I am not a law professor
i am and am not a hacker.

the term hacker has undergone significant change in the last two decades so the meaning is ambiguous these days.
let me give you this definition and for the sake of the next 4 mins of my talk consider it to the the authoritative one

hackers are computer users who are adept enough to bend the function of a program to their will.

security researchers are much like the hackers of the 1990’s but unlike what the term has come to mean lately.

when researchers find security flaws in software they will generally contact the manufacturer. they are met with one of three responses:
1) disregard
2) deference
3) contempt

When met with contempt they have been threatened with law suits using a variety of novel legal theories. Reading though our history is like walking through a catalogue of existing IP frameworks. Patent, Trademark, Copyright, Contract and Criminal have all been used in response to an individual making claims that a product contains a security flaw.

examples:
In 2007 Chris Paget of security firm IOActive was going to give a talk at a security conference about the insecurity of HID badges. These badges are ubiquitous in corporate America and the issues he discovered need to be discussed. HID forced his talk to be canceled with the threat of patent infringement.

A few years earlier in 2005, researcher Mike Lynn had discovered a security flaw in Cisco routers. These devices are largely responsible for the backbone of the Internet. Interestingly Cisco had already fixed the flaw yet filed a TRO against Lynn to prevent him from talking about his work to a group of like minded peers at a security conference. In the aftermath of this incident Lynn had to agree to a permanent injunction forbidding him from ever talking about it again.

Lessig famously said that on the Internet “Code is Law”. I would like to reverse that turn of phrase for the real world.
“Law is code”
It is compiled by legislators and debugged by judges

And in this sense what the companies we write about in our paper did was impressive. They hacked the law. The bent these disparate legal frameworks to their will and used seemingly unrelated laws to silence researchers who were making claims that their product was flawed.

what our paper proposes to do is patch the law so that legal hackers can not continue to subvert the legal system anymore. And with that I’ll turn it over to Derek to explain how that would work. [pdf]

Instead of summarizing his explanation I’m going to repost it here:

Dear Visitor,

since Friday 10th, August 2007 a new and very troubling law is enforced in
germany.

It is no longer legal to create and/or distribute so called hacking tools in
germany. This includes port scanners like nmap, security scanners like nessus
or simple proof of concept exploits like the MOPB exploits. They are now illegal
because someone COULD use them to commit crimes.

Until today I had hoped that our Bundespresident would stop this insane law with
a last minute veto, but now it is official and our government has rendered germany
more or less defenseless against the threats from outside germany.

Unfortunately our government has been deaf to the warnings from lots of experts
that tried to explain how important these so called hacking tools are not only
for the current generation of security consultants to do their daily job, but
also how important they are for the education of the next generation of
researchers and consultants.

If you do not know how to attack, you will never know how to defend yourself.

Yours,
Stefan Esser

This is incredibly frustrating for someone like me who is doing legitimate research into security problems that are plaguing the Internet. Security research is a rare and valuable skill set which should be cultivated not destroyed. Yet the German law is likely driving away people from this profession due to the impossibility of publication on the Internet without fear of criminal charges. At best the researchers who are turning away in Germany are finding other less beneficial avenues to explore. At worst they are publishing underground only.

I had largely forgotten about this law being passed in 2007 because I too had assumed the President in Germany would come to his senses and repeal it. Germany has had a remarkable history with hackers (see Chaos Computer Club) so it is very surprising they went in this direction.

Some old articles about this:
ars technica
article about aftermath

I need to do some more follow up on this but so far the results look grim.

a hybrid social media platform using rss feeds, twitter style messaging and public, private, and group key pair cryptography. it also solves the paradox of eventual decryption through the use of one time pads and very precise randomization.

secre.ts enables the user to share cryptographically protected messaging to allow use over untrusted publicly accessible networks like the Internet.

As a messaging solution secre.ts produces the greatest assets of email like services with the most secure traits of a virtual private network connection. vpn solutions are fragile connections and cumbersome on both bandwidth and the processor. secre.ts hybrid approach consumes processor but the messages are broadcast in public so connectivity is hugely increased and bandwidth isn’t impacted because the messages are received in cleartext.

