Rick Falkvinge's Blog, page 5
September 27, 2017
With the World Wide Web Consortium captured by the copyright industry, who will step up to lead web development next?

The World Wide Web Consortium (W3C), which used to develop standards for the Web, has been captured by the copyright industry. In a doubly controversial vote, the W3C decided that media companies and not the user should be in control, ending their longstanding commitment to openness and the Internet’s core values. The open question is what new body web developers will choose to follow for future generations of standards.
This week, the World Wide Web Consortium (W3C) formally adopted Digital Restriction Measures (DRM) as part of the Web, thereby ending a policy of “the user is in control of their experience” and replacing it with “the copyright industry is in control”. The standard in question is called EME — Encrypted Media Extensions — and was pushed by all the pre-internet giants with vested pre-internet interests and Netflix.
Why is this bad? For all the reasons.
The W3C is — was — the body that defined standards for the World Wide Web, which browser developers implemented in turn in web browsers like Firefox, Chromium, Opera, and Safari. Having a third party publish the standards meant that no single browser team was in charge of standards development while also making a browser, thereby encouraging interoperability between different browsers.
Now, having Digital Restriction Measures (DRM) as part of the Web means a number of very bad things, on principled, technical, and legal grounds alike. First and foremost, on the principle level, the control of the experience has always been with the user. You don’t like a particular website’s color scheme? Turn it off. You don’t like ads? Turn them off. You’re blind? Have the page read out loud to you instead of displayed. The page scripts are annoying? Disable their scripts. The notion that the information is served, complete with a suggested layout, but with yourself as final arbiter as to how the website is allowed to show on your screen, has always been front row center to the development of the Web. Until this week, that is.
It’s important to realize that this encryption is not to the benefit of the user, like https is, but to the benefit of the copyright industry. In Cory Doctorow’s words, when somebody gives you a locked piece of data without the key, that lock is never there for your benefit.
From a technical perspective, this means that attacks delivered over the web — which are most of them today — can now be delivered in a standardized encrypted format, which means virus and malware checkers can’t intercept and prevent infection the way they can today.
From a legal perspective, it’s even worse, because it’s now illegal to research and prevent such attacks that are delivered over a channel protected by Digital Restriction Measures (DRM) in some of the biggest economies, like the United States and Europe. All other related research that seeks to circumvent the copyright industry’s control to the benefit of the user is also illegal, like providing accessibility to blind people (no, the standards don’t require it).
So why all this fuss just for a delivery channel of movies, in practice, which everybody gets from their favorite “unofficial sources” anyway?
Because there’s nothing limiting this delivery channel to just a movie. In theory, the entire web experience could be encrypted using new layers of technology. Yes, that includes mandatory advertising. Mandatory. Advertising. Yes, on your screen. The shift in principle here, putting the media companies in control instead of the user, is the most important one, with far-reaching ramifications.
This happened in a doubly controversial vote. Doubly because first, up until today, standards were never decided by vote, but by consensus, a threshold quite far above simple majority; and second, the vote passed by a mere 58%.
To quote John Sullivan, director of the Free Software Foundation, who tweeted at the W3C: “When the RIAA calls a decision ‘a victory for common sense’, you know you’ve got it exactly wrong, W3C.”
What just happened is a textbook example of Regulatory Capture. The W3C was captured by the copyright industry.
Regulatory Capture is a term describing a form of government failure that occurs when a regulatory agency, created to act in the public interest, instead advances the commercial or political concerns of special interest groups that dominate the industry or sector it is charged with regulating. When regulatory capture occurs, the interests of firms or political groups are prioritized over the interests of the public, leading to a net loss to society as a whole. Government agencies suffering regulatory capture are called “captured agencies”. (Quote from Wikipedia.)
Seeing this regulatory capture firsthand, taking place against its formal objections, the Electronic Frontier Foundation immediately resigned from the World Wide Web Consortium.
The concept of regulatory capture is not an easy nut to crack. During the drafting of the U.S. Constitution, the Founding Fathers complained about this problem, which they called factions, and discussed how they could prevent the capture of regulatory bodies by those who would be regulated by it. In the end, it was one of the problems the Founding Fathers didn’t solve in creating the United States of America, and so it remains unsolved.
Except maybe not in this case, because the W3C has no formal authority. Its recommendations are — were — followed only based on trust in having done the right thing up until this week. It was a leader in the truest sense; somebody who others voluntarily chose to take advice from. The W3C was a standards body, but nobody is coerced into following their standards.
Therefore, the field is now open for a new publisher of web standards, one that doesn’t bend the knee to the copyright industry, and more importantly, a standards body that continues to put the user in control of their own computer and experience.
Because once the developers see where the path leads when you put the copyright industry in charge of the experience, they will balk at that and do something else.
Failing that, there’s the next level of safety valve, the users themselves, who are likely to reject such an experience and lack of control altogether — just remember how Adblock started out as a niche plugin for Firefox, then gradually spread to a plugin for all browsers, and is now working its way into the mainline browser distributions. When enough users say that they’ve had enough of something, that also counts for something.
In any case, the field is now open for somebody to step up to the plate and take charge of the future of web standards, with users front row center where they belong. The EFF themselves, perhaps?
(This is a post from Falkvinge on Liberty, obtained via RSS at this feed.)

September 24, 2017
Call to Action: Write to the European Parliament’s Legal Affairs Committee on the upcoming copyright vote

Activism: On October 10, an important committee in the European Parliament will vote on future copyright law. It hangs in the balance, and ordinary people like you and me contacting Members of the European Parliament can really make a difference, like you’ll remember we did with ACTA five years ago and won. You don’t have to contact your representative; such a thing only exists in the US and UK. Rather, you should write a friendly mail to all of them.
The European Union is revising copyright legislation.
As usual, the copyright industry — indeed the entire Industrial Protectionism (IP) industry — has managed to get all sorts of absurd things into the future of copyright law. Even if you don’t live in Europe, this concerns you, because a tightening of these monopolies in a major economy tends to be contagious to other places in the world. The European Parliament will vote some time in the coming year, but the next and important vote is on October 10 in the Legal Affairs committee, JURI, which is responsible for matters such as these.
At the same time, there are some good proposals in the mix, put there by people of the net generation among the Members of the European Parliament (MEPs).
Christian Engström, MEP 2009-2014, writes: “The outcome of the votes in JURI [Legal Affairs committee] hangs in the balance, and several important issues are too close to call. If there are enough emails from ordinary citizens that demonstrate that there are people out there who care, we have a good chance of achieving at least some improvements to copyright. But if nobody shows an interest, there is an overwhelming risk that the copyright lobby will win, and will introduce further restrictions and even more absurdities into copyright on the internet. Right now, you as an individual can make an actual and real difference.”
There are two really bad proposals: a mandatory upload filtering, effectively censorship, and a link tax which makes it impossible to link to oldmedia articles (articles 13 and 11).
At the same time, there are also three really good proposals: mandatory freedom of panorama (nobody can own a view), freedom to remix, and freedom to datamine for everybody.
Read more over at Christian Engström, who has links in turn about what these different proposals mean, and pick one or two subjects you’re passionate about. Then, write to JURI, the Legal Affairs committee: this mailing (“mailto”) link will create a mail to all 46 delegates of JURI for you, where you can express your points.
As Christian writes: be polite, use your own words, and be brief, like a Facebook comment where you make a point.

September 22, 2017
Your phone can now be turned into an ultrasound sonar tracker against you and others

Global: New research shows how a mobile phone can be turned into a passive indoor ultrasound sonar, locating people with high precision indoors using multi-target echolocation, and is even able to discern a rough selection of activities. It does this by overlaying imperceptible ultrasound sonar pings into played-back music, measuring the reflections coming back to the phone’s microphone. The privacy implications are staggering.
By emitting inaudible ultrasound pings as part of normal music playback, a phone can be turned into a passive sonar device, researchers from the University of Washington show in a new paper. It can track multiple individuals at an indoor precision of 8 centimeters (3 inches), and detect different types of activity by the people in its detection zone — even through barriers, all using a normal smartphone.
People with a military technology background will recognize this as next-generation passive covert radar, radar systems which don’t transmit, but which detect objects in the sky from changes to reflection patterns from ever-present civilian transmitters such as radio and TV towers. The primary advantage of passive covert radars is that they can’t be detected, as they only contain very sensitive receivers, no transmitters. This phone research appears to be using the same kind of technology, except that the phone is also used as the transmitter of ultrasound pings; however, it would be trivial to separate the transmitter of pings from the receiver of the reflected patterns.
“We achieve this by transforming a smartphone into an active sonar system that emits a combination of a sonar pulse and music and listens to the reflections off of humans in the environment. Our implementation, CovertBand, monitors minute changes to these reflections to track multiple people concurrently and to recognize different types of motion, leaking information about where people are in addition to what they may be doing.”
The researchers are straightforward about the privacy threat that this technology poses: “There are privacy leaks possible with today’s devices that go beyond the ability to simply record conversations in the home. For example, what if an attacker could remotely co-opt your television to track you as you move around, without you knowing? Further, what if that attacker could figure out what you were doing in addition to where you were? Could they even figure out if you were doing something with another person?”
The researchers have tested five different indoor environments and over thirty different moving individuals, and show that even under ideal conditions, the people typically could not detect the tracking.
“We evaluated CovertBand by running experiments in five homes in the Seattle area, showing that we can localize both single and multiple individuals through barriers. These tests show CovertBand can track walking subjects with a mean tracking error of 18 cm and subjects moving at a fixed position with an accuracy of 8 cm at up to 6 m in line-of-sight and 3 m through barriers.”
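The pings described above ride on ordinary music in a band most adults cannot hear, so the defender-side question is whether a phone or TV can notice them. The following is an added example, not code from the original post or from the CovertBand authors: a small monitor that splits captured audio into 25 ms frames, estimates the strongest near-ultrasonic tone in each frame with the Goertzel algorithm, and flags frames where that tone is large relative to the frame’s total loudness. The sample rate, frame length, 18–23 kHz band, threshold and the synthetic test signal are all assumptions of this example; real sonar pulses may be chirps that spread their energy across the band, so a per-bin scan like this is a starting heuristic, not a complete detector.

```python
import math

# Added example (not from the original post or the CovertBand paper): a simple
# defender-side monitor that flags audio frames carrying a strong near-ultrasonic
# component. Sample rate, frame size, band limits and threshold are assumptions.
SAMPLE_RATE = 48_000                           # Hz; common phone/TV capture rate
FRAME = 1200                                   # 25 ms per frame -> 40 Hz DFT bins
ULTRA_MIN_HZ, ULTRA_MAX_HZ = 18_000, 23_000    # inaudible to most adults, below Nyquist
STEP_HZ = SAMPLE_RATE // FRAME                 # scan one DFT bin per step (40 Hz)


def goertzel_amplitude(frame, freq_hz, sample_rate=SAMPLE_RATE):
    """Estimate the amplitude of a sinusoid at freq_hz in one frame (Goertzel).

    For a tone centred on DFT bin k, |X[k]| = A * N / 2, so 2|X[k]| / N = A.
    """
    n = len(frame)
    k = round(n * freq_hz / sample_rate)
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|^2
    return 2.0 * math.sqrt(max(power, 0.0)) / n


def rms(frame):
    """Root-mean-square level of the whole frame (audible plus inaudible content)."""
    return math.sqrt(sum(x * x for x in frame) / len(frame))


def ultrasonic_ratio(frame, sample_rate=SAMPLE_RATE):
    """Strongest near-ultrasonic tone amplitude divided by the frame's total RMS.

    Ordinary music has almost no energy above 18 kHz, so a ratio well above zero
    means something inaudible is riding on the audio.
    """
    total = rms(frame)
    if total == 0.0:
        return 0.0
    strongest = 0.0
    freq = ULTRA_MIN_HZ
    while freq <= ULTRA_MAX_HZ:
        strongest = max(strongest, goertzel_amplitude(frame, freq, sample_rate))
        freq += STEP_HZ
    return strongest / total


def flag_frames(samples, threshold=0.1, sample_rate=SAMPLE_RATE):
    """Split a sample stream into frames; return (frame_index, ratio) for flagged ones."""
    flagged = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        ratio = ultrasonic_ratio(samples[start:start + FRAME], sample_rate)
        if ratio >= threshold:
            flagged.append((start // FRAME, round(ratio, 3)))
    return flagged


def synth_audio(num_frames, ping_frames=(), ping_amplitude=0.1):
    """Constructed test signal: three audible 'music' tones, plus a 20 kHz tone
    (a stand-in for a sonar ping) during the listed frame indices."""
    samples = []
    for idx in range(num_frames):
        for n in range(FRAME):
            t = (idx * FRAME + n) / SAMPLE_RATE
            x = sum(0.3 * math.sin(2 * math.pi * f * t) for f in (440, 880, 1320))
            if idx in ping_frames:
                x += ping_amplitude * math.sin(2 * math.pi * 20_000 * t)
            samples.append(x)
    return samples


if __name__ == "__main__":
    audio = synth_audio(8, ping_frames={2, 5})
    print("frames with a near-ultrasonic carrier:", flag_frames(audio))
```

The ratio is deliberately relative to the frame’s own loudness rather than an absolute level, so quiet music with a faint ping still stands out, while a loud track that happens to have a little high-frequency content does not trip the threshold on its own.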
It’s conceivable that malicious apps with access to the speakers and microphone will be able to use this. It’s also conceivable that apps already are. Among many smartphone devices, the researchers also implemented their CovertBand demonstrator on a 42-inch SHARP television set.
“Even in ideal scenarios, listeners were unlikely to detect a CovertBand attack.”
Your privacy remains your own responsibility.

August 30, 2017
Hardware maker: Give up your privacy and let us record what you say in your home, or we’ll destroy your property

Privacy: Hardware maker Sonos has a new privacy policy, and is telling users that unless they agree to it, their devices may cease to function entirely. Of course, since people bought these objects, they’re those people’s property. And since Sonos is taking an action that they know will break these devices, Sonos is effectively saying they’ll willfully destroy your property unless you comply and give up your privacy. This is a new low.
Sonos is a high-end sound system maker, famous for being the first brand to have synchronized music in different rooms with an off-the-shelf device system. This week, they announced a new privacy policy, where they say they’ll be collecting a lot of data about you, including listening in to your room and (in a roundabout way) recording it. People were justifiably quite upset. It is in response to this community reaction that Sonos does the unforgivable: Sonos states that if people don’t accept “the new privacy policy” — meaning give up their privacy in their own home completely — Sonos is going to willfully destroy those people’s property.
“The customer can choose to acknowledge the policy, or can accept that over time their product may cease to function,” the Sonos spokesperson said, specifically.
Sonos is particularly sneaky about the part where they record sound. They say in their blog post that they “don’t keep the recordings” of sound recorded in your home, with the new Voice Assistant. However, they point out that they share their collected data with a large number of parties, the services of which you have “requested or authorized” — where people tend to read “requested”, but where “authorized” is the large part. Further, they point out that they share recorded sound with Amazon under all circumstances, and Amazon is already known to keep recordings for later use by authorities or others, so the point is kind of moot. “We don’t keep the recordings, we let others do it for us” would be a more straightforward wording.
As ZDNet notes, the community’s reaction has been quite hostile to the manufacturer who threatens to destroy their property, and not without justification.
For my personal purchasing choices, behaving like this is enough to get on my blacklist of manufacturers, just like when Sony willfully infected its customers with rootkit malware in 2005, and Sony made it onto my blacklist. (It’s a high bar to get there, and still, hardware makers keep inventing new audacious ways to clear that bar.)
Syndicated Article
This article was previously published at Private Internet Access.

August 29, 2017
IMSI Catching: Phone surveillance measures and countermeasures go mainstream

Activism: The German newspaper Die Zeit has a long feature this week about IMSI catchers and their countermeasures, words that were long heard only in countersurveillance cultures at Black Hat and Defcon. Observing this phenomenon make the jump from the obscure to the mainstream tells us a lot about the years to come: surveillance and countersurveillance will be a cat-and-mouse game for quite some time.
Most people have heard of their IMEI, their phone’s unique identifier. It’s short for International Mobile Equipment Identity, and a lot of people learn how to read this number. Originally, it was produced by typing *#06# on your phone, a sequence that amazingly still works, but it’s also on the phone receipt, in the menus, and in a number of friendlier places. This is the number you can insure, and this is the number you can report stolen to brick the phone.
A more secretive number is the IMSI, the International Mobile Subscriber Identity, which identifies not the phone but the SIM card inside the phone. In most parts of the world, you’re expected to buy these separately from the phone, and you can replace the SIM card to change carriers but keep the same phone. In some other parts of the world, where telco carriers have exercised regulatory capture and have a dysfunctional market, the SIM card is typically baked into the phone, and in these countries, you might never have seen it – but it’s still there, identified by the IMSI.
There are many good technical reasons to keep this number a secret. For example, any reconfiguration instructions sent to the phone from the carrier – so-called Over-the-Air provisioning — must be signed cryptographically with the IMSI of the current SIM card, in order to prevent fraudulent configuration. It’s also the number used when the phone contacts the carrier network, and therefore, anybody intercepting that handshake will see the IMSI.
This is the technology used in so-called IMSI catchers. When there is a large number of people in an area that the regime — police or other forces — want to keep tabs on, they deploy high-powered fake cell towers that the phones connect to, believing that these fake cell towers are their carrier’s. The fake towers then contact the real ones in turn, performing what we call a man-in-the-middle attack, which is just what it sounds like, sitting between the phones and the real cellphone towers.
This is a fairly sophisticated attack, one made by law enforcement in a highly dubious legal area. That’s why it’s really interesting to see mainstream media cover the topic now.
It’s particularly interesting as law enforcement won’t immediately get identities out of this attack — it will merely read which IMSI numbers were in the area at the time of the man-in-the-middle attack. Some of the time, this could conceivably be translated into people’s actual names, by means of subpoenas or similar to the carriers. A lot of the time, it won’t (think anonymous prepaid SIM cards).
While this attack can be used to track an individual’s movements once you have their IMSI — and has been used for this, notably with the American-made Stingray devices — it’s more alarming that law enforcement is increasingly using the attack to keep a catalog over which people, or at least their phones, are present at a certain type of protest.
Die Zeit’s article also covers countermeasures to the IMSI catcher attack, and mentions that while there are numerous apps that detect IMSI catchers, the better ones can only detect about 90% of those attacks.
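The detection apps mentioned above work from the same two facts the article gives: a catcher is a fake cell tower the phone has never seen before, and it is high-powered so that phones prefer it. The following is an added example, not code from the original post or from any particular detection app: it builds a baseline of cells seen during a quiet period from a constructed observation log, then flags a cell that is unknown, sits in an unseen location area, and is far stronger than anything in the baseline. The record layout, the test-network MCC/MNC values, the 15 dB margin and the log entries are all assumptions of this example, which is why a new cell on its own is not flagged (phones see new cells whenever their owner moves); only the combination of unknown and implausibly strong is.

```python
from dataclasses import dataclass

# Added example (not from the original post): a baseline-and-anomaly heuristic for
# cell observations, of the kind an IMSI catcher detection app relies on. Record
# format, MCC/MNC values, signal levels and the margin are constructed assumptions.


@dataclass(frozen=True)
class CellObservation:
    minute: int      # minutes since the start of the log (constructed)
    mcc: str         # mobile country code ("001" is the test-network code)
    mnc: str         # mobile network code
    lac: int         # location area code
    cell_id: int     # cell identifier announced by the tower
    rssi_dbm: int    # received signal strength in dBm (closer to 0 is stronger)


def cell_key(obs):
    return (obs.mcc, obs.mnc, obs.lac, obs.cell_id)


def build_baseline(observations):
    """Summarise a quiet period: strongest RSSI ever seen per cell, and the
    (mcc, mnc, lac) location areas that are normal for this place."""
    strongest = {}
    areas = set()
    for obs in observations:
        key = cell_key(obs)
        strongest[key] = max(strongest.get(key, -999), obs.rssi_dbm)
        areas.add((obs.mcc, obs.mnc, obs.lac))
    return {"strongest": strongest, "areas": areas}


def observation_reasons(obs, baseline, margin_db=15):
    """Return the list of reasons an observation looks like a fake tower.

    The decisive combination is: the cell is unknown AND it is at least
    margin_db stronger than any cell the phone has ever seen here."""
    reasons = []
    if cell_key(obs) in baseline["strongest"]:
        return reasons                      # a cell we already know; nothing to say
    reasons.append("unknown cell id")
    if (obs.mcc, obs.mnc, obs.lac) not in baseline["areas"]:
        reasons.append("unknown location area")
    best_known = max(baseline["strongest"].values())
    excess = obs.rssi_dbm - best_known
    if excess >= margin_db:
        reasons.append(f"{excess} dB stronger than any known cell")
    return reasons


def suspicious_cells(log, baseline, margin_db=15):
    """Map each flagged cell to its reasons; only unknown AND unusually strong
    cells are flagged, so merely unfamiliar cells are left alone."""
    flagged = {}
    for obs in log:
        reasons = observation_reasons(obs, baseline, margin_db)
        if any(r.endswith("than any known cell") for r in reasons):
            flagged.setdefault(cell_key(obs), reasons)
    return flagged


# Constructed sample data: a quiet baseline, then a log that contains one
# ordinary new cell (weak) and one cell that matches the fake-tower pattern.
BASELINE_LOG = [
    CellObservation(0, "001", "01", 4101, 1001, -75),
    CellObservation(5, "001", "01", 4101, 1002, -82),
    CellObservation(9, "001", "01", 4101, 1003, -90),
    CellObservation(14, "001", "01", 4101, 1001, -77),
]
EVENT_LOG = [
    CellObservation(20, "001", "01", 4101, 1001, -78),   # known cell, normal level
    CellObservation(21, "001", "01", 4101, 1004, -85),   # new but weak: not flagged
    CellObservation(22, "001", "01", 4102, 9999, -45),   # unknown, new area, very strong
]


if __name__ == "__main__":
    result = suspicious_cells(EVENT_LOG, build_baseline(BASELINE_LOG))
    for key, reasons in result.items():
        print(key, "->", "; ".join(reasons))
```

A real app would refresh the baseline as the phone moves and combine this with other signals, which is consistent with the article’s note that even the better apps catch only around 90% of such attacks.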
We can expect this to escalate in the coming years.
Syndicated Article
This article was previously published at Private Internet Access.

June 11, 2017
Right on the Money: Bitcoin hits $3,000, or 1000x my entry point six years ago

Bitcoin: In 2011, I went all-in into bitcoin. As I described in a blog post at the time, I took all my savings and my entire credit line and put it into the fledgling currency, once I had realized its disruptiveness, and I did so at about $3 valuation (to simplify events a bit). People mocked me relentlessly.
I tend to be good at predicting events five years out that the large majority considers unforeseeable black swans. I’ve done so twice now for particular high-profile events: once when founding the Pirate Party – which was a “career ending decision” according to some colleagues, until I had succeeded wildly in what I had set out to do, sending people to the European Parliament on basically no budget using a novel set of leadership techniques. The other time was when I predicted the massive breakthrough of cryptocurrency in 2011, and said I predicted bitcoin to increase in value hundredfold-to-thousandfold over the next three to four years. (Do note that the actual breakthrough has not happened yet.)

In both these cases, people basically said I was mad, even though I made no secret of going all-in into bitcoin — I’m not the “haha, I got rich five years ago with my secret method” type of person. Rather, I announced to the entire world that I was going all in, and being very specific about my reasons, giving anybody who wanted the ability to copy my actions. (A lot of people did; I get people coming up to me today saying I got them into bitcoin with these posts. Good for us, good for all of us.)
A key to these kinds of high-risk decisions, of course, is to trust your own intelligence and judgment when you know you’re going against the grain and against common wisdom. If you try to do something halfway, it’s the equivalent of taking the average between two sidewalks and walking in the middle of the road. I quickly lost count of how many times various well-meaning people told me to “sell and collect profits and come out ahead” – but that simply wasn’t the analysis I had made. Most people didn’t even try to be well-meaning, but instead had fun at and mocked my decision to go all-in outright.
To illustrate this, this is the highest-voted comment — not a random comment, but the highest-voted comment — from the Reddit thread six years ago when I announced I was going all in. Particularly note that this is a comment made by, and voted to the top, by bitcoin enthusiasts.
“I can’t even begin to comprehend the depths of the stupidity of that kind of reasoning”. To be fair to the commenter, it took a little over five years to get there, and not my estimated three to four years.
It’s quite funny in hindsight, actually, that even the people who were most devoted to the technology expressed themselves like this at the time.
In any case, as a followup to the original post, I just wanted to highlight that it reached the target I predicted. I was, as people say, right on the money.
Or maybe I should say that bitcoin reached the first target I predicted. Today, I refrain from making predictions for bitcoin until scaling is properly resolved with good engineering, and the obstructing company Blockstream has been kicked out of the community; the currency really has no future until this event has taken place as Blockstream has negated all the utility I originally pointed out through insanely tone-deaf non-business, but cryptocurrency as a whole remains extremely disruptive, be it the first-mover variant (bitcoin) or a second-mover variant.
If you love Blockstream and/or Bitcoin Core, but started doing so after I went all-in, I would urge you to consider the rational possibility that my analysis holds water this time too.
(Oh, and the market cap total for cryptocurrency just hit a hundred billion US dollars. And it’s still just the beginning. When cryptocurrency is ready, it won’t make sense to measure it in US Dollars any longer.)

June 7, 2017
Why politicians don’t, and can’t, understand the Internet

Politicians do not understand the Internet. It is not so much that the politicians in power today in their 60s weren’t born with it, even if that’s also true. It’s more that politicians as a profession are institutionally incapable of understanding it, just because it functions without – even despite – political interference.
Businesspeople are not much better in this regard. Where politicians understand power in terms of what they can regulate, businesspeople understand power in terms of ownership. But the Internet is neither; it cannot be owned nor regulated. As pointed out succinctly by Searls and Weinberger, the Internet is an agreement. It is a technical agreement between billions of people how to get a packet of data from point A to point B, where no point is worth more than any other.
In this, the Internet is best understood like a language, shared by billions. While there are certainly those who try to describe languages with authority, and publish dictionaries that some follow to the letter, at the end of the day, users of a language speak however they want, regardless of any attempts to correct them or make them do otherwise. In this, a language is an agreement between millions or billions of people, and no regulation is going to change the agreement; no governmental threat of force against any person or group of persons is going to change the meaning of a word, and no user of a language has more power over it than any other user, except by voluntary following from other users of the language, voluntary being the key word.
To understand how this contrasts utterly and completely with the worldview of a politician, we need to look at some specific present-day cases where they have been, and are, involved. Let’s take autonomous cars, autonomous delivery drones, and Hyperloop constructions.
In each of these cases, long-term planning is required to first relax the present regulations enough to allow for trials of autonomous vehicles (on road, in air, and on new rail), land zoning may be required for air and rail, investments must happen in cooperation with banking or rich companies, after which trials can proceed, and political committees can evaluate the results against some sort of safety criteria established by experts which is added to the value systems of the politicians in charge. Once the results are evaluated, the politicians may allow – allow! – mass market adoption of the new, disruptive technology. This is the worldview of a politician, this is how everything they know has come into being.
Now, compare this with the Internet, where no politicians at all were involved in its coming into being, with the possible exception of Al Gore. Politicians who are used to cooperating with state-owned, state-controlled, or at the very least state-subsidized media are finding themselves circumvented by something they didn’t allow, something that just emerged.
This is why I’m getting questions from most politicians, when I claim fiber is a necessity, why “this download speed is not enough”. For users of a language, it’s not enough to be able to listen; you must also be able to talk. One of the fantastic things about the Internet’s good connections is that download is on equal footing with upload — nobody’s a consumer, everybody’s an equal participant. Politicians absolutely do not get this, and therefore, good connections (where upload speed is equal to download speed) are still rare, even in 2017.
Everything exists only on the edges. There is no center point. There is no bottleneck. From a regulation standpoint, there is no chokepoint which can be regulated. “The Internet interprets censorship as [technical] damage to the network and routes around it.” In this context, “censorship” is any undesired regulation.
I could think of only one Internet regulation necessary at the moment, and that’s net neutrality. Still, even that is regulation only necessary to patch up previous bad regulation – a lack of competition in the telecommunications market – and one needs to be very careful to avoid so-called regulatory capture, where telco insiders take over the agency regulating them through a selection of means. (Wouldn’t it be better if you just had a selection of two dozen service providers? Bad actors like Comcast would be dumped like a bad habit.)
It’s therefore important to realize that the need for net neutrality regulation is a consequence of the telecommunications industry having been created through the political regulatory process described above. Where there are internet service providers who are not also telecom providers, where internet entrepreneurs leapfrogged the entire telecom industry and don’t carry last-century baggage, the concept of net neutrality is an absolute no-brainer. (“It’s the whole service and the entire point of the service, why would we want to sell a substandard service?”.) In contrast, the telecom industry will be utterly disintegrated by the Internet — who would want to pay by the minute for 9.6 kilobits-per-second of bandwidth that can only be used with one mediocre voice application, when you have 100 general-purpose flatrate megabits-per-second in the wall? — and so, the telecom industry has every strategic incentive to delay and prevent the utility of the Internet.
Privacy remains your own responsibility, especially in the face of clueless politicians.
Syndicated Article
This article was previously published at Private Internet Access.

June 6, 2017
Danish ISPs stop providing copyright industry with subscriber identities

Copyright Monopoly: Denmark’s ISPs are collectively putting their foot down and will no longer surrender identifying subscriber information to the copyright industry’s lawyer armies. This follows a ruling in neighboring Norway, where the Supreme Court ruled that ISP Telenor is under no obligation to surrender subscriber identities, observing that the infraction of the copyright distribution monopoly is not nearly a serious enough issue to breach telecommunications privacy. This has the potential to end a long period of copyright industry free rein in Denmark, and will likely create a long series of court cases.
Denmark has long been an ugly stepchild when it comes to civil liberties online, giving the copyright industry basically everything they want in their efforts to prop up a crumbling distribution monopoly at the expense of any and all liberties. Denmark was the first country to re-introduce governmental censorship just to censor The Pirate Bay off the net, it was where the copyright industry’s plan was devised to use horrifying child abuse imagery as a battering ram against net neutrality, with the end goal of censoring any and all sites they felt threatened their established analog-era business.
Partially as a result of this, some of the more innovative legal defenses also popped up in Denmark first, among them the open wireless defense, which states that you can’t be held liable for something that happened on your open wireless network. When the first case of this type was ruled on by a court, extortion letters in Denmark from the copyright industry and their troll lawyer armies dried up overnight.
Regardless, the extortion attempts have continued against people sharing knowledge and culture with each other — which, in the eyes of public perception, is not and should not be a crime. This is one of the areas where public perception of justice collides hardest with the old analog world which insists on maintaining its analog privileges at any cost to society and the digital generation’s liberties.
And so, in the past year alone, the demands on Denmark’s ISPs to identify subscribers have risen by 250 per cent, according to Danish ITWatch.
On April 26, the Supreme Court in neighboring Norway ruled that the telecoms provider Telenor is under no obligation to surrender identifying information to the copyright industry, reasoning that simple sharing of culture and knowledge is not nearly serious enough to justify breaching telecommunications privacy.
Last week, following that ruling in the neighboring country, the Danish Internet Service Providers collectively put their foot down and stopped giving the copyright industry’s trolls who engage in so-called “speculative invoicing” (conduct that would carry prison time in any other industry) the time of day. The ISPs have decided that their customers matter more to them than obeying the tantrums of an obsolete distribution industry on its last legs.
What’s really puzzling is how ISPs could even consider it any other way; at any other time or in any other place — not standing up for your customers, and taking their enemies’ side instead, is simply not very good business.
Regardless, the ISPs will still hold your identity and may be compelled by a court of law to surrender it, which is why a no-log VPN (or a no-log ISP, if you can find one) remains a very good defense. The caveat is that you are then trusting the VPN operator’s no-log claim rather than a legal obligation on the ISP, so that claim should be one you have good reason to believe.
Syndicated Article
This article was previously published at Private Internet Access.
(This is a post from Falkvinge on Liberty, obtained via RSS at this feed.)

May 20, 2017
Is it prudent to ask if Britain’s nuke subs, which also run Windows XP, have also been hit by ransomware?

Old World: Britain’s hospitals have been brought to a standstill because of ransomware infecting obsolete and unpatched Windows XP systems. The same obsolete operating system is powering Britain’s nuclear weapons arsenal. Is it prudent to ask if the British nuclear weapons submarines have been patched against this ransomware, or even hit by it?
As reported in January of last year, Britain’s nuclear submarines still run Windows XP. This is the outdated Microsoft operating system that was vulnerable to the ransomware, and it is the reason much of Britain’s healthcare system is currently nonfunctional and at a standstill: they ran Windows XP, they did not upgrade, and they did not patch.
(Microsoft released the patch for the underlying vulnerability, MS17-010, in March for supported versions of Windows. Windows XP, out of support since 2014, received an emergency patch only on May 12, as the outbreak was already spreading. Still running an unsupported operating system on a mission-critical network in May, and getting hit as a result, is therefore inexcusable.)
I would argue that hospitals and nuclear weapons platforms are both “mission critical” for a government. It can be safely argued that one is more dangerous than the other, but in terms of how important to society it is to upgrade them and keep them current, they are playing in roughly the same division.
In other words, seeing how Britain has failed to patch its Windows XP systems in mission-critical hospitals, I do not have faith that they have patched all other mission-critical systems – specifically including their nuclear weapons platforms.
Of course, this would all be classified and nobody would ever admit to something like this happening, except possibly fifty years later. But we do know that Britain’s nuclear submarines run Windows XP, and that they had a support contract which expired in July of last year, with an option to extend it to July of this year. We also know that Microsoft has now issued the security patch for XP to everyone, whether on a support contract or not, so a support contract makes no difference in this case.
We’ve observed that the NSA has a catastrophic conflict between its mission and its methods: it cannot keep a nation safe by simultaneously keeping it unsafe (refusing to fix vulnerabilities).
We’ve also observed that NSA tools will leak to whomever may want them.
We’ve also observed that mission-critical systems routinely go unpatched.
We’ve observed that military systems are supposed to be kept separate from the Internet, but that this is frequently ignored, and the same is largely true for mission-critical medical systems. Yes, those at the now-brought-to-standstill hospitals. A worm that spreads host to host over Windows file sharing (SMB), as this one does, also needs only one bridging laptop or USB stick to reach a supposedly separate network.
Let’s reword this to drive the point home. How likely is it that the United States NSA, through its persistent interest in keeping us unsafe, has managed to hand control of Britain’s nuclear weapons platforms to unknown ransomware authors, perhaps in Russia or Uzbekistan?
Of course, this is just speculation; it is not even at the level of a hypothesis. There would be no way for a civilian to know whether the subs are vulnerable, or worse, hit.
But given what has already happened, is it not rather relevant speculation that forces a few inconvenient questions?
Photo of the British HMS Vanguard submarine provided by the UK Government.
Syndicated Article
This article was previously published at Private Internet Access.
(This is a post from Falkvinge on Liberty, obtained via RSS at this feed.)

May 12, 2017
The six worst hypocrisies of the copyright industry in the last decade

Copyright Monopoly: The copyright industry keeps pounding a simplistic message to legislators – that copyright law is simple and that nobody honest could ever break it, and that it’s easy to “tell right from wrong”. But when you look at the deeds of the copyright industry instead of their words, they don’t seem very eager to follow their own rules themselves – if nothing else, demonstrating in deed that those rules are outdated, silly, or both.
The copyright industry has been pushing for tougher penalties since at least 1905, and against access for the public to culture and knowledge since at least 1849, when they opposed public libraries in the UK. The message from this industry has been remarkably consistent. However, the actions of this industry are as consistently hypocritical as that lobbying message. Here are some of the worst recent examples:
Number six: The movie studios themselves are torrenting at a large scale all the time.
The news site TorrentFreak used a service that matched torrent swarms to the public IP addresses of the big movie studios, and found that basically every movie studio – not to mention every company in the copyright industry – is engaging in large scale piracy themselves. While this is presumably individual employees using company resources, and not official actions of the company, it’s still impossible for the IT sysadmins of these companies to not notice.
Here’s what TorrentFreak found Paramount Studios sharing. Credit: TorrentFreak.
Yes, this is the very behavior for which they argued people should have their Internet access revoked, and they engage in it themselves on a large scale from their very headquarters.
Number five: Voddler, an early competitor to today’s Netflix, used a video player client that itself violated copyright.
Voddler, called Spotify-for-video at its heyday and frequently mentioned as a poster child in political debates about the copyright distribution monopolies, always pounded on the table saying how copyright was extremely important for blah, blah, and blah. Apparently, that importance only concerned Hollywood’s copyright, and not that of people who couldn’t defend themselves in a court of law.
(This was before Netflix had really shifted to what it is today, and video-on-demand over the Internet was not associated with the company Netflix at all.)
When Voddler put together its video player client, it did so by assembling code from the XBox Media Center (XBMC) and other free-software video projects such as ffmpeg and mplayer. However, that code was licensed under the free-software GNU General Public License (GPL), which means that anybody may use and reuse it, but only under certain conditions. Specifically, anyone who distributes a program built from it must pass on the same freedom to reuse that they were offered, which in practice means shipping the complete, buildable source code of what they distribute.
Voddler did not do this. They published something resembling source code for their client (the equivalent of a Netflix player), but nobody was ever able to compile it, so whatever it was clearly did not meet the GPL’s requirement of complete corresponding source.
The free-software community was outraged, Voddler got hacked and took its offerings down “for maintenance”, and tried to relaunch but never recovered from doing one thing and saying another entirely.
Number four: The lobbyist material to push the European Parliament to vote for ACTA, a draconian copyright-and-more treaty, was itself pirated.
ACTA was a global treaty designed to give the copyright industry a lot more power, much as SOPA/PIPA would have in the United States. It had been signed by most of the negotiating parties around the globe, with one major body still needed to approve it: the European Parliament. Predictably, the copyright industry went into overdrive in every committee meeting to have the Members of the European Parliament give them stronger protectionist measures. This poster was used:
The pro-ACTA poster used in the European Parliament, itself a pirate copy.
The problem with this is that the poster contains artwork which wasn’t licensed, making the high-profile pro-copyright campaign in the very European Parliament a blatant copyright violation. Multiple people traced the origins of that photo; Jérémie Zimmermann of LQDN found it to be a publicity photo which was permitted for use only under certain conditions which were not met, and an unnamed Danish reporter even tracked down the shipping line, their image repository, and the individual photographer to find out if it had been licensed. It hadn’t.
Number three: Pirating the music for a famous anti-piracy video ad.
One of the most famous, and also most parodied, anti-piracy ads of all time used its music without permission to do so. In other words, it was a widely distributed pirate copy of that music, all while trying to push the message that downloading is “stealing” (which is itself a blatant lie, at least according to the US Supreme Court, which can be said to have some authority on that particular matter).
You would if you could.
The music for this ad was created in 2006 by the Dutch composer Melchior Rietveldt, and it was to be used exclusively at a local film festival. To his surprise, he discovered it was also used on an anti-piracy ad on a Harry Potter DVD the following year – and in thousands, if not millions, of other places, which went completely against the licensed rights.
In another twist on this story, when Rietveldt demanded royalties for the illegal use of his composition, the local copyright industry (represented by Jochem Gerrits) demanded that the composer sign up under Gerrits’ own label if he wanted to see a single cent, and Gerrits would also personally take one-third of the already-owed fees and fines in exchange for allowing Rietveldt to receive anything at all. The “offer” appeared to be business-as-usual in the copyright industry; anywhere else, we’d call it corruption and racketeering, if not outright fraud.
Number two: The logo of the French official anti-piracy authority was pirated.
Around 2008, the copyright industry was heavily pushing the concept of “three strikes” – that your entire household should be cut off from the Internet, sending you into exile from modern society, on three accusations – accusations – of sharing music and movies outside the monopolized channels. From collective punishment to presumption of innocence, this violated a whole truckload of principles of due process. Nevertheless, the copyright industry pushed ahead and managed to get it installed in one European country – France – before the European Parliament, in the so-called Telecoms Package, required a prior fair and impartial procedure with judicial protection before anyone could be cut off.
The French authority responsible for cutting off citizens from the Internet when they had violated the monopolized distribution channels was called Hadopi, which in French tradition is an acronym for something like High Authority for Pretending We Are Very Important. When the authority for protecting copyright and standing tall for these monopolies was unveiled, amid pomp and trumpets, it turned out that their very logo was a pirate copy.
Specifically, they had used a font which had been exclusively licensed only to France Telecom, and which nobody else therefore had the right to use. This included the French Government and their authorities, such as the caught-with-the-hand-in-the-cookie-jar Hadopi.
So according to this very authority, its act of overt piracy should lead to the French Government having its Internet access revoked. You get one guess on whether that happened, or whether the copyright industry considers copyright law only to apply to the low common plebs and not to themselves.
Number one: Sony willfully planting pirated remote-control malware on millions of computers to “protect the concept of property rights”.
In 2005, computers had this thing called “autorun” for CDs inserted into them: to be user-friendly, Windows would automatically run whatever program the autorun.inf file on the disc pointed to, without asking. Windows users of the era also typically ran their everyday sessions with Administrator privileges. This was not a very good combination.
Sony used this to distribute music CDs that were actually mixed-mode CDs: they contained a small data track alongside the music they claimed to hold. When the disc was inserted into a Windows CD drive, the data track silently installed remote-control malware that let Sony dictate how the computer was used from then on. Specifically, it would refuse to let the computer do certain things with Sony music in the drive, for no obvious reason. It also collected data from the computer and sent it to Sony.
This was the first time a major record label willfully distributed a rootkit (a malicious program that hides its own presence and runs with administrative privileges) with the objective of infecting its own customers. It infected millions of computers. Sony distributed over 20 million CDs carrying the deliberate malware.
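As an added example (not code from the original post, and not Sony’s code), here is a PowerShell audit of the two conditions described above on a Windows machine, with the hardening step Microsoft documents for the first of them: the NoDriveTypeAutoRun policy value under the Explorer policies key, which disables AutoRun for every drive type when set to 0xFF. The function names and the -Harden switch are this example’s own.

```powershell
# Added example: audit the "AutoRun enabled + running as Administrator"
# combination the post describes, and optionally close the AutoRun half.
param([switch]$Harden)

# Documented policy location; a bitmask of drive types for which AutoRun is off.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunState {
    # 0xFF disables AutoRun for all drive types; Windows defaults leave optical
    # media enabled, which is exactly what a mixed-mode music CD abused.
    $value = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) { return 'not set (Windows default, optical AutoRun allowed)' }
    if ($value -eq 0xFF)  { return 'disabled for all drive types' }
    return ('partially enabled (0x{0:X2})' -f $value)
}

function Test-RunningAsAdministrator {
    # True if the current token is in the local Administrators role, i.e. an
    # autorun payload would have installed with full privileges.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-AutoRunEverywhere {
    # Requires an elevated prompt; creates the policy key if it is missing.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
}

Write-Host ('AutoRun policy  : ' + (Get-AutoRunState))
Write-Host ('Running as admin: ' + (Test-RunningAsAdministrator))

if ($Harden) {
    Disable-AutoRunEverywhere
    Write-Host ('AutoRun policy  : ' + (Get-AutoRunState))
}
```

Run it without arguments to audit, and with -Harden from an elevated prompt to apply the policy. On Windows XP this value was only honoured reliably after the fix described in Microsoft’s KB967715, the usual reference for the setting, which is one more reason the 2005-era combination was so effective.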
When they were held to answer for this, they first denied any wrongdoing whatsoever, claiming “we are doing this to protect the legitimacy of property rights” (!!), and later feigned ignorance: “The customers probably don’t know what a rootkit is anyway, so why should they care about it?”. Under immense public pressure, they published a removal program, which only made the problem worse.
At the end of this story, Sony settled the class-action lawsuit by handing out replacement discs and free downloads from its own catalog as the remedy for having willfully infected millions of computers, sending themselves data from those computers, and giving themselves administrative access to them.
Bruce Schneier has one of the best writeups on Sony’s malicious behavior, and also notes that Sony pirated GPL-licensed code when writing their malicious rootkit, as the icing on the cake of this story.
In summary, the copyright industry has been consistently expert at one single thing in the past decade: demonstrating in action either that copyright law shouldn’t be followed at all, or that it applies only to those who can’t afford to have protectionist law written on request to serve their interests.
Syndicated Article
This article was previously published at Private Internet Access.
(This is a post from Falkvinge on Liberty, obtained via RSS at this feed.)

