I’m a Corsair, Now

For the past few months, I’ve watched with growing fascination people trying (and sometimes succeeding) to hack into my various servers.

Now, while I won’t admit to any foul play, it reminds me of things we used to do with a group of friends who are today much less disreputable than I am.

So, at the risk of earning once more a reputation for being a dinosaur, I’ll gloss over some stuff that gave us (and probably gives the people behind these somewhat unskilled attacks) a rush and some thrills.

I don’t remember anything before 2000. My memory from before is composed of things that I was told. But, given the fact that some of these people are my friends to this day, people I trust completely, I’ll go ahead and assume they were true. It blends so well with what I do remember that I’m inclined to believe it all anyway.

Ye Olden Days

Back in the day of dial-up (RTC) modems, being connected was an investment. Relatively speaking, it cost a lot of money, especially since we were paying by the minute, here in France. We were connected because we wanted to be connected. None of that “hey, I’ve got 10 minutes to kill, I’ll watch a youtube video” kind of thing. We didn’t even have the bandwidth for that… 3KB/s meant that downloading a single mp3 file would take half an hour. And it would be half an hour during which we could do nothing else.

I won’t say it forced us to do meaningful things, because it didn’t. But with so many things to cram into such a short window of activity, writing an email, a post on a newsgroup or a BBS, or even chatting on IRC took a certain degree of planning and will.

It’s hard to imagine today that checking my email (downloading AND sending) would take 5 to 10 minutes. Then I would have to disconnect if I wasn’t doing anything else on the ‘net, and reconnect when I felt like sending my responses. Boggles the mind, doesn’t it?

It also means that every minute or hour we could steal to spend chatting with our friends on IRC had to serve some purpose, whether getting news from people you like, planning something together, etc… What I can certainly remember is when most of us got permanent broadband access. Suddenly, the activity was a lot less focused.

Anyway, back to the thrills and the adrenalin rush: we were doing inconsequential things such as taking over channels and probing the defenses of other computers, sometimes even getting access. Some of that original group even went on to make that their actual job. I never did, although I kept a toe in that pool: trying to figure out a way to hack into other people’s machines and servers, as well as “social hacking” organizations to get privileged information or just for fun, is a useful skill to have, if only to have a basic understanding of how to protect yourself and the people around you from it.

We would spend hours discussing the best methods, and talking about the latest exploits that would allow someone to get in and do… whatever. I don’t think I did any harm, nor remember doing any, but we could have, I guess. And that’s the clincher when you’re a young computer scientist in a world where most people just don’t get it. It gives you tremendous power, which can look, from the outside, quite magical. The temptation to use the skills, the minutes or hours you spend preparing and finally the victory over a security system: it’s like every other sport. It makes you feel immensely good.

Fast Forwarding Ten Years

Nowadays, I get amused when I see the phishing campaigns which seem so effective. They are a very crude attempt at corrupting the weakest link in the security chain: the human brain. I mean, come on! Who in their right mind would think that the bank would send you an email telling you your account has been hacked/overfunded/…? Banks usually understand security, and will use paper or the phone, not hilariously insecure emails… Millions of people apparently fall for that.

To circle back to my current string of attacks, what appalls me is that it’s a brute force attack. The attacker(s) are trying as many passwords as they can to gain access. Someone read too much Dan Brown; the Bergovsky Principle doesn’t exist… While it is indeed possible, against some incredibly weak protection schemes, to guess the password for an account by repeatedly trying until you’ve exhausted all the possibilities, it’s hardly the most effective method:

  • it’s slow
  • it leaves a huge amount of traces (every failed attempt ends up in a log somewhere)
  • it can only work if you know the login for sure
  • it only works if you have an unlimited number of tries (no lockout, no rate limiting)
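Those traces are exactly what the person on the other side of the door reads. As an added example (mine, not the author’s code), here is a small Python script that parses the `Failed password` lines OpenSSH writes to a syslog-style auth.log, counts failures per source address inside a sliding window, and reports how many of them were aimed at logins that don’t even exist on the machine. The log lines are constructed; the year (syslog timestamps carry none), the five-failures-in-ten-minutes threshold and the log format itself are assumptions to adjust for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog format (assumption: this is what
# the server's auth.log looks like); they are not taken from anyone's real logs.
SAMPLE_LOG = """\
Mar 12 03:14:01 vps sshd[2231]: Invalid user admin from 203.0.113.45 port 51234
Mar 12 03:14:01 vps sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 12 03:14:03 vps sshd[2233]: Failed password for invalid user oracle from 203.0.113.45 port 51240 ssh2
Mar 12 03:14:05 vps sshd[2235]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar 12 03:14:07 vps sshd[2237]: Failed password for root from 203.0.113.45 port 51250 ssh2
Mar 12 03:14:09 vps sshd[2239]: Failed password for root from 203.0.113.45 port 51256 ssh2
Mar 12 03:14:11 vps sshd[2241]: Failed password for root from 203.0.113.45 port 51260 ssh2
Mar 12 03:20:30 vps sshd[2301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 12 03:20:41 vps sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 12 09:45:12 vps sshd[3102]: Failed password for invalid user test from 192.0.2.99 port 33000 ssh2
"""

# Only the "Failed password" lines matter here; "invalid user" marks a login
# that does not exist on the box, i.e. the attacker is guessing the login too.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Extract failed-password events as dicts: ts, ip, user, unknown_login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and other noise are ignored here
        # syslog lines carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "unknown_login": m["invalid"] is not None})
    return events


def find_bruteforcers(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failures inside any `window`.

    Uses a sliding window over each IP's time-sorted failures, so a slow
    attacker spreading tries over a day is not flagged, a burst is.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "failures": len(evs),
                    "unknown_login_failures": sum(e["unknown_login"] for e in evs),
                    "users": sorted({e["user"] for e in evs}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforcers(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures, "
              f"{info['unknown_login_failures']} against unknown logins, "
              f"logins tried: {', '.join(info['users'])}")
```

An attacker who has to guess the login as well as the password shows up as a pile of `invalid user` failures from one address, and the same per-address counter is what a lockout or rate-limiting rule (the “unlimited tries” condition above) would key on.
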

It’s All About The Brain

Man, some days, I pity the clever minds who have always had access to that amount of raw processing power and bandwidth. The most effective way to do something to an average person or system is supposed to be repeatedly banging against the door? If a piece of software doesn’t run fast enough, “tough luck”, wait for the next generation of hardware?

I was sitting at a table the other day with some young programmers who looked at me as if I were foaming at the mouth because I asked if they were using encrypted connections to check out their source code. In a fricking public space. And for some reason, I’m a rabid and ranting person because there’s no way I’m going to store personal and confidential data on a server I don’t trust (I’m looking at you, google and dropbox).

Am I paranoid? Is it the rambling of an internet-time old geezer? Maybe. But remember: trust is something that should be earned. What if your account got hacked? How would you know? At least, with the (increasingly smaller, incidentally) amount of control I have over my servers and services, I can tell if I have been impersonated or stolen from…

It’s an evolutionary meme that scarcity of resources breeds inventiveness. When you don’t have the possibility of trying 30 million passwords per minute, the few you actually do try must have a good chance of being the right ones. When your bandwidth limitation means that it’s going to take literally forever to get something, you try to get it offline. And when you can’t trust a service beyond a certain point, you don’t give it information that is too sensitive.

What’s With The Dinosaurs, Anyway?

Dinosaurs went extinct, probably because they were built to take advantage of a much bigger resource pool than we are. They couldn’t adapt to having less. That’s why I laugh when I’m called a dinosaur. I might become extinct because I can’t adapt fast enough to certain things, that’s for sure. But resource-wise, I learned with my friends a long time ago that if you have the skill, you can do a lot more with a lot less. And if I do have more at some point in the future, who knows what I can do?

You guys who are trying to get in at this very moment… Do less, but smarter. It’s not that hard. And you’ll get in. And I’ll curse and laugh at the same time, and the game will go on. For the moment, you are behaving like a dinosaur, even if it’s the cooler Tyrannosaurus rex one, and it went extinct. Or so I’m told.

  

[Piracy] Torpedo In The Water!

We definitely live in strange times. The infamous French law named Hadopi was supposed to give the French government a whole new range of options to deter and sanction illegal copies of licensed material.

I’m not up to speed on all the minutiae of the legal procedure, but the base rules were thus:

  1. Some guy in some office with a license to hunt pirates down (but apparently not a cop, whose job it should be) peruses the web to find the IP of your computer participating in an illegal download.
  2. You get sent an email saying close to nothing except that your IP has been flagged for further investigation.
  3. You get a hardcopy of the email through the postal system
  4. If you are flagged again (or maybe not the next time but after the third time or whatever, I’ve always been hazy on the details), your internet connection is shut down, and you might (or might not) see the cops at your door some time later.

Now, this mess has been up and running for a couple of years. And it’s dying a slow death, having cost taxpayers millions.

Why?

Because, apparently, the people at the head of this brand new agency get their seats for 2 years and someone forgot to renew their mandate or put other people in their place. Since the agency has no legal jurisdiction if the quorum can’t be met, the whole thing just can’t legally work anymore.

It sounds nuts, doesn’t it? Unfortunately for our French pride, and until the murky waters can be cleared, it seems to be true.

And that’s only the tip of the iceberg, albeit arguably a summit in crazy stupidity.

This legal system (the agency and the laws to back it up) is what we call in the tech trade clearly “ad hoc”. It’s jumbled together without any real plan, strategy or even common sense. To the people who actually understand how bits and bytes move around, it’s just (and I quote) “crazy bat-shit stupid”.

First off, since only the IP can be flagged, the law stipulates that if you get hacked and someone uses your network to do something illegal, it is somehow your fault. I am technically conversant, and I could probably spot some downloading activity going on through my WiFi network, but I live in a very dense area packed to the brim with computer students. That, plus the fact that I willingly give access to my visiting friends, means that I wouldn’t bet anything on the safety of my own network. So how could someone who doesn’t even know how to change the fricking password on their WiFi box do anything about it?

But it doesn’t stop there. Your IP has been flagged, but there’s no proof you’ve been engaged in an illegal activity until some duly appointed law enforcement agent inspects the contents of your hard drive. That means invading privacy in the name of justice, which requires a warrant. In order to get a warrant issued, you have to show a reasonable and plausible cause. In order to get that, you need something like a listing of the hard drive, because, frankly, “hey, I think some bytes went towards this computer” may be enough in a movie, but in real life, suspicion isn’t proof. I don’t even know how they worked a loophole around that plausible cause in any case, but I guess it’s not such a done deal as they seemed to indicate when the new law was shoved down everyone’s throats.

And then, of course, there’s the official chit. If memory serves, a warning has to be acknowledged to be acted upon. You can’t say “it’s the third time this guy has been warned” unless you have proof that the piece of paper has been handed to the person. Theoretically, this is done through a receipt. A friend of mine got the email, but not the piece of paper. He never signed any receipt either. So, legally, he never got it. Is that tricky or what?

In the end, the only person that has any kind of certainty (for a given value of “certain”) as to anything in this process is the guy who flagged you in the first place. He has done his job properly, noted something and pushed it down a pipe.

I don’t know if it’s the case everywhere in the legal system, but I know for a fact that for traffic tickets and fines, the officer who flagged the unlawful behavior has to put his name down. For a speeding ticket where the flagger is a camera, you have its serial number on the ticket. And I’m waiting to be convinced that, somehow, it’s not the case in every legal procedure in the country.

I’ve read the mail; it is a funny thing to receive in and of itself. There is nothing on it that identifies the person who flagged the deed and initiated the procedure. If memory serves, there’s a date and a time of the alleged perpetration, but that’s it. Shady, huh?

So the whole thing starts to smell, doesn’t it?

I’ve said it and I stand by it: piracy will always be around. There is no way to eradicate it totally, just like any other (more spectacular) kinds of crimes. By ridiculing the whole anti-piracy rhetoric this way, to my mind at least, they just make it even more OK… “Hey, even the government can’t do anything about it, so, who cares?”

The key lies in education. If the end user has good motives for buying licensed material (because he likes it, sees the price as fair, can afford it, and has easy access to it), he will. There’s no way that an abstract crime can be avoided otherwise (no one infringed on any physical, tangible integrity – there is no trace; no one has less money than they started with; everything is close to anonymous). You have to somehow make it real to the person who’s not supposed to commit it. Physical injury is real. Anyone can relate to that. Therefore it can be a crime, given a set of rules. Ditto for theft. Piracy, when it’s done well, leaves no trace, only actual sales figures that are lower than projected figures. How real can that be to warrant punishment?

Not enough.

So, time to put together positive reinforcement that will simply make piracy obsolete. Because it hurts someone you could like. Because piracy is uncool, for losers. Because pirating something is so much more difficult than getting a clean copy.

  

Software Piracy & The Genuine Customer

Piracy will always exist. Get over it.

An idea, however smart and new, is going to spread. A better method of doing old things is going to be used by people who recognize its value without wanting to pay for that realization. The only thing that might not necessarily get plundered is a way of presenting things, because there’s no accounting for taste, and besides, it’s a little too blatant.

I know, I know. You’ve just spent a couple of years developing that piece of software that’s new, cool, hype, awesome and altogether the whole source of your pride. And just one week after you publish it, there’s that miscreant who takes it all and presents it as his own. But, surely everyone in their right mind knows that it’s just been taken from you, right? I mean, come on! Apart from these two inverted text fields, it’s the same thing… Even the logo looks the same! It might be acceptable, maybe even flattering, if the Other One didn’t make more money out of it than you do…

You are so pissed that you swear that next time, you’ll make it really hard to copy, or understand, or use without your explicit consent. If there is a next time, because right now, there seems to be confusion in your mind as to whether you should be depressed or angry.

My advice is “just drop it”. It’s not worth the outrage. There are a lot of clever people out there. Ultimately, if your idea is profitable or just downright awesome, someone will figure out a way to put it to better (or more profitable) use.

After all, you came up with the idea, right? So why spend time and energy making it less usable because of the .01% of the human race who are going to screw you in any way you can(‘t) think of? Wouldn’t it be better to actually improve on it, and make it so perfect that 99.99% of the population will think “What the hell, I know I could spend a month and come up with an alternative, but it’ll never be as good as this one, so I might as well just use it as is (and pay the somewhat small fee involved)”?

The reason why I write about it today is because, for once, I’m in the position of the customer (or customer’s aide), and I despair of all the silly anti-piracy measures some “fellow developers” have taken, which prevent me from making fair use of their technology.

A charitable organization is holding a gathering to promote their overall goodness (and they are good people, embarking on quite a noble voyage), and to attract attention to a very real and very important problem. I might talk about that sometime later.

Trouble is, the venue doesn’t have internet access, and their website is something they are proud of and the main way to contact them, which makes it indispensable. So, the obvious solution is to make a copy of the website (which was paid for) onto a computer inside the venue, to give the visitors access.

I was tasked with that small request, and after a few days of talking a lot on the phone and waiting even more, I ended up with the relevant files. Turns out most of them rely on a custom engine (which hasn’t been included in the package), and some of the vital files are stored encoded, to be decoded on the fly by the engine when needed. Unusable.

So let me get this straight: a customer paid for a website, and they can’t show it in a private gathering for fund raising and general awareness.

This would be like owning a car for which you have to phone the manufacturer every time you want to start it up.

Now, smarter people than me have debated that field ad nauseam but the question still remains: is a piece of software a manufactured good or an idea?

In many ways, since we buy “a software”, have a copy on our hard drives, can put it where we want, and delete it on a whim, it’s akin to a piece of furniture. Instinctively, it’s “ours”.

What makes it less obvious is that it’s so easy to copy it and to give it to someone else. If you buy a table, and give it to somebody else, you don’t have a table anymore. With a piece of software (including movies, music, etc), you can give it away while keeping a copy at the same time.

The worst part is that most people don’t do it maliciously: it’s more out of goodness than greed. “Hey, I found this program that makes coffee just the way I like it, want to try it out?”. The other party, being given the goods, doesn’t see it as stealing, not really. They are just trying it out, or they don’t think anyone is being robbed by this act, or they think the software is being paid for by other people, given the outrageous price tag.

As with most things, I think it’s a question of education and message. If the recipient is aware that it’s wrong to accept, they will make it right in their own way, and in their own time.

I have a friend who has 10000+ CDs at home. If he likes a band, he buys the album. I have more than once gotten a copy of a piece of software from a friend to look at. If I ended up using it for real, or if I used it to make money, I paid for it.

How do we educate people to understand that this is someone else’s work and that it should be rewarded as such? The easiest (and to me, worst) way is to be repressive about it. The current anti-piracy campaigns regarding music and movies make it obvious: if you participate in the plunder, you’ll end up in jail. I think it doesn’t work, and I think it even pushes people who were “moderates” to more extreme reactions.

Come on, we’ve all been teenagers. Authority (especially faceless authority) doesn’t work half as well as Authority thinks. Besides, they don’t think they are doing anything wrong when they share something they like with their friends. If anything, they are doing the author a favor by promoting the work. Authority is therefore brutally stupid, and should be ignored.

So, how do we get these “confused” people, who think they’re not doing anything wrong, to understand that they are actually depriving us good developers (and artists) of our living? My view of the field is a little biased, as I do freelance work and know quite a lot of artists who get a reasonably big chunk of the retail price. I guess things are a little different when the middleman (major, publisher, etc) takes the biggest share of the sale, but here goes:

  • Be somewhat transparent about the proceedings. The price tag has to fit the instinctive value of the software. Who the hell pays 4000 euros for a piece of software they will use once? That sounds too much like preying on desperation.
  • Make sure the end customer knows who you are. Faceless implies meaningless. I think it’s a lot harder to rob you if they think they know you.
  • Make sure you know who your customers are (in at least a general way). Reply to their emails, thank them for their feedback, make it clear you work for them. It’s your work, but you didn’t do it for yourself. No one likes a selfish and greedy bastard.
  • Don’t force your customers to do something they don’t want to do. If they don’t want to pay for your work, they shouldn’t profit from it, that’s agreed. But if they put some effort into it, they’ll be able to anyway. Being held hostage doesn’t automatically turn into Stockholm syndrome… Most of the time it just brings resentment.
  • If it doesn’t cost you a lot, you should be flexible. The case above is an obvious example: there shouldn’t be any problem exporting a “degraded but working” website that can be used offline. The customer (me, here) is usually not asking for much in their own opinion. Bowing to their small request makes the relationship more cordial and personal. Next time you tell them it’s difficult or not possible, they will understand, since you were understanding of their own problem the previous time.

Granted, this way is slow. And by doing this, we are competing with the Big Boys out there who are repressive and seemingly more efficient (at making money, if nothing else) than we are. It all depends on what kind of overall result we want…

I’d feel much better in a world where people understand my need to get paid for my work, and gladly submit, than in a world where they do indeed pay, but knowingly try to screw me over because they think I’m not worth being paid. We’re far from there as of today. And as I have said numerous times here, I suffer chronically from it. But I think it’s a dream worth having, and worth working for.

What do you think?

[IMPORTANT UPDATE]

Already got a couple of replies. No it doesn’t mean I think all software should be open sourced. Flexible doesn’t mean giving away what you’ve worked so hard to accomplish. I’m just talking about means to distribute and get paid for it.

[IMPORTANT UPDATE 2]

Now that the feedback has abated slightly, there seem to be two major schools of thought: OpenSourcists (everything should be open source; that way it puts everyone back on an equal footing) and LOLYouAreSoNaive-ists (the world is unfair, accept the rules and make the best of it).

To the first ones I’ll say: I agree, it’s a good dream too. Unfortunately, a customer usually isn’t able to evaluate the quality of your work. Therefore, it’s not necessarily the best that will reap the benefits, but the ones best able to convince the customer to pay. Back to square one, I’m afraid.

To the second ones I’ll say: Yeah! Welcome to the Dark Ages v2.0.
Ethics should NOT be context-dependent. Otherwise, what’s the point?
Should we also abolish laws? They can be so tiresome, too… Or are they a way to keep score?
Just remember that evolution is not only “survival of the fittest”, but also about symbiotic relationships that bring a balance.
And that everyone else might take it as normal to screw you too. Including your own children.

I’m sorry, I still think there can, and should, be a better way to do things.