Slashdot Log In
Keep It Legal To Embarrass Big Companies
from the safe-legal-and-rare dept.
Bennett Haselton is the founder and head of Peacefire, an activist group to support the free-speech rights of young people. He suggests that you might want to download the X-Stop "smoking gun" evidence (4MB) before the company has a chance to remove it from their server.
The feature below was written by Mr.Haselton.
X-Stop is an Internet censoring program with an encrypted database of 370,000 URL's blocked under various categories: Sex, Drugs, Rock `n' Roll, etc. Their competitors like SurfWatch and Cyber Patrol also do not publish their blocked site lists; the officially given reason is to keep kids from using the lists to find smut on the Internet. This is silly, given how easy it is to find Internet porn without the aid of X-Stop's secret database (although if you still want to, you can download our codebreaker, follow the instructions to get the X-Stop list and decrypt it, and help yourself). But for the next part of our report, after we decoded the URL list, we looked at the first 50 URL's in the .edu domain that were still valid, and found that 34 of them were regular student home pages with nothing offensive (hence the "68% error rate" t-shirt slogan). None of those 34 students who responded to our e-mails could think of why X-Stop would want to block their pages.
X-Stop admits on their Web site that their database is put together by a Web spider called "Mudcrawler" and not by human reviewers, but even for a machine, a 68% error rate is pretty bad. And even though the real reason why these lists are encrypted is obviously to keep competitors from stealing them, this also makes it much harder for third parties to find out what the programs really block. In fact, X-Stop had once claimed that every URL on their list was reviewed by a human before getting blocked, but cyber lawyer Jonathan Wallace called them on it when he published "The X-Stop Files" in 1997, asking why X-Stop blocked several sites like the Quakers home page, the AIDS Quilt, and parts of Jonathan's own e-zine, The Ethical Spectacle. Peacefire also put up a page in 1998 about sites blocked by X-Stop, including an affirmative action site and a blind children's hospital. But these examples were all found through trial and error; today is the first day that the entire list of URL's has been made public. And to determine the 68% figure, it was necessary to have a copy of the entire list, so that the first 50 blocked sites could be used as a random sample.
So far, this is more or less the same story that took place in 1997 with another blocking program, CYBERsitter, right down to Jonathan Wallace posting a page about CYBERsitter and getting his site blocked. First, several people posted articles criticizing CYBERsitter's policies, and slowly CYBERsitter's public image deteriorated as word got out that they were blocking sites which criticized their company (even Time magazine got blocked, and then posted an article about how they found themselves on CYBERsitter's list). Then in April 1997, Peacefire released a program that broke the encryption on CYBERsitter's list of blocked URL's. CYBERsitter sent Peacefire a threatening letter demanding that we take down the program and remove all of our links to CYBERsitter's Web page. Jim Tyre, a volunteer lawyer and future founding member of the Censorware Project, sent CYBERsitter a reply telling them they had no case, and we never heard from them again. But UCITA, the Digital Millennium Copyright Act, and the two court injunctions against the right to post DeCSS, didn't exist in 1997. If we had released the CYBERsitter codebreaker today, would CYBERsitter actually file a lawsuit?
The outcome of the DeCSS court cases could, in fact, determine the rights of a private citizen to embarrass a big software company by reverse engineering their products and catching them in a lie. It's easy to forget the importance of legal protection for reverse engineering, because sometimes public opinion is enough: RealNetworks never sued Richard Smith when he revealed that copies of RealPlayer included a "globally unique identifier" to track user's listening habits, and Microsoft never sued Andrew Schulman when he discovered that Windows 3.1 threw up fake error messages about DR-DOS. These were large companies that would have been crucified if they had tried to sue someone for discovering something that the public thought they had a right to know anyway. But legal protections are still important, because sometimes public opinion isn't enough - when the software company doesn't have much of an online reputation to worry about, or when then they have a reputation but they don't care about it.
