I was skeptical about a two-hour block allotted for Cory Doctorow’s keynote address at HOPE XI. I’ve been to operas that are shorter than that and it’s hard to imagine he could keep a huge audience engaged for that long. I was incredibly wrong — this was a barnburner of a talk. Here is where some would make a joke about breaking out the rainbows and puppies. But this isn’t a joke. I think Cory’s talk helped me understand why I’ve been feeling down about our not-so-bright digital future and unearthed a foundation upon which hope can grow.
This morning Bunnie Huang wrote about his reasons for suing the US Government over Section 1201 of the Digital Millennium Copyright Act (DMCA).
The DMCA was enacted in 1996 and put in place far-reaching protections for copyright owners. Many, myself included, think these protections became far-overreaching. The DMCA, specifically section 1201 of the act which is known as the anti-circumvention provision, prohibits any action that goes around mechanisms designed to protect copyrighted material. So much has changed since ’96 — software is now in every device and that means section 1201 extends to almost all electronics sold today.
So protecting copyright is good, right? If that were the only way section 1201 was enforced that might be true. But common sense seems to have gone out the window on this one.
If you legally purchase media which is protected with DRM it is illegal for you to change the format of that media. Ripping your DVD to a digital file to view on your phone while on the plane (something usually seen as fair use) is a violation. Want to build an add-on for your home automation system but need to reverse engineer the communications protocol first? That’s a violation. Perhaps the most alarming violation: if you discover a security vulnerability in an existing system and report it, you can be sued under DMCA 1201 for doing so.
Cory Doctorow gave a great talk at DEF CON last year about the Electronic Frontier Foundation’s renewed push against DMCA 1201. The EFF is backing Bunnie on this lawsuit. Their tack argues that section 1201 is both stifling innovation and discouraging meaningful security research.
If it’s illegal to write about, talk about, or even privately explore how electronics are built (and the ecosystem that lets them function) it’s hard to really master creating new technology. A successful lawsuit must show harm. Bunnie’s company, Alphamax LLC, is developing hardware that can add an overlay to an HDMI signal (which sounds like the continuation of the hack we saw from him a few years ago). But HDCP would prevent this.
Innovation aside, the security research angle is a huge reason for this law (or the enforcement of it) to change. The other plaintiff named in the suit, Matthew Green, had to seek an exemption from the DMCA in order to conduct his research without fear of prosecution. Currently there is a huge disincentive to report or even look for security vulnerabilities, and that is a disservice to all. Beneficial security research and responsible disclosure need to be the top priority in our society which is now totally dependent on an electronically augmented lifestyle.
If you have owned Android phones, there’s a reasonable chance that as the kind of person who reads Hackaday you will at some time have rooted one of them, and even applied a new community ROM to it. When you booted the phone into its new environment it’s not impossible you would have been surprised to find your phone now sported an FM radio. How had the ROM seemingly delivered a hardware upgrade?
It’s something your cellphone carrier would probably prefer not to talk about: a significant number of phones have the required hardware to receive FM radio, but lack the software to enable it. The carriers would prefer you to pay for their data to stream your entertainment rather than listen to it for free through a broadcaster. If you are someone capable of upgrading a ROM you can fix that, but every other phone owner is left holding a device they own, but seemingly don’t own.
Across North America there is a group campaigning to do something about this situation. Free Radio On My Phone and their Canadian sister organization are lobbying the phone companies and manufacturers to make the FM radio available, and in the USA at least they have scored some successes.
We have covered numerous attempts to use the DMCA to restrict people’s access to the hardware they own, but this story is a little different. There is no question of intellectual property being involved here; it is simply that the carriers would rather their customers didn’t even know that they had bought an FM radio along with their phone. If this bothers you, thanks to Free Radio On My Phone you can now join with others and find a voice on the matter.
It’s interesting to note that many FM radio chips also support a wider bandwidth than the North American and European 88 to 108MHz or thereabouts. In parts of Asia the broadcast band extends significantly lower than this, and the chipset manufacturers make products to support these frequencies. This opens up the interesting possibility that given a suitable app a cellphone could be used to receive other services on these frequencies. Probably more of a bonus for European radio amateurs with their 70MHz allocation than for North American residents.
Via CBC News. Cellphone image: By Rob Brown [Public domain], via Wikimedia Commons.
By now you’ve doubtless heard that the FBI has broken the encryption on the phone of Syed Farook, the suicide terrorist who killed fourteen and then himself in San Bernardino. Consequently, they won’t be requiring Apple’s (compelled) services any more.
