Yesterday, Nov 17, was the sesquicentenary of the zero-date of the American Ephemeris. I meant to write, but got distracted. Astronomical ephemeris counts forward from this date.
That particular date was picked because it was (approximately) Julian Day 1,000,000, but given calendar shifts and all, one could argue for other zero dates as well. The important thing is to pick one.
There are some who think that this would be a better zero-time for computer timekeeping than what most of us use presently. It has the advantages that almost all of the Julian/Gregorian calendar skew comes after this (Russia being the major exception) and that it is far enough back that nearly all time-and-date calculations you need to do with quick math can be just adding and subtracting. And it has a nice scientific tie-in.
Other common zero-dates are 1 Jan 1904 (picked because if you pick this date, you can calculate all the way to 2100 assuming that leap years are every four years), and 1 Jan 1970 (picked because this was the last day that The Beatles recorded music in Abbey Road studios -- actually, their last date was Jan 4, but close enough).
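As an added illustration (not part of the original post), here is Python that re-bases day counts between the three zero-dates named above and finds the first day on which the 1904 "leap year every four years" shortcut gives a wrong answer; the epoch labels "mjd", "mac" and "unix" are my own.

```python
from datetime import date, timedelta

# The three zero-dates discussed above: the 1858 zero of the astronomical
# (Modified Julian) day count, the 1904 classic Mac OS/HFS epoch, and the
# 1970 Unix epoch. Labels are ours, not any standard's.
EPOCHS = {
    "mjd": date(1858, 11, 17),
    "mac": date(1904, 1, 1),
    "unix": date(1970, 1, 1),
}


def day_number(epoch, y, m, d):
    """Whole days from the named zero-date to y-m-d (negative if earlier)."""
    return (date(y, m, d) - EPOCHS[epoch]).days


def convert(count, src, dst):
    """Re-base a day count from one zero-date to another: pure addition."""
    return count + (EPOCHS[src] - EPOCHS[dst]).days


def from_day_number(epoch, count):
    """Inverse of day_number: the ISO date `count` days after the zero-date."""
    return (EPOCHS[epoch] + timedelta(days=count)).isoformat()


# Days before the first of each month in a non-leap year.
_CUMULATIVE = (0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334)


def naive_days_since_1904(y, m, d):
    """Day count using the 1904 shortcut: every fourth year is leap.

    The shortcut ignores the century rule, which is harmless from 1904
    until the first skipped leap year, 2100.
    """
    years = y - 1904
    days = years * 365 + (years + 3) // 4      # leap days in completed years
    days += _CUMULATIVE[m - 1] + d - 1
    if y % 4 == 0 and m > 2:                   # this year's (assumed) Feb 29
        days += 1
    return days


def first_divergence():
    """Walk forward from 1904 and return the first date where the naive
    counter disagrees with the real Gregorian calendar."""
    cur = EPOCHS["mac"]
    while naive_days_since_1904(cur.year, cur.month, cur.day) == \
            (cur - EPOCHS["mac"]).days:
        cur += timedelta(days=1)
    return cur.isoformat()


if __name__ == "__main__":
    print("Unix epoch as an 1858-based day number:", convert(0, "unix", "mjd"))
    print("1904 shortcut first fails on:", first_divergence())
```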
And the reason it doesn't work is that just because you're allowed to own something doesn't mean you're allowed to export it. The use, ownership, production, etc. of crypto was never restricted, only its export. In an Internet-enabled world, export control brings lots of hair with it, which is why it was important to fight export restrictions. I could go on, but I've already ruined an otherwise amusing strip.
I'm really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code.
But I'm most excited about the public availability of the SDL Threat Modeling Tool. I've been working on this for the last 18 months. A lot of the thinking in "Experiences Threat Modeling at Microsoft" has been made concrete in this new tool, which helps any software engineer threat model.

I'm personally tremendously grateful to Meng Li, Douglas MacIver, Patrick McCuller, Ivan Medvedev and Larry Osterman. Each of them has contributed tremendously to making the tool what it is today. I'm also grateful to the many Microsoft employees who have taken the time to give me feedback, and I look forward to more feedback as more people use the tool.
According to The New York Times in, "Surveillance of Skype Messages Found in China," the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like "Falun Gong," "Independent Taiwan," and so on.
A group of security people and human rights workers not only found out that TOM-Skype is not secure, but found the list of banned words because, as usual, someone didn't set up their servers very well. A report can be found here.
Skype president Josh Silverman replied to the issue today in this article. He says that yes, it's happening:
It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years. This, in fact, is true for all forms of communication such as emails, fixed and mobile phone calls, and instant messaging between people within China and between China and other countries. TOM, like every other communications service provider operating in China, has an obligation to be compliant if they are to be able to operate in China at all.
He's right: one of the quandaries of business in China is that you have to put your belief in freedom in a trust when you go there. This is why many of us do not like doing business there.
However, he also said:
We also learned yesterday about the existence of a security breach that made it possible for people to gain access to those stored messages on TOM's servers. We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach. In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM.
In other words -- it's bad for the Chinese to spy, and bad for people to catch them at it. Oh, naughty Chinese, and shame on you too, Infowar, for dragging this into the daylight.
This comes on top of April's flap in which the German and Austrian governments essentially said that they have no trouble listening in to Skype. Skype hasn't commented on that. This is a different issue, as it appears that the surveillance is being done via malware.
Despite the fact that we still don't know what goes on inside of Skype, it appears that the software is basically secure -- or at least the voice parts are. Or was at one time. The noted cryptographer Tom Berson did an analysis of Skype and showed that it was reasonably secure. There were also reverse-engineering analyses done on Skype by Philippe Biondi and Fabrice Desclaux, presented at Black Hat in 2006, that showed it was secure, if eccentric in its design.
However, despite the security of the voice parts, the text parts are obviously not secure. And we have this uncomfortable set of circumstances:
The problem here is one of labeling, and the market effects. I'm sophisticated enough to know that when Josh Silverman says:
... Allowing the world to communicate for free empowers and links people and communities everywhere.
that he is stating that free (as in beer) is important, even if he's unable to do a lot about free (as in speech) in repressive countries and in the face of law enforcement technologies.
But Skype has always touted itself as a secure technology. The reason that it became popular for free (as in beer) conversations was that we thought and were assured that it was also free (as in speech). Skype themselves paid for a security analysis.
Skype thus became not only the proverbial eight-hundred pound gorilla, but (it seems) the proverbial dog in the manger. Skype's presence has actively hindered other secure-voice technologies. Phil Zimmermann's Zfone, for example, has had to answer the question, "why do we need you when there's Skype?" It seems that he'll be answering that question less. Josh Silverman needs to do something to show us the basic integrity of the system. Presently it appears that he has empowered us to have communities everywhere but China, or Germany, or any place with a sophisticated and powerful government. At the very least, he should protect eBay's investment, because if people conclude that Skype is not secure, eBay may wish they'd invested that $1.6 billion in mortgage-backed instruments instead.
While Babs' vocal stylings may be an "acquired taste", today I have a new appreciation for the Streisand Effect.
Thanks to Slashdot, I learned that Thomson Reuters is suing the Commonwealth of Virginia alleging that Zotero, an open-source reference-management add-on for Firefox, contains features resulting from the reverse-engineering of Endnote, a competing commercial reference management product.
Turns out that while I am pretty happy with Bibdesk, it's not the perfect solution for me. I had never heard of Zotero, so I downloaded it and played around. Color me impressed. If you are looking for a browser-integrated citation and reference management tool, I'd give Zotero a look.
Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of the world's first computers. (If you pick the right set of adjectives, you can say "first." Those adjectives are apparently "electronic" and "programmable.") It has been rebuilt over the last fourteen years by a dedicated team, who have managed to figure out how it was constructed despite all the plans and actual machines having been dismantled.
Of course, keeping such things running requires cash, and Bletchley Park has been scrambling for it for years now. The BBC reports that IBM and PGP have started a consortium of high-tech companies to help fund the museum, starting with £57,000 (which appears to be what the exchange rate is on $100,000). PGP has also set up a web page for contributions through PayPal at http://www.pgp.com/stationx, and if you contribute at least £25 (these days actually less than $50), you get a limited-edition t-shirt complete with a cryptographic message on it.
An interesting facet of the news is that Bletchley Park is a British site and the companies starting this funding initiative are each American companies. Additionally, while PGP is an encryption company and thus has a connection to Bletchley Park as a codebreaking organization, one of the major points that PGP and IBM are making is that Bletchley Park is indeed a birthplace (if not the birthplace) of computing in general.
This is an interesting viewpoint, particularly if you consider the connection of Alan Turing himself. Turing's impact on computing in general is more than his specific contributions to computers -- he was a mathematician far more than an engineer. He was involved in designing Colossus, but the real credit goes to Tommy Flowers, who actually built the thing.
If we look at the history of computing, an interesting thing seems to have happened. The Allies built Colossus during the war, and then when the war ended agreed to forget about it. The Colossi were all smashed, but many people involved went elsewhere and took what they learned from Colossus to make all the early computers that seemed to have names that end in "-IAC."
(A major exception is the work of Konrad Zuse, who not only built mechanical programmable computers before these electronic ones, but some early electronic ones, as well.)
This outgrowth from Colossus also seems to include the work that turned IBM from being a company that primarily made punched cards and typewriters to one that made computers. It is thus nice to see IBM the computing giant pointing to Colossus and Bletchley as a piece of history worth saving along with the cryptographers at PGP. It is their history, too.
I think this dual parentage makes Bletchley Park doubly worth saving. The information economy has computers and information security at its core, and Colossus sits at the origins of both. Please join us in helping save the history of the information society.
A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges.

So reports the Washington Post. Wow.

The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is the root of the problem has been part of the software for 10 years, said Chris Riggall, a spokesman for Premier Election Solutions, formerly known as Diebold.
When Congress acts in haste, a la the HAVA fiasco, we all repent at leisure.

Uncle Harold (not his real name, not our real relationship, and I never even called him "Uncle") was a cool guy who always fixed his own cars. Most of my life, Uncle Harold has been complaining. It used to be you could actually fix a car. You could put things in, take them out, adjust them, tune them, and so on. As time has gone on, cars got electronics in them, then computers, and nowadays an auto mechanic is as much a computer tech with grease under his nails as a mechanic.
I never was much into mechanics as a kid. My father wasn't, either, and discouraged me from ever being a mechanic. If he were to read this, he'd deny discouraging me, but he did. All he did was point out that some bit of automotive fluff that caught my eye would literally be high-maintenance, and either you do that yourself or you pay someone else.
I eventually did buy a pre-1968 bit of automotive loveliness as part of a quarter-life (okay, third-life) adjustment. The 1968 date is important because that's when the US started requiring pollution controls, safety equipment, and so on that caused the transit of the gloria of Uncle Harold's mundi.
For a technologist, a pre-'68 car is utterly amazing because of the sublime lack of technology in it. It needs petrol to burn, water to cool, oil to lubricate, and enough electricity to drive the spark plugs. That's it.
The first time I tuned a pair of SU carbs, it was amazing fun. I could really understand Uncle Harold's irritation. The tenth time it was far less fun, partially because I'd gotten good at it. It was just a chore. I could really understand my father's point of view even better. Eventually, the antique bit of fluff got sold and I got a modern fun car that has computers that run everything from engine to brakes.
It's really sort of sad that I can't tune the carbs (which of course I don't have; it's all fuel-injected). It's even amusing that if you pull the power from the car, the computers lose their state and they have to re-tune the ignition system over the next few miles you drive -- in a wtf sort of way. I mean, haven't these people heard of flash? How much space does it take to store ignition settings and radio presets? (Yes, Uncle Harold, a real radio stores its presets mechanically. Thanks.)
But it's really wonderful that I don't have to tune the carbs. There are reasons why those wonderful old systems were replaced. The new ones really are better. Uncle Harold thinks the world has gone to hell in a hand basket. I see the merit in what he says, but when it comes right down to it, I prefer my present hell to Uncle Harold's heaven.
The brilliant Ivan Krstić has recently written about the transit of his own personal gloria, the OLPC project. In part of his essay, he shows clearly about how some open source people, in particular RMS, have become Uncle Harold, insisting that if you can't tune those metaphorical carbs, it's like forcing people to be crack addicts. (And this is paraphrasing, not misquoting RMS.)
Krstić also talks about the same Haroldisms. He says:
About eight months ago, when I caught myself fighting yet another battle with suspend/resume on my Linux-running laptop, I got so furious that I went to the nearest Apple store and bought a MacBook. After 12 years of almost exclusive use of free software, I switched to Mac OS X. And you know, shitty power management and many other hassles aren't Linux's fault. The fault lies with needlessly secretive vendors not releasing documentation that would make it possible for Linux to play well with their hardware. But until the day comes when hardware vendors and free software developers find themselves holding hands and spontaneously bursting into one giant orgiastic Kumbaya, that's the world we live in. So in the meantime, I switched to OS X and find it to be an overwhelmingly more enjoyable computing experience. I still have my free software UNIX shell, my free software programming language, my free software ports system, my free software editor, and I run a bunch of free software Linux virtual machines. The vast, near-total majority of computer users aren't programmers. Of the programmers, a vast, near-total majority don't dare in the Land o' Kernel tread. As one of the people who actually can hack my kernel to suit, I find that I don't miss the ability in the least. There, I said it. Hang me for treason.
My theory is that technical people, especially when younger, get a particular thrill out of dicking around with their software. Much like case modders, these folks see it as a badge of honor that they spent countless hours compiling and configuring their software to oblivion. Hey, I was there too. And the older I get, the more I want things to work out of the box. Ubuntu is getting better at delivering that experience for novice users. Serious power users seem to find that OS X is unrivaled at it.
I used to think that there was something wrong with me for thinking this. Then I started looking at the mail headers on mailing lists where I hang out, curious about what other folks I respect were using. It looks like most of the luminaries in the security community, one of the most hardcore technical communities on the planet, use OS X.
And lest you think this is some kind of Apple-paid rant, I'll mention Mitch Bradley. Have you read the story of Mel, the "real" programmer? Mitch is that guy, in 2008. Firmware superhacker, author of the IEEE Open Firmware standard, wrote the firmware that Sun shipped on its machines for a good couple of decades, and in general one of the few people I've ever had the pleasure of working with whose technical competence so inordinately exceeds mine that I feel I wouldn't even know how to start catching up. Mitch's primary laptop runs Windows.
I know exactly what he means. Once, long ago, I'd fire up my GosMacs session in the morning and close it down when I'd go home. I and my colleagues had so customized our editors (which we lived in) that we said that using someone else's emacs was like using someone else's toothbrush. It's just not done.
When the Story of Mel came out, one of my coding buddies read it and it really creeped her out. She sent out an email to all of us that said, "Oh, my God, that's my *DAD*!"
I once patched a running CVAX just to watch it fly. I admit that I did it because of the smart remark in Dungeon. And I've changed my unices so many times I don't know what I look like.
Like me, Ivan's stopped being Uncle Harold with computers. I like being able to get grungy, but I also hate having to. The last remnant of my Uncle Haroldism is my main server that's running FreeBSD. I am especially glad this week that I listened to Ben and didn't put Ubuntu on it. I'm even chafing at that system and asking myself why I don't just outsource the whole damned thing. I'd tell you, but then you'd see my tinfoil hat. (Oh, all right. If you run your own mail server, they can't NSL your sysadmin. I know what you're going to say. I've said it myself. Hush.)
Nonetheless, the Uncle Harolds of the world have a point. It's nice to be able to change your kernel. It's nice to be able to recompile everything. It's just a drag to have to. When Open Source realizes that, it will make great strides to getting back people as non-technical as Ivan. And yeah, Ubuntu's getting close, I know that. I actually do love puttering around, but another prop has occupied my time.
Photo courtesy of Light Collector.

Microsoft Office 2008 for the Macintosh is out, and as there is in any software release from anyone there's a lot of whining from people who don't like change. (This is not a criticism of those people; I am often in their ranks.)
Most of the whining comes because Office 2008 does not include Visual Basic. In some respects, this is welcome change because Office never should have had Visual Basic. VBA is what enabled the Macro Virus. Furthermore, Office 2009 (for Windows) is not going to have VBA, either.
However, not shipping VBA in Office 2008 means that people who want to have cross-platform documents that are pseudo-applications have to deal with it in 2008, not 2009. That's worth complaining about.
The reason, according to El Reg, is blink-inducing:
Microsoft argued that the technical problems involved in porting Visual Basic at the same time as revamping Mac Office to work on Apple's Intel platform would have meant further delays.
I have demonstrated the absurdity of that argument in my headline. Please, I'm a technologist. I can imagine the real reasons. It was a pain in the butt; it would have required hiring another person or two; it seemed futile to port it when Office 2009 is going to get rid of it. I understand. Don't insult my intelligence. Don't lie to me.
The truth is that you didn't want to, because it would suck. And what are we customers going to do, anyway? So that means you don't have to do it because you don't want to.
OpenOffice sucks. No, really, it does. I have co-workers that use it and watching them always brings a smile of schadenfreude to my lips. When trying to bend Word or PowerPoint to my will makes me want to put my fist through the screen, nothing makes me feel better faster than strolling into someone's office and saying, "I dunno, maybe I ought to switch. How do you do XXXX in OpenOffice?" It's cruel; it is the equivalent of seeking out someone with no feet because you have no shoes. But hey. I admit and argue the necessity of using Office, but I am Mordaxus, not Pangloss.
Pages is cute and nice for new work, but people don't send me Pages documents, they send me Word documents. Keynote rocks — it got Al Gore both an Oscar and the Nobel Prize — but when someone says, "Would you look at this deck" it's a ppt.
There will be those who are scrolling for the reply button to tell me that Pages and Keynote can import Office documents. They can. I still need Office, because they import Office documents; they don't interoperate with them.
Longer work is another issue. Over the last couple of years, I've become a LaTeX expert again. The irony is that I stopped doing most of my work in LaTeX because Word 3 was better for so many things. Nonetheless, nothing is as drop-dead gorgeous as a TeX document.
This weekend, a friend who writes books recommended Scrivener to me as an alternative for long documents. Scrivener is more or less a project manager for large documents. I'm going through the tutorials, which are amusing. It reminds me in other ways of the wonderful Notebook by Circus Ponies.
Nonetheless, the friend who pointed me there uses Word.
This brings us back to the matter at hand. As painful as it is for Microsoft, they are a monopoly. Not using Office is not an option. Sure, I can screw around with beautifully designed, fun to use productivity managers, but you have to use Office. (Or LaTeX.)
The plus side of being a monopoly is that you are ubiquitous, and money doesn't do anything as plebeian as grow on trees for you. The minus side is that when a tree falls in the forest on some power lines, you hear it, and you have to fix it!
Forget duty, let's talk self-preservation. Microsoft, if you don't want to go the way of Western Union, AT&T, IBM, Bessemer Steel, or The Railroads, you have to at least pretend you like us, your customers. Getting rid of VBA is a great idea. It was an abomination in the first place, breaking the data/code separation that security needs. But if you're going to can it in 2009, you have to can it in 2009, not 2008. The result is that we're going to get more hair-pulling for another year.
Last night I was talking with a certain analyst from a large company that we've all heard from and we got into a discussion about most security people not understanding encryption at all, to the point that it is assumed to be a cure-all. In fact, with the exception of encrypting data at rest (and in many cases not even then), use of encryption serves as nothing more than providing a false sense of security.
This is particularly true in the case of SSL. SSL is probably the most deployed, least useful security technology since tin foil underwear. Gene Spafford (as usual) put it best years ago, and nothing has changed:
"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."
Take a look through the various breach databases. Is there a single case where the breach could have been prevented by the use of transport level encryption? I have yet to find one.
But what about CA1386 and its brethren? Or PCI? They mandate encryption. PCI dropped the requirement with the move to 1.1, so clearly they didn't see any real benefit of it. As for CA1386 and the like, although use of encryption does provide one with a get out of jail free card, all of the practical ways of applying encryption to online systems mean that hacking the server means you have access to either the encryption keys or a database that is already decrypted for use.
Which brings us to data at rest. Encryption is only as good as the password/passphrase that protects the keys. Users are notoriously bad at selecting good passwords. Combine this with the fact that the more popular disk encryption programs (EFS, BitLocker, FileVault, etc.) automatically decrypt the data for you on the basis of your login credentials, and in many cases one again isn't that well protected. On the plus side, tools like PGP, BitLocker and others are well suited for protecting data at rest when they are separated from their keys. Particularly USB drives and the like.
So when doing a risk assessment, please don't assume something is secure because it uses encryption and please don't assume that whatever issues there are can be fixed by adding encryption. After all it is just security theater.
[Edit: Corrected a typo. Thanks Gavin.]

John Backus, leader of the Fortran team, has died at the age of 82, according to The New York Times. Fortran itself celebrates its fiftieth birthday this year, and you can still write it in any other language, even Haskell. Even Lisp.
Back in the days when I would rather have died than work for IBM, in part because of their dress code, but also because of the influence that Ted Nelson had on me, I remember being impressed with Backus's way of flouting form. IBM employees were required to wear suits; Backus always wore a denim suit. I remember the picture of him in the newspaper. It's a little thing, but it meant a lot to me. I'm glad that the photo I found of him on IBM's site has him in denim, and glad that I can explain why dressing in denim was at one time radical.
I also think it important that even the NYT today wrote "Fortran" and not "FORTRAN." Writing it as a proper noun and not an acronym was an annoying eccentricity of mine in those days as well.
Arthur wrote recently about an NYT article about dangers of the iPhone. The NYT has a bizarre policy about articles which makes them available for only a few days, so likely you'll have to take my word about that article.
I liked this article a lot because it mentions eMusic. I'm an eMusic customer and have been for years. They have a great product and are constantly ignored. In my cynical moments, I think that they are ignored because the news is often driven by company X complaining about Apple's ITMS and its DRM. The problem isn't that it's DRM, but that it's Apple, who have the nerve to make products that people want, instead of forcing buyers to want the product that they make. eMusic doesn't DRM their music, but they do watermark it so that it's known to be yours.
For me, the problem with computerized music is that it has an attitude about music that predates 78 rpm albums. Part of why I buy what I buy is not the music per se, but the metadata. Album covers, liner notes, and so on. The biggest problem with most digital music is that you don't get all the metadata. I have bought CDs from Amazon that I could have downloaded for free from eMusic (you get N downloads per month, and it's use them or lose them), because I want the liner notes.
I did not like the article because although it was news, it wasn't good journalism. The headline was "Want an iPhone, Beware the iHandcuffs." It wasn't about the iPhone at all, it was about the iTunes Music Store, and Apple's FairPlay DRM system. The news wasn't about the iPhone, it was about a lawsuit challenging the legitimacy of FairPlay. I'm all for discussing the idiocy that is DRM, but putting an iPhone headline on a DRM article is a technique better known as bait and switch.
The actual news in the story is that a woman named Melanie Tucker is suing Apple over DRM. She argues that supporting no other DRM mechanism makes the iPod "crippleware." The reporter, Randall Stross, uses this as a launching point for his own editorial, a summary of which is that DRM is ipso facto crippling the device.
Somewhere between the two of them, the article discusses the difference between Apple's go-it-alone DRM strategy and Microsoft's licensing strategy. This would be an interesting discussion except for the fact that Microsoft abandoned its own old DRM system, PlaysForSure, in favor of the new one on the Zune. Along with the deliciously ironic abandoning of PlaysForSure is an abandonment of Microsoft's previous partners and customers.
Along with never discussing the iPhone, the article also never discusses customers. I'm an intelligent consumer, and when I want to buy some music, I (shock horror) shop around. It is not uncommon that I can find something on eMusic, ITMS, or Amazon. I recently did, and could get it for $9.99 from ITMS, or $13.99 from Amazon, or twelve tracks from eMusic. I subscribe to eMusic at a rate where I get 40 tracks per month for $9.99, and can buy 30 tracks for $15.99. That means that that album costs me somewhere between $3.00 and $6.40 from them.
Superficially, eMusic is cheapest in this case, although that's not always true. For example, I recently bought a Chopin CD with 33 tracks. It would cost twice as much on eMusic as on Amazon. That is, however, merely an exception worth noting. In the typical case, where an album has ten-ish tracks, if I have to choose between eMusic and ITMS, eMusic is the clear winner. It's not only much cheaper, but there's no DRM (although there is watermarking, and that changes the security equation). However, if I buy the album from Amazon, I get a physical object that I can rip at any quality I like with neither DRM nor watermarking, as well as the liner notes. Often, I get the CD, despite it having the greatest cost because it has the greatest value. Price is what you pay, but value is what you get.
Many of the discussions (or more properly, whining) about whatever DRM system appear to be written by people who have no knowledge of digitized music. They don't seem to understand at all that the vast majority of music players can play music that you rip from a CD. If you're in the US, this is the best value. (If you're not in the US, you have the added thrill of thumbing your nose at The Man, which is arguably priceless.) Perhaps I am unique, but no one has ever held a gun to my head and forced me to buy DRMed music. They have distributed content that I couldn't get any other way and I've fallen for that, but I went willingly into that transaction, no matter how stupid it may have been.
Liberty itself may be defined as the right to be stupid. You don't need liberty if you're doing the smart thing. This is similar to the observation that you don't need free speech if you're a nice person.
It would be smart of Apple to do what Ms Tucker would like, allowing her to play other DRM forms of music in order to make iPods, already the dominant music player, even more ubiquitously useful. I mean heck, at this point, having music that only plays on an iPod is kinda like having music that only plays on a CD player. I know that my CDs don't play in my cassette player, and I don't care.
But who are we to force them to be smart? Do we then move to a court-ordered parity between Blu-Ray and HD-DVD? Do we require Apple Corps Ltd to make their music available electronically (which rumor says is going to happen at The Super Bowl)? Their so-far aversion to digital music seems to be saying, "No thanks, this new medium is scary and we're rich enough." They're not even sure of this whole web thing, as you will see if you look at their web site. This behavior is self-destructive, if you believe that it is the obligation of a company to maximize itself.
If you don't like DRM at all, FairPlay is the scariest of all DRM systems because it's the most, um, fair. You can do more with an ITMS song than you can do with your own content on a Zune. Despite my being an enthusiastic eMusic customer, I worry more about my eMusic content than my ITMS content, because of the watermarking. Suppose my cats (or worse, my teenager) were to put my eMusic stuff up on the net. I don't approve, but it can be tracked back to me, and that is a security risk! Security is all about threat models, and if your threat model includes cats with a love for LimeWire, watermarking is worse than DRM. If you have music that is available to people you don't exactly trust, then DRM is safer than watermarking. No DRM is still better, but only if you want to look the other way.
Despite all of that, no one is holding a gun to anyone's head here. Liberty is all about being stupid, and Mencken perhaps is up there with Madison. Perhaps a better way to say that is that there's a fine line between stupid and clever. While I may not share someone's cleverness, I think they have a right to it.
I was looking for a suitable picture to attach here, and most of what I found demonstrated a level of ignorance that I thought would be an embarrassment to the person I'd take it from. These people actually seem to think that you can only play DRMed music on an iPod.
The iPod is the easy target, but the same thing applies to nearly every player. You can use "smart" formats like MP3, AAC, OGG, etc., or the "dumb" ones like FairPlay, PlaysForSure, and so on. The dumb ones are a dumb consumer choice, and I think they're headed the way of your favorite extinct animal. I believe that those two are connected. They're heading to extinction because they're a dumb consumer choice. That's why I ultimately selected the megasloth for my pic. But hey, sometimes consumers, including me, are stupid. I really like that live, hard-to-find performance I bought from ITMS. It's no stupider than my copy of The White Album on white vinyl. While the latter is actually a valuable collector's item, I don't listen to it, and buying an album you've never played because it's on white vinyl is right on the line between clever and stupid. It's both at the same time.
Megasloth courtesy of Mark Witton.
Joanna Rutkowska of Blue Pill fame, gave a presentation at the recent Chaos Communication Congress on "Stealth malware - can good guys win?". Unfortunately, I couldn't make it to the presentation in person, but the powerpoint slides are a great read. I highly recommend it. Definitely food for thought.
[Image is Hypervisorus Blue Pillus from invisiblethings]
Back in July, I posted about online code searching and static analysis in "Meet The Bugles". Google has now seriously upped the ante and released Google Code Search, which I am constitutionally required to mention includes full regular expression support. Now I was going to post an analysis of the cool things that one could do with this, but then I saw that Aaron Campbell had done a far better job over on Arbor's blog with "Static Code Analysis Using Google Code Search". Check it out...