The RIAA, with their campaigns against MP3 technology and reverse-engineering SDMI, is an example of an organization that doesn't care about their online image - and why should they, since we all download our music for free anyway. CYBERsitter is another good example - they do care about their reputation, but in 1997 their image was that of a children's guardian angel and an ally in fighting government censorship, almost immune to criticism. It took an enormous amount of bad press - letters from CYBERsitter's CEO threatening ISP's and flaming people in general, and at one point actually mail-bombing a lady who sent them a complaint - before even advocates of blocking software started distancing themselves from the company. Even today, CYBERsitter's public image is fairly rosy, and their campaigns of legal harassment hardly affected their reputation at all. (What had you heard about CYBERsitter before you read this article?) It's hard to imagine Microsoft, for example, filing a similar lawsuit without embarrassing themselves and turning their intended target into a martyr. The real threat to "reverse engineering for the public good" is from medium-sized companies, small enough that not everything they do will get in the news, but still big enough to afford lots of lawyers.
This threat affects not just programmers, but even journalists who get anonymous tip-offs - like Brock Meeks and Declan McCullagh, who were threatened with an FBI investigation by CYBERsitter in 1996, after they published their "Keys to the Kingdom" article about sites that CYBERsitter and other "censorware" programs blocked. The part of the article that got them in so much trouble was this excerpt from CYBERsitter's bad- word file:
[up][the,his,her,your,my][ass,cunt,twat][,hole]
[wild,wet,net,cyber,have,making,having,getting,giving,phone][sex...]
[,up][the,his,her,your,my][butt,cunt,pussy,asshole,rectum,anus]
[,suck,lick][the,his,her,your,my][cock,dong,dick,penis,hard on...]
[gay,queer,bisexual][male,men,boy,group,rights,community,activities...]
[gay,queer,homosexual,lesbian,bisexual][society,culture]
[you][are][,a,an,too,to][stupid,dumb,ugly,fat,idiot,ass,fag,dolt,dummy]
If this now counts as a "trade secret" under the Digital Millennium Copyright Act, then our list of the 50 .edu sites blocked by X-Stop - and the study that found the 68% error rate - could be declared illegal. And under UCITA, CYBERsitter could even claim the enforceability of these excerpts from their license agreement:
Reverse Engineering Prohibited
Unauthorized reverse engineering of the Software, whether for edcucational, fair use, or other reason is expressly forbidden. For the purposes of this license the term "reverse engineering" shall apply to any and all information obtained by such methods as decompiling, decrypting, trial and error, or activity logging.Non-Disclosure
Unauthorized disclosure of CYBERsitter operational details, hacks, work around methods, blocked sites, and blocked words or phrases are expressly prohibited.
So any CYBERsitter user who even discusses what the program blocks, would be in violation. Not that CYBERsitter would enforce this against everybody, but they probably would have liked to enforce it against Brock and Declan.
At this point, we don't know how X-Stop will respond to our report. But we do know that for all of their bluster, CYBERsitter never actually sued Brock, Declan or Peacefire. Given that CYBERsitter pursued the matter for months (and the fact that Brock and Declan had actual money), if CYBERsitter gave up, it's because they had no case. If the Digital Millennium Copyright Act, UCITA, or the DVD court rulings change that situation, then it will become much harder to criticize blocking software - or any kind of software - except for the user interface and other things that users can "see" without looking under the hood.
Like I've said before... (Score:4)
(Those with keywords on the brain have a rare, but fortunately treatable, disease called Greperitus. The cure for this is to hit yourself over the head with a salami sandwich, repeating "Grep is not all-powerful. Grep does not out-rank The Great Linus.")
Nor does it make any sense to filter everything for every user of the software. What is wanted, IMHO, is an ability to selectively control what is filtered and what isn't, maybe by nature, relying on volunteer-maintained databases and/or filters of what fits into the category you don't want. (Sort of like a super-Junkbusters, but not restricted to just banner ads.)
I e-mailed a couple of organisations involved in promoting filter software, to see why they promoted such packages. I did NOT get the usually claimed line of "it's for the children". What I DID get was "if you go into a bicycle shop, you expect to see bicycles. Why should public Internet terminals be any different?" Now, -that- is a line of argument I can have some sympathy for, which is why I think self-selective censorship makes much more sense than blanket, keyword stuff.
To make sure this is on-topic, I can't say I sympathise with companies that provide encrypted dictionaries with network software. If they didn't want you to have access to the dictionary, they could just as easily have the filter software connect to a database at THEIR end. Ergo, they are not -really- serious about not letting you access their dictionaries. Ergo, reverse-engineering is being implicitly permitted, because they are not taking obvious, simple measures to prevent it.
