[Paul Ohm (guest-blogging), April 9, 2007 at 10:11am]
The Myth of the Superuser, Part One:

Thanks very much, Eugene, for inviting me to talk about my latest research. I'm offering the VC reader a twofer: Today through Wednesday I'll describe my ideas about the Myth of the Superuser, and Thursday and Friday I'll discuss an empirical project involving the Analog Hole. (Quick plug: The Superuser article is looking for a law review to call home, so if you choose articles for a journal, please give it a read!)

My first project is a critique of the rhetoric we use when we debate online conflict. In our debates, storytelling is epidemic, and the dominant trope is the myth of power. To restate it like a less-charged version of Godwin's Law (I'd call it "Ohm's Law," but that's taken): as a debate about online conflict progresses, the probability of an argument involving powerful computer users approaches one.

For example, law enforcement officials talk about the spread of zombie "botnets" to support broader computer crime laws. Privacy advocates fret about super-hackers who can steal millions of identities with a few keystrokes. Digital rights management opponents argue that DRM is inherently flawed, because some hacker will always find an exploit. (The DRM debate is unusual, because the power-user trope appears on both sides: DRM proponents argue that because they can never win the arms race against powerful users, they need laws like the DMCA.)

These stories could usefully contribute to these debates if they were cited for what they were: interesting anecdotes that open a window into the empirical realities of online conflict. Instead, in a cluttered rhetorical landscape, stories like these supplant a more meaningful empirical inquiry. The pervasive attitude is, "we don't need to probe too deeply into the nature of power in these conflicts, because these stories tell us all we need to know."

Too much attention is paid to the powerful user, or the Superuser as I call him. (UNIX geeks, I'm aware I'm overloading the term.) Today I focus on the first part of the argument, my "proof" that the Superuser's importance is often exaggerated. Superusers inhabit the Internet, but they are often so uncommon as safely to be ignored.

(Two quick asides, that are sure to come up in comments: First, even a few Superusers deserve attention if they act so powerfully that they account for a significant portion of the harm. Measuring the impact of the Superuser requires more than a head count; it also means measuring the amount of harm caused by any one Superuser. Second, Superusers can empower ordinary users by building easy-to-use tools; I address this so-called "script kiddy" problem in the article.)

We know that the Superuser's power is often exaggerated for three reasons:

First, some statements of Superuser harm are so hyperbolic as to be self-disproving. For example, as Cybersecurity Czar under the Clinton and second Bush administrations, Richard Clarke was fond of saying, "digital Pearl Harbors are happening every day." I'm not sure what meaning Clarke was giving to the phrase, digital Pearl Harbor: he may have meant attacks with the psychologically damaging effect, horrific loss of life, terrifying surprise, size of invading force, or historical impact of the December 7, 1941 attack; no matter which of these he meant, the claim is a horribly exaggerated overstatement.

Second, experience suggests that some online crimes are committed by ordinary users much more often than by Superusers. Take data breach and identity theft. Data breachers are often portrayed as genius hackers who break into computers to steal thousands of credit card numbers. Although some criminals fit this profile, increasingly, the police are focusing on non-Superusers who obtain personal data using non-technical means, like laptop theft. Similarly, identity thieves are often not computer wizards; the New York Times reported last year that many District Attorneys see more meth addicts committing identity theft than any other segment of the population.

Consider also claims that terrorists are plotting to use computer networks to threaten lives or economic well-being. There has never been a death reported from an attack on a computer network or system. In fact, many experts now doubt that an attack will ever disable a significant part of the Internet.

Of course, there are limits to using opinions and qualitative evidence to disprove the Myth, because they share so much in common with the anecdotes that fuel it. The third way to dispel the Myth is through studies and statistics. As one very recent example, Phil Howard and Kris Erickson of the University of Washington released a study which found that sixty percent of reported incidents of the loss of personal records involved organizational mismanagement, while only thirty-one percent involved hackers.

This is just a taste; in the Article, I go into much greater depth about why the Myth is not to be believed. Tomorrow, I will discuss the significant harms that result from Myth-influenced policymaking. Finally, on Wednesday, I will focus on a root cause of the problem: the inability of computer security experts to discriminate between high risk and low risk harms online.

Jake (Guest):
From the paper:

Criminal laws have been written that prohibit theft and breaking and entering, and these laws are still considered effective even though some people can pick locks.

If we continue with this analogy, doesn't it support laws against digital trespass analogous to breaking and entering? You cite a couple of cases involving what look to be prosecutorial overreach, but we also see prosecutorial overreach in offline behavior. How do we know we're not just replacing the myth of the superuser with the myth of the superstatute?
4.9.2007 11:40am
AdamL (www):
Is the Superuser myth at all similar to the ticking-time bomb scenarios used to justify certain law enforcement and CIA practices?

They seem to fit your definition of the Superuser Myth in Part I(A)(2) and are frequently used to justify infringements on civil liberties. I'm just curious to what extent your analysis can be applied to the ticking time-bomb scenarios.
4.9.2007 11:42am
Guest J:
The word "superuser" is really unfortunate here, because it's the name used on Unix and Unix-like systems such as *BSD and Linux for the master administrative user account, aka the "root" account. Given that many computer-savvy people use the term "superuser" routinely to refer to this account, reusing the word for this mythological figure invites linguistic confusion, or at least ambiguity.
4.9.2007 11:44am
Oren (mail):
I agree with your analysis in regards to most of the topics covered but DRM protected content is an important exception. Once a single copy of DeCSS is available (for example) every DVD is instantly compromised forever*. Similarly, once a single unprotected copy of a particular media item is released on the "scene" (to use the terminology of media piracy groups), it is likewise compromised forever.

Although most of the users that comprise the higher echelons of the scene are not superusers in the sense that you have defined (having exceptional skills), there are a number of factors that allow these groups to have an incredibly large impact. First and foremost is effective organization. When an episode of (say) The Simpsons is aired, there are people dedicated to capturing and encoding (compressing, removing commercials, etc.), followed by people that are dedicated to high-level distribution among the scene (the "topsites"), followed by a whole separate arm that distributes to the plebs (eg see www(dot)eztvefnet(ddoott)org at the very bottom of the heap). This organizational structure actually extends across the "groups" to cooperation between groups to minimize duplication of effort - many TV shows are captured every week by the same group such that, by now, there is little overlap.

Secondly, these groups devote a fair amount of capital to these projects making them far more effective than the average internet user. Topsites are hosted on fast (100Mbps minimum), dedicated servers usually leased from a hosting company (increasingly, a hosting company in Sweden or the Netherlands which do brisk business in not caring what goes on). Distribution networks also use similar dedicated lines. For instance, on EZTV (linked above), if you manage to jump on right at the release of a particular episode, before the inevitable rush of slow internet users clogs the works, you can download at a few hundred Kbps getting a whole episode in a matter of minutes.

The net result is that within half an hour of the end of the east coast airing of a popular show like The Simpsons, there is a copy available online being "seeded" by very fast connections. After an hour, I would estimate (conservatively) that in excess of 10,000 complete copies have been made and tens of thousands more are in progress.

Lastly, while the "scene" is not made up of elite programmers and other highly skilled people, they do know what they are doing. To distribute this many copies requires at least a bit of know how!

Finally, as a quick reminder of the weakness of legal remedies, consider the statement of the judge in UNIVERSAL CITY STUDIOS, INC, et al. -against- SHAWN C. REIMERDES, et al., more famously known as the 2600 case, after the famous magazine included as a defendant.

Thus, defendants obviously hoped to frustrate plaintiffs' recourse to the judicial system by making effective relief difficult or impossible.

He was indeed right, judicial relief was not possible and DeCSS is widely available today virtually everywhere on the internet.

*Assuming that the studios will not release DVDs that are not backwards compatible with the first players. I believe this is a reasonable assumption.
4.9.2007 11:53am
Taeyoung (mail):
Measuring the impact of the Superuser requires more than a head count; it also means measuring the amount of harm caused by any one Superuser. Second, Superusers can empower ordinary users by building easy-to-use tools; I address this so-called "script kiddy" problem in the article.)

I think this must be especially significant in the filesharing/online piracy/DRM situation. Your average user probably couldn't code a P2P protocol or develop DeCSS on his own, but he knows how to use Google to find them, and knows how to run an installer. Given, though, that the path to piracy runs through tools developed by "superusers" (as I understand you to be using the term), why shouldn't legal DRM efforts focus on limiting superusers? I mean, if you could actually shut down the Blu-ray/HD-DVD cracks that are beginning to circulate, and prevent the development and distribution of programs implementing those cracks, wouldn't that heavily constrain the flow of copyrighted HD video data from the DRM-controlled market into the pirate market? If you could effectively use secondary liability theories to punish individuals who develop P2P filesharing systems, wouldn't that constrain average-user access to sources of pirated content?

In addition, my understanding is that quite apart from DRM, even after copyright material has escaped DRM into filesharing networks and so on, there are "power-users," as it were, who share huge volumes of data. Most people just leech off of these particular users -- if legal enforcement could effectively identify and target these power-users (perhaps not technically sophisticated, with knowledge of the law and loopholes and technology and all that, just sharing a huge library of files 24/7 over a broadband connection), wouldn't that constrain leecher leeching?

I mean, I'm dubious that the law is going to play much part in the arms race between users and content providers, but to the extent that content providers are trying to use the law, in addition to technical solutions like Vista's (apparently) overkill content protection system, I don't see why they shouldn't target superusers. They enable all the rest of us, after all.
4.9.2007 12:07pm
Ken Arromdee:
*Assuming that the studios will not release DVDs that are not backwards compatible with the first players. I believe this is a reasonable assumption.

This is an unreasonable assumption with Blu-Ray and HD-DVD. A key has already been revoked. New DVDs won't play on the old player, and if you ever try to do so it'll know the key is revoked and stop playing old DVDs too.

http://it.slashdot.org/it/07/04/07/1417253.shtml
4.9.2007 12:17pm
s806:
Online groups are active and highly dedicated to 'protecting' infringement and making it increasingly difficult to enforce the DMCA.

It's the 17 year old programmer that is the threat.
4.9.2007 12:18pm
Taeyoung (mail):
This is an unreasonable assumption with Blu-Ray and HD-DVD. A key has already been revoked. New DVDs won't play on the old player, and if you ever try to do so it'll know the key is revoked and stop playing old DVDs too.

I'm not sure if it's a proper assumption, but I think it's a possible outcome -- I recall that some industry figures have speculated that fear of consumer outrage, on discovering that their Blu-ray/HD-DVD players no longer work, would keep content producers from revoking device keys (it's device keys that are revocable, right?) in most cases.
4.9.2007 12:21pm
Paul Ohm (mail) (www):
Very helpful comments, everyone.

One important point that touches on Jake's, Oren's, and Taeyoung's comments is that I'm not calling for an end to every regulation designed to target Superusers. For the reasons you all describe, there are sometimes good reasons to "go after" Superusers or to try to keep Superusers and ordinary users apart.

What I'm objecting to is the unthinking or intentional use of the Myth of the Superuser to force through broad, harmful regulation that can be (and often is) used primarily against non-Superusers. I think this happens more often than not.

The problem (as I will discuss more thoroughly on Wednesday) is that we just aren't equipped to count whether a problem is Superuser-rich or -poor. Until we can do that, I think it's safer to assume that the Superuser is a myth unless someone establishes otherwise.

And "Guest J". Look at footnote 8. It's written with your comment in mind. I thought about choosing a less overloaded term, but nothing else seemed to work.
4.9.2007 12:24pm
Zathras (mail):
Superusers economically self-select themselves out of the hacker world. Once someone gets to this level of proficiency, that person will likely earn significantly more than anything they can do as a hacker. As someone who dabbled in a little hacking as a teenager, I know many other teenage hackers who followed this route. Every teenage hacker I remember who stayed with hard core computer work went from red hat to white hat somewhere along the road.
4.9.2007 12:39pm
Guest J:
Paul Ohm: Sorry, I didn't notice your note until later. Why not use the term super-hacker, which you do use at least once in your discussion? (I'm aware that "hacker" is problematic in that it has both a good and bad sense, but super-hacker is, I think, so far unclaimed.)
As for the overloading of the term, I think the problem here is that this is likely to cause confusion in conversations between computer people and lawyers / law enforcement, if the term catches on. Imagine if there were some important function of computer software called "establishing probable cause" or "civil procedure" or "promissory estoppel", and it came up in conversation; do you think lawyers could start using such terms when discussing software? It would be just way too jarring, I would think.

The term superuser is also sometimes used outside the Unix and Unix-like systems world, by the way, for administrative accounts. I think Windows people sometimes use it to refer to their administrative powers, too.
4.9.2007 12:41pm
billb:
Guest J: To preempt Eric Raymond's arrival on-scene to say this, I think it would be best to call them "super-crackers". The general hacker (white hat) community can get pretty annoyed with folks lumping them with the bad guys through an implied negative connotation in the use of "hacker".
4.9.2007 12:58pm
Guest J (mail):
billb: I'm not sure that's a live concern. I'm a programmer, and though I know plenty of people who are proud hackers in the old MIT/problem solving/ESR sense, I've never heard the term "super-hacker" used seriously. It seems a bit too self-congratulatory and silly to be adopted by the (problem-solving) hacker crowd. Among proud hackers, in the old sense, the term hacker already was a superlative -- it connoted mastery. It's one of those terms that don't become stronger by intensifying them. But the term "super-hacker" is used in the sense of describing super-computer-vandals. If you do a google search you'll find plenty of examples.

Since the (legitimate) hacker community doesn't (and I think wouldn't) use the term, and since it is in fact used commonly to talk about the phenomenon under discussion here, I think it's probably a decent fit. I liked the idea of the term "cracker" but I'm not sure it's ever really going to catch on.
4.9.2007 1:08pm
Jim G (mail):
I'll echo the suggestion to find a different term than "Superuser." Not only does it collide with a term already used in two ways, but it's also a little charged, being based on the word "Super." It generates visions of people in capes and value judgments that may or may not be appropriate.

I would suggest finding a more neutral term. The word "expert" seems perfectly useful in this context.
4.9.2007 1:14pm
Max Hailperin (mail) (www):
I had already expressed my regret in another thread that Ohm's choice of the word "Superuser" undermines his stated desire to engage with computer security experts. Here, let me take on another case where Ohm seems to unnecessarily cut himself off from those whose behavior he would like to change. He writes

First, some statements of Superuser harm are so hyperbolic as to be self-disproving. For example, as Cybersecurity Czar under the Clinton and second Bush administrations, Richard Clarke was fond of saying, "digital Pearl Harbors are happening every day." I'm not sure what meaning Clarke was giving to the phrase, digital Pearl Harbor: he may have meant attacks with the psychologically damaging effect, horrific loss of life, terrifying surprise, size of invading force, or historical impact of the December 7, 1941 attack; no matter which of these he meant, the claim is a horribly exaggerated overstatement.

I agree that each of these meanings is implausible. As such, the charitable assumption would be that Clarke did not intend any of them. Perhaps he meant that every day, digital attacks occur that catch their victims with their guard down. Perhaps he also meant that the victims had what at least in 20/20 hindsight ought to have been sufficient advance warning that their guards ought not have been down. I would agree that the phrase "Pearl Harbor" would be an unfortunate choice of how to express those truths, because of its association with catastrophe. However, if Ohm's goal is to persuade Clarke to change his rhetoric, it seems far more fruitful to suggest to him that he be more careful in how he expresses truths than to assume he must have been expressing one of a list of obvious falsehoods. No one likes being called a liar, even if "lie" is spelled "horribly exaggerated overstatement." Offending someone is hardly a good start at persuading them to change their ways.
4.9.2007 1:36pm
Aultimer:
Guest J and Max -

Technology law already has its share of confusing/overloaded terms. "Proof" is my favorite - it has the "absolute and unambiguous truth" meaning to most techies, while most legal types interpret it as "the slightest evidence in one direction." We can figure out "superuser" pretty quickly, especially since many of us learned the technical version as an analog to "root".
4.9.2007 2:02pm
Max Hailperin (mail) (www):
Aultimer- My claim was not that we couldn't figure out Ohm's vocabulary. Rather, I was suggesting to him that if he were to change it prior to publication, he might find that his ideas get a better reception from a broader audience. Plenty of means of communication are intelligible without being maximally effective. I would also suggest that the analogy with "proof" is weak. Lawyers and mathematicians are each following traditions dating back to at least the 15th century in how they use this word. As such, when they come into dialog with one another, the resulting confusions are not easily avoidable by either party. By contrast, here we have a case where the computer systems community has been using the word since the early 1970s and suddenly in 2007, a law prof comes along with the specific intent of entering into dialog with that community and starts using the word in a new sense, one not previously present in his community any more than in theirs. Unlike with "proof," he could easily change his vocabulary prior to publication and thereby improve the effectiveness of his communication. This isn't about right and wrong, it is about effectiveness and ineffectiveness.
4.9.2007 2:18pm
Ken Arromdee:
Online groups are active and highly dedicated to 'protecting' infringement and making it increasingly difficult to enforce the DMCA.

This is so only if you buy the rhetoric that the DMCA is to prevent piracy. The DMCA is not there to prevent piracy; the DMCA is there to allow the entertainment industry to implement their licensing scheme, because making an unlicensed player is illegal per DMCA, and you won't be allowed to make a licensed player unless you pay them money and agree to a lot of restrictions (including but not limited to region coding).

The DMCA has been fairly successful in this regard.

Don't assume that the stated reason for something is the real reason.
4.9.2007 2:28pm
Paul Ohm (mail) (www):
I'm happy to have so many commenters, although I'm sorry so many of you have gotten tripped up on my use of the word, Superuser. Max Hailperin, your comments in the other thread, in particular, have me seriously considering a change. On the other hand, Jim G, I intended the association with capes. My point is about overmythologizing these people, and I like tapping into the Superman/Super Hero mythology by analogy.

I'm trying to walk a tightrope here. I want to engage non-technical policymakers as well as technical computer security experts. The former audience has never heard of superuser in the Unix sense, and they also like catchy, quotable descriptors. I definitely don't think cracker works (Honestly, RMS's and ESR's protests notwithstanding, I think the hacker/cracker ship set sail a long, long time ago.) Super-hacker isn't bad, although something deep inside me cringes at the thought of having the "H Word" in my article's title.

But I do want to engage computer security experts as well, and I don't want them to tune out five words in!

But indulge me in a little fantasy here: let's say my argument catches on. What's wrong with my attempt to add a second meaning to the word, superuser? Won't we know most of the time from context whether Superuser is meant in the "don't mythologize power" or the `cat /etc/shadow` sense of the word? Plenty of words have more than one meaning, and most of them have meanings that shade into one another but have different subtle connotations.
4.9.2007 2:34pm
Guest J:
Paul Ohm:
I guess context will usually provide a guide, but it just seems ... I don't know ... almost willfully confusing to step on such a previously unambiguous word. A lot of words that have multiple meanings are the short ones, whereas the longer technical terms are usually more unambiguous. Yes, ambiguities can be worked out from context, most of the time, but it makes it harder and slightly less pleasant to use a term in communication. Again, imagine if there were a new software concept called "probable cause". Wouldn't you think to yourself "Why on Earth did they reuse such a specific term of art?" It would not incline you to be friendly towards the new coinage. It's not *impossible* that a software concept of "probable cause" could somehow catch on and be disambiguated by context, but it sure introduces an obstacle to overcome. Not something you want to do with a new coinage.

What's wrong with the "h word" in a journal article title? That is, after all, what you're talking about! I agree with you that hacker has a clear meaning in the wider culture. I think ESR needs to accept that both meanings are at large. Paul Graham wrote an essay about how both meanings are extant, and a classic text on firewalls -- perhaps the first really significant book on the topic, was Cheswick's and Bellovin's _Firewalls and Internet Security: Repelling the Wily Hacker_.
4.9.2007 3:08pm
eddie (mail):
Sorry to dogpile on "superuser", but I find the term a poor choice not only because of the established meaning in the computer security field (which you should be concerned about, considering the significant overlap and cooperation between computer security technical experts and computer crime legal experts) but also because I think it poorly conveys your intended meaning.

The "super" adjective is clear, and I appreciate your invocation of Clark Kent and Nietzsche. But I don't think "user" is the right noun. The person you are describing is not merely a computer user, any more than they are merely a person. They are exercising their exceptional skills to overcome barriers that authorities are errecting, either to defeat DRM or steal identities or commit other sorts of crimes - some of which arguably should not be crimes (here alluding to the copyright and reverse engineering debates).

The term you are looking for is "hacker". Both its original meaning within the computer geek community as "someone with superior technical skills and uncommon ingenuity and creativity" or its modern popular meaning as "computer criminal" fit perfectly with the role you are describing. Tack on the adjective and "superhacker" indeed rises to the mythological status that you allege the authorities are responding to.

Maybe tomorrow and Wednesday you'll get some substantive comments on the paper itself.
4.9.2007 3:23pm
eddie (mail):
Besides, if you're intending to homestead on the noosphere, I would grab "superhacker" over "superuser" in a heartbeat. Consider that someone who is trying to raise a scare scenario about cyberterrorism or what have you is likely to describe their theoretical enemy as a "superhacker". If your argument takes off, then you'll have preempted that move; they'd be rightly viewed as hyperbolic and comical. Even if they don't use the term and instead talk about "highly skilled cyber operatives" or some such bullpuckey we'd still be able to (rightly) make fun of their arguments by accusing them of worrying about Superhackers.
4.9.2007 3:30pm
Porkchop:
Paul,

I spent a couple hours last week with some of your old friends from the Computer Intrusion Section of the FBI Cyber Division discussing botnets, bot pimps, and computer intrusion at financial institutions. I'm not on the technology side, but certainly I found their presentation on risk convincing. This is one of those classic risk assessment situations where the likelihood may be low, but the consequences could be catastrophic. The "superuser" menace may be overstated (and poorly named), but there seem to be plenty of naive under-secured internet users who fall prey to the bots and their handlers.

You may be right in your assertion that most intrusions are attempted by small timers and most identity theft is at a low level, for example, stealing data from unencrypted laptops. The TJX matter, though, gives one some pause, I think. No one even knows the extent of the theft, because of the practices of the retailer. The ready market for stolen information on IRC sites at, I understand, relatively low prices seems to indicate that there is plenty of stolen data out there. A successful intrusion at a major credit card issuer could certainly have disastrous consequences.
4.9.2007 4:25pm
logicnazi (mail) (www):
Taeyoung,

They have already revoked the key from WinDVD after it was reverse engineered out of the system.

Also targeting 'superusers' in terms of the DRM issue is both deeply unjust, unworkable and probably unconstitutional. It is unjust because the real 'superusers' who often enable the breaking of these protection technologies are primarily academic researchers publishing academic papers about the security of various encryption systems. Once the papers enumerating the flaws of CSS were out it no longer required a genius to implement DeCSS. Either you are going to be putting genuine academic researchers with no bad intent in jail (and making us generally less secure) or you might as well not bother since anonymous programmers in other countries can always just implement the algorithms.

Besides, arresting someone because they published a program that allows you to circumvent encryption for a product you own makes about as much sense as holding gun dealers liable for any deaths they cause. We might know some of the product will be used illegally but that doesn't mean that it has no legal uses, e.g., fair use.

In either case I don't think there is a need for this. The encryption community has plenty of robust algorithms they could use. However, both the DVD people and the HD-DVD/Bluray people prioritized cheapness over cryptographic integrity and as a result their systems are considerably less secure.
4.9.2007 4:44pm
_____:
The superuser has long been a useful cover, if you will, for a range of activities that are actually conducted with a good deal of coordination by a number of individuals who are often inside the industries or companies promoting particular security technologies.

For instance, it is acknowledged that "DVD Jon" had help from industry insiders when he came up with DeCSS. Here, the idea of the "genius superuser" was clearly at play. Further, remember, when a kid does something like this, from a legal perspective, the penalties the kid faces are drastically reduced . . . the kid is consequently used as a proxy.

I don't think that Linus owes the creation of Linux to Minix, but I suspect there have been points where useful code relating to kernel optimizations that was kept as a trade secret by several different companies may have been contributed to the open source community by employees of those companies, who were conflicted as to whether something should be kept secret (i.e. knowledge should be free). The genius idea provides a plausible counterexplanation.

Another reason the superuser myth got started lies in the realm of copyright--have a kid "clean-room" generate code, and claim, hey, he's a genius, he came up with it himself, and the effect of another software company's copyright went away . . . patents have changed the legal regime, but the myth lived on.

Not to say there aren't geniuses out there--I even know one or two--but they tend to have interests that are noncommercial/noneconomic in nature. They're not really motivated to commit crime, in general, with significant exceptions.
4.9.2007 4:59pm
Taeyoung (mail):
Re: Logicnazi
They have already revoked the key from WinDVD after it was reverse engineered out of the system.
WinDVD doesn't trigger the same consumer backlash concerns as revoking keys for a hardware player would, or at least, not the same degree. WinDVD is a software system, after all, and the slashdot article linked above indicates they are distributing a patch/update that will give them new device keys (probably to be broken almost immediately). WinDVD is also, as far as I know (I've only had it come as bundled software) much cheaper than the $600+ HD-DVD and Blu-ray players you see on the market these days. As a result, I don't think the WinDVD situation gives us much insight into what the industry's general approach to code revocation is going to be.
Besides, arresting someone because they published a program that allows you to circumvent encryption for a product you own makes about as much sense as holding gun dealers liable for any deaths they cause. We might know some of the product will be used illegally but that doesn't mean that it has no legal uses, e.g., fair use.
Hey, I'm not making a value judgment about the rightness of arresting people for developing DRM cracks or suing people for developing filesharing protocols. We know, empirically, though, that the RIAA and MPAA are pushing for those kinds of laws, and those applications of the law. And in fact, that they have got those kinds of laws too -- my (non-expert) understanding of the DMCA is that the anticircumvention provisions already penalise the distribution and use of unauthorised programs implementing the DeCSS crack, and any other DRM cracks out there. Strictly speaking, though, they don't seem to penalise fair-use copying itself, only the circumvention of the content-control system put in place to prevent that copying. The legality or whatever of what the user is trying to do by circumventing the content-control system is probably not the issue -- certainly the RIAA and MPAA don't care.
4.9.2007 5:29pm
Paul Ohm (mail) (www):
A fair number of you have talked about DRM. I spend a good deal of time on DRM in the paper, in Part II.F ("The Myth and Legal Scholarship").

Specifically, I take on the popular, Superuser-myth notion that all DRM eventually will be broken. Whether or not this is true in an absolute, computer scientific-theoretical sense, I think there are two important, underappreciated caveats:

First, even if DRM is inherently vulnerable, what matters more for the policy debate is how long it takes for the Superusers of the world to break any particular DRM implementation. According to this ArsTechnica piece, the DRM implementation of Windows Media Player was not "widely breached" from late 2001 until FairUseForWM was released in August, 2006.

You can argue that nobody has needed to break the DRM on WMP because they could get their DRM-free music from other sources (ripped CDs, iTunes) and although this is relevant if you're thinking about DRM from the global/RIAA point of view, it's not terribly relevant if you're looking at it from Microsoft's point of view. From that vantage point, DRM that survives for five years is plenty good, especially because once it is cracked, Microsoft can force an update of the software on you, as pointed out in articles by Picker and Zittrain.

Second, many people point to Biddle, et al., and the Darknet paper for the idea that all DRM will be broken. In great detail, I point out that this is simply "an assumption" of the Darknet paper, and to elevate that paper to providing "proof" is to skip a step.

Finally, it all turns on what I call the "limits of human bandwidth". If there are enough Superusers with enough time and motivation to crack a particular DRM implementation, they will probably (eventually) succeed. But given the number of adjectives and caveats in that sentence, it's not terribly helpful to merely repeat a mantra, "DRM is inherently vulnerable." Policymakers need to understand the cracking landscape: they need a head count of DRM circumventors; they need statistics on the usual lifespan of an average DRM implementation. These numbers will be hard to come by, but as far as I can tell, because of the Myth of the Superuser, nobody has tried.
4.9.2007 6:52pm
Taeyoung (mail):
Policymakers need to understand the cracking landscape: they need a head count of DRM circumventors; they need statistics on the usual lifespan of an average DRM implementation. These numbers will be hard to come by, but as far as I can tell, because of the Myth of the Superuser, nobody has tried.

Isn't part of the problem simply because there's no way to generalise reliably about the success of DRM without working back down to the underlying DRM approach involved? I think the record for the shortest time-to-crack for a DRM system is probably held by Sony's Key2Audio system, which I recall was cracked in a matter of days. But the solution (draw a line around the edge of the CD with a sharpie) was unique to the system -- it's not like a brute force crack, where there's a key, say, and the key is so many characters long, and it will take X computations to brute force it. Similarly, some proposed solutions for getting around whatever that content protection system encoded into the new HDMI standard (1.3?) is, apparently consist of a hardware box with the same chip you have in the TVs and so on, to strip the content protection out of the digital audiovisual signal, so you can either view the signal on an older system, or rip it to a computer file. These kinds of manual workarounds don't lend themselves well to extrapolation (at least as far as I can see), so while gathering data might be interesting, it's not clear that it would be super useful for policy-makers.

Another issue -- one suggested by the WMV situation -- is that a superuser's motivation to find a crack for a particular DRM system is probably dependent on the availability of alternative equivalent quality sources for the same content. A DVD provides higher quality content than, say, a handycam videotape from the movie theatre, or even a TV broadcast, so there's some reason for many of these superusers to work on a DVD crack -- the motivation given by the user who cracked a number of keys for the Blu-ray content control system was simply that he discovered his hardware wouldn't let him play the content if he didn't circumvent the system, so he went ahead and did so. In contrast, most audio file protection systems, whether it's Apple's system or Microsoft's systems, are protecting material still easily obtained in equivalent quality from alternative sources (e.g. ripping CDs). Sure some people will still work on it, but far fewer than you would get if the content controlled source were the exclusive source. So one question with the WMV system would be: Did people not crack the WMV system because it was a secure system? Or did many people who could have done, given the time, just pass up the challenge as more trouble than it was worth? As a result, a useful evaluation of the time-to-crack, as it were, should take into account the availability of the same or equivalent content in other more accessible forms. And I don't think that's something we can project forward reliably.
4.9.2007 7:26pm
Tom Cross (www):
Paul Ohm:

You've written a very interesting paper here. I'm a computer security professional with over 10 years experience and I agree that the level of hype and confusion in this space frequently results in bad policy (although I fear that is not something unique to computer crime). I think you've hit the nail on the head here in several regards. I've seen overbroad warrants that target toasters and television sets, overbroad laws that couple mandatory minimum prison sentences with no de minimis standard for applicable behavior, and outlandish claims about threats like steganography that are rarely employed in practice. A strike at some of this insanity is quite welcomed. I thought I'd offer some observations:

1. The word SuperUser is somewhat difficult, but it's not nearly as difficult as the word SuperHacker. The word hacker is perhaps the ultimate example of the problems caused by the versatility of the English language. It's perfectly natural to use "hack" as a verb meaning "to break into a computer." You do that in several places in this paper (see page 18 for example). However, it seems almost impossible to use it as a noun without making someone unhappy.

On the one hand you have the news media, and people whose views are informed by the news media, who tend to think computer hacker is a synonym for computer criminal. The media does this specifically because they want to evoke the sort of irrational fears that you discuss. I think it would make many people happy if they would change their style guides to simply say "computer criminal" or perhaps "cybercriminal" if they insist on being sensational. But for the time being if you replace "superusers" with "superhackers" you'll perhaps find people who are shocked by your observation on page 23 that some "superhackers" aren't bad people.

On the other hand, you have ESR and his followers, who insist that people they disapprove of must not be called hackers. Hackers are people who do skillful things with computers for fun (as opposed to "for a living"). Right and wrong is a tangential question, and I think the jargon file definitions have contributed to more ignorance than they have resolved. The community of motorcycle enthusiasts, for example, has myriad subgroups, and while one might discuss the shared notions of that subculture in a general sense, individual participants may be evil or good, and nothing about their individual malice or benevolence impacts whether or not they are reasonably considered "motorcycle enthusiasts."

I think the biggest problem, however, with using the word superhacker here is that it does imply an amateur. On page 23 you refer to Ed Felten. The fact that he is a professional computer scientist frankly raises him above the term "superhacker." I'm not sure the word really does him justice. Your SuperUsers are a superset of hackers and professionals.

I wish I could provide you with a great alternate suggestion. PowerUser comes to mind, but it's a term from PC marketingspeak and doesn't exactly fit what you're talking about either. You might resolve the question simply by moving your discussion of the history of the term "superuser" out of the footnotes and directly into your paper. I don't really think the term is a huge problem as long as your readers know you aren't confused. However, you might also consider "the myth of the Dangerous Expert."

2. The problem you're having with DRM is that computer experts are asking a technical question and you're asking a sociological one. As a computer security expert I can confidently tell you that you can't build a DRM technology that is "unbreakable." Although I think trusted computing architectures, in which the user isn't really in control of the computer, could come close, ultimately, if I tell you something, you can repeat it to someone else, and that's a basic fact of physical reality that you just aren't going to engineer around no matter how hard you try.

Whether DRM is useful for some sort of social purpose is a different and more complex question. The ability for SuperUsers to distribute circumvention technology is part of the puzzle, but you'd be surprised at how easy some lockpicking tools are to use. Sometimes you really just need to keep honest people honest, and make the legal means also the most convenient means, and the amount of theft you'll see will be minimal.

I think you understand this distinction, but clearly given the debate it sparks you should endeavor to be as clear as possible about it in your paper. The fact that the music industry seems to have started parting ways with DRM in the last few months may mean that the question is moot. Some of the other factors in the social puzzle may have tipped the scales...

3. A note about secrecy: I work with software vulnerabilities. Some user communities (for example, Apple customers) largely believe their software is immune to vulnerability. Furthermore, in this industry, no one really cares about academic proofs. People are very emotional about security problems and a paper that provides a mathematical proof that 1+1=2 is quickly dismissed as theoretical and its advice ignored. However, someone who actually implements an attack that everyone in professional circles always knew was possible and demonstrates it to the public often gets wide spread attention and reaction from user communities. It shouldn't be this way, but it is.

Now, the problem is the only way I can truly demonstrate a vulnerability such that I can completely satisfy people who deeply want to ignore me is to fully disclose its details and provide proof of concept code that other people can run and reproduce my result. Generally speaking, I don't want to do this, specifically because it enables other people to reproduce my result! So I've got to give you something less than 100% of the detail. In fact, the less detail I give you, the better off you are, and you may, in fact, need to rely on other experts to confirm my results by filling in the blanks.

What I'm saying is that there are good reasons for secrecy in this field, at least in some contexts, and before you demand proof you should be careful what you wish for.

4. You make a couple of assertions that I have trouble with. I wouldn't be so confident in the claim that the entire Internet will never crash. Certainly, large parts of the Internet and of the telephone network have crashed before, and not always at the hands of malicious people. It's unlikely, but it's not impossible.

More important is your skepticism about botnets. Yes, they are a big, big, big problem, and yes, we have data. Nearly every bit of malware out there is part of a centrally controlled botnet. Most of the signature updates that your anti-virus software has gotten in the past 5-10 years are targeted at individual malicious programs that make up specific centrally controlled networks. If you want a source for data, one might suggest shadowserver.org. Those guys have a heck of a lot of statistics on their website. They are tracking over 2 million infected hosts as of this writing.

Now, it does not necessarily follow from the fact that botnets are a problem that there should be no floor for the sort of computer crime that warrants federal prosecution. I'm reminded of an anti-phishing bill in Georgia that sets a 1 year minimum prison sentence but doesn't differentiate between a single email used to capture a single password to an insignificant service and a million emails used to capture thousands of passwords to bank accounts. The point, as you make it, is that legislators need to specifically describe what it is that they are really trying to control. This observation leads me to my final point...

5. Why do we have so many laws that target specific technologies? In my mind, laws should relate, as much as possible, to human behavior and not technology. For example, murder is illegal. The method through which murder is committed is irrelevant. We don't have one law against murder with a gun and another law against murder with a knife, and we don't run into problems wherein murder with a spatula isn't covered and we're unable to prosecute someone who does it. We already have laws against fraud. Why can't we prosecute phishers under it? They are clearly misrepresenting themselves for a criminal purpose. They may be committing thousands of individual offenses as they send out their spam. Why are normal anti-fraud laws insufficient to cover that scenario?

I think a huge amount of technology oriented legislation is redundant to technology neutral laws that already exist, and that's something I'd love to see discussed as a primary question in a paper like this instead of just as a footnote. We could eliminate a lot of problematic, overbroad legislation if the legislature sought to avoid directly addressing technological means as much as possible, and instead focused on the right and wrong of human relationships.

Regards,
Tom Cross
4.10.2007 4:04am
Tom Cross (www):
In retrospect, another way to deal with the terminology problem is to use "superhacker," but carefully avoid it in the context of other kinds of experts, such as professionals, which means only a slight change in your current use of "superuser." The comments from Guest J and Eddie are apropos. Sensationalists are likely to say "superhacker" and you are addressing them. You could revert to using "experts" in the section about guilt by association and perhaps drop a footnote acknowledging that hacker is a word that doesn't always refer to bad guys.
4.10.2007 4:22am
Bruce:
Great stuff Paul. Some comments:

1. I agree with your take on the Darknet paper. I also think Tom Cross's distinction between "technical" and "sociological" questions is a pretty useful one.

2. "Phil Howard and Kris Erickson of the University of Washington released a study which found that sixty percent of reported incidents of the loss of personal records involved organizational mismanagement, while only thirty-one percent involved hackers." I don't have a link handy, but there's a brilliant example of this in the form of "super-hacker" (or is it "super-user?") Kevin Mitnick. He got access to a lot of systems simply by calling up and asking for passwords. In other words, his most "leet skillz" were good old-fashioned con-artistry. Industry-types worried about computer security often fall prey to the myth of the super-user by assuming that if they just buy a more expensive firewall, their problems are solved.
4.10.2007 11:21am
Oren (mail):
The revocation of the WinDVD key means very little in the long run because, as long as there are software players, one can debug them and grab the key from memory (note that Vista's PMP has already been cracked, allowing anyone to protect and unprotect any particular program at will). The media companies must either completely forgo any software based player (and in that case, somebody will extract a key from a hardware player, just to prove that they can) or accept periodic breaking of the system.

As far as my original post is concerned, I wanted to emphasize three important points that got lost in the details.

(1) Superusers have a disparate impact because DRM is a weak technology - broken once broken forever (key revocation changes little).

(2) There is developing a large "middle and upper class" of users on the internet whose considerable skills, resources and organizational talents make them very effective at their goals. Quite a bit more has been accomplished at this level than at the rarefied peaks of skill.

(3) Legal methods of impeding these individuals' goals are all-but-doomed to fail.
4.10.2007 12:10pm
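The revocation argument in the comment above (a key dumped from a software player keeps working against every disc already pressed, and the patched player just hands over a new key) can be made concrete with a toy simulation. This is an added example, not code from the post or from any commenter, and it is not AACS: the real system uses a subset-difference tree and AES, while this model simply encrypts the per-disc media key under every non-revoked device key and uses a SHA-256 keystream XOR as a stand-in cipher so it runs with the standard library alone. The device names, the `Licensor` class and the scenario steps are all constructed for illustration.

```python
"""Toy model of device-key revocation in a disc DRM scheme (not AACS).

Assumed model: each disc carries a "media key block" (MKB) that is the disc's
random media key wrapped under every device key the licensor has not revoked;
the content is encrypted under the media key.  A disc, once pressed, never
changes, which is the whole point of the exercise.
"""
import hashlib
import os


def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256; a stand-in for a real block cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, label: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, label, len(data))))


decrypt = encrypt  # XOR keystream: the same operation in both directions


class Licensor:
    """Issues device keys, presses discs, and maintains a revocation list."""

    def __init__(self, device_ids):
        self.device_keys = {dev: os.urandom(16) for dev in device_ids}
        self.revoked = set()

    def revoke(self, device_id: str) -> None:
        self.revoked.add(device_id)

    def issue_replacement(self, device_id: str) -> bytes:
        """A patched player ships with a fresh device key."""
        self.device_keys[device_id] = os.urandom(16)
        return self.device_keys[device_id]

    def press_disc(self, content: bytes) -> dict:
        media_key = os.urandom(16)
        mkb = {dev: encrypt(dk, b"mkb", media_key)
               for dev, dk in self.device_keys.items() if dev not in self.revoked}
        return {"mkb": mkb, "body": encrypt(media_key, b"content", content)}


def unwrap_media_key(disc: dict, device_id: str, device_key: bytes):
    """Returns the media key, or None if this device is absent from the MKB."""
    if device_id not in disc["mkb"]:
        return None
    return decrypt(device_key, b"mkb", disc["mkb"][device_id])


def play(disc: dict, device_id: str, device_key: bytes):
    media_key = unwrap_media_key(disc, device_id, device_key)
    if media_key is None:
        return None
    return decrypt(media_key, b"content", disc["body"])


def scenario() -> dict:
    """Walk through leak, revocation, patch, and re-leak; return what happened."""
    film = b"feature film payload"
    lic = Licensor(["hw_player", "sw_player"])
    disc1 = lic.press_disc(film)

    # Attacker debugs sw_player and dumps its device key from memory.
    leaked_dev_key = lic.device_keys["sw_player"]
    leak_plays_disc1 = play(disc1, "sw_player", leaked_dev_key) == film

    # Posting the disc's media key is enough for anyone to rip disc1 with no
    # device key at all; nothing the licensor does later can change disc1.
    disc1_media_key = unwrap_media_key(disc1, "sw_player", leaked_dev_key)
    lic.revoke("sw_player")
    disc2 = lic.press_disc(film)
    old_disc_after_revocation = decrypt(disc1_media_key, b"content", disc1["body"]) == film
    new_disc_blocked = play(disc2, "sw_player", leaked_dev_key) is None

    # Vendor patches the software player with a new key; attacker dumps it again.
    new_dev_key = lic.issue_replacement("sw_player")
    lic.revoked.discard("sw_player")
    disc3 = lic.press_disc(film)
    patched_key_leaks_too = play(disc3, "sw_player", new_dev_key) == film

    return {
        "leak_plays_disc1": leak_plays_disc1,
        "old_disc_after_revocation": old_disc_after_revocation,
        "new_disc_blocked": new_disc_blocked,
        "patched_key_leaks_too": patched_key_leaks_too,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The two `True` results that matter are `old_disc_after_revocation` and `patched_key_leaks_too`: revocation only protects discs pressed after the leak, and it protects them only until the next key is dumped from the next software build.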
Bruce:
Whoops, I skimmed the paper, Mitnick already makes an appearance.
4.10.2007 5:47pm
Penguin Pete (mail) (www):
Let's see here.

You perpetuate the error of calling crackers hackers, thus incriminating everybody who works in free software.

You go further to give the media a new term to misidentify crackers, with superuser, even after acknowledging that it's wrong. So now if I mention I went superuser on my Unix system to install something, I can expect SWAT teams to descend and haul me off. Gee, thanks. Just when I'd learned to never say "hacker" again in public. (I'm not kidding. I almost got fired once because my boss didn't know what 'hacking' meant, when she overheard a conversation.)

Then you go on at length when you could have just said this is how real-life computer break-ins happen:

Method A:
1. Google for "Warez Windoze Exploitz"
2. Download something like "S.A.T.A.N" or "Back Orifice".
3. Run it, following the provided directions.
4. Brag about it on AOL.

Method B:
1. Pay somebody else to do it for you with a bot-net.

So, where the heck were you 20 years ago?
4.11.2007 7:29pm
Bitz (mail):
My suggestion is to augment your legal education with a computer science education. It certainly helps when you desire to analyze both issues in parallel to know what you are talking about.
4.11.2007 10:23pm
Balt (mail):
The Howard and Erickson paper should be taken with a grain of salt, inasmuch as they scramble two important distinctions to come up with statistics that sound impressive, but actually aren't very helpful in targeting the prevention of actual harm.

First, they lump together accidental loss (i.e., a backup tape gets lost in the mail) with physical theft (i.e., somebody steals a laptop) under "organizational mismanagement." It's unclear why an inadvertent act (loss) is combined with theft. Or why a failure to buy a sufficiently secure door lock that allows someone to steal a computer out of an office is "mismanagement" but the failure to properly secure a firewall is not.

The distinction is important because of the other issue they gloss over: they make no distinction between data which is simply lost and data which is stolen in a manner that poses a real threat. There is a real difference between a backup tape lost in the mail (which even if not encrypted, often requires expensive specialized equipment to access) vs. a laptop stolen by a junkie in a smash and grab in a bank branch vs. a laptop stolen (or database hacked) by someone who is interested in identity theft.

While Howard and Erickson did not probe their data to make these distinctions, anecdotal evidence suggests that while "organizational mismanagement" as they define it may be responsible for a majority of the reported breaches, the proportion of breaches that cause actual harm in the form of stolen identities is very different.

Why does it matter? If you exclude the tapes falling out of boxes and getting tossed in a shredder by the shippers and the computers stolen by junkies who can't tell a database from a .jpeg; if you exclude the data breaches that don't cause actual harm and concentrate only on the ones which do, one may find a much smaller pool of bad actors.
4.12.2007 11:45am
James Guest:
Tom Cross

3. A note about secrecy: I work with software vulnerabilities. Some user communities (for example, Apple customers) largely believe their software is immune to vulnerability.

Well you can't have a conversation about computer security without an appearance from Artie McStrawman.
4.12.2007 12:32pm