection by IP address. I'm not convinced that Carnovore doesn't do this (nor am I convinced that it does. But I wouldn't base my security strategy on the weaker assumption). Likewise, forging an email address is not going to trick the system. The FBI isn't stupid.

    Obviously, strong encryption is the best solution. Although there is a precedent for having passwords *not* protected as free speech under the 5th amendment, it does give you your best shot at keeping communications secure.

    Steganography's also probably a reasonable choice. Get a good digital camera, and send out a lot of pictures to your friends. Some may have messages. Most don't.

    Chaffing models might be good, but might not.

    Also, techniques like the old "saturate Echelon" approach, where you *always* tag on keywords like semtex, Nidal, West Bank, UN, ammo, NSA, NRO, ZOG, etc. to your messages. If everyone did it, and varied the list, it'd clog their system eventually...

    -
    bukra fil mish mish
    -
    Monitor the Web, or Track your site!
  • First of all, M$'s licensing agreements change more frequently than the coloring on most chameleons/octopi (whichever you prefer), so a single change that allows reimaging isn't as big a deal as a change that would allow people to view their source code and openly mock it for the cobbled together garbage that it is.

    Second, Microsoft isn't completely evil, thanks to good hardware such as the Explorer mouse, which holds the place of honor on my desk; the good gaming hardware at good prices (the original M$ Gamepad, the first FF Joystick that worked w/ many games); and the timely support that they give to new hardware, thanks to their marketing efforts. Thanks to the >75% margin of Windows 9x on desktops, most hardware manufacturers include a windows driver, while few put linux drivers inside the box.

    While Linux may be technically superior, Windows is still the only operating system that can give rise to a good game of Half-Life: Counterstrike. (Lest you count the dedicated server for linux)

    Tell me what makes you so afraid
    Of all those people you say you hate

  • I read the blurb on Inferno with a great amount of joy.
    A freely downloadable OS that seemed to be focussing on the lacks of all the OSs it ran upon. A nice little tool if ever I saw one, and one that I'd greatly love to try.
    Then I read the licence.
    You may not: 2.6 use the "Inferno®", "Styx®", "Dis®" and "Limbo®" trade marks without the following trade mark notice - "Inferno® ,Styx® , Dis® and Limbo® are the registered trade marks of Vita Nuova Holdings Limited". YOU may only use these trademark as permitted by and in strict compliance at all times with VITA NUOVA's third party trade mark usage guidelines which are posted at www.vitanuova.com/trademark.htm.
    2.7 use the "Inferno®", "Styx®", "Dis®" and "Limbo®" trade marks other than in relation to the LICENSED SOFTWARE and/or ADAPTATIONS of the LICENSED SOFTWARE.
    Well, for starters, the trademark.htm URL doesn't exist, so there is no guideline for use of these 'trademarks'.
    What is a classicist to do then? "I'm sorry, you can't have your lecture on Greek mythology, as all the names are currently trademarked..".
    Looking at some of the names that go alongside this project, I'm much more inclined to believe they've just got the company lawyers to stamp out a quick default boilerplate, but, in the current times of acquisitions of companies by larger, predatory ones, this boilerplate could be a huge pain in the butt if someone decided to try and enforce it as stands.
    Hey, I'll just go out and trademark the word 'Binary'... That'll really put the cat amongst the pigeons.
    Well, that's about it for the rant.. Not yet checked the software, 'cos I don't agree to it's licence (I don't agree not to use all those trademarks, unless using them in context to the inferno OS)..
    Wake up guys, and be sensible with your trademarking!!!

    Malk
  • I read the blurb on Inferno with a great amount of joy. A freely downloadable OS that seemed to be focussing on the lacks of all the OSs it ran upon. A nice little tool if ever I saw one, and one that I'd greatly love to try. Then I read the licence.
    [...]
    Well, for starters, the trademark.htm URL doesn't exist, so there is no guideline for use of these 'trademarks'.

    that's true, the URL doesn't exist - we're fixing that. but... i think your worries about the rest of the license are somewhat misconceived.