OPINION: The RIAA stands for Recording Industry Association of America

OPINION: The RIAA has filed many cases against file sharers as civil actions and not criminal

OPINION: In the US, civil actions do not guarantee the defendant representation by an attorney

OPINION: The RIAA has compared copyright infringement to stealing many times in the press

OPINION: Copyright infringement and shoplifting are two distinct and separate crimes

OPINION: 30 average songs could be contained in 2 CD’s

OPINION: The average cost of 2 CD’s in a store is < $100

OPINION: In Massachusetts the fine for shoplifting under $100 is a fine up to $250 the first time

OPINION: There is a huge discrepancy between the punishment for shoplifting and infringing an equal amount of music

I’ve created a public document which contains a list of the bands and any Twitter, Myspace, Facebook, or other public forums the bands have set up for themselves. I could use help tracking down some of the missing links in this list. In some cases the bands no longer exist but members of the original band still live on in other bands or on their own.

To be clear the purpose of this project is not to harass these musicians. It is to remove the wedge of the RIAA from artists and their fans and ask them to communicate. The one question I’d like to see the artists answer is “Do you support the actions the RIAA has taken on behalf of your band in destroying the life of Joel Tenenbaum?”

Joel is being fined $22,500 for each of the 30 songs that he downloaded
from KaZaa. His total fine is $675,000 for an activity that a majority of the Internet users in this country have and still participate in. This isn’t to say that we should advocate copyright infringement but that we shouldn’t agree with the penalties associated with infringement.

This project is still being assembled and I would appreciate any feedback and help the FC community can muster. I’d like to coordinate a massive feedback storm requesting comment via Twitter, Myspace, etc so these artists can’t escape without saying something. Anything. What we need is dialog from musicians about what is happening to their fans.

The working spreadsheet of bands and their online identities is here:
 http://spreadsheets.google.com/ccc?key=0…

If you would like access to edit the spreadsheet please email me (oliver.day@gmail) and I will add you to the access list.

Since I initiated I went ahead and dropped my guard a bit and allowed anyone from the Harvard network to see me (thankfully she is an alum!) Of course now that we are friends the curtains have been drawn again around my profile but this is definitely one of the more interesting experiences I’ve had with Facebook.

While I’m glad they offer me so many privacy settings they really need to think about this particular edge case where two privacy loving individuals happen to want to friend each other.

***This talk will be announced and open to the general public, and WILL
REQUIRE AN RSVP as space is limited. Given the size and layout of MRLB,
we’ll be doing a bit of re-arranging to accommodate attendees.***

Please RSVP to  rsvp001 at n0where.org

Here’s a brief bio on Mr. Atkinson (more at http://tscm.com/biojma.html)

msg["koreaFail"] = “본인확인제로 인해 한국 국가 설정시 동영상/댓글 업로드 기능을자발적으로 비활성화합니다. We have voluntarily disabled this functionality on kr.youtube.com because of the Korean real-name verification law.”;

I looked into this a bit more and South Korea seems to have rallied around the death of a popular actress who killed herself due to online comments about her. The new “anti bully” law requires all sites with at least 100,000 users to verify the posters real name.

“The Cyber Defamation Law, as it’s called, went into effect on April 1st. According
to officials at the Korea Communications Commission (KCC), the country’s
broadcasting and telecommunications regulator, the law is an attempt to
quell the cyber-bullying and spread of misinformation on the internet.”

source: readwriteweb

Google is unwilling to collect this kind of data about its users and instead has opted to disable upload (and I assume comment) capabilities from South Korean IP addresses.

I’m also not going to be a regular columnist at SecurityFocus after this month. This was more a decision on their part than mine however I am not going to fight it. I could use the extra time to focus on two very exciting academic papers I have lined up for this year.

The magic of converting it is pretty easy to find online however if you are using ruby simply install the IPAddr gem.

>> ip = IPAddr.new(’255.255.255.255′)
=> #
>> puts ip.to_i
4294967295
=> nil

Reversing the process isn’t quite as easy and the documentation fails to mention this possibility. A little digging online will unearth this additional parameter that is needed:

>> ipnum = 4294967295
=> 4294967295
>> ip = IPAddr.new(ipnum, Socket::AF_INET).to_s
=> “255.255.255.255″

When I first tried to store this in MySQL I ran into another problem. In my haste I created the column ip_num as an int(11). The code I ran didn’t raise an exception and converted all the ip addresses in the database. However when I viewed the results a large number of ip addresses came back as 127.255.255.255. This ip address converts to 2147483647 as an integer.

If this number looks familiar it is because it is exactly half of the value of 255.255.255.255. It is also the limit of a signed integer.
“The signed range is -2147483648 to 2147483647″

Ensure that you create an unsigned int column for ip addresses to hold the max value of 4294967295.
The unsigned range is 0 to 4294967295.