Coffee and cigarettes, sold together at last (in Japan)
For people who like to smoke 40 cigarettes with their morning cup of coffee, Japan’s AM/PM minimarkets are offering this convenient package.
HBO is dipping its toes into online video waters, launching a limited trial for “HBO on Broadband,” a service that will let existing cable subscribers stream videos on their computer. Unlike other recent online video efforts like Hulu from FOX/NBC and Fancast from Comcast, HBO’s initiative features an installable application that then downloads movies and shows to your hard drive. There are several other restrictions according to The New York Times:
“… The program is available only on Windows PCs initially; the downloaded content cannot yet be transferred to portable devices; and the content expires four weeks after being downloaded.”
I’m not sure I get this one. While I can see the need for HBO to preserve its cable subscription revenues, this is essentially a cumbersome version of HBO On-Demand, without the advantage of being able to watch what you want instantly on your home theatre setup. On the other hand, HBO is simply offering this service complimentary at no additional charge to existing customers, so it’s essentially just another viewing option, which is always a good thing.
That said, HBO has indicated that this is simply a trial that will only be running in Green Bay and Milwaukee. Overall, it seems like the network would be better served by an online subscription program or pay-per-download format, but we’ll wait and see what the folks in Wisconsin have to say about it.
The new Dutch transit card system, on which $2 billion has been spent, was recently shown by researchers to be insecure. Three attacks have been announced by separate research groups. Let’s look at what went wrong and why.
The system, known as OV-chipkaart, uses contactless smart cards, a technology that allows small digital cards to communicate by radio over short distances (i.e. centimeters or inches) with reader devices. Riders would carry either a disposable paper card or a more permanent plastic card. Riders would “charge up” a card by making a payment, and the card would keep track of the remaining balance. The card would be swiped past the turnstile on entry and exit from the transport system, where a reader device would authenticate the card and cause the card to deduct the proper fare for each ride.
The disposable and plastic cards use different technologies. The disposable card, called Mifare Ultralight, is small, light, and inexpensive. The reusable plastic card, Mifare Classic, uses more sophisticated technologies.
The first attack, published in July 2007, came from Pieter Siekerman and Maurits van der Schee of the University of Amsterdam, who found vulnerabilities in the Ultralight system. Their main attacks manipulated Ultralight cards, for example by “rewinding” a card to a previous state so it could be re-used. These attacks looked fixable by changing the system’s software, and Siekerman and van der Schee described the necessary fixes. But it was also evident that a cleverly constructed counterfeit Ultralight card would be able to defeat the system in a manner that would be very difficult to defend against.
The fundamental security problem with the disposable Ultralight card is that it doesn’t use cryptography, so the card cannot keep any secrets from an attacker. An attacker who can read a card (e.g., by using standard equipment to emulate a card reader) can know exactly what information is stored on the card, and therefore can make another device that will behave identically to the card. Except, of course, that the attacker’s device can always return itself to the “fully funded” state. Roel Verdult of Radboud University implemented this “cloning” attack and demonstrated it on Dutch television, leading to the recent uproar.
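An added example, not from the original article or the researchers' paper: a back-end ledger check of the kind a software fix for rewound or "fully funded" Ultralight cards could use, since the card itself cannot be trusted to report its own state. The `Tap` fields, the `Ledger` class and the sample taps are assumptions constructed for illustration, not the real OV-chipkaart data layout.

```python
from dataclasses import dataclass


@dataclass
class Tap:
    """One turnstile read of a card (hypothetical fields, constructed for this example)."""
    uid: str       # card serial number reported to the reader
    counter: int   # transaction counter stored on the card
    balance: int   # remaining value in cents stored on the card
    fare: int = 0  # cents the reader deducts at this tap


class Ledger:
    """Back-end shadow copy of each issued card's last accepted state."""

    def __init__(self):
        self.cards = {}  # uid -> (next expected counter, balance in cents)

    def issue(self, uid, balance):
        self.cards[uid] = (0, balance)

    def check(self, tap):
        """Return a list of alerts; an empty list means the tap was accepted."""
        if tap.uid not in self.cards:
            return ["unknown-card"]
        counter, balance = self.cards[tap.uid]
        alerts = []
        if tap.counter < counter:   # card shows an older state than the back end has seen
            alerts.append("rewound-counter")
        if tap.balance > balance:   # card claims more value than was ever loaded
            alerts.append("balance-exceeds-ledger")
        if not alerts:
            # Record the state the card will hold once the fare is deducted.
            self.cards[tap.uid] = (tap.counter + 1, tap.balance - tap.fare)
        return alerts


def run_demo():
    ledger = Ledger()
    ledger.issue("04A1B2", 1000)                  # constructed card, 10.00 loaded
    taps = [                                      # constructed sample taps
        Tap("04A1B2", 0, 1000, fare=250),         # normal ride
        Tap("04A1B2", 1, 750, fare=250),          # normal ride
        Tap("04A1B2", 0, 1000, fare=250),         # card restored to an earlier state
        Tap("04A1B2", 2, 1000, fare=250),         # emulator reporting "fully funded"
        Tap("FFFFFF", 0, 1000, fare=250),         # UID that was never issued
    ]
    return [ledger.check(t) for t in taps]
```

The check only works where readers can reach the ledger; it detects inconsistent state after the fact and does not give the card a secret it can keep.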
The plastic Mifare Classic card does use cryptography: legitimate cards contain secret keys that they use to authenticate themselves to readers. So attackers cannot straightforwardly clone a card. Mifare Classic was designed to use a secret encryption algorithm.
Karsten Nohl, “Starbug,” and Henryk Plötz announced an attack that involved opening up a Mifare Classic card and capturing a high-resolution image of the circuitry, which they then used to reverse-engineer the cryptographic algorithm. They didn’t publish the algorithm, but their work shows that a real attacker could get the algorithm too.
Unmasking of the algorithm should have been no problem, had the system been engineered well. Kerckhoffs’s Principle, one of the bedrock maxims of cryptography, says that security should never rely on keeping an algorithm secret. It’s okay to have a secret key, if the key is randomly chosen and can be changed when needed, but you should never bank on an algorithm remaining secret.
Unfortunately the designers of Mifare Classic did not follow this principle. Instead, they chose to combine a secret algorithm with a relatively short 48-bit key. This is a problem because once you know the algorithm it’s possible for an attacker to search the entire 48-bit key space, and therefore to forge cards, in a matter of days or weeks. With 48 key bits, there are only about 280 trillion possible keys, which sounds like a lot to the person on the street but isn’t much of a barrier to today’s computers.
Now the Dutch authorities have a mess on their hands. About $2 billion has been invested in this project, but serious fraud seems likely if it is deployed as designed. This kind of disaster would have been less likely had the design process been more open. Secrecy was not only an engineering mistake (violating Kerckhoffs’s Principle) but also a policy mistake, as it allowed the project to get so far along before independent analysts had a chance to critique it. A more open process, like the one the U.S. government used in choosing the Advanced Encryption Standard (AES), would have been safer. Governments seem to have a hard time understanding that openness can make you more secure.
For a few awkward years, the situation is only going to get worse. But soon enough the labels, studios and every other paranoid media owner will have to stop acting like petulant teenagers. The time has come to address piracy with some real, sustainable solutions that consumers will support. The time has come for the entertainment industry to grow up.
ACT I: THE SET-UP
Current system is shot to hell. Heads buried firmly in sand.
A few months ago, the writer and NYU professor Clay Shirky told me he thought DRM was a “nostalgic” idea. Nostalgic is the best adjective I’ve heard to describe how most large entertainment companies think about controlling their content in a digital era. Big media continue to view the situation through rose-tinted spectacles while consumers see red. When being a pirate is the easiest way for people to access the content they want in the format they want it in, then something has gone very, very wrong.
There isn’t a moral defense for stealing in most cases. But there isn’t a moral defense for invading people’s privacy and imposing draconian laws to protect outdated, crumbling business models either. Music and movie piracy is rampant because over the last ten years, the market has utterly failed to provide a wide range of preferable legitimate solutions. If this continues as bandwidth increases and download speeds accelerate, the entertainment industry will be left in ruins. Many think that needs to happen for new business models to form. I think those currently in power simply need to grow a set and confront the reality of the situation.
So far the search for new revenue streams by the big labels and studios has only turned up one that they seem to be comfortable with: the legal department. It’s impossibly difficult and expensive for the average consumer to use music legally in podcasts, on websites, in remixes, or in public speeches for example. But if you do decide to use music illegally, it’s entirely possible that a huge team of lawyers will come at you like a troop of rabid spider-monkeys. Instead of looking at real solutions, all the labels seem to be doing is exacerbating their problems.
Pretending the current laws or legitimate options for consuming movies and music online are in some way going to stop piracy from turning the entire entertainment business into a giant anarchic swap-meet is like pretending recycling plastic water bottles will single-handedly end global warming. The problem is the entertainment business doesn’t recognize the giant anarchic swap-meet for what it really is; a great way for them to make a ton of money.
ACT II: CONFRONTATION
Licenses replace sales. Labels accept reality, or die.
CD sales are in freefall (the arrival of the MacBook Air this week was perhaps the final death knell for the format), and the legal department is clearly not a viable long-term revenue stream. A more efficient way to monetize how we consume music online (and other goods with zero marginal production costs) is not to think about monetizing them in terms of sales, but instead in terms of licenses.
This is already beginning to happen. Deals like the “Comes With Music” partnership struck between Universal and Nokia last month may feel like “one step forward, two steps back”, but at least we’re finally heading in the right direction. And the fact that all the majors are starting to work with legitimate file-sharing models like iMeem is encouraging.
The solution we are slowly moving towards is a voluntary collective license for music, which consumers could choose to pay, or not. It needs to work all over the world. National boundaries don’t apply to this kind of information anymore. To pretend they do is as nostalgic a notion as DRM.
Organizations such as ASCAP or the BMI could fulfill this role. This system wouldn’t be a tax; there would be no cap on the amount of money an artist or label could earn, innovation would not be stifled. Bennet Lincoff wrote a paper this time last year which I believe could be the answer. The EFF is also supportive of a similar solution, which they outlined in a 2004 paper:
“The concept is simple: the music industry forms a collecting society, which then offers file-sharing music fans the opportunity to “get legit” in exchange for a reasonable regular payment, say $5 per month. So long as they pay, the fans are free to keep doing what they are going to do anyway—share the music they love using whatever software they like on whatever computer platform they prefer—without fear of lawsuits. The money collected gets divided among rights-holders based on the popularity of their music.
“In exchange, file-sharing music fans will be free to download whatever they like, using whatever software works best for them. The more people share, the more money goes to rights-holders. The more competition in applications, the more rapid the innovation and improvement. The more freedom to fans to publish what they care about, the deeper the catalog.”
Under this system, the internet would work exactly as broadcast radio does. As the EFF proposal points out, “songwriters originally viewed radio exactly the way the music industry today views KaZaA users—as pirates. After trying to sue radio out of existence, the songwriters ultimately got together to form ASCAP (and later BMI and SESAC). Radio stations interested in broadcasting music stepped up, paid a fee, and in return got to play whatever music they liked, using whatever equipment worked best.”
We have a system where infringement by many pirates affects the ability of rights holders to license music legally to the few media companies that can afford it. What we need is a model where infringement by a few pirates will not affect the ability for rights holders to license music to the many law abiding broadcasters who want to use it.
Sure, there is good money in making it very difficult to license music, and charging a few people a lot for the privilege. But it’s likely there is a lot more money in making it very easy to license music to a lot of people for very little.
This wouldn’t just allow individual users to share songs legally – it would create new opportunities for a lot of sites to start selling music, which is a good thing. The entertainment industry has made it very clear it would prefer not to be beholden to a small handful of stores like iTunes, an anti-competitive situation which isn’t great for consumers either. It’s a monumental task, but it would create jobs and wealth and probably a lot of opportunities we can’t even see yet.
ACT III: RESOLUTION
A viable entertainment industry unfolds. New revenue streams spring forth.
The truth is we still need middlemen in the entertainment business. It’s just they stopped doing their jobs properly, so we decided to stop paying them. But if the industry embraces the way millions of people have been consuming their products for the last decade, there will no longer be a reason for consumers to defend piracy. There will be more money for artists. There will be more commercial opportunities to distribute wider varieties of content. Publishing will grow. There will be a larger entertainment industry with more revenue streams, making more money than it does now. Once the benefits of sharing content in a more liberal fashion are widely understood, our definition of fair use will likely change as well, meaning a wealth of new non-profit driven content and culture will be created at the same time. I think that definition will look something like Tim Wu’s: “It is time to recognize a simpler principle for fair use: work that adds to the value of the original, as opposed to substituting for the original, is fair use. In my view that’s a principle already behind the traditional lines.”
Confronting the reality of where the traditional lines really are, and where the new ones have been drawn by the consumers (the people who really make the rules) is the only long-term solution to the pirate’s dilemma the entertainment industry faces. It is, in this instance, the only way the industry will ever stop piracy. It is the right thing to do, and it will force the rest of us to start doing the right thing too. When the entertainment industry decides to grow up about file sharing, the rest of us will have no choice but to do the same.
For those who are interested, my book: “The Pirate’s Dilemma: How Youth Culture Is Reinventing Capitalism” is out now through Free Press, and probably soon on a BitTorrent tracker near you.
Jon Taplin posted about the music industry and he likes the idea of “taxing” ISPs, which of course really means taxing the ISPs’ users, and giving the money to the RIAA (it would have to be the RIAA, how would such a tax be evenly distributed to artists? How would you really know that a given artist was downloaded more than another and break down the earnings?)
I think it’s a pretty bad idea, but there are a lot of comments and it’s an interesting post.
Here’s what I said:
Another thing: why not tax external hard drive makers, webmail providers, web hosts, browser makers, OS makers, and copy machine makers? All of them are vectors for massive copyright infringement. It’s just a bad idea all around.