A few months ago we reported on a case coming before the United States Supreme Court that concerned recycled printer cartridges. Battling it out were Impression Products, a printer cartridge recycling company, and Lexmark, the printer manufacturer. At issue was a shrinkwrap licence on inkjet cartridges — a legal agreement deemed to have been activated by the customer opening the cartridge packaging — that tied a discounted price to a restriction on the cartridge’s reuse.
It was of concern to us because of the consequences it could have had for the rest of the hardware world, setting a potential precedent such that any piece of hardware could have conditions still attached to it when it has passed through more than one owner, without the original purchaser being aware of agreeing to any legal agreement. This would inevitably have a significant effect on the work of most Hackaday readers, and probably prohibit many of the projects we feature.
We are therefore very pleased to see that a few days ago the Supremes made their decision, and as the EFF reports, it went in favor of Impression Products, and us, the consumer. In their words, when a patent owner:
…chooses to sell an item, that product is no longer within the limits of the monopoly and instead becomes the private individual property of the purchaser, with the rights and benefits that come along with ownership.
In other words, when you buy a printer cartridge or any other piece of hardware, it is yours to do with as you wish. Continue reading “Impression Products V. Lexmark International: A Victory For Common Sense”
XKCD 936, the comic that introduced the phrase, ‘correct horse battery staple’ into both the lexicon and password dictionaries, is the best way to generate a password. Your passwords should be random phrases of random words, hopefully with a few random numbers or symbols sprinkled about. It’s the most entropy you can get that’s also easy to remember.
However, generating your own ‘correct horse’ password is generally a bad idea. Humans are terrible at coming up with random bits of information. Thankfully, the EFF has come up with a wordlist containing 7,776 random words (65, or five rolls of a six-sided die.) ready for the next time you reset a password.
[m145mcc] thought the EFF’s word list should be a book, so he made it a book. With the clever application of a laser printer, glue, thread, and some card stock, [m145mcc] has a handy password generator that fits in his pocket. All that’s needed to build a password is a single die, a pen, and some patience.
The EFF’s random passphrase list is based off [Arnold Reinhold]’s Diceware list from 1995, but has a few changes to make the list easier to use and more palatable for the audience they’re going for. Most significantly, vulgar words were removed from the Diceware list, as the netsec crowd doesn’t swear as a rule. Additionally, numbers were removed, along with rare and unusual words. The passwords generated by the EFF’s list are longer, but they are arguably more memorable.
Despite the idea of a random dice-based password list being around for two decades, there are few if any examples of this list in dead tree format. The idea of a bound version of this list is a great idea, and we’re glad [m145mcc] could bring it to the table.
I was skeptical about a two hour block allotted for Cory Doctrow’s keynote address at HOPE XI. I’ve been to Operas that are shorter than that and it’s hard to imagine he could keep a huge audience engaged for that long. I was incredibly wrong — this was a barnburner of a talk. Here is where some would make a joke about breaking out the rainbows and puppies. But this isn’t a joke. I think Cory’s talk helped me understand why I’ve been feeling down about our not-so-bright digital future and unearthed a foundation upon which hope can grow.
Continue reading “Cory Doctorow Rails Against Technological Nihilism; Wants You to Have Hope”
This morning Bunnie Huang wrote about his reasons for suing the US Government over Section 1201 of the Digital Millennium Copyright Act (DMCA).
The DMCA was enacted in 1996 and put in place far-reaching protections for copyright owners. Many, myself included, think these protections became far-overreaching. The DMCA, specifically section 1201 of the act which is known as the anti-circumvention provision, prohibits any action that goes around mechanisms designed to protect copyrighted material. So much has changed since ’96 — software is now in every device and that means section 1201 extends to almost all electronics sold today.
So protecting copyright is good, right? If that were the only way section 1201 was enforced that might be true. But common sense seems to have gone out the window on this one.
If you legally purchase media which is protected with DRM it is illegal for you to change the format of that media. Ripping your DVD to a digital file to view on your phone while on the plane (something usually seen as fair use) is a violation. Want to build an add-on for you home automation system but need to reverse engineer the communications protocol first? That’s a violation. Perhaps the most alarming violation: if you discover a security vulnerability in an existing system and report it, you can be sued under DMCA 1201 for doing so.
Cory Doctorow gave a great talk at DEF CON last year about the Electronic Frontier Foundation’s renewed push against DMCA 1201. The EFF is backing Bunnie on this lawsuit. Their tack argues both that section 1201 is stiffling innovation and discouraging meaningful security research.