    Well, for starters, the trademark.htm URL doesn't exist, so there is no guideline for use of these 'trademarks'. What is a classicist to do then? "I'm sorry, you can't have your lecture on Greek mythology, as all the names are currently trademarked..".

    these are trademarks - we haven't sidelined a portion of the english language; we're just preventing other companies from trading using those names (and in fact it's not even as restrictive as that, as the trademarks only apply in, i think, certain sectors of the computer industry).

    think about it! does the world stop talking about windows in buildings because Windows® is a trademark?? i don't think so. similarly, unless you are trying to market another OS called Inferno, or a protocol called Styx, the fact that those names are trademarked is completely irrelevant.

    so have a look at the software! we have tried to make the license as unrestrictive as possible, so i hope you shouldn't have any problems with it.

    cheers, rog.

  • Re:SDMI (Score:3)

    by Bogatyr ( 69476 ) on Thursday September 21, 2000 @05:21PM (#763052) Homepage
    The music business is a cruel and shallow money trench, a long plastic hallway where thieves and pimps run free and good men die like dogs. There's also a negative side.
    - Hunter S Thompson
  • It's dangerous to label an agency that, collectively, has done stupid things as being stupid. There are some very intelligent people who work for the FBI (or just about any other organzation).

    If you're trying to protect information, you should never make the mistake of assuming you're trying to hide it from an idiot.
    -
    bukra fil mish mish
    -
    Monitor the Web, or Track your site!

  • MS Licensing & Imaging (Score:5)

    by LauraLolly ( 229637 ) on Thursday September 21, 2000 @03:29PM (#763058)
    There's one small problem in the phrasing of the license: "Identical"

    This means that if Joe MCSE decides to re-image some OEM boxes, and re-images them in a manner both different from the OEM boxes and the rest of the network boxes, either Joe's company is in license violation, or someone needs to cough up the moola.

    This is one case where it's difficult to enforce a license. You have an X seat license for X users. You hire more workers and buy OEM boxes w/Win2K.

    You want to give them a newer better configuration with the original software? Too bad. This looks as though the license change is publicised as a customer relations thing, but is actually an enforcibility thing. Show the license, show the number of new OEM boxes, you're fine, as long as they all have the same installation. I work in an academic situation where we reimage all the time. This license appears to remove one major financial pain, and exchanges it for a finicking pain.

  • Links to previous stories? (Score:5)

    by djw ( 3187 ) on Thursday September 21, 2000 @03:38PM (#763059)
    Why not provide links to the stories these SlashBacks correct or update? Like this:

    OK, who has what up their sleeves, and why? Fervent [mailto] writes "Interesting twist in the SDMI boycott -- Don Marti's backing down a bit. Apparently he and Leonardo Chiariglione, executive director of the SDMI, talked and found ways to get along about secure music. The article is here [zdnet.com]."

    I'll be impressed if the music industry or anyone else can come up with a high-quality music format which can't be effectively copied with a modicum of hassle. "Anything that can be read," etc. Thta's not about to stop them from trying on both technological and legal fronts. Of the two, I'll take technological any day.

    Previously reported:
    Set Digital Music Free [slashdot.org]
    Boycott of Music Industry's Hacker Challenge Urged [slashdot.org]

  • Microsoft has always gotten it (Score:3)

    by Devil Ducky ( 48672 ) <slashdot@devilducky.org> on Thursday September 21, 2000 @03:42PM (#763060) Homepage
    No, a company does things like this (users complain, they fix the problem) when they have real competition. When a company doesn't have competition it won't do anything (except maybe laugh) when you complain about something they are doing.

    1997:
    User: Hey Microsoft, I don't agree with your license on this issue...
    Microsoft: HaHaHaHa <CLICK>

    1999:
    User: Hey Microsoft, I don't agree with your license on this issue...
    Microsoft: We are not a monopoly, we have lots of competition... here's one of our competitors now, Bob, He makes an OS that <CRACK> Virus Detected! Now running suspected executable for you. <BSOD>

    Soon (hopefully):
    User: Hey Microsoft, I don't agree with your license on this issue...
    Microsoft: We are soory for the inconveince how may we solve this problem? Please don't use one of our competitors...
    User: <CLICK> <Calls new number> Hello, I'd like to buy the new BobOS 2.1, but I don't agree with this part of the license...
    Bobsoft: <CLICK>

    And the cycle continues.

    That was fun.

    Devil Ducky
  • OK, someone needs to take a deep breath here. Anonymous Coward (I'm beginning to think it's the same guy each time): Slashdot is not a war or an attack on your religious beliefs. It's a place to post ideas and argue the benefits and detractions. You seem to focus on the negatives a bit too much, friend.

    First, in response to a lot of people's complaints about my wording of the article, read here [slashdot.org] and here [slashdot.org]. I also submitted that Slashback article several days ago, so it hasn't aged well.