A number of people have written in and asked what we knew about the hack, and the frank answer is “not a heck of a lot”. And it’s not just us, because the FBI has classified the technique. What we do know is that they paid Cellebrite, an Israeli security firm, at least $218,004.85 to get the job done for them. Why would we want to know more? Because, broadly, it matters a lot if it was a hardware attack or a software attack.
The Digital Millennium Copyright Act (DMCA) is a horrible piece of legislation that we’ve been living with for sixteen years now. In addition to establishing a de-facto copyright for the design of boat hulls (don’t get us started!), the DMCA includes a Section 1201 which criminalizes defeating encryption in cases where such could be used to break copyright law.
Originally intended to stop the rampant copying of music in the Napster era, it’s been abused to prevent users from re-filling their inkjet cartridges and to cover up rootkits. In short, its scope has vastly exceeded its original aims. And we take it personally, because we like to take stuff apart and see how it works.
The only bright light in this otherwise dark, dark tunnel is the possibility to petition for exemptions to Section 1201 for certain devices and purposes. Just a few days ago, the EFF won a slew of DMCA exemptions, including the contentious exemption for bypassing automobiles’ encryption to check out what’s going on in the car’s firmware. The obvious relevance of the ability for researchers to inspect cars’ firmware in light of the VW scandal may have helped overcome strong pushback from the car manufacturers and the EPA.
The other exemption that caught our eye was the renewal of protection for people who need to hack old video games to keep them playable or jailbreak phones so that they can run an operating system of their choosing on them, and even the right to copy content from a DVD for remixes and excerpts.
This is all good stuff, but it’s a little bit sad that the EFF has to beg every three years to enable us all to do something that wasn’t illegal until the DMCA was written. But don’t take my word for it, have a listen to Cory Doctorow’s much more eloquent rant.
A lot of questions have been raised by the recent “dieselgate” scandal. Should automakers be held accountable for ethically questionable actions? Are emissions standards in the United States too restrictive? Are we ever going to stop appending “gate” onto every mildly controversial news story? But, for Hackaday readers, the biggest question is most likely “how did they get away with it?” The answer is probably because of a law a lot of hackers are already familiar with: the DMCA.
If you haven’t seen the news about Volkswagen’s emissions cheating scheme, we’ll get you caught up quickly. In the United States, EPA emissions testing is done in a very specific and predictable way. Using clever ECU software tricks, Volkswagen was able to essentially “detune” the engines of their diesel vehicles when they were being tested by the EPA. This earned them passing marks, while allowing them to provide a less-restrictive ECU profile for the normal driving that buyers would actually experience.
How could they get away with this simple trick when a brief look at the ECU software would have revealed it? Because they were able to hide under the umbrella of the DMCA. The ECU software is, of course, not intended to be user-accessible, which means that Volkswagen is allowed to lock it down. That, in turn, means that the EPA isn’t allowed to circumvent that security without violating the DMCA and potentially breaking the law. This kept the EPA’s hands tied, and Volkswagen protected. They were only found out because independent testing (that didn’t follow EPA procedure) revealed vastly different emissions levels.
Is your blood boiling yet? Add this to the stack of reasons why the EFF is trying to end the DRM parts of the DMCA.
[Mary Ann Davidson], chief security officer of Oracle, is having a bad Tuesday. The internet has been alight these past few hours over a blog post published and quickly taken down from Oracle’s servers. (archive) We’re not 100% sure the whole thing isn’t a hack of some sort. Based on [Mary’s] previous writing though, it seems to be legit.
The TL;DR version of Mary’s post is that she’s sick and tired of customers reverse engineering Oracle’s code in an attempt to find security vulnerabilities. Doing so is a clear violation of Oracle’s license agreement. Beyond the message, the tone of the blog says a lot. This is the same sort of policy we’re seeing on the hardware side from companies like John Deere and Sony. Folks like [Cory Doctorow] and the EFF are doing all they can to fight it. We have to say that we do agree with [Mary] on one point: Operators should make sure their systems are locked down with the latest software versions, updates, and patches before doing anything else.
[Mary] states that “Bug bounties are the new boy band”, that they simply don’t make sense from a business standpoint. Only 3% of Oracle’s vulnerabilities came from security researchers. The rest come from internal company testing. The fact that Oracle doesn’t have a bug bounty program might have something to do with that. [Mary] need not worry. Bug Bounty or not, she’s placed her company squarely in the cross-hairs of plenty of hackers out there – white hat and black alike.