If it’s illegal to write about, talk about, or even privately explore how electronics are built (and the ecosystem that lets them function) it’s hard to really master creating new technology. A successful lawsuit must show harm. Bunnie’s company, Alphamax LLC, is developing hardware that can add an overlay to an HDMI signal (which sounds like the continuation of the hack we saw from him a few years ago). But HDCP would prevent this.
Innovation aside, the security research angle is a huge reason for this law (or the enforcement of it) to change. The other plaintiff named in the suit, Matthew Green, had to seek an exemption from the DMCA in order to conduct his research without fear of prosecution. Currently there is a huge disincentive to report or even look for security vulnerabilities, and that is a disservice to all. Beneficial security research and responsible disclosure need to be the top priority in our society which is now totally dependent on an electronically augmented lifestyle.
The Digital Millennium Copyright Act (DMCA) is a horrible piece of legislation that we’ve been living with for sixteen years now. In addition to establishing a de-facto copyright for the design of boat hulls (don’t get us started!), the DMCA includes a Section 1201 which criminalizes defeating encryption in cases where such could be used to break copyright law.
Originally intended to stop the rampant copying of music in the Napster era, it’s been abused to prevent users from re-filling their inkjet cartridges and to cover up rootkits. In short, it’s scope has vastly exceeded its original aims. And we take it personally, because we like to take stuff apart and see how it works.
The only bright light in this otherwise dark, dark tunnel is the possibility to petition for exemptions to Section 1201 for certain devices and purposes. Just a few days ago, the EFF won a slew of DMCA exemptions, including the contentious exemption for bypassing automobiles’ encryption to check out what’s going on in the car’s firmware. The obvious relevance of the ability for researchers to inspect cars’ firmware in light of the VW scandal may have helped overcome strong pushback from the car manufacturers and the EPA.
The other exemption that caught our eye was the renewal of protection for people who need to hack old video games to keep them playable, jailbreak phones so that you can run an operating system of your choosing on it, and even the right to copy content from a DVD for remixes and excerpts.
This is all good stuff, but it’s a little bit sad that the EFF has to beg every three years to enable us all to do something that wasn’t illegal until the DMCA was written. But don’t take my word for it, have a listen to Cory Doctorow’s much more eloquent rant.
(Banner image courtesy [Kristoffer Smith], who we covered on car hacking way back when.)
Right now, the FCC is considering a proposal to require device manufacturers to implement security restricting the flashing of firmware. We posted something about this a few days ago, but completely missed out on a call to action. Contrary to conventional wisdom, we live under a system of participatory government, and there is still time to convince the FCC this regulation would stifle innovation, make us less secure, and set back innovation in the United States decades.
The folks at ThinkPenguin, the EFF, FSF, Software Freedom Law Center, Software Freedom Conservancy, OpenWRT, LibreCMC, Qualcomm, and other have put together the SaveWiFi campaign (archive.is capture, real link is at this overloaded server) providing you instructions on how to submit a formal complaint to the FCC regarding this proposed rule.
Under the rule proposed by the FCC, devices with radios may be required to prevent modifications to firmware. All devices operating in the 5GHz WiFi spectrum will be forced to implement security features to ensure the radios cannot be modified. While prohibiting the modification of transmitters has been a mainstay of FCC regulation for 80 years, the law of unintended consequences will inevitably show up in full force: because of the incredible integration of electronic devices, this proposed regulation may apply to everything from WiFi routers to cell phones. The proposed regulation would specifically ban router firmwares such as DD-WRT, and may go so far as to include custom firmware on your Android smartphone.
A lot is on the line. The freedom to modify devices you own is a concern, but the proposed rules prohibiting new device firmware would do much more damage. The economic impact would be dire, the security implications would be extreme, and emergency preparedness would be greatly hindered by the proposed restrictions on router firmware. The FCC is taking complaints and suggestions until September 8th.
Even if you’re not living under the jurisdiction of the FCC, consider this: manufacturers of routers and other WiFi equipment will not be selling two version of hardware, one to the US and another to the rest of the world. What the FCC regulates affects the entire world, and this proposed rule would do us all a disservice. Even if you’re not in the US, tell your second favorite websites to cover this: neither Ars Technica nor Wired have posted anything on the FCC’s proposed rule, and even boingboing is conspicuously silent on the issue. You may submit a comment until September 8th here.
If you weren’t at [Cory Doctorow’s] DEF CON talk on Friday you missed out. Fighting Back in the War on General Purpose Computing was inspiring, informed, and incomparable. At the very lowest level his point was that it isn’t the devices gathering data about us that is the big problem, it’s the legislation that makes it illegal for us to make them secure. The good news is that all of the DEF CON talks are recorded and published freely. While you wait for that to happen, read on for a recap and to learn how you can help the EFF fix this mess.
Continue reading “Cory Doctorow Rails Against the Effect of DRM and the DMCA”