Bill Wishon’s News and Views

You are Browsing the January 2008 Archive:

New $2B Dutch Transport Card is Insecure

The new Dutch transit card system, on which $2 billion has been spent, was recently shown by researchers to be insecure. Three attacks have been announced by separate research groups. Let’s look at what went wrong and why.
The system, known as OV-chipkaart, uses contactless smart cards, a technology that allows small digital cards to communicate by radio over short distances (i.e. centimeters or inches) with reader devices. Riders would carry either a disposable paper card or a more permanent plastic card. Riders would “charge up” a card by making a payment, and the card would keep track of the remaining balance. The card would be swiped past the turnstile on entry and exit from the transport system, where a reader device would authenticate the card and cause the card to deduct the proper fare for each ride.
The disposable and plastic cards use different technologies. The disposable card, called Mifare Ultralight, is small, light, and inexpensive. The reusable plastic card, Mifare Classic, uses more sophisticated technologies.
The first attack, published in July 2007, came from Pieter Siekerman and Maurits van der Schee of the University of Amsterdam, who found vulnerabilities in the Ultralight system. Their main attacks manipulated Ultralight cards, for example by “rewinding” a card to a previous state so it could be re-used. These attacks looked fixable by changing the system’s software, and Siekerman and van der Schee described the necessary fixes. But it was also evident that a cleverly constructed counterfeit Ultralight card would be able to defeat the system in a manner that would be very difficult to defend against.
The fundamental security problem with the disposable Ultralight card is that it doesn’t use cryptography, so the card cannot keep any secrets from an attacker. An attacker who can read a card (e.g., by using standard equipment to emulate a card reader) can know exactly what information is stored on the card, and therefore can make another device that will behave identically to the card. Except, of course, that the attacker’s device can always return itself to the “fully funded” state. Roel Verdult of Radboud University implemented this “cloning” attack and demonstrated it on Dutch television, leading to the recent uproar.
The plastic Mifare Classic card does use cryptography: legitimate cards contain secret keys that they use to authenticate themselves to readers. So attackers cannot straightforwardly clone a card. Mifare Classic was designed to use a secret encryption algorithm.
Karsten Nohl, “Starbug,” and Henryk Plötz announced an attack that involved opening up a Mifare Classic card and capturing a high-resolution image of the circuitry, which they then used to reverse-engineer the cryptographic algorithm. They didn’t publish the algorithm, but their work shows that a real attacker could get the algorithm too.
Unmasking of the algorithm should have been no problem, had the system been engineered well. Kerckhoffs’s Principle, one of the bedrock maxims of cryptography, says that security should never rely on keeping an algorithm secret. It’s okay to have a secret key, if the key is randomly chosen and can be changed when needed, but you should never bank on an algorithm remaining secret.
Unfortunately the designers of Mifare Classic did not follow this principle. Instead, they chose to combine a secret algorithm with a relatively short 48-bit key. This is a problem because once you know the algorithm it’s possible for an attacker to search the entire 48-bit key space, and therefore to forge cards, in a matter of days or weeks. With 48 key bits, there are only about 280 trillion possible keys, which sounds like a lot to the person on the street but isn’t much of a barrier to today’s computers.
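The key-length argument above, worked through as an added example that is not part of the original post: a toy keyed function (HMAC-SHA256 as a stand-in, not the Mifare Classic cipher) whose algorithm is public, an exhaustive search over a constructed 16-bit key, and the worst-case search time for 48-bit versus 128-bit keys. The trial rate of one billion keys per second, the challenge bytes and the demo key are assumptions chosen for illustration.

```python
import hashlib
import hmac

DEMO_KEY_BITS = 16                 # constructed: small enough to search instantly
ASSUMED_KEYS_PER_SECOND = 1e9      # assumption, not a measured figure


def toy_response(key: int, challenge: bytes, key_bits: int) -> bytes:
    """Publicly known 'algorithm': a keyed tag over the reader's challenge.

    Stand-in for a card cipher. Per Kerckhoffs's Principle, everything here
    except `key` is assumed to be known to the attacker.
    """
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(key_bytes, challenge, hashlib.sha256).digest()[:8]


def exhaustive_search(challenge: bytes, observed: bytes, key_bits: int):
    """Try every key in order; return (recovered_key, number_of_trials)."""
    for candidate in range(1 << key_bits):
        guess = toy_response(candidate, challenge, key_bits)
        if hmac.compare_digest(guess, observed):
            return candidate, candidate + 1
    return None, 1 << key_bits


def worst_case_days(key_bits: int, keys_per_second: float) -> float:
    """Days needed to try every key of the given length at the given rate."""
    return (1 << key_bits) / keys_per_second / 86400


def demo():
    secret_key = 0xBEEF                    # constructed sample key
    challenge = b"reader-nonce-01"         # constructed sample challenge
    observed = toy_response(secret_key, challenge, DEMO_KEY_BITS)

    # Knowing the algorithm and one challenge/response pair is enough.
    recovered, trials = exhaustive_search(challenge, observed, DEMO_KEY_BITS)

    return {
        "recovered": recovered,
        "trials": trials,
        "keyspace_48": 1 << 48,
        "days_48": worst_case_days(48, ASSUMED_KEYS_PER_SECOND),
        "days_128": worst_case_days(128, ASSUMED_KEYS_PER_SECOND),
    }


if __name__ == "__main__":
    result = demo()
    print(f"recovered key 0x{result['recovered']:04X} after {result['trials']} trials")
    print(f"48-bit key space: {result['keyspace_48']:,} keys")
    print(f"48-bit worst case:  {result['days_48']:.1f} days")
    print(f"128-bit worst case: {result['days_128']:.2e} days")
```

At the assumed rate the whole 48-bit space falls in a few days, while a 128-bit key of the kind AES uses stays out of reach by more than twenty orders of magnitude, which is why a published algorithm with a long random key is the safer design.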
Now the Dutch authorities have a mess on their hands. About $2 billion has been invested in this project, but serious fraud seems likely if it is deployed as designed. This kind of disaster would have been less likely had the design process been more open. Secrecy was not only an engineering mistake (violating Kerckhoffs’s Principle) but also a policy mistake, as it allowed the project to get so far along before independent analysts had a chance to critique it. A more open process, like the one the U.S. government used in choosing the Advanced Encryption Standard (AES), would have been safer. Governments seem to have a hard time understanding that openness can make you more secure.


How Pirates Will Change The Entertainment Industry

For a few awkward years, the situation is only going to get worse. But soon enough the labels, studios and every other paranoid media owner will have to stop acting like petulant teenagers. The time has come to address piracy with some real, sustainable solutions that consumers will support. The time has come for the entertainment industry to grow up.
ACT I: THE SET-UP
Current system is shot to hell. Heads buried firmly in sand.
A few months ago, the writer and NYU professor Clay Shirky told me he thought DRM was a “nostalgic” idea. Nostalgic is the best adjective I’ve heard to describe how most large entertainment companies think about controlling their content in a digital era. Big media continue to view the situation through rose-tinted spectacles while consumers see red. When being a pirate is the easiest way for people to access the content they want in the format they want it in, then something has gone very, very wrong.
There isn’t a moral defense for stealing in most cases. But there isn’t a moral defense for invading people’s privacy and imposing draconian laws to protect outdated, crumbling business models either. Music and movie piracy is rampant because over the last ten years, the market has utterly failed to provide a wide range of preferable legitimate solutions. If this continues as bandwidth increases and download speeds accelerate, the entertainment industry will be left in ruins. Many think that needs to happen for new business models to form. I think those currently in power simply need to grow a set and confront the reality of the situation.
So far the search for new revenue streams by the big labels and studios has only turned up one that they seem to be comfortable with: the legal department. It’s impossibly difficult and expensive for the average consumer to use music legally in podcasts, on websites, in remixes, or in public speeches for example. But if you do decide to use music illegally, it’s entirely possible that a huge team of lawyers will come at you like a troop of rabid spider-monkeys. Instead of looking at real solutions, all the labels seem to be doing is exacerbating their problems.
Pretending the current laws or legitimate options for consuming movies and music online are in some way going to stop piracy from turning the entire entertainment business into a giant anarchic swap-meet is like pretending recycling plastic water bottles will single-handedly end global warming. The problem is the entertainment business doesn’t recognize the giant anarchic swap-meet for what it really is; a great way for them to make a ton of money.
ACT II: CONFRONTATION
Licenses replace sales. Labels accept reality, or die.
CD sales are in freefall (the arrival of the MacBook Air this week was perhaps the final death knell for the format), and the legal department is clearly not a viable long-term revenue stream. A more efficient way to monetize how we consume music online (and other goods with zero marginal production costs) is not to think about monetizing them in terms of sales, but instead in terms of licenses.
This is already beginning to happen. Deals like the “Comes With Music” partnership struck between Universal and Nokia last month may feel like “one step forward, two steps back”, but at least we’re finally heading in the right direction. And the fact that all the majors are starting to work with legitimate file-sharing models like iMeem is encouraging.
The solution we are slowly moving towards is a voluntary collective license for music, which consumers could choose to pay, or not. It needs to work all over the world. National boundaries don’t apply to this kind of information anymore. To pretend they do is as nostalgic a notion as DRM.
Organizations such as ASCAP or the BMI could fulfill this role. This system wouldn’t be a tax; there would be no cap on the amount of money an artist or label could earn, innovation would not be stifled. Bennet Lincoff wrote a paper this time last year which I believe could be the answer. The EFF is also supportive of a similar solution, which they outlined in a 2004 paper:
“The concept is simple: the music industry forms a collecting society, which then offers file-sharing music fans the opportunity to “get legit” in exchange for a reasonable regular payment, say $5 per month. So long as they pay, the fans are free to keep doing what they are going to do anyway—share the music they love using whatever software they like on whatever computer platform they prefer—without fear of lawsuits. The money collected gets divided among rights-holders based on the popularity of their music.
“In exchange, file-sharing music fans will be free to download whatever they like, using whatever software works best for them. The more people share, the more money goes to rights-holders. The more competition in applications, the more rapid the innovation and improvement. The more freedom to fans to publish what they care about, the deeper the catalog.”
Under this system, the internet would work exactly as broadcast radio does. As the EFF proposal points out, “songwriters originally viewed radio exactly the way the music industry today views KaZaA users—as pirates. After trying to sue radio out of existence, the songwriters ultimately got together to form ASCAP (and later BMI and SESAC). Radio stations interested in broadcasting music stepped up, paid a fee, and in return got to play whatever music they liked, using whatever equipment worked best.”
We have a system where infringement by many pirates affects the ability of rights holders to license music legally to the few media companies that can afford it. What we need is a model where infringement by a few pirates will not affect the ability for rights holders to license music to the many law abiding broadcasters who want to use it.
Sure, there is good money in making it very difficult to license music, and charging a few people a lot for the privilege. But it’s likely there is a lot more money in making it very easy to license music to a lot of people for very little.
This wouldn’t just allow individual users to share songs legally - it would create new opportunities for a lot of sites to start selling music, which is a good thing. The entertainment industry has made it very clear it would prefer not to be beholden to a small handful of stores like iTunes, an anti-competitive situation which isn’t great for consumers either. It’s a monumental task, but it would create jobs and wealth and probably a lot of opportunities we can’t even see yet.
ACT III: RESOLUTION
A viable entertainment industry unfolds. New revenue streams spring forth.
The truth is we still need middlemen in the entertainment business. It’s just they stopped doing their jobs properly, so we decided to stop paying them. But if the industry embraces the way millions of people have been consuming their products for the last decade, there will no longer be a reason for consumers to defend piracy. There will be more money for artists. There will be more commercial opportunities to distribute wider varieties of content. Publishing will grow. There will be a larger entertainment industry with more revenue streams, making more money than it does now. Once the benefits of sharing content in a more liberal fashion are widely understood, our definition of fair use will likely change as well, meaning a wealth of new non-profit driven content and culture will be created at the same time. I think that definition will look something like Tim Wu’s: “It is time to recognize a simpler principle for fair use: work that adds to the value of the original, as opposed to substituting for the original, is fair use. In my view that’s a principle already behind the traditional lines.”
Confronting the reality of where the traditional lines really are, and where the new ones have been drawn by the consumers (the people who really make the rules) is the only long-term solution to the pirate’s dilemma the entertainment industry faces. It is, in this instance, the only way the industry will ever stop piracy. It is the right thing to do, and it will force the rest of us to start doing the right thing too. When the entertainment industry decides to grow up about file sharing, the rest of us will have no choice but to do the same.

For those who are interested, my book: “The Pirate’s Dilemma: How Youth Culture Is Reinventing Capitalism” is out now through Free Press, and probably soon on a BitTorrent tracker near you ;).


Taxing ISPs to pay record companies

Jon Taplin posted about the music industry and he likes the idea of “taxing” ISPs, which of course really means taxing the ISPs’ users, and giving the money to the RIAA (it would have to be the RIAA, how would such a tax be evenly distributed to artists? How would you really know that a given artist was downloaded more than another and break down the earnings?)
I think it’s a pretty bad idea, but there are a lot of comments and it’s an interesting post.
Here’s what I said:
Another thing: why not tax external hard drive makers, webmail providers, web hosts, browser makers, OS makers, and copy machine makers? All of them are vectors for massive copyright infringement. It’s just a bad idea all around.


Could Use-Based Broadband Pricing Help the Net Neutrality Debate?

Yesterday, thanks to a leaked memo, it came to light that Time Warner Cable intends to try out use-based broadband pricing on a few of its customers. It looks like the plan is for several tiers of use, with the heaviest users possibly paying overage charges on a per-byte basis. In confirming its plans to Reuters, Time Warner pointed out that its heaviest-using five percent of customers generate the majority of data traffic on the network, but still pay as though they were typical users. Under the new proposal, pricing would be based on the total amount of data transferred, rather than the peak throughput on a connection.
If the current, flattened pricing is based on what the connection is worth to a typical customer, who makes only limited use of the connection, then the heaviest five percent of users (let’s call them super-users as shorthand) are reaping a surplus. Bandwidth use might be highly elastic with respect to price, but I think it is also true that the super-users do reap a great deal more benefit from their broadband connections than other users do — think of those who pioneer video consumption online, for example.
What happens when network operators fail to see this surplus? They have marginally less incentive to build out the network and drive down the unit cost of data transfer. If the pricing model changed so that network providers’ revenue remained the same in total but was based directly on how much the network is used, then the price would go down for the lightest users and up for the heaviest. If a tiered structure left prices the same for most users and raised them on the heaviest, operators’ total revenue would go up. In either case, networks would have an incentive to encourage innovative, high-bandwidth uses of their networks — regardless of what kind of use that is.
Gigi Sohn of Public Knowledge has come out in favor of Time Warner’s move on these and other grounds. It’s important to acknowledge that network operators still have familiar, monopolistic reasons to intervene against traffic that competes with phone service or cable. But under the current pricing structure, they’ve had a relatively strong argument to discriminate in favor of the traffic they can monetize, and against the traffic they can’t. By allowing them to monetize all traffic, a shift to use-based pricing would weaken one of the most persuasive reasons network operators have to oppose net neutrality.


Clinton’s Digital Policy

This is the second in our promised series summing up where the 2008 presidential candidates stand on digital technology issues. (See our first post, about Obama). This time, we’ll take a look at Hillary Clinton.
Hillary has a platform plank on innovation. Much of it will be welcome news to the research community: She wants to up funding for basic research, and increase the number and size of NSF fellowships for graduate students in the sciences. Beyond urging more spending (which is, arguably, all too easy at this point in the process) she indicates her priorities by urging two shifts in how science funds are allocated. First, relative to their current slice of the federal research funding pie, she wants a disproportionate amount of the increase in funding to go to the physical sciences and engineering. Second, she wants to “require that federal research agencies set aside at least 8% of their research budgets for discretionary funding of high-risk research.” Where the 8% figure comes from, and which research would count as “high risk,” I don’t know. Readers, can you help?
As far as specifically digital policy questions, she highlights just one: broadband. She supports “tax incentives to encourage broadband deployment in underserved areas,” as well as providing “financial support” for state, local, and municipal broadband initiatives. Government mandates designed to help the communications infrastructure of rural America keep pace with the rest of the country are an old theme, familiar in the telephone context as universal service requirements. That program taxes the telecommunications industry’s commercial activity, and uses the proceeds to fund deployment in areas where profit-seeking actors haven’t seen fit to expand. It’s politically popular in part because it serves the interests of less-populous states, which enjoy disproportionate importance in presidential politics.
On the larger question of subsidizing broadband deployment everywhere, the Clinton position outlined above strikes me, at its admittedly high level of vagueness, as being roughly on target. I’m politically rooted in the laissez-faire, free-market right, which tends to place a heavy burden of justification on government interventions in markets. In its strongest and most brittle form, the free-market creed can verge on naturalistic fallacy: For any proposed government program, the objection can be raised, “if that were really such a good idea, a private enterprise would be doing it already, and turning a profit.” It’s an argument that applies against government interventions as such, and that has often been used to oppose broadband subsidies. Broadband is attractive and valuable, and people like to buy it, the reasoning goes–so there’s no need to bother with tax-and-spend supports.
The more nuanced truth, acknowledged by thoughtful participants all across the debate, is that subsidies can be justified if but only if the market is failing in some way. In this case, the failure would be a positive externality: adding one more customer to the broadband Internet conveys benefits to so many different parties that network operators can’t possibly hope to collect payment from all of them.
The act of plugging someone in creates a new customer for online merchants, a present and future candidate for employment by a wide range of far-flung employers, a better-informed and more critical citizen, and a happier, better-entertained individual. To the extent that each of these benefits is enjoyed by the customer, they will come across as willingness to pay a higher price for broadband service. But to the extent that other parties derive these benefits, the added value that would be created by the broadband sale will not express itself as a heightened willingness to pay, on the part of the customer. If there were no friction at all, and perfect foreknowledge of consumer behavior, it’s a good bet that Amazon, for example, would be willing to chip in on individual broadband subscriptions of those who might not otherwise get connected but who, if they do connect, will become profitable Amazon customers. As things are, the cost of figuring out which third parties will benefit from which additional broadband connection is prohibitive; it may not even be possible to find this information ahead of time at any price because human behavior is too hard to predict.
That means there’s some amount of added benefit from broadband that is not captured on the private market — the price charged to broadband customers is higher than would be economically optimal. Policymakers, by intervening to put downward pressure on the price of broadband, could lead us into a world where the myriad potential benefits of digital technology come at us stronger and sooner than they otherwise might. Of course, they might also make a mess of things in any of a number of ways. But at least in principle, a broadband subsidy could and should be done well.
One other note on Hillary: Appearing on Meet the Press yesterday (transcript here), she weighed in on Internet-enabled transparency. It came up tangentially, when Tim Russert asked her to promise she wouldn’t repeat her husband’s surprise decision to pardon political allies over the objection of the Justice Department. The pardon process, Hillary maintained, should be made more transparent–and, she went on to say:
I want to have a much more transparent government, and I think we now have the tools to make that happen. You know, I said the other night at an event in New Hampshire, I want to have as much information about the way our government operates on the Internet so the people who pay for it, the taxpayers of America, can see that. I want to be sure that, you know, we actually have like agency blogs. I want people in all the government agencies to be communicating with people, you know, because for me, we’re now in an era–which didn’t exist before–where you can have instant access to information, and I want to see my government be more transparent.
This seems strongly redolent of the transparency thrust in Obama’s platform. If nothing else, it suggests that his focus on the issue may be helping pull the field into more explicit, more concrete support for the Internet as a tool of government transparency. Assuming that either Obama or Clinton becomes the nominee, November will offer at least one major-party presidential candidate who is on record supporting specific new uses of the Internet as a transparency tool.


Second Life Welcomes Bank Regulators

Linden Lab, the company that runs the popular virtual world Second Life, announced Tuesday that all in-world “banks” must now be registered with real-world banking regulators:

As of January 22, 2008, it will be prohibited to offer interest or any direct return on an investment (whether in L$ or other currency) from any object, such as an ATM, located in Second Life, without proof of an applicable government registration statement or financial institution charter. We’re implementing this policy after reviewing Resident complaints, banking activities, and the law, and we’re doing it to protect our Residents and the integrity of our economy.

This is a significant step. Thus far Second Life, like other virtual worlds, has tried to avoid entanglement with heavyweight real-world regulatory agencies. Now they are welcoming banking regulation. The reason is simple: unregulated “banks” were out of control.

Since the collapse of Ginko Financial in August 2007, Linden Lab has received complaints about several in-world “banks” defaulting on their promises. These banks often promise unusually high rates of L$ return, reaching 20, 40, or even 60 percent annualized.
Usually, we don’t step in the middle of Resident-to-Resident conduct – letting Residents decide how to act, live, or play in Second Life.
But these “banks” have brought unique and substantial risks to Second Life, and we feel it’s our duty to step in. Offering unsustainably high interest rates, they are in most cases doomed to collapse – leaving upset “depositors” with nothing to show for their investments. As these activities grow, they become more likely to lead to destabilization of the virtual economy. At least as important, the legal and regulatory framework of these non-chartered, unregistered banks is unclear, i.e., what their duties are when they offer “interest” or “investments.”

This was inevitable, given the ever-growing connections between the virtual economy of Second Life and the real-world economy. In-world Linden Dollars are exchangeable for real-world dollars, so financial crime in Second Life can make you rich in the real world. Linden doesn’t have the processes in place to license “banks” or investigate problems. Nor does it have the enforcement muscle to put bad guys in jail.
Expect this trend to continue. As virtual world “games” are played for higher and higher stakes, the regulatory power of national governments will look more and more necessary.


Strange but True: Looking at the Sun Can Trigger a Sneeze

Have you ever emerged from a matinee movie, squinted into the ? Up to a third of the population will answer this question with an emphatic "Yes!" (whereas nearly everyone else scratches their head in confusion). Sneezing as the result of bein…