Embarassing such companies, IMHO, is a good idea. Force them to declare where they stand, and make them act on their beliefs. The more these companies are forced to actually -occupy- the moral high ground, rather than merely claim it, the better. Anyone can claim anything, but morality cannot co-exist with dictatorship. The sooner these companies are made to be moral, the sooner they will stop trying to be thought-police.
Can't these utilities protect themselves? (Score:3)
1) continue, and forfeit any right to pursue the hosting site;
or 2) exit, without evidence that the program contravenes the DMCA;
leaving only the option of reverse-engineering the access control mechanism itself to prove anything?
Hamish
Rights (Score:3)
until you don't have the right to complain that they have taken away your rights.
Maybe sell smut files? (Score:5)
Of course, it did not get far beyond the joking stage. I do suspect that a few people at the company kept copies of the porn lists for their own use. ;). And no, I was not one of them.
It's a little hard for a company to keep a straight face when selling a list of porn site (or publishing porn themselfs) and selling an internet filter or blocker. It's along the line of a virus protection software company also selling a virus writing kit.
CyberPatrol does have a page to check their list [cyberpatrol.com] to see if a site is on it. It does not do much good for seeing how good their list is, but at least you can check if your own site is on it.
User-agent "Mudcrawler" (Score:3)
Do you get the feeling that even the programmers know that their software is pretty much useless?
Re:User-agent "Mudcrawler" (Score:5)
Have fun if you have brains. If you do not you shall be filtered. Resistance is futile. Isn't technology wonderful?
Almost forgot - the described technologies do not consititute reverse engineering and as such do not fall under the provisions of the UCITA and the DMCA.
So this is how we must do... (Score:4)
On a web site hosting, for example, deCSS. Put the words "Any similarity between this program and any commercial products is purely coincidental. Reverse enginering of this program, wether by looking at the source or observing the operations of the program, for the sole purpose of finding such similarities is not permitted"
Let the system fight itself!
Ye gods! (Score:4)
DOH! Color me porn!
Funnily enough airwindows.com is not on any list I've ever checked. I say that because in the fiction section is at least one completed novel with adult themes, one short story with adult themes, and an unfinished novel with even more adult themes. All are basically sci-fi or fantasy and none are really gratituous- the closest that I get to gratituous is the last one mentioned, 'Aquarius', which is sci-fi and deals with a society so advanced in genetic engineering that you have 'races' of cat-people, dog-people, wolf and fish and fox ad infinitum people- and the springboard for the adult theme is this: what if humans went into heat? More, what if this was socially unacceptable and got fixed through surgery and medication, but the untreated condition also brought the ability for sharper concentration and fits of intensely hard work? (not to mention the obvious 'private benefits'- and even here, there's a dark side, as in heart attack risks and added stress)
I don't know how many Slashdotters have done serious literary writing, or how many people with 'geek values' are also writers. I _do_ know that I've walked a fine line of MY OWN CHOOSING in writing these things- wanting to deal with the fascinating concepts (it's a very geeky trait of mine that even sex is something to intellectually study in fascination rather than just wallow in), but not wanting to be pigeonholed as a tacky porno writer. As a result, I've had to work quite hard (but am pleased to do so), because if you're writing decently about this subject it _must_ be sensed and felt. Fiction is not a HOWTO, but neither is it a scholarly essay. If I'm setting up tensions they must be felt, they must involve- and interestingly, there seems to _never_ be any reason to use 'dirty keywords' or phrases- it's a lot more effective to take the time and energy to write up such a scene properly. And 'effective' does mean inflaming the imagination- that's what fiction is _for_.
It's ironic- I've never been a particularly prurient writer. I've never written outright porn (this despite the fact that I know where I could sell it for a damned decent price, I might add). My fine line of decency is discreet enough that, even when I write about adult topics, I tend to delicately slip away from the focus of the matter. And yet, every time I read about this damn censorware nonsense, I am more inclined to take my existing approach and really _run_ with it. There's no reason I have to show such decorum. I'm quite capable of taking my SF/fantasy stuff, dealing with the adult topics that do interest me, absolutely going for the throat (or, uh, other areas :) ) and STILL not using any Dirty Keywords.
