DoJ reacts to the Thomas-Rasset case

In June 2009, a court ordered Jammie Thomas to pay $1.9 million as a statutory damages award. Meanwhile, Jammie Thomas has moved the Court to either alter the judgment because the statutory damages award is unconstitutional, remit the award, or grant a new trial because some evidence should not have been admitted.

The Department of Justice (DoJ) responded to the first issue, i.e., the alleged unconstitutionality of the statutory damages award. Argument I of the published document recommends that the Court resolve the case on the two other grounds (remittitur, and a new trial due to inadmissible evidence). In other words, avoid the constitutional battleground.

But the most interesting part is Argument II, where the DoJ examines the constitutionality of the statutory damages award. In short, the purpose of statutory damages is to compensate the plaintiff for harm that is hard to evaluate, as is the case for copyright infringement. Furthermore, the DoJ sheds some light on their goals:

The Copyright Act’s statutory damages provision serves both to compensate and deter.

(page 17)

The message to infringing users is even clearer:

The current damages range provides compensation for copyright owners because, inter alia, there exist situations in which actual damages are hard to quantify. Furthermore, in establishing that range, Congress took into account the need to deter the millions of users of new media from infringing copyrights in an environment where many violators believe that they will go unnoticed.

(page 3)

Since 1999, the range has been $750 to $30,000 per infringed work for non-willful infringement; for willful infringement the maximum rises to $150,000. Thus, the $80,000 sits in the middle of the range.

Let’s see what the Court will decide.

PS: The DoJ's document is interesting to read, although tough going (as most legal papers are).

Understanding Scam Victims

The BBC has broadcast a set of TV documentaries, “The Real Hustle”. In these documentaries, Paul Wilson, a con artist, scams real people with real scams. When you watch them, you are upset because the scams are sometimes extremely simple but devastating.

Frank Stajano of the Cambridge Computer Laboratory has co-authored a paper with Paul Wilson that analyses these scams. The analysis extracts seven principles that may drive human behaviour:

  •   The Distraction Principle
  •   The Social Compliance Principle
  •   The Herd Principle
  •   The Dishonesty Principle
  •   The Deception Principle (dear to Mitnick)
  •   The Need and Greed Principle
  •   The Time Principle

Frank explains how these principles may interfere with security systems. We all know that the human is the weakest link. Knowing that human behaviour is driven by these principles, it may be possible to build systems that reduce the weight of that weak link.

Most of these principles are not new; some have already been described in books like “Beyond Fear” or “The Science of Fear”. Nevertheless, the paper is worth reading, even if only to discover the world of scams (and maybe increase our awareness and save us from one in the future). Good summer reading.

Behead The Prophet

Behead The Prophet is the name of an unofficial add-on to World of Warcraft (WoW). This add-on creates helpers (NPCs) that, once commanded, automatically perform tasks for the player (healing, casting spells, grinding…). It was presented at DEF CON 17.

This is not the first time such a tool has been offered. The interesting part is that Blizzard Entertainment (the company behind WoW) considers such bots cheating tools: using them violates the Terms of Use.

The design of such tools is driven by different motivations: greed, the will to win, and the hacking spirit (in its noble sense).

Greed: real money changes hands in MMORPGs. A typical example is gold farming, where people perform tasks with your character on your behalf. China is becoming worried about gold farming; the concern is probably not so much about ethics as about economics. These practices give more value to virtual money (which no state controls) and offer pathways for money laundering.

Winning: some people want to succeed (with or without ethics). Their avatar will be the same, and they will most probably seek any virtual artifact that gives an advantage. So, if they can get access to a tool that changes the odds…

Hacking spirit: this is a new frontier, a marvellous playground for programmers to test scripts, automation tools, and so on. It is also a fight against the machine, rather similar to the homebrew community for game consoles such as the Wii or PS3.

Copyright issues aside, is Blizzard right to fight such unauthorized add-ons? Yes. Many players enjoy struggling in these worlds because they have a fair chance to succeed: everybody plays by the same rules. If there were many cheaters, that assumption would no longer hold. More cheating would reduce the attractiveness of the game, meaning a loss of players and thus a loss of money.

Nevertheless, finding a way to channel the creativity of the developer community could be worthwhile: for instance, through dedicated servers or contests. This would most probably generate nice advances for Blizzard to integrate into newer versions.

MPAA 2 – RealDVD 0

By Eric DIEHL

In October 2008, the MPAA succeeded in stopping sales of RealDVD. The main concept of RealDVD is to rip a DVD and store a PROTECTED copy on a computer's hard disk. A first court decision banned the sale; of course, RealDVD appealed this ruling.

Currently, the RealDVD site displays:

RealDVD is currently unavailable
Due to recent legal action taken by the Hollywood movie studios against us, RealDVD is temporarily unavailable. Rest assured, we will continue to work diligently to provide you with software that allows you to make a legal copy of your DVDs for your own use.

Last week, Judge Patel granted a preliminary injunction in favour of the studios. RealDVD holds a license from the DVD-CCA, the licensing authority for DVD; this license is mandatory to legally obtain the keys that descramble CSS-protected discs. According to Judge Patel, the DVD-CCA license forbids making permanent copies of CSS-protected DVDs. Furthermore, according to Judge Patel, fair use does not permit circumventing a protection measure under the DMCA.

Interestingly, Kaleidescape, which faces the same issues (but for a high-end, expensive product), was also ruled against by a Californian court the same week.

The story continues…

Identification of more risks can lead to increased optimism

I am increasingly drawn to the psychological side of security and risk. Magne Jorgensen (Simula Research Lab, Norway) published a paper whose result is counter-intuitive. Its title is “Identification of more risks can lead to increased over-optimism of and over-confidence in software development effort estimates”.

Through four experiments, he shows that when people go deeper into risk analysis, they most often end up with a lower effort estimate and a higher success estimate than when they make a quick risk analysis!

He proposes some potential explanations. Once more we end up with judgement-based (the Guts) versus reasoning-based (the Brain) thinking (see Gardner's book). Among the explanations:

  • Illusion of control: people are more confident when they believe they are in control. Seeing more risks may give an illusion of control; identifying a risk already feels a little like controlling it.
  • Availability heuristic: the more vivid something is in memory, the more importance the Guts give it. When analysing risks, the most important ones are likely to be found quickly, whereas the last ones discovered will have the lowest probability. Unfortunately, the Guts' overall assessment is biased by the last risk analysed. In other words, it lowers the perceived global risk.

Jorgensen proposes a method to limit this bias: analyse each risk together with its impact, then sum the expected impacts.

Could that study affect the way we do threat analysis? I am not sure. Threat analysis is a long process, in which the availability heuristic will probably be diluted by time.

Nevertheless, it may affect the way we wrap up a threat analysis. Personally, I describe the threats in decreasing order of importance. In other words, the audience's guts, when leaving the room, will remember the least important threats 🙁 I should present them in increasing order. This would have two advantages: some thrill and suspense, and the most dangerous threats fresh in the Guts' memory.

Storm on The Pirate Bay

In April, The Pirate Bay (TPB) was sentenced by a Swedish court. In recent months, the storm over the bay has grown strong.

At the end of June, a company, Global Gaming Factory, announced that it would purchase TPB for €5.5M. The announced objective is to turn TPB into a legal P2P distribution platform, but for paid content. Global Gaming Factory owns a large network of cybercafés and develops cybercafé-dedicated applications.

At the end of July, two gusts:

  • The US movie majors filed suit to have the site shut down, citing the downloading of 100 TV shows and films.
  • A Dutch court ordered TPB to block access to its site for all Dutch citizens. For each day the site remains accessible from the Netherlands, the fine grows by €30,000. Funnily, it was probably the first time a court served a subpoena via Twitter.

On 4 August, one of the founders, Peter Sunde, announced that he is leaving the boat.

Meanwhile, many rumours circulated that Global Gaming Factory did not have the money to purchase TPB. But the company has just announced that it will officially acquire TPB on 27 August, after its extraordinary shareholders' meeting.

The Pirate Bay is still operating!

A password strength checker

I recently stumbled across a useful site for increasing security awareness. The Password Strength Checker evaluates the submitted password. Its use is intuitive.

Sure, when a password is declared strong, then it is strong. I played a little with it. I discovered that my Firefox master key scored 74%, my account password 70%, and my password for this blog only 30%!

When examining the poor result of this last (rather long) password, I found that I was not in total agreement with the rationale behind the penalties. Consecutive upper-case letters, lower-case letters or digits are “penalized”. Intuitively, I would think that systematically recommending the avoidance of consecutive upper-case letters, lower-case letters or digits gives an advantage to brute force: if the current character is upper case, then when brute-forcing the next character I can skip upper-case candidates. It reduces (slightly) the space of passwords.
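To put a number on that intuition, here is an added example (my own code, not the checker's) that counts passwords of a given length with and without the rule “no two consecutive characters from the same class”, and reports how many bits of search space an attacker saves by assuming the rule is followed. The three classes and their sizes are a constructed assumption; the real checker may weigh more classes.

```python
"""How much a 'no consecutive same-class characters' rule shrinks the keyspace."""
from math import log2

# Constructed character classes and alphabet sizes (assumption, not the
# checker's actual classes): upper-case, lower-case and digits only.
CLASSES = {"upper": 26, "lower": 26, "digit": 10}


def count_unrestricted(sizes, length):
    """Passwords of `length` drawn freely from the union of all classes."""
    return sum(sizes.values()) ** length


def count_no_consecutive_class(sizes, length):
    """Passwords of `length` in which adjacent characters never share a class.

    Dynamic programming keyed on the class of the last character: a password
    ending in class c is any shorter password ending in a *different* class,
    extended by one of the sizes[c] characters of c.
    """
    if length <= 0:
        return 0
    ending_in = dict(sizes)          # length 1: one password per character
    for _ in range(length - 1):
        total = sum(ending_in.values())
        ending_in = {c: n * (total - ending_in[c]) for c, n in sizes.items()}
    return sum(ending_in.values())


def bits_lost(sizes, length):
    """Entropy (bits) the rule removes: log2(unrestricted / restricted)."""
    return log2(count_unrestricted(sizes, length)
                / count_no_consecutive_class(sizes, length))


if __name__ == "__main__":
    for n in (3, 8, 12):
        print(f"length {n:2d}: free={count_unrestricted(CLASSES, n):e} "
              f"rule={count_no_consecutive_class(CLASSES, n):e} "
              f"bits lost={bits_lost(CLASSES, n):.2f}")
```

The loss is real but modest (well under one bit per character for these classes), which matches the “slightly” in the text; the larger risk of such a rule is that it pushes users toward a predictable alternating pattern rather than toward length.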

Nevertheless, a nice, useful tool.