Cyber Patrol break FAQ (version 1.11)

Meta-questions

What's this all about?

This FAQ is intended to answer frequently asked questions about Eddy L.O. Jansson's and my essay, titled The Breaking of Cyber Patrol® 4, the resulting court cases, and related topics.

To summarize:  we took apart, to see how it worked, a software package designed to filter out undesirable content (such as pornography) on the Web.  We published a document explaining what we found inside the software.  The makers of the software sued us.  We settled out of court.  Issues related to this chain of events are still being fought in the courts and elsewhere.

What's the status of this FAQ?

This is version 1.11 of this FAQ, last updated September 25, 2001.  I'll probably be posting further updates as more things happen, but since the case is now pretty much over and done with, you shouldn't expect this document to change much in the future.  You're welcome to link to or redistribute this FAQ. It is public domain.

This FAQ is maintained by Matthew Skala.

Where can we read/hear/watch more about this?

The above list is incomplete.  If you've suggestions on additional things that should be added to it, let me know.  Where news outlets reprinted each other's stories, or press releases from the plaintiffs with no or minimal new material, I've included only the originals.  It's easy to recognize the plaintiffs' press releases because they carefully misspell my first name.

What have you and Eddy written about this?

Apart from the original reversal essay which we aren't distributing anymore, and this FAQ document itself, here are some additional writings on the subject:

How can we get in touch with you?

Type my name into any search engine, spelled correctly, and I'm there.  You can send me email as mskala@ansuz.sooke.bc.ca, or visit my Web page at https://ansuz.sooke.bc.ca/.  Note that my old URL at islandnet.com no longer works.  Offline, I'm in the phone book; but contacting me online is better.

How can we get in touch with Eddy?

His email address is srm_dfr@hotmail.com.  His Web provider took his site down when they received the complaint from Mattel, but he's got a home page there again now pointing to a less trigger-happy provider.

Cyber Patrol break

What is Cyber Patrol?

Cyber Patrol is an Internet filtering, or "censorware", package.  If it's installed on a computer, it's supposed to prevent users of the computer from accessing undesirable material on the Internet.  The stereotypical use of Cyber Patrol would be for parents to prevent children from viewing pornography on their home computers, although in fact the product is aggressively marketed to schools, libraries, and employers as well as to parents, and it blocks a lot more than just pornography.

The list of Web sites and other things blocked by Cyber Patrol is secret.  The makers of Cyber Patrol have invested a fair bit of work in preventing anyone, including licensed users of the product, from discovering exactly what it blocks.

How did this start?

Eddy L.O. Jansson wrote an essay (under the alias "Saruman") about his work reverse-engineering NetNanny, a package similar in nature to Cyber Patrol.  Along with someone called "Bobban", he'd also done an earlier essay on CyberSitter.  He posted the NetNanny essay on the Web, and I came across it - probably by way of an announcement in sci.crypt, I don't really remember.  I was very favourably impressed with the NetNanny essay, and linked to it from my Web page.  We exchanged a little bit of email at that time.

In late January of 2000 he approached me with an invitation to participate in a similar project focused on Cyber Patrol.  Eddy had already done some work on Cyber Patrol but had shelved the project to pursue other things, when the math started to get too complicated to be fun.  I think the reasons for approaching me were that the job called for a mathematician, I had the skills, and our political inclinations were compatible.

What did you do to Cyber Patrol?

We took it apart to see how it worked.  That process involved examining the software with tools like hex viewers and disassemblers, as well as special tools we wrote for the purpose.  Once we had recovered the algorithms, there was some mathematical analysis to figure out how best to attack them.  The general practice of taking things apart to see how they work is termed "reverse engineering".

The makers of Cyber Patrol have been reported as saying that we "compromised the source code" of Cyber Patrol.  I think that must be a misquote; they are surely aware that our disassembly never yielded anything like the original source code, which would contain a lot of information discarded by the compilation process.  Actually obtaining the source code would necessitate breaking directly into their computers, something which we were careful not to do (and lack the skills for, even if we wanted to try it).

Not too much should be read into my use of the word "attack" for our mathematical analysis of the Cyber Patrol security measures.  That is simply the technical term for this kind of analysis of any security system.  A cryptographic attack need not be hostile - in fact, the first thing any good cryptographer does to their own system is attack it, and the second thing is to invite everyone else on their side to attack the system.  It's much preferable to be attacked by your own side than by whoever you're actually trying to protect against.  Calling it an attack is perhaps unfortunate because it may cause the public to assume I'm out to damage Cyber Patrol; indeed, one of the claims made in the court filings was that Eddy and I were maliciously seeking to hurt Cyber Patrol's business.  But to not call it an attack would require me to either use patently incorrect technical terminology, or strained euphemisms.

The most accurate non-technical description of our actions is that we took the program apart to see how it worked.

What is cphack?

cphack is one of the three computer programs included in our posting.  Eddy Jansson wrote it.  Because cphack is a Windows program, it is probably more useful to users of Cyber Patrol (which is also a Windows program) than the two programs I wrote, called cndecode and cph1_rev, which were also in the package.  The main item in the package was the essay, The Breaking of Cyber Patrol® 4.  The computer programs were intended as illustrations for the essay.

A lot of media outlets have been referring to the entire package as "cphack", probably because that's a much more exciting name than "cp4break", the real name of the package.  Eddy says that he named his program cphack to indicate that it was itself a hack, in a certain technical sense of the word; that choice was perhaps unfortunate, because most people don't really have any clue what "hack" means, and have been drawing invalid conclusions from the name of the program.  We originally intended our posting to be for the computer programming community, where our use of technical language would not have been misunderstood.

cphack, when run on a computer that has Cyber Patrol installed, allows the user to browse the database of blocked newsgroups and Web sites, and the configuration of the local copy.  It can be used to determine the password on the Cyber Patrol configuration file, so a person using cphack would be able to shut off Cyber Patrol; they actually don't need the password to do that, though, because they could instead follow the much easier instructions for disabling Cyber Patrol, that Peacefire was distributing for many months before our own efforts were publicised.

How long did it take?

From when I started, about six weeks with both of us working on it.  Eddy had already done some work earlier, I don't know how much.  I told reporters "basically my spare time, about three solid weekends and a bunch of evenings spread out over six weeks"; that was variously reported as "0nl1 thr33 w33k3ndz, d00d!!" and "six weeks" (the more accurate figure).  I think Eddy spent a similar amount of time.  I view us as having contributed equally to the project.

What did you find in Cyber Patrol?

I have agreed not to further distribute technical details of what we found inside Cyber Patrol.  It was described in considerable detail in our essay titled The Breaking of Cyber Patrol® 4, but I'm not distributing copies of that essay nor telling people how to find it on the Web.  I can tell you that from a technical perspective we found that the program was better than average but still below our standards.

As for the blocking list, we found considerable evidence of poor quality control.  We found some evidence of Web sites that may have been added to the list by automated searches without human review.  We found a great many sites that were blocked under their former but not current addresses, suggesting that blocks are not reviewed once added.  We found some categories that had apparently been applied overly broadly; for instance, anything related in any way to war, explosions, guns, or bombs, for or against, including fireworks displays and anti-nuclear-war organizations, was labelled as "Militant or Extremist".  We found some unusual applications of the "Cult/Satanic" tag, to atheist sites among others.  We found a newsgroup devoted to the writings of the noted science fiction author Philip K. Dick, blocked as drug culture.  We did not, however, find clear evidence of specific political agendas.  That was a refreshing surprise, because certain other censorware packages have been caught preferentially blocking gay-rights or feminist sites.

Microsystems said you didn't really decrypt the list of blocked sites, and that your software was "primitive".  What does that mean?

I don't know what that really means, but it sounds like damage control to me.  In particular, they said that we said that they blocked whole sites, when actually they blocked only the objectionable parts of sites.  It is true that they sometimes blocked only parts of sites, but it is also true that they blocked a great many entire sites, and whether blocking a whole site or just a directory, they often blocked much more than just the objectionable parts.  Our essay documented some examples of this, our software revealed many more, and anyone with a copy of Cyber Patrol (even subsequent to their anti-cphack patch) can verify it by experiment.  They almost never blocked single pages - almost always whole directories at least.  In the version of the blocking list we examined, there were far more blocks on entire IP addresses than on individual directories within an IP address, and almost none on single pages.

What is an "entire site" anyway?  When they blocked a directory instead of an entire IP address, it was usually a directory corresponding to an entire independent set of pages, on a server that served many different sites.  For instance, my personal Web "site", or set of pages, was at the time located at http://www.islandnet.com/~mskala/ (I have since moved).  That's one directory on the server at www.islandnet.com, which server also serves thousands of other people.  I would consider a block on my URL as a block on an entire site, even though my statement that they usually block whole IP addresses still is true even under the more conservative assumption that directory blocks cover only parts of sites.

Maybe Microsystems would prefer to count my directory as just an objectionable part of the entire Islandnet site.  That's not hypothetical, incidentally - my URL is blocked by Cyber Patrol, in every available category, last I heard.  So I don't think our statements on their blocking entire Web sites were at all inaccurate, although if they'd care to publish their blocking list to prove me wrong, I'd be happy to be proven wrong in that way.

As for the question of whether we really decrypted the list of blocked sites or not, it's complicated because the list has several types of data on it.  The main interesting thing on the list is the IP addresses.  We decrypted those.  The other part of the list is specific URL information which identifies which parts of an IP address are blocked - for the minority of IP addresses where anything less than the entire address is blocked.

On those specific URL blocks, we only got partial results.  Better results would not be possible (this can be proven mathematically) without actually spidering the Web sites, for reasons explained in the essay which I can't repeat here without explaining more than I care to about how Cyber Patrol works.  As a result of these limitations, going down the list of URLs, for most of them we correctly got the entire URL, but for some of them we got the name of the server but not the name of the directory.

In all cases we were at least able to identify the server; in most cases the entire server was blocked; in many but not all of the remaining cases, we were able to identify the directories that were blocked; in a few cases we got the server but not the directory.

We also recovered the list of positive-option Web sites (the so-called "CyberYES" list) except for one two-byte field which we decrypted but couldn't figure out what it was for, and we recovered all of the Usenet newsgroup blocking list, and the password and configuration information.

So it is true that we did not decrypt all of the list, but I disagree with the statement that we didn't decrypt the list at all.  I think that's just an attempt to salvage their claim that they have a secure product.

When it comes to our software being "primitive":  if it is, then what does that say about the quality of Cyber Patrol?

They implied that cphack isn't a threat because it requires a lot of computer skill to use the program.  That may well be true.  We were aiming our work at a competent audience instead of the average innocent child.  But if it is true that cphack isn't a threat to the kiddies, that contradicts their claim in court that this program puts porn into the hands of innocent children.  So they should think carefully about whether they really want to say that.

Could they have kept you out?

No.  It is impossible to build software proof against reverse engineering.

They could have made it much more difficult by various techniques that boil down to making the software more complicated so it's harder to comprehend, but ultimately they could not have kept us out.  It is a basic fact of computing that if a computer can run a piece of software, then a human can comprehend that piece of software.  Anybody who tells you otherwise is selling something, usually a snake oil copy protection scheme.  Copy protection doesn't work.  It never did.  Those who do not learn the lessons of history are doomed to repeat them.

Statistics on the strength of cryptographic systems are generally inapplicable to cases like this one.  Yes, a modern block cipher would take trillions of years to crack by the best known current methods, if you didn't have the key.  But in the case of reverse engineering, we don't need to crack the cipher at all.  In order for the software to be able to use its encrypted data files, it must contain sufficient information (i.e. the key) to decrypt those files.  We can recover that information by examining the program.  Thus all efforts to prevent this kind of attack are doomed, at least as long as the protection is limited to software on the local machine, no matter how strong the encryption may appear to be.

There is some hope for limiting the damage of reverse engineering by means of secure multiparty computation protocols.  Note that this does not constitute preventing the reversal (which would be impossible) but only limiting the damage that can be caused by the inevitable reversal.  The Unix password system includes a hashing scheme, where the system stores enough information to recognize passwords without actually storing enough information to recover those passwords.  Cyber Patrol attempted to use a similar scheme, but chose one with serious mathematical flaws which we were able to exploit.  I wrote a paper about a more elaborate hashing scheme adapted to censorware, and won an award from the Communications Security Establishment for it.

The relative sizes of the Web and of computer CPUs put limits on how secure such schemes can be.  As long as we can test URLs offline, we can link a lot of computers together and scan trillions of possible URLs in a few months, essentially scanning the entire Web to see what's blocked (although we're not actually connecting to all the servers).  The most secure censorware package I can imagine, if it's designed to operate independently without a central server, would still be within reach of people like Eddy and myself.  Just barely, but we could do it.

It would be possible to create a censorware system that used a trusted central server instead of having its own local blocking list.  Then the central server could refuse to hand out information quickly enough for a brute-force attack.  A system like that could make it almost impossible to examine the blocking list, as long as the central server was kept secure.  It would still be possible to subvert or disable such a system by interfering with the local blocking package's communication with the central server or by other means.  That holds even if the communication is encrypted, because (just like the case of encrypted data files) the blocking package must contain its own keys.
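The design trade-off in the last three paragraphs, as an added sketch that is not taken from the essay or from Cyber Patrol: a list shipped as one-way fingerprints can recognise a URL without storing it, yet anyone holding the file can test guesses offline, while a central server can ration its answers. SHA-256, the salt, the list entries, the class and function names and the query rates are all assumptions made for illustration.

```python
import hashlib

# Constructed sample data; none of it comes from any real product's list.
SALT = b"constructed-demo-salt"
SECRET_LIST = ["example.org/casino", "example.net", "example.com/~alice"]


def digest(entry, salt=SALT):
    """One-way fingerprint of a list entry (SHA-256 is a stand-in choice)."""
    return hashlib.sha256(salt + entry.lower().encode()).digest()


def build_hashed_list(entries):
    """What would ship to the client: fingerprints only, no readable entries."""
    return {digest(e) for e in entries}


def prefixes(url):
    """Yield host, host/dir, host/dir/sub, ... so a block on a whole host
    or a directory also covers every page underneath it."""
    host, _, path = url.lower().partition("/")
    yield host
    parts = [p for p in path.split("/") if p]
    for i in range(1, len(parts) + 1):
        yield host + "/" + "/".join(parts[:i])


def is_blocked(url, hashed_list):
    """Recognise a blocked URL without the list ever holding it in the clear."""
    return any(digest(p) in hashed_list for p in prefixes(url))


def offline_audit(candidates, hashed_list):
    """The limit of a local list: every guess is tested on the auditor's own
    machine, so the vendor can neither see nor slow the testing. Returns the
    list entries that the candidate URLs hit."""
    found = set()
    for url in candidates:
        found.update(p for p in prefixes(url) if digest(p) in hashed_list)
    return sorted(found)


class CentralOracle:
    """Server-side variant: the list never leaves the server, and each client
    gets a fixed number of answers per time window."""

    def __init__(self, entries, budget, window_s):
        self._hashed = build_hashed_list(entries)
        self.budget = budget
        self.window_s = window_s
        self._used = {}  # client id -> (window start, queries used)

    def query(self, client, url, now):
        start, count = self._used.get(client, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0  # a new window begins
        if count >= self.budget:
            raise PermissionError("query budget exhausted for this window")
        self._used[client] = (start, count + 1)
        return is_blocked(url, self._hashed)


def days_to_scan(n_candidates, tests_per_second):
    """Time to test n candidate URLs at a given sustained rate."""
    return n_candidates / tests_per_second / 86400


if __name__ == "__main__":
    shipped = build_hashed_list(SECRET_LIST)
    guesses = ["example.org/casino/slots.html", "example.edu/"]
    print("recovered offline:", offline_audit(guesses, shipped))
    # Assumed rates: 1e6 local tests/s versus 10 rationed server answers/s.
    print("offline days:", round(days_to_scan(10**12, 10**6), 1))
    print("rationed years:", round(days_to_scan(10**12, 10) / 365))
```

The fingerprinting only limits what a reader of the file learns for free; the size of the candidate space and the rate at which guesses can be tested decide the rest, which is why the rationed server changes the picture and the local list does not.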

Let me reiterate:  what we did to Cyber Patrol was inevitable.  The insecurity of Cyber Patrol against our techniques was not something unique to Cyber Patrol, but rather a general and ultimately insurmountable weakness of all software.  It is impossible to build software proof against reverse engineering.

Some whys

Why reverse a censorware package?

I oppose Internet filtering software on philosophical grounds.  I think it's important for people to think about the issues related to censorware, and it's hard to have an informed debate without knowing what the products actually block.  So that's one reason to make the blocking list available.

Another reason would be consumer protection - if teachers, librarians, employers, and parents are considering buying this kind of software, they have a right to know what they're getting.  If the manufacturer won't tell them what the product does, it's appropriate for someone else to do that; in much the same way that Consumer Reports publishes information about vehicle safety hazards.

Some people have suggested that we were seeking fame and fortune.  It's true that we hoped to advance our status within the programming community by publishing our break of Cyber Patrol, but we weren't looking for the more general publicity we've received.  We weren't looking for money.  If we had been, we would have approached Cyber Patrol directly instead of publishing our results.

Why do you oppose censorware?

Let me take a step back and say that I do think companies like Microsystems have a right to produce software like this, and I think parents have a right to buy it and use it on their own children.  However, I think parents who do that are foolish, and I believe that everyone has the natural right to examine and understand all information, including computer software, that they may encounter.

The science fiction writer Ursula K. LeGuin noted that "Grain grows best in shit." I'd expand on that by pointing out that if you want to protect someone from disease, you don't do it by sealing them in a sterile plastic bubble away from all possible sources of infection.  That would work for a while, but some day it's virtually certain that a gasket would break or something, and then the person inside would have no immunity and probably die from the first minor virus or bacterium that happened along.  If you really want to protect someone from disease, you do it by allowing them to build up immunities to the low-level pathogens in their environment, possibly even getting sick from time to time.  Then when they encounter a more serious potential infection, they're better prepared to defend themselves.

That's one reason I think parents who buy filtering software are foolish.  Only children who can experience the full range of human thought will be able to develop the critical thinking skills, the mental immune system, they need to survive.  Another reason not to buy filtering software is that much of the blocked content is only interesting to children because it's forbidden.

Finally, even if I believed the goals of blocking software were worthwhile, it's a dirty little secret that blocking software doesn't work.  As we documented in our essay, it's easy for a motivated person to find undesirable content on the Internet, even on a computer with a fully functional copy of Cyber Patrol.  So beyond the foolishness of trying to filter the Net, there's additional foolishness in any belief that the attempts are succeeding.

Setting aside the issue of parents and their own children, I seriously question the use of this kind of software by public institutions like schools and libraries, especially when the blocking list is secret.  There you have a case of a private company setting policy for what is and is not acceptable in the school or library.  The teacher or librarian doesn't have any control over what's blocked (beyond the possibly-misapplied "category" selections provided by the software) and he or she doesn't even get to find out what policies are being implemented, because the list is secret and anybody who tries to look at it gets sued for alleged copyright infringement.

That seems like an inappropriate use of public funds.

Why Cyber Patrol in particular?

Many of the other major censorware products had been broken already by others.  Cyber Patrol hadn't.  It was more technologically sophisticated than most, so it was especially interesting.  Finally, Cyber Patrol is one of the most popular, and is especially popular with schools and libraries, so a break of it would carry more political weight than a break of some of the other systems we might consider.

At the time, we had nothing against Cyber Patrol, Microsystems, or Mattel beyond our general objections to censorware.

Why didn't you release it under a pseudonym?

That would only have been necessary if we wanted to avoid getting caught doing something wrong.  Since we weren't doing anything wrong, there was no need to be concerned about that.  Using pseudonyms is sometimes fun for its own sake, even if it's not necessary, but for this particular project we wanted to present a polished, professional appearance, and pseudonyms smack of the unprofessional warez d00d culture.

Someone suggested that it wouldn't have been possible to publish anonymously anyway.  I disagree; I believe that the Cypherpunk anonymous remailer system works.  But for this project it didn't suit our interests to use that system.

Why don't you use your powers for good instead of for evil?

According to my own belief system, using my powers for good is exactly what I was doing here.

Understand this:  I have a religious belief that we were given the ability to think for ourselves on the expectation that we'd use it.  If you have a brain and don't use it, you're failing the power that created you.  Even if you're an atheist, in that case you probably believe in total extinction at death, and then it's even more important to get the most out of your life, because you won't be getting anything else.  So:  I believe it would be a bad thing, yes, even Evil, for me to allow my and others' thoughts to be limited when I have the ability to break the restrictions.  I feel okay about choosing for myself which puzzles to solve, but it is mandatory for me to solve some puzzles, and it's preferable to do it in such a way as to help free others.

That much would be true for anyone, in any situation.  It's even more important for me, in this situation, because of my unusual abilities.  Between the political factors and the rarity of my skills, there are very few people in the world who could have done the work I did on Cyber Patrol.  For me to say no would probably have doomed the project.  So I couldn't escape making a real decision with real consequences.  Power carries responsibility and duty with it.  Scott "kludge" Dorsey once said in a Usenet discussion, "Don't ever let anyone tell you that something God gave you is a bad thing[.]" He was talking to someone else, about something else, but it's a comment I like a lot.

So I'm all in favour of "use your powers for Good!" but I think that in this case, it's a strong argument for, not against, the course of action I chose.

The reversal essay

What did you do with your findings?

We wrote an essay called The Breaking of Cyber Patrol® 4, explaining what we'd found in Cyber Patrol.  We gave a lot of technical details both on how Cyber Patrol worked, and on the techniques and tools we used.  If you printed it out, the essay would total about 40 pages.

We also wrote some software illustrating the attacks we'd found.  In particular, I wrote two C programs called cph1_rev (which reversed the password hash) and cndecode (which decoded the blocking list).  My programs totalled about 1200 lines of C source code.  Eddy wrote a Delphi program called cphack, which did the functions of both my programs and provided a more friendly graphical user interface.  Eddy's cphack was about 3300 lines of Delphi source code.  We also provided a precompiled binary of cphack, so people could use it without programming tools of their own.

We put all four things (the essay, and the three programs) in a ZIP file which we called "cp4break".

How did you distribute the essay and programs?

We put the files on Eddy's personal Web site.  I wrote an announcement, which basically just repeated the abstract from the essay, and emailed the announcement to about a dozen family, friends, youth rights organizations, and electronic activist organizations.  We posted to sci.crypt on Usenet, the international discussion group for the science of cryptography.  We also submitted an item to Slashdot.  This announcement went out on March 11, 2000.

What happened immediately after you sent out the announcements?

Slashdot ran a story about it, and a whole lot of people downloaded and read the essay.  We got a whole lot of fan mail.  A bunch of activists and academics posted the essay and software on their own Web sites ("mirroring" it).  This was all more or less what we expected to happen.

Where can we get a copy of the essay?

In order to be quite sure of complying with the terms of my out-of-court settlement, I am no longer giving out copies of the essay or related material, links, or authorizations for anyone else to do so.  Sorry.  Others may still be distributing the essay and related material, outside of my knowledge or control; don't ask me to help you find such people.

The copyright has been assigned to Microsystems Software Inc., of Framingham, Massachusetts, so in theory you could ask them for a copy.  They're on the Web at http://www.cyberpatrol.com/ .

Is the essay banned, or just the cracking program?

All the court documents refer to "cphack.exe and cp4break.zip".  Since cp4break.zip is a package that includes the essay as well as the source code for the three programs and binary for one of them, I think the essay is included in the material at issue.  The plaintiffs have claimed in their press releases that they were only upset about the "Bypass Code" (i.e.  cphack), not the critical essay, but their court filings have always been careful to include everything.  A rational person examining the facts of the case might well suspect that the essay, which reveals the poor workmanship of Cyber Patrol, might be much more upsetting to them than the decryption software, which they can easily render ineffective with a slight patch to their own product.  That could explain why they've been careful to get the court to rule on the essay, while playing up the software as the villain in the press releases.  But that is only speculation.

The lawsuit

What's this about a lawsuit?

That's more or less what I said, when I got the email from Associated Press on the afternoon of March 15, asking for my comment on it.  What came out was that a court case had been filed, "Civil No.  00-cv10488-EFH", in the United States District Court for the District of Massachusetts, in Boston.  The plaintiffs were "MICROSYSTEMS SOFTWARE, INC., a Massachusetts corporation, and MATTEL, INC., a Delaware corporation"; the defendants were "SCANDINAVIA ONLINE AB, a Swedish corporation; ISLANDNET.COM, a Canadian corporation; EDDY L.O. JANSSON, a Swedish citizen; and MATTHEW SKALA, a Canadian citizen".

Who are Microsystems and Mattel?

According to a Slashdot posting:  Cyber Patrol was originally made by a corporation also called Cyber Patrol.  Cyber Patrol was bought by Microsystems Software Inc., Microsystems was bought by The Learning Company, and The Learning Company was bought by Mattel, Inc.  Immediately after the events described in this FAQ, Mattel announced plans to sell The Learning Company.  I don't know who the buyer will be.

So basically, the plaintiffs were the people who make Cyber Patrol.

Who are the various defendants?

Eddy and I are the co-authors of the essay.  Scandinavia Online is the company that operates the server where we posted our essay and software.  Islandnet is the ISP that hosts my own Web site, which never contained the essay or software.

What was claimed in the court filing?

The plaintiffs claimed that Eddy and I had damaged them by publishing the essay and software, and that our ISPs had damaged them by helping us publish the essay and software.  They demanded an injunction to stop us from further publishing the essay and software, and damages.  They also requested a temporary restraining order to prevent further damage while the case was being resolved, and "expedited discovery".  The amount of damages was to be decided by the court, but was claimed (in the demand for expedited discovery) to be greater than $75,000.  The exact claims were:

They also (and this is interesting) demanded that our ISPs should be forced to turn over a list of the identities of everybody who had looked at our postings.  As anyone familiar with the technicalities of the Web knows, between anonymizers and dynamic IP addresses it would be difficult for the ISPs to comply with such a ruling even if they wanted to.  It has also been suggested that providing such a list, even in response to a US court order, would violate the strict Swedish privacy laws.

Why sue in Boston?

Good question.  The court filings claim that the Boston court has "original jurisdiction" over this matter because one of the Web sites we sent our announcement to (probably Slashdot) is based in Massachusetts.  According to the plaintiffs, that means that we were doing business in Massachusetts and are subject to Massachusetts laws.  Whether that makes legal sense would be something the judge would have to decide.  Microsystems is based in Framingham, Massachusetts, so it would be much more convenient for them to argue in a Boston court than one in Sweden where our document was posted.

How did you find out about the lawsuit?

I came home from school on the afternoon of March 15 and found an email waiting for me from Associated Press, asking for my comment on the lawsuit filed against me.  That was the first I heard of it.  The reporter was kind enough to send me electronic copies of the court filings.  I wasn't officially served with the documents until the next afternoon - during my interview with the National Post. 

What happened after the Boston court case started?

I contacted Islandnet, Eddy Jansson, some of my local friends and family, the EFF, and the EFC. Islandnet officially asked me to remove the link to the reversal document from my Web page, which I did.  Please note that despite what was reported by various news outlets, I removed the link because Islandnet requested that I do so, not for any other reason.  After talking to the EFF and some people they put me in touch with, I chose not to hire a lawyer in the USA since that could put me under the US court's jurisdiction when I might not otherwise be.  I did seek legal representation in Canada.

The court case quickly became a big news story in Boston, on the Internet, and across Canada.  My lawyer advised me not to talk to the press, and Eddy adopted a similar policy, and so (after a couple of interviews I gave before receiving that advice) the story quickly took on a life of its own.

I faced a very tough decision as to how aggressively to attempt to fight it.  On the one hand, I believe that what I did was legal and right.  It goes against my grain to allow Mattel or anybody else to intimidate me.  On the other hand, I didn't have a lot of resources to fight with.  I'm just a student myself, not a multi-billion-dollar company.  Electronic Frontier Canada started taking steps to form a legal research and education fund, which could be used to support me; their estimates of how much could really be raised by such a fund, however, were just enough to give us a chance; not enough to really have any confidence of winning.

This appears to be a parallel between the law and mathematics:  I can write the correct answer on a math test and still get zero marks for it if I don't show my work or follow the directions for how to solve the problem; similarly, I can do something legal and still be punished severely for it if my side's money runs out before the other side's money does.  Since Mattel is big, and I'm little, and this is Canada, where many of the legal issues have not been formally decided yet, they could stretch the case out arbitrarily, and no matter how obvious my right to take things apart may seem to my fellow tinkerers, ultimate success would be dicey.

Of course I was disappointed by this state of affairs.  When we published the essay I didn't expect a lawsuit, but I had also thought, "Well, if there is a lawsuit it won't be a problem, because there are organizations that take care of things like that." I fondly imagined that in case of legal silliness, someone would just step in and say "We'll take it from here." What I found out was that those organizations, through no fault of their own, were able to give me a lot of sympathy and not enough of anything else, particularly money, to bring my personal risk of tragic consequences down to an acceptable level, despite, incredibly, the fact that what I had done was legal.  Ultimately, I couldn't rely on anybody to deal with my problems but myself.

Some people learn that lesson a bit less impressively than I had to.

The settlement

How did you proceed?

My lawyer negotiated with the Vancouver-based lawyers for the plaintiffs, towards an out-of-court settlement.  While we were negotiating in good faith, before the deadline they had set for when they would escalate matters, the plaintiffs started a court case in British Columbia Supreme Court in Vancouver as well.  Even after that, we continued to be accommodating of their demands for further compromise of our position.

We reached an out-of-court settlement late on March 24; it was announced in the court hearing in Boston on the 27th.

What was the settlement?

I agreed to stop distributing the essay, software, and associated material.  I agreed not to break any more of their software or help others do so.  I also agreed to transfer to them my rights to the essay and software, insofar as I had any, for a dollar.  The copyright assignment was given reluctantly, but they were unwilling to consider a settlement without it.  In exchange, they agreed to drop both court cases.

I'm starting to wish I had also asked for them to agree to stop calling me a criminal in their press releases.  Since they've signed a document saying that they're dropping their claims that I broke the law, it seems like dirty pool to continue blatantly making those claims to the press.  I suppose if I really cared I could try to sue them for libel, but I guess it's a sticks-and-stones thing, and at this point I'm quite sick of lawyers and courts.  I'm not calling them very many of the creative names I can think of.

The plaintiffs' spokeswoman was quoted as saying that I'd agreed not to teach my skills to other "hackers".  That statement is possibly misleading, because my agreement not to help others reverse engineer Microsystems products was limited to the specific angle of reversing Microsystems products.  As a member of the academic community, I could well be called upon to teach my reverse engineering skills in a more general way, and my agreement with the plaintiffs doesn't cover that.

What about Eddy?

He arrived at a similar settlement.  It was a little confusing because his lawyer was negotiating on his behalf, without Eddy's direct participation, partly for geographic reasons; Eddy's lawyer agreed to the settlement, which he did have the authority to do, several days before Eddy knew about it.  Microsystems told me they had a settlement with him, I agreed to mine, then Eddy told me he hadn't settled yet, and for a while it looked like Microsystems might have lied to me.  It turned out that they hadn't, at least not on that particular point; it was just a matter of Eddy not knowing what had been done on his behalf.

Where can we read the settlement documents?

My settlement with the plaintiffs is in the court record and you can view it on Frank Ritter's page as scanned GIFs.  I think there's a machine-readable version floating around too, but I couldn't lay hands on it to link here.

I have not seen Eddy's settlement agreement and don't know where you could get it.

I'd especially like to direct your attention to paragraphs 7.2, 7.4, and 7.5.  Microsystems surely intended that those paragraphs should limit my options should I claim that they cheated me, but the wording cuts the other way as well.

Was the settlement secret?

No.  Out-of-court settlements are often secret, but this one wasn't.  There was no secret appendix to the public part of the settlement.  No cash changed hands except the copyright assignment dollar, and of course a lot of money in fees from both sides to our respective lawyers.  The concept is entertaining, but I didn't get thousands of dollars worth of Mattel merchandise, nor any other particularly exciting bribes or special considerations either.  Just the agreement to drop the lawsuits.

A lot of people have suggested that Mattel ought to offer me a job.  No such offer was ever made, and given the company's highly unethical actions during and after the lawsuits, any such offer would go to the bottom of my list.  It was a long list even before we published the essay, and has been added to greatly since then.

Why did you accept the settlement?

Because the chance of losing the court case, and the consequences if I did, outweighed the possible value of winning the court case.  I had already made my political point and would not gain much by making the legal point as well; losing the case, however, would be a Bad Thing.

Most of the people who say I shouldn't have settled seem to be basing their statement on their assessment of whether my actions were legal.  That's the wrong criterion.  I'm sure my actions were legal.  What I wasn't sure of was winning the court case; merely being right doesn't mean one will win, and losing sucks.

Why a Canadian dollar, and what happened to it?

To make the copyright assignment stick.  I don't know if it was actually a legal necessity, but my lawyer thought it was a good idea.  The general concept is that a contract on a sale has a lot more strength than a contract on a pure gift, and so saying "I sell my copyright for a dollar" is more enforceable than saying "I give you my copyright".  It was a Canadian dollar because the contract was a Canadian contract.

Some people have reported that the dollar was necessary under Canadian law.  I don't believe that to be true, and it would be a very dangerous thing to say, because it would throw into question the position of free software license agreements that don't involve a dollar payment.  The dollar was to make sure of enforceability; that doesn't mean the contract would have been unenforceable without it.

I do think it's interesting that the plaintiffs were willing to pay me a dollar for my portion of the rights to the essay and software.  If the essay and software had been a genuine copyright violation, then they would legally own it already anyway and wouldn't need to pay for it.

I was never given the dollar as a separate payment; it was buried among the numerous nickel-and-dime charges on my lawyer's bill.  For all the creative invoicing we computer geeks do, we've still got a long way to catch up.  But I've got a loonie (that's a Canadian dollar coin, for those not in the know) which I'm using to represent "the" dollar.

Eddy didn't get a dollar, and although I made the offer, he didn't want half of mine.

Is it true that you've agreed to go to jail if you should break the settlement agreement?

The plaintiffs asserted that in one of their press releases, but it depends on a somewhat fanciful interpretation of the settlement agreement wording.  The thing is that because the settlement is backed by a court order (or is to be backed by one - I still don't think the Canadian court has officially agreed to it yet, and that's the one that counts), any violation of it could be cause for a contempt of court proceeding.  As far as I know, a private citizen doesn't actually have the power to "promise to go to jail" unless they're convicted of a crime (otherwise it could serve as a free hotel).  The plaintiffs' boast is really just a restatement of the basic fact that people who break their word tend to get in trouble - and they themselves face exactly the same consequences I could, should they fail to honour their own side of the bargain.

I haven't read Eddy's settlement, but it sounds like he may have agreed to a "liquidated damages" clause, which I did not.  That means that in the event of a dispute between him and the plaintiffs over whether he stuck to his agreement, the amount of damages involved wouldn't be open to question - they've agreed on both sides that it is to be one million kronor.  I don't know for sure that that is the nature of Eddy's settlement, since I only have the plaintiffs' boasts in their press releases to go by, but that's what it sounds like.  In any case, I didn't agree to that.  If they decide to claim that I broke my agreement, then they will have to prove to the arbitrator (in Vancouver, not Boston!) how much money it's worth, and potentially face all over again a lot of the issues they escaped facing this time when they settled with me.

Why was the ACLU surprised by the settlement?

Well, it's months later, and has required some heated email back and forth between me and various fans of the ACLU, but it looks like we've cleared up some of the confusion.

The thing is, on March 15 when I started contacting civil rights advocates, the first people I contacted weren't the ACLU - they were the EFF and EFC, who in turn put me in touch with the Censorware Project and several individual US lawyers, who told me not to hire a US lawyer because it could put me under US jurisdiction.  My top priority was to find a Canadian lawyer, and so (having my hands full with that) I didn't follow up some of the phone numbers of US lawyers that I had been given, and one of the ones I didn't follow up was Chris Hansen of the ACLU. People I talked to were certainly talking to the ACLU, but I myself never did directly.

So, since everything was moving so fast, although I was talking to civil rights groups, the news that I and my Canadian lawyer were talking with Microsystems about a settlement didn't make it as far as the ACLU, and they wound up getting a shock in the Boston courtroom.  I don't know who to blame for that, but it at least wasn't all my fault - I was trying to do the right thing.  The remark I've heard, that Eddy and I settled "without informing [our] lawyers", was out of line - the ACLU lawyers were never ours.  Of course I wasn't loudly advertising what I was doing, because you don't broadcast the progress of such negotiations while they're in progress, but I certainly thought I was keeping the appropriate people informed as much as they needed to be.

As of the 20th or so, when we were looking towards making the deal (it was finally signed on the 24th), the main civil rights organization I was talking to was EFC, via David Jones.  Being Canadian, they were a lot more able to do anything practical to help me.  I certainly made clear to Dr. Jones that I was seriously considering an out-of-court settlement.  He was working on setting up a legal fund that would be available for me, and he fully understood that my priority was to protect my own interests, and I wouldn't be going to court unless I had to.  But EFC ain't ACLU, so the ACLU didn't find out about that until too late for it to be useful to them.

What you must understand is that although lots of people thought I ought to go to court, that isn't legal advice.  Even the US lawyers I spoke to who said that I was pretty clearly in the right, were not giving me legal advice at the time.  Legal advice is when you pay a lawyer (or in some official sense have them agree to skip being paid) to tell you his or her professional opinion; one difference between that and "well, you'd probably win" is that with legal advice you can sue your lawyer for malpractice if they do a bad job.

The formal legal advice I received was that I should accept an out-of-court settlement if I could get one on reasonably acceptable terms.  I was, of course, free to ignore that advice, but:  I do consulting work within my own area of expertise and give non-experts professional advice myself.  If I had a dollar for every time one of my own clients ignored my formal professional opinion that they were paying for because they thought they knew better, and then they regretted it, well, as a matter of fact I do have a dollar for every time that has happened, and it's a fair number of dollars, although not enough to fund a fight against Mattel.  It makes sense to me that I should pay good attention to my lawyer's advice.  So I proceeded accordingly.  It's unfortunate that that meant the ACLU was surprised by my actions, but I don't think I did less than I should have in the way of keeping people informed.

How did people react to the settlement?

It was mixed.  I was hailed as everything from a hero to a traitor.  I'm sorry that some people didn't like what I did, but that's more or less the reaction I get for everything I do that I consider really important, in a pattern that goes back many years before the events described here.  Like the song says, I can't please everyone so I have to please myself.

Something to consider, for people who know me personally, is that I don't let people off the hook easily.  It's part of what makes me a good writer, programmer, and lover.  If I forced it into court, you would think you understood what I was doing, and you could stop thinking further about it.  By publishing the essay, people who didn't know about reverse engineering had to start learning about that.  By settling, people who didn't know about the realities of the legal system had to start learning about those.  Be assured that I will continue to force you to think about things in the future.

Subsequent events

Was cp4break released under the GNU General Public License?

Eddy and I think it's not GPL. Some people think it is GPL, despite Eddy's and my statements on the matter.  An authoritative answer would have to come from a judge, or at least a lawyer.  Bennett Haselton (of Peacefire) and I almost got into an "Is not!  Is too!" argument about this on a radio show where we were both guests.  (Saved only by our mutual respect and politeness.)

The GNU General Public License, for anyone who doesn't know, is a special set of licensing terms which can be applied to computer software.  The GPL states that the creator of the software retains copyright, but allows the whole world to freely copy and use the software under certain conditions.  Many important pieces of software, including the GNU C Compiler (gcc) and the Linux operating system, are under GPL.

This would be an issue, of course, because if the software associated with our essay was GPL, the GNU GPL is supposed to be irrevocable, and so even if Microsystems might now own the copyrights, they would still be unable to limit distribution of the software by mirror sites.  Thus they wouldn't really be getting much bang for their copyright assignment buck.

Some people have suggested that the whole settlement was a "legal hack", that Eddy and I knew from the start that the copyright assignment was worthless and deliberately sold Microsystems up the river.  I wish I could take credit for doing that, even though it would have been suicidally insane from a legal perspective, just because it would be really cool...  but no.  We did not do any such thing.  The suggestion that it might have been GPL surprised Eddy and me just as much as it did anyone else.  We did not intentionally release the software under the GPL, we did not and do not believe that we inadvertently released it under the GPL, and we did not mislead the plaintiffs about what we were selling them.  Notice that I'm using the word "we" here where elsewhere I use the word "I"...  I'm speaking on behalf of both Eddy and myself, because these are points we've discussed and agree on.

The origin of the confusion is that in one source file in cphack (note that cphack is just one of the four main items in the cp4break package), there's a comment saying "Released under the GPL".  There is also a similar statement in the onscreen "About" box.

I think that doesn't mean much because saying "the GPL" doesn't really identify "the GNU General Public License version 2" as specifically as a copyright notice should.  There are several other things properly called GPLs, including the Nethack and Pteria GPLs.  We did not include the several paragraphs of legal disclaimers that one would normally put on a GNU GPL program.  We did not include a copy of the GPL itself in the package, which one would normally include with a GNU GPL program.  We did not (although I think this is a red herring) assign the copyright to the Free Software Foundation.

Thus, if we wanted the program to be GPL and wanted to argue that in court, I think we'd have to argue pretty hard, even with the legions of programmers who are doubtless willing to testify that "the GPL" is understood by the community to mean "the current version of the GNU General Public License".

Someone on Slashdot said that if Eddy and I wanted this to be GPL, then we obviously had no experience with writing serious code and were incompetent and inexperienced.  The vote of non-confidence isn't appreciated, but by contrapositive, you can arrive at the truth:  we didn't intend this to be GPL. The history is that we each independently thought, hmm, it should probably be released under some kind of free-distribution terms, and we each wrote our code with that in mind and made mental notes to talk to each other about it.

Eddy and I never actually had that conversation, partly due to our haste to release the damn thing already once we got to the point where it was releasable.  So it went out with the code in just whatever state we had left it - which meant no notices at all on my code, and these two fragmentary GPL-ish notices on Eddy's code.  Now, of course, it's too late to try to take it back and tweak the licensing.  Microsystems now owns whatever copyrights remain; it's up to their lawyers to figure out what that means and try to enforce it.

The Microsystems spokeswoman was quoted as saying that there'd be Big Trouble if we misled them, but we did not mislead them.  They should certainly have read the source code before buying it, and they have lawyers to explain to them what the distribution notices in the code mean.  I have a signed document from them saying that they took responsibility for knowing what they were buying.  I don't think it'd be easy for Mattel to claim that I, a humble graduate student, coerced them, a multi-billion-dollar corporation, into accepting a bad deal.  Making the settlement as quickly as possible, late on a Friday night, was their idea, not mine.

Even though the material wasn't under the GPL, it did contain notices implying that wide distribution was permitted.  Microsystems, being the new copyright holders, now apparently want to revoke those permissions.  Whether they are able to do so has not yet been decided.

UPDATE:  Eddy has now declared that he did originally intend to GPL the package.  That's best explained in his article on the subject.

What does your T-shirt say in the CBC Newsworld interview?

The black T-shirt I wore in my most recent television interview says, "I am a professional.  Do not try this at home." Of course the joke was deliberate.

Did anything else embarrassing happen to Cyber Patrol recently?

Yes.  Bennett Haselton of Peacefire had an amusing idea, one of those "Now why didn't I think of that?" kinds of things.  He took some quotes from well-funded organizations expressing anti-gay views, and posted them on Web pages with the identification removed.  Then he submitted the page addresses to several censorware companies, including Cyber Patrol, with the claim that the pages were "hate speech" and ought to be blocked.  Sure enough, the censorware companies agreed to block the pages.  Next, he tried to get them to block the original pages from which he'd taken the quotes, and got a much less favourable response.

Conclusion?  The very same words are considered "hate speech" if they're uttered by some nobody in the general public, but not "hate speech" if they're being published by an organization with a legal department.

You can read more about this caper on the Peacefire "Bait and Switch" page.

Was that the only other problem they had?

No.  Cyber Patrol technology is available as an add-in for commercial "firewall" packages, not just in the consumer form Eddy and I reviewed.  The filtering list is (apparently) the same, but the packaging is different.  A firewall is a security product that interposes itself between a private network and the great ugly Internet and purports to improve security by filtering out traffic that would pose a security risk.  If you also wanted to filter traffic by its subject matter, that would be a natural place to put your censorware.

The trouble is that the Cyber Patrol module for Network Associates' popular firewall was so shoddy that it opened up a huge security hole.  If you installed the censorware module, then as well as the fact Eddy and I established that it wouldn't do its job as censorware, it would also cause your firewall to become insecure.  It may be the firewall company, rather than Mattel per se, who are to blame for making the mistake - but it certainly doesn't look good for Mattel.

The security problem with the firewall edition of Cyber Patrol turned out to be a classic "buffer overflow" attack, one of the oldest attacks in the book.  The Great Worm, which devastated Internet sites back in 1988, was based largely on that kind of attack, and the attack and how to protect against it were well-known for decades previous to that as well.  Good software should not be vulnerable to buffer overflow attacks.

You can read more about this story on Security Focus, Slashdot, or Business Week.

Did they come up with any other ways to shoot themselves in the foot?

Amazingly, yes.  According to this story from CNET, AOL's youth filters protect kids from Democrats!  You can also read about it on Slashdot.

The CNET story glosses over some of the technical details, but what it boils down to is this:  filtering technology can work in two ways, which Eddy and I referred to as "negative option" and "positive option" in our essay.  Negative option is the usual kind of filtering:  they have a list of sites that are considered "bad", and you can visit any sites except those.  That's what most people use and it's what we mostly considered in our review.  Positive option works the other way:  there is a (very short) list of sites that are considered "good", and those are the only sites you're allowed to visit.  Of course, that's an extremely restrictive setting that essentially makes the Web useless, but it's the only way to make a censorware product that will actually work in the sense of blocking all objectionable material, and even then it'll work only with constant review of the "good" list to make sure none of the sites have "gone bad".

America Online, which provides network access for a huge number of people, has its own internal proprietary censorware which is basically Cyber Patrol's positive-option mode, that AOL have licensed and stuck their own brand name on.  If you turn that feature on, it'll allow kids to visit the Republican Party's Web site, because that site has been added to the "good" list, but not the Democratic Party's Web site.  Other findings (described in the linked article) seem to suggest that it's a conscious pattern in the choice of "good" sites, not just an accidental oversight.  So the political right is considered suitable for children, and the left isn't.  That upset people, for some reason.
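The two filtering modes described above, as an added example (not code from the essay, Cyber Patrol or AOL): a small Python filter that decides the same URL under each mode. The site lists, the reserved `.example` hostnames and the choice to block URLs with no usable hostname are assumptions made for illustration.

```python
from urllib.parse import urlsplit

NEGATIVE = "negative-option"   # block only what is on the "bad" list
POSITIVE = "positive-option"   # allow only what is on the "good" list


def host_of(url):
    """Return the normalized hostname of a URL, or None if it has none."""
    try:
        # Accept bare "host/path" input by treating it as a network location.
        host = urlsplit(url if "//" in url else "//" + url).hostname
    except ValueError:          # e.g. a malformed bracketed IPv6 literal
        return None
    if not host:
        return None
    # urlsplit lowercases the hostname; also drop the DNS root dot.
    return host.rstrip(".") or None


def listed(host, sites):
    """True if host equals a listed site or is a subdomain of one.

    Matching is on whole DNS labels, so 'notbad.example' does not match
    a list entry of 'bad.example'.
    """
    return any(host == s or host.endswith("." + s) for s in sites)


def decide(url, mode, sites):
    """Return 'allow' or 'block' for url under the given filtering mode."""
    host = host_of(url)
    if host is None:
        return "block"          # assumption: fail closed in both modes
    hit = listed(host, sites)
    if mode == NEGATIVE:
        return "block" if hit else "allow"   # default is allow
    if mode == POSITIVE:
        return "allow" if hit else "block"   # default is block
    raise ValueError("unknown mode: %r" % (mode,))


# Constructed sample lists using reserved .example names, not real sites.
BAD_LIST = {"bad.example"}
GOOD_LIST = {"party-a.example", "kids.example"}

# Constructed sample requests.
SAMPLE_URLS = [
    "http://bad.example/page",          # on the bad list
    "http://WWW.Bad.Example./page",     # same site, different spelling
    "http://new-bad.example/",          # objectionable but not yet listed
    "http://party-a.example/",          # on the good list
    "http://party-b.example/",          # comparable site left off the good list
]


def compare(urls):
    """Map each URL to its (negative-option, positive-option) decision."""
    return {
        u: (decide(u, NEGATIVE, BAD_LIST), decide(u, POSITIVE, GOOD_LIST))
        for u in urls
    }


if __name__ == "__main__":
    for url, (neg, pos) in compare(SAMPLE_URLS).items():
        print("%-32s negative=%-5s positive=%s" % (url, neg, pos))
```

The unlisted `new-bad.example` passes in negative-option mode, while in positive-option mode the outcome for `party-a.example` and `party-b.example` depends entirely on who maintains the good list.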

Did Mattel's software division get in any more trouble?

You won't believe this, but yes, they did.  According to Salon Magazine, some of Mattel Interactive's software products aimed at small children would automatically make a network connection back to the manufacturer every so often.  According to Mattel, the program just downloads updated splash screens so they can keep you informed about new stuff.  That sounds like a polite way to say it's an advertising opportunity.

Furthermore, there's no way to know (without reverse engineering the program, and we know how much fun that can cause) that it really does what it claims.  The Salon reporter goes into some detail on other things the program could do - like scan your drive and report back to Mattel what other products you have installed.  Also, although they claim not to be compiling a database of personal information on the children who run the software, it's a fact that such a database would be valuable to marketers and easy to compile given a program like this that automatically "calls home" every so often.

Anyway, Mattel has stopped distributing this technology, apparently in response to the recently-passed US law against building marketing databases on kids, even though they claim that the law didn't really apply to this software anyway...

You can also read about this on Slashdot.

What did BUGTRAQ have to say about Cyber Patrol?

Eddy pointed this one out to me:  BUGTRAQ bug ID 1977, which you can read about on Security Focus's yuckiframe site, describes how Cyber Patrol uses substandard encryption (in fact, even more insecure than the encryption Eddy and I looked at) to attempt to conceal the user's credit card number when performing the "registration" process.  As a result, if you enter your credit card information when the program asks you to, then crackers sniffing the network may be able to recover enough information to attack your credit card account.

You should read the original BUGTRAQ posting, because it gives a whole lot of interesting detail.  My favourite part is that the hacker who discovered the vulnerability attempted to contact Microsystems and warn them, on his own dime, and he only "went public" with the vulnerability after they didn't return his phone calls or email in literally months.  I would have thought that after their experience with Eddy and myself, they might have learned their lesson.

Mirror site case

What is a mirror site?

A mirror site is simply a copy of another site.  In the case of the cp4break mirrors, the mirror site operators were people who considered it important to distribute Eddy's and my work, and so posted copies on their own Web pages.  It's quite common practice to "mirror" Web documents; people do it to increase performance (a local mirror may be able to provide a document faster than a remote original site), to reduce the load on the original server, or (as in this instance) as insurance against loss of the original site.  Some mirrors are of individual documents, and others are of entire Web sites or parts of Web sites.  The concept also applies to other things besides Web sites - for instance, FTP file archives.

I think mirror sites are so called because, like a mirror, they present an almost perfect duplicate of some original thing.  Some mirror sites, like the VLUG LDP mirror, are automatically tied into their original site so that whenever it is updated, the mirrors update too.  Thus they present an ongoing "reflection" of the current state of the original.

Did you cause the mirror sites to go up?

The original essay included a brief note giving permission for people to mirror it and the software, and on that basis many people did so, long before any lawsuit was announced.  Of course, as soon as the lawsuits did start, the mirrors became much more numerous.  That wasn't my doing, it was just the nature of the Net - as soon as something looks like it might be controversial, it gets wide distribution, and the harder anyone tries to ban any document, the more widely distributed it becomes.  Of course Eddy and I knew that the document was likely to be mirrored as soon as it was released, but we don't take credit for causing that to occur; everybody who started a mirror site did so of their own volition.

According to the court transcript, the Cyber Patrol lawyer said that I made a posting on Slashdot inciting people to mirror the document and software, but I deny that I ever did that.  I made some anonymous postings to Slashdot, and some other people who made anonymous postings did make comments encouraging people to mirror the material, so that may be the source of the confusion.  I also mentioned in one of my postings the fact that the original documents gave permission to mirror, but mentioning that fact could hardly constitute "incitement".  Indeed, in my March 17 posting to the VLUG discussion list, I asked those close to me not to mirror the essay, just to avoid muddying the waters during our negotiations - which would seem to be going above and beyond my duty towards the plaintiffs.

How did mirror sites become involved in the Boston court case?

Cyber Patrol claims that if they only succeeded in preventing Eddy and myself from publishing our work, that wouldn't prevent the corruption of children's minds by mirror sites who might also distribute our work, and so it's necessary to stop people from mirroring it as well.  That seems to be why they demanded the famous one dollar copyright sale - as a further lever to use against mirror sites.

Because Cyber Patrol was looking for a judgement against all mirror sites, any mirror sites might have some reason to object.  In particular, three people associated with Peacefire (Bennett Haselton, Waldo Jaquith, and Lindsay Haisley), who have an organization that we the defendants don't, managed to get involved in the Boston case, and launched an appeal after the judge awarded the plaintiffs an injunction backing our settlement agreements.

This ought not to be worthy of mention, but just in the hope of preventing reporters from making silly mistakes:  Lindsay Haisley is apparently male, notwithstanding that the name "Lindsay" is also often used by women.

I'm a little annoyed that because Peacefire is involved with the mirror sites and has been involved with several other censorware reverse engineering projects, some people have confused them with Eddy and myself.  I'm not a member of Peacefire (although I am on their mailing list), Eddy isn't associated with them either as far as I know, and we did all the work all by ourselves without Peacefire's or anybody else's participation.  We certainly agree with a lot of Peacefire's politics, but they don't deserve credit or blame for our work.  Peacefire posted our essay and software but they didn't have a hand in writing it.

Eddy emailed me a clarification on the above comment about him not being in Peacefire:

That is correct.  I'm not a member or anything, I'm not even on their mailing list.  I too found this association somewhat irritating (though not nearly as irritating as reporters asking questions clearly answered in the essay.  You know, before all this circus I actually thought I had reached "maximum jadedness" as far as the media goes, but they _really_ proved me wrong on that one, and they weren't even trying...)

How did the original Boston case's resolution affect "the Peacefire three"?

Justice Edward F. Harrington refused to answer that question, but Cyber Patrol says that the injunction which forbids me from publishing the essay or software also applies to everyone else in the world because, they claim, anyone who puts up a mirror site is "in active concert or participation" with me.  Nonetheless, Cyber Patrol claims that nobody but Eddy and I would have the right to appeal, and we can't because we agreed to a settlement.

The three Peacefire mirror site operators are appealing Justice Harrington's decision partly because they aren't sure whether the order applies to them or not, and they claim that it's against the rules for the judge to leave them in doubt like that.

What was the next step for the mirror site case?

The district court refused to entertain an appeal, apparently agreeing with Cyber Patrol's argument that because they weren't named as defendants, the mirror sites didn't have a right to appeal the decision.  The judge refused to answer the question of whether the injunction applied to them, but it's clear from the record that Cyber Patrol, who more or less wrote the injunction, intended it to apply to all mirror sites.  So the three Peacefire mirror site operators are appealing to a higher court.  They've filed a brief, some important people have filed an amicus brief supporting them, the Cyber Patrol folks have filed a brief of their own and the mirror sites have filed a reply.  The actual hearing will be August 2, 2000, which happens to be the day after I turn 24.

What happened at the August 2 hearing?

It's been very hard to get any information about the August 2 hearing itself; what I heard through the grapevine was that it was focused primarily on the "standing" question of whether or not the mirror sites had a right to appeal.  They claimed that if the court order bound them then they had to have a right to appeal, and conversely if they didn't have a right to appeal then the court order couldn't bind them.  The plaintiffs apparently claimed that the mirror sites were bound by the court order but had no right to appeal.

The judges issued a decision on September 27 saying that the mirror sites had no right to appeal, but not saying whether or not the order bound them.  It's not at all clear where that leaves them.  If their logic was correct, then that should mean the order doesn't bind them and they have the right to put their mirrors back up; but that's a dangerous bet to make because if the order does bind them, they'd be guilty of contempt of court (which is an actual "crime", significantly worse than the "torts" I was accused of).  As far as I can tell the Peacefire mirrors are still down and they've dropped the case and stopped talking about it on their Web sites, but they may well be simply regrouping for their next move.  Numerous other people on the Net are still mirroring the material and as far as I can tell the plaintiffs have left them alone; the plaintiffs may well have realised that further attempts to suppress it will only dig them in further.

The appeals judges were very careful to only touch the procedural issues without commenting at all on the more important political issues in the case.  Although I'm sorry they didn't take the opportunity to right the wrong that was done in the lower-level court, I can't blame them; it's their job to decide cases as cleanly as possible without invoking heavy-duty political issues unless absolutely necessary.  I wish Judge Harrington had followed a similar policy and thrown out the original case for lack of jurisdiction; it seems to me he had plenty of opportunity to legally do so.  Claims that I acknowledged the jurisdiction of the Boston court are false; my settlement contains no such acknowledgement, and was made primarily to settle the action in the Vancouver court.  (The jurisdiction of the Vancouver court might also be questionable because we never posted our essay in Canada, but that issue never had to be decided.)

What about the Library of Congress DMCA rulemaking?

As you may know, the US has a controversial new law called the DMCA, which makes some types of software reverse engineering illegal.  This is interesting because it underscores the fact that it isn't illegal except for the DMCA. Anyway, in their claims for why the appeal should be denied, the plaintiffs-appellees claimed that what Eddy and I did was a violation of the DMCA. They hadn't claimed that in their original suit, and so the ACLU lawyers rightly argued that they couldn't try to use it in the appeal case.  The original suit was based on the even shakier foundation of regular copyright law - which traditionally permits reverse engineering.

Anyway, a whole lot of people were upset about the DMCA's anti-reverse-engineering provisions, and the US government asked the "Register of Copyrights", which seems to be part of the Library of Congress, to get community comments and issue a ruling on what kinds of reverse engineering should be exempt from DMCA prohibition.  The community argued strongly for "everything", but the ruling made on October 27 was that the following kinds of reverse engineering are exempt from the DMCA:

  1. Compilations consisting of lists of websites blocked by filtering software applications;
  2. Literary works, including computer programs and databases, protected by access control mechanisms that fail to permit access because of malfunction, damage or obsoleteness

You can read the original decision on the LC Web site, or the Slashdot article about it.  The decision mentions my case ("Microsystems et al v.  Scandinavia Online et al") in particular when talking about the rationale for point number 1.

What does point number 2 mean?  Who knows!  It looks like what they intend is that if you use a proprietary system and the vendor goes out of business, you're allowed to reverse engineer it to get your data out.  But I wonder if one could claim, "Well, this anti-reverse-engineering system uses substandard, obsolete techniques (copy protection is by definition obsolete...) and so it's legal to break it."?  Only time, and the courts, will tell.

I can't call this an unmixed victory, because I think the DMCA should be thrown out entirely, not just patched.  However, it's gratifying to think that they changed the law in a good direction on account of Eddy's and my activities.

What does this mean for cp4break?  Well, as I understand it, I am still bound by my settlement agreement not to distribute the essay and software.  Its effect on others who might distribute cp4break is unclear.  However, I think it argues strongly that even if my actions weren't legal (and I believe my actions were perfectly legal), anyone who reverse engineers blocking software in the future will face a much nicer legal climate.  The Register of Copyrights appears to be saying that they consider reverse engineering of blocking software to be a good thing - good enough to be worth changing the law in order to permit it.

What was the final outcome?

As chronicled on Waldo Jaquith's Web site, when the Register of Copyrights ruling mentioned above went out, and given that the appeals court had said "you aren't allowed to appeal" (which, under the ACLU's logic, means they aren't bound by the injunction), the ACLU decided to assume that in fact, the Peacefire mirrors were not bound by the injunction.  Accordingly, Peacefire put their mirrors back up.  Happy Halloween!

So it looks like it's legal for people to mirror the content in question, although I still am not allowed to tell anyone to mirror it.  So bear that in mind - any mirrors you see, weren't authorized by me.  If the plaintiffs want to make something of it, they will have to bring contempt charges against the Peacefire (or any other) mirrors.  I can't predict what they might do, but I don't think it's likely to happen because the Cyber Patrol product has now been sold off to a UK-based company called "JSB".

The cphack program no longer works with current versions of Cyber Patrol.  Considering how fast the fix became available, I bet they made only minor changes and a skilled party could easily apply the same techniques we used to break in again.  I won't be doing that myself, though.  Remember, please, that all software is eventually vulnerable to this kind of analysis; the fundamental laws of how the Universe works guarantee that.

I've now progressed to other projects; as well as finishing my Master's thesis, I'm working on laser networking right now.  I'll probably do more anti-censorware work some time, but not really soon.  In the final analysis it's hard to say who "won" the dispute.  Eddy and I became famous "hackers" overnight, we made our political point and got a lot of publicity for our cause, and via the Register of Copyrights ruling we made it safer for others who would follow in our footsteps.  On the other hand, the Boston courts held a lot of points in the plaintiffs' favour, they succeeded in stopping Eddy and myself from distributing our work or attacking Microsystems products in the future, and they had the chance to do a lot of posturing in the press spotlight too.  They're certainly claiming to have won, although of course they would do that in any case.  Maybe both sides won.  I think now Mattel and Microsystems would like to forget about the whole thing.  Will they be able to do that?

My activities

What else do you do?

Formally, I am a graduate student of computer science at the University of Waterloo, working towards a Doctoral degree.  I recently (August 2001) completed the requirements for my Master's degree; my thesis title was Generation of Graphs Embedded on the Torus.  I don't know yet what my PhD area will be; I may or may not stick with graph theory, but will probably stay in the theoretical end of computer science anyway.  I expect to be occupied full time by my studies until mid-2004 at the earliest.  I am currently supported by an NSERC Postgraduate Scholarship (PGS A with the PhD stipend upgrade).  I have worked professionally as a computer programmer, and do still do the occasional bit of consulting and short-term contract work, but I'm not particularly looking for job offers.

While I was in Victoria, I served on the executive of two local computer clubs.  With the start of my PhD program (September 2001) I've moved to Waterloo, Ontario.  I haven't built many contacts here yet but I'll probably be active in the local user group scene one way or another.  Other things I do include a bit of creative writing, hanging out on Usenet, and some mentoring of aspiring techies.  I take action in support of my political views, which mostly revolve around protecting the rights of young people and smart people, and especially young smart people.

Are you a hacker?

Tough question, because there are several different meanings for that word.  When I said that to my lawyer, he reacted as if I'd said the ethics of hacking are open to debate.  That's true, too, but what I said and meant was that there are several really different meanings for the word "hacker".

I don't usually call myself a hacker.  Sometimes I call some of the things I do "hacking".  Other people have certainly called me a hacker a lot recently.  Eddy says that he wouldn't call himself a hacker, and objects to others calling him one, because he thinks it's a compliment he doesn't deserve.  I'm not sure I'd agree; he's certainly a highly competent programmer and that's a big part of what being a hacker means to me.  I'm a bit less modest and might enjoy being called a hacker if I thought the people who were doing it knew what they were saying.  Basically, I subscribe to Eric S. Raymond's interpretation of what it means to be a hacker.  Subsequent to my writing that here, I had email from the man himself saying that he figures I qualify; make of that what you will.

Unfortunately, most people who use the word use it to describe a type of criminal who breaks into others' computer systems, and I'm not that kind of hacker.  Breaking the security on Cyber Patrol is not comparable to what those people do; it's the difference between reading a book I bought, and picking the lock on your door to read a book from your bookshelf.

Could you use this project for academic credit?

I'm sorry to have to say this, but no, because it was too easy.  What we did was a pretty straightforward application of well-known techniques.  The password hash reversal, in particular, was just undergraduate-level linear algebra.  One newspaper reported that I said "Any undergrad could do it"; actually I said "An undergrad could do it", not necessarily just any undergrad.  That's one small y for a newspaper, one giant leap for the scope of my remark.

Then again, I've been told that the essay has academic value as a teaching aid.  Maybe that makes it more useful academically than the difficulty of the math would suggest.  It's not really in my research area, though, so although I'll certainly list it on my CV, I won't be pressing it as a big part of my schoolwork.

Have you done anything like this before?

Reverse engineering is certainly a big part of my work as a computer programmer.  I remember, in particular, a day when my boss (I was working for the Federal government at the time) brought me some data tapes that had been made by his research group a number of years earlier.  They'd lost the specifications for how the data was stored, so I analysed the tapes in much the same way that Eddy and I analysed Cyber Patrol, and I was eventually able to recover the data.  That kind of thing is all in a day's work for me.

As far as reverse engineering of censorware goes, no, this is my first project in that line.  Eddy was involved in at least two previous similar breaks, of CyberSitter and NetNanny.

I've been involved in many previous youth rights projects.  I hung out for a long time on the ASFAR (Americans for a Society Free from Age Restrictions) mailing list and contributed to the discussions there.  I try to empower (although I dislike that word) young computer programmers as much as possible, by offering support and advice wherever it's welcome.  I fondly expect that in five or ten years, the kids who looked up to me as a role model will be achieving the same things I'm achieving today, and greater things than these.  My most visible youth rights project is probably the Nauthiz campaign, opposing age discrimination by Internet service providers.

Will you do something like this again?

I have promised not to reverse engineer any more Microsystems software.  I may someday reverse other censorware, but probably not any time soon; I sort of feel that I've done my share of that in this one project.  I also want to resist classification; I find that I get the best results from my activities if nobody ever knows what to expect from me.

I will certainly continue to do things to support my political views.  I am determined not to let this be the only interesting chapter in my biography.

What if you knew then what you know now?

If I knew that publishing the essay would result in my getting sued, I'd still have done it, with my real name on it.  But I'd be very careful to see that the copying permissions were spelled out clearly.  Eddy and I released the cp4break package with our internal "placeholder" messages still on it, and the consequences surprised everybody.  I think ideally we'd have released it as explicitly public domain; then the plaintiffs could gnash their teeth all they wanted but would have to actually prove that the essay was illegal (a difficult task, to put things mildly) in order to halt its distribution.  The copyright would be essentially destroyed, so there'd be no question of our being forced to assign it.

Some people suggested that we deliberately put the package under GPL and then sold the copyright as part of a devious plot to simultaneously sting the plaintiffs and also create a badly-needed GPL test case.  It's flattering that you would think we'd be that smart, but we weren't.  The fragmentary GPL messages were a simple oversight, nothing more.

What else have you done that's interesting?

Lots of stuff.  You can read some of my creative writing on my home page, particularly in the Air classification.  I did some cryptographic research, amusingly on the very topic of what censorware companies might be able to do to prevent reverse engineering, and you can read the paper I wrote about that, which won me an award from the Communications Security Establishment, Canada's equivalent to the NSA. People who agree with the political side of the Cyber Patrol analysis will probably also like my submission to the Canadian government's public comment process on copyright reform.

The disc isn't available, but I did edit a combination history disc and yearbook on CD-R for the Usenet newsgroup alt.kids-talk, containing roughly as much content as an encyclopaedia.  I ran a campaign for spoiled ballots (the "Vote for Barney" campaign) at the University I attend.  I wrote the Twofish cipher module for GNU Privacy Guard.

You can find other interesting stuff about me by searching for me on the Web; there are a few other Matthew Skalas in the world, and I'm not a football player nor a member of Delta Upsilon, but almost all the other "Matthew Skala" material is about me.

Responses to the inevitable offers

Can we join your 31337 h4k0r group?

No.  I'm an independent activist.  I sometimes join forces with others when their goals happen to coincide with mine.  I speak of myself as part of the youth rights movement, but that is not any single specific organization.  Eddy has, or once had, some connection with DFR, who are credited in his two previous censorware reversal essays, but this one wasn't particularly a DFR project.  I can't put you in touch with DFR, the Underground, the Illuminati, or anybody else like that.

I am a member of BB&C and VLUG.  Neither of those is exactly a hacker group, but they are at least computer-related organizations.

Would you like to join our 31337 h4k0r group?

No.

Can you answer our questions about computer security?

My interest is primarily in the cryptographic aspects of security.  I don't know much about other security issues - e.g.  firewalls, system cracking, etc.  The media description of me as a "hacker" is somewhat misleading if you think that a hacker is someone who breaks into computer systems.  I do answer questions people email me from time to time, subject to A. the limits of my expertise and B. if you don't pay me to help you, then I'll only help you when and if I feel like it.  Please note that I do not use Windows and cannot answer Windows-related questions of any kind.  Especially annoying Windows questions may get cranky or deliberately misleading answers.

May we email you a Microsoft Word document, under any circumstances?

Please don't.  I actually can read them fairly easily with my Linux system (which can handle almost any file format), but I find Word documents attached to email messages highly annoying, and reserve the right to be impolite about them.

Do you want a job?

I will be busy full-time until mid-2004 at the earliest, completing my PhD program.  After that time I may be looking for a job.  I already have a long list of offers and am not really in the market at this time.  I do from time to time accept consulting and short-term contract work, but only when I want to.  I already make more money than I need, without actually working much at all, so offering me more money isn't likely to make me more interested.

Are you interested in a perfectly legitimate business opportunity?

No.

Personal questions

How old are you?

At the time of the publication of the essay (March 2000), I was 23 and Eddy was 24.  One news source reported that we were "teenagers".  I don't know why.  One interviewer asked me how I felt about that report; I said that although I thought it was silly they couldn't get it right (since our ages are no secret), I didn't really mind because I still feel young.  Really, I still feel about the same way I felt when I was 4 years old.  It may be open to debate whether that means I am an immature adult, or was a mature 4-year-old.

Subsequent to these events, Eddy and I have been named Honorary Teenagers.

I was born with the Sun in Leo, the Moon in Libra, and Virgo rising, for people who care about that sort of thing.  I've been told that that's exactly what you might expect for someone who's done the sorts of things I have done, but that's exactly what I might expect to be told.

Are you single?

Yes.  If I had a wife or girlfriend, I probably wouldn't have had time for this stuff.  (Not, of course, that anyone who approves of my activities should let that dissuade them...)

Who is Pele?

In my part of the acknowledgements section of the original essay, and in some of my subsequent Web postings, I thanked "the goddess Pele for favours received".

Pele is the Hawai'ian volcano goddess, both a creator and a destroyer.  One of her many appealing features is that unlike most other creators, Pele does her work here and now, right before your eyes, instead of in some hypothetical past; you can actually see her building new islands out of lava.  That same lava can also be fearsomely destructive.  Pele does what she does, good and bad for humans, and there's absolutely no stopping her either way.  We're talking pure forces of nature here.

Pele strikes me as a goddess appropriate to programmers, or at least to the type of programmer I aspire to be.  She's also a male-positive goddess, so we can offend the more obnoxious Wiccans and neo-pagans as well, the ones who believe that male human beings are necessarily second-class spiritual citizens.  Offending such people is a goal near and dear to my heart.  The Goddess in my short story Light and Speed isn't identified by name and isn't necessarily Pele, but does bear some resemblance.

I had one Wiccan write to me about the comment on Wiccans in the previous paragraph, eager to assure me that not all Wiccans are of the variety I dislike.  Yes, I know that, and don't worry...  if you know that there is more than one kind of Wiccan and a difference between them, then you're almost certainly not the kind I dislike.

On a more abstract level, I believe in a divine power that transcends personification.  It doesn't really matter whether you're worshipping Allah or Jehovah or Pele or "blind luck" or "nothing at all" or "zero point energy" or whoever; whatever works for you.  I believe that human beings are the beloved children of the creator, and as such it is our place to inherit the family business.  I believe that I personally have been fortunate in being granted a whole lot of creative power.  This project was one of the ways I've chosen to apply that power, but by no means the only nor the most important one.  So in recognition of all these things, I say thanks to Pele for favours received.

I see no contradiction between my belief in the creation of the Universe by a divine power, and my belief in the evolution of life on Earth.  Who's to say that the creator didn't deliberately design a Universe where evolution would occur?  That's exactly the same thing I might do by running a program like Tierra on my computer, and probably for the same reasons, too.  It cannot be disproved, so it isn't science, but something need not be science to be useful.

Actually, my main reason for mentioning Pele is that other celebrities (athletes especially) so often take advantage of their fame to give praise to Jesus Christ.  I've always found that practice annoying, and thought that if I ever had the chance I'd put in a similar plug for someone else just to even the score.

Please note that Eddy takes no part of my religious views; based on his Web page I think he's an atheist, but I shouldn't really speak for him even to that extent.  I'm only speaking for myself in this FAQ entry.

This page has been released to the public domain by its author, Matthew Skala