I consider this the hidden cost of what the censorware people are doing. Eventually they may just have to _read_ my fiction writing and ban me on _content_ alone despite my tendency to not use dirty words. If they are capable of banning 'gay culture', then they are capable of banning the adult situations of entirely fictional characters which aren't even human in the normal everyday sense. But to do so they'll have to actually read it- and they'll also have to really drop the pretense and stand revealed as the bookburners they are.
In conclusion: censorware people? "You are stupid". Pardon my _obscene_ _words_. furrfu.
Surf with your kids (Score:3)
The web forces us to make decisions about who's spin is valid something kids didn't have to deal with in the days of the one way media monolith. Perhaps it will force us to be better and more involved parents.
What qualifies as Europe...? (Score:3)
More importantly, how does/will law deal with the Zen koan that is the Internet -- it being both everywhere and nowhere all at once?
"trial and error" is reverse engineering? (Score:3)
From my point of view, the law should say: "reverse engineering is permitted. 'Reverse engineering' is hereby defined as any method by which someone may gather information about how a software or hardware works".
Anything else is ridiculous. If I simply watch how something works I can design another thing that works in the same way. The internal components may be different or not, but if both the first designer and I followed the current engineering practice, there is a strong chance that we will arrive to similar designs.
If a design is original, and the owners want to protect it, they should *patent* it.
Moderators, take note:
1)Read the moderation guidelines before moderating anything
Re:Like I've said before... (Score:3)
Good point. Though the sandwich should be replaced by a baseball bat dipped in glue and broken glass a few times.
Continuing my previous post on SMUTSITE-miniHOWTO which was kind of vague. The following cause a well defined smut site to be greperitus resistant:
These are only antipattern matching HTML techniques. Pure networking intentionally omitted:
- The discussion on Java script injection in HOTMAIL on Bugtraq is a very good guide on masqing characters. Specifying a character as an escaped HEX, specifying it by HTML code, specifying it inside JavaScript Function, etc ad naseum. In order to match these the search engine will have to start interpreting HTML as a browser. Guess how much resources does this take.
- Though brilliant the BUGTRAQ discussion is highly limited. Javascript is more sensistive than pure HTML to bastardizing. In order to bastardize HTML the following options are also available: insert non-breakable spaces, tabs, backspaces, etc through their HTML encoding equivalents.
- Best of all use a pattern matching algorithm yourself and whenever you find smut in a page you shall display replace all "offending" f...oids, s...oids, etc with a mixture of randomly selected escaped alternatives. Ala stealth virus techniques.
And best of all make your smut site to operate via post style CGI's filling form values via JavaScript. There is no robot designed for these. And it is least likely to be designed beacuse this will require the robot to go as far as running javascript.If smut filter vendors had a clue on how evasive their subject is they would have been in a different business by now.
A little off-topic, but related. (Score:3)
going to outlaw all reverse-engineering? Do the major software companies really want this?
If you go into any major software program they almost all support importing/exporting into some competitors format. Are these competing formats open standards? I doubt it; they were probably reverse-engineered. Or what about Microsoft reverse-engineering of the AOL messenger protocol? That would now be illegal?
Is this the end of interoperability between proprietary packages?
Blocking by /keywords/ ?!?! (Score:4)
Good grief. I mean, according to those bits of search file, doesn't having the phrase "you are too stupid" on a page sucessfully match?
Maybe we need a publicly accessed "blocker"... kind of like NoCeMs in usenet - you basically pick a set of "trusted" people who you rate as being able to block stuff. The christian fundies can all subscribe to christian fundie blockers for all the categories, whereas a merely concerned parent might just go with someone a bit less radical.
Having a centralised system just seems hugely open to all kinds of manipulation: right from the naive bozoness that seems to permeate the industry these days to corruption, bribery and even actual criminal intent. Distributing the system removes a large amount of that failure.
I mean personally, I kind of think it would be nice to trust sites to rate themselves as "porn" or "unsuitable for minors" or "religious content", but I can see why people wouldn't trust it. The porn sites include "perl" in meta-tags and stuff. Honesty doesn't exactly seem to come hand-in-hand with web businesses. (Business models built on hit-counts seem basically flawed to me. Would you want to advertise on a page whose basic method of getting people to go there was to con them? Great chance they'll read the ads then...)
Distribution has to be the way to go. Undermine the obviously broken corporate approach with an open standard that ends up being free.
Legal risks led to one programmer quitting (Score:3)
Open Source Censorware? (Score:3)