    To the response I am simply a "troll" (which I don't agree with in the slightest) read here [slashdot.org]. This is another article I recently submitted and got accepted.

    Remember, deep breaths.

  • So the test begins. With a proxied Netscape browser we find proxy.foo.com and slightly obscure our information and change our hostname to whatever@wherever.com. In theorum mail is being sniffed to the account in question johndoe@sampleisp.com in which they have their warrant and not whatever@wherever.com which makes any information they gather obsolete. Well, after some legal mumbo jumbo obsoletes their methods and what information they gathered along with the terms of the warrant.

    The DOJ and assorted federal branches have been pushing for greater liberties in pursuing 'cyber-criminals' including the extension of warrants to include all computers connected to the network through which the data could have traveled.

    Even if they can't get something from your own ISP, they may soon be able to get it from another computer.

    --

  • Your comment could very well have been this:

    Why do you have to rank on those of us who happen to have a preference for rape? The good
    thing about technology is that it is blind, that it allows those of us who don't fit into society's mold to have a fair say and a fair chance at having our opinions heard.

    And what does rape have to do with terrorism or heroin? You degrade rapists and don't
    seem to think anything about it. A comment like that about homosexuals, Jews, blacks, or any other
    minority would have an angry mob at your door real quick.

    As a member of a currently socially unacceptable group, I realize that I must fight for my rights in every way I can, and get people to realize that I'm not bad or evil, I am what I am, and everyone will just have to accept that!

    For the record, I am gay. The problem with your lifestyle is that the "love" of children assumes that children are capable of understanding sexual relationships. I admit that some are and some aren't. I was sexually active when I was 12. But the psychological evidence of sexual abuse of children compels me to reject pedophilia as something abusive and evil. And no, I don't "just have to accept" your lifestyle.

    I have a feeling you will try and label me a hypocrite. That won't work. You'll do much better to try and show me that whatever psychological evidence I've seen is invalid (much like the psychological evidence against homesexuality has been shown to be invalid).

  • Ok, so I have had a look at the announcement, and the first thing that sprang out at me was the qualification requirement. In order to qualify for the "relaxed" rules, you need to be a MS select or Enterprise Agreement licencee - normal mortals (and my employer flies under this flag even though we have over four hundred PCs in use) get all their licences bundled with the machines, and only replace OSs when they replace machines. However, our site *also* has a full set of custom apps, so ghost-rollout of a new installed-base of replacement machines (hardware upgrade, needed for the new generation of MS office apps) is needed, in about blocks of fifty....
    --
  • In fact, the Hack SDMI site has exactly that. A given file has three samples, two of tune A and one of tune B. One of the tune A samples is clean, one is watermarked. Tune B is watermarked. Your challenge is to remove the watermark from tune B.

    Go ahead, and let us know how you make out.


    ...phil

  • Also, techniques like the old "saturate Echelon" approach, where you *always* tag on keywords like semtex, Nidal, West Bank, UN, ammo, NSA, NRO, ZOG, etc. to your messages. If everyone did it, and varied the list, it'd clog their system eventually...

    Nah. 99.999% of the people who did that crap stuck it in their .sig file. You think the NSA's not smart enough to write a parser that ignores keywords after the last "--" at the beginning of a line in an email? In the battle between any randomly chosen half-assed programmer and lazy, pseudo-libertarian wisecrackers, I'll back the half-assed programmer.

    --

  • Hey if they're monitoring johndoe@sampleisp.com and sniff the whole network then jane.something@sampleisp.com should be able to hold them liable for invasion of privacy. Thats something I can't speak on since I'm not a lawyer.

    Just from a legal standpoint . . . where are you guaranteed privacy under (US) federal law?

  • Another oddball way of conveying messages whether or not encrypted is to send a message written in binary with something as lame as:
    [sil@stigmata] echo "I need help with this math problem:
    [sil@stigmata] 43 61 72 6E 69 76 6F 72 65 20 63 69 72 75 6D
    [sil@stigmata] 76 65 6E 74 69 6F 6E 20 74 65 73 74 20 70 68
    [sil@stigmata] 61 73 65 20 31 0A" | mail -s hello somebody@somewhere.com

    Um . .. that's hex . . .

    Kinda hard to take the rest of the article as an autoritative source . . .

Slashdot Top Deals

Two can Live as Cheaply as One for Half as Long. -- Howard Kandel

Close