So, yes, the RIAA and MPAA have sued a bunch of RPI students. As a courtesy to everyone at RPI, if you find yourself on this list (link goes to a tool to tell you if you are or not), it might be time to give Dean Smith or an attorney a call…
The IPs listed here came from the original post made this morning on TrendyBlog.com. Here is a link to the list of RPI IPs sued by the RIAA, along with the original complaint.
Edit: (04/14/2005 02:05AM EDT) So, does anyone else find it odd they are including a computer on CoreNET, and on the wireless VPN concentrator? Are they really going to follow through with a suit on a router? If so, would RPI be liable for the transaction that they allowed to happen on their network? Apparently not, it would seem, since ISPs rarely are directly sued by the RIAA/MPAA. The same applies for the telephone network — traffic that merely uses the network without the operator’s knowledge does not constitute conspiracy or liability, as they merely provide the network on which the traffic occurs. Could the ‘ISP defense’ ever apply if, say, all connections on a campus were routed through a SOCKS proxy or some other type of semi-transparent proxy? Or, on a smaller level, what if someone was running an open wireless router and a user was hijacking their signal for this illicit use. Would the ISP defense then apply?
Considering that this hits so close to home for the RPI community, this is a good time to once again open the discussion on the business policies of the RIAA and MPAA, and how we should respond as their clients. Essentially, we all are clients at some level because of the amount of media that we consume that is protected by these organizations. These organizations made similar cries of lost business around the advent of magnetic storage. Tape cassettes and VCRs didn’t put movie companies out of business either, although it would seem that cassette technology is older than I am, and Hollywood flicks and the MTV culture seem to be more alive than ever.
It would seem astounding that rarely do book publishers file copyright infringement suits against those that pirate their materials on these same networks. Some text books are available on peer to peer networks, and textbooks after all can cost upwards of $100, if they are heavy enough. But book publishers have actually seemed to find that including the CD containing the textbook with the hardcover version itself has actually been an attractive feature to customers that do purchase it. In this way, the new technology has both increased the spread of the information and increased the salability of the product. Virtually any form of popular media that can be proliferated illegally on the internet is already being distributed.
The RIAA and MPAA just seem bent on public relations seppuku. Today during an RIAA press conference call regarding the I2Hub lawsuits, an executive of the RIAA stated publicly that no school at which students were being sued had more than 25 John Does on their list. Of course they would not dare to pursue every file sharer, although they did mention that they had evidence of at least 140 other schools’ involvement across 41 states. Considering that there were 7,000 or so users on I2Hub on March 25th, they would have had to file 7,000 lawsuits. Think about how many people – how many customers – would be directly affected by that number of lawsuits. Each of these two students, on average, would have two parents and one and four-tenths of a sibling according to an estimate of the national average, which would mean that 23,800 immediate family members would be directly impacted by a lawsuit that would levy damages often as high as tens of thousands of dollars (not to mention the uncles, aunts, nephews, and other close relatives). But it wouldn’t just be those 23,800 families that likely would have unfavorable thoughts – and highly unfavorable things to say – about the RIAA and MPAA. It would be the thousands of people that all of those people know, and all the people that were a mere degree of separation from someone whose life likely might have been seriously hurt by similar vicious lawsuits. Thousands of dollars buys a not-so-used vehicle, or a new set of high-quality windows and frames, or a few months’ worth of food. But the RIAA and MPAA, with the greatest audacity possible, not only rob ordinary people of the ability to enjoy art, but rob them of their earnings and forcibly take them out of their hands.
I’ve said it once, and I’ve said it before – I don’t buy CDs anymore, there is plenty of music out there for me that I don’t have to buy at all. Actually, when I was only 16, I set up concerts featuring local bands at American Legion halls and was able to turn not only a profit – but to a 16 year old, turning profits in the hundreds after each event – I was earning a fortune. So the RIAA and MPAA seem to find it difficult to do the same on a larger scale, which is rather pathetic considering that I was able to do it with the help of only one friend, and some old public address and mixing equipment. The live performance is always where the classic artist has shined. The massive sales of records, cassettes, and compact discs are products of the last century – and we simply have evolved our media delivery past these wasteful formats that simply do not deliver the quality, convenience, and durability that an MP3 or AVI file can deliver.
The RIAA and MPAA are like some imaginary old fashioned coal strip mining company that insists that coal is still an efficient, clean, and safe energy source, when we know that it’s really been mostly made obsolete, to the dismay of those involved in the industry. But coal mining is not an art, and employees of the coal mine don’t go down into the mines for a full work week because they are passionate about it. True artists do, and even prior to mass media, the work of the excellent artists was made widely known and was appreciated. The record companies and movie studios know that they’re being threatened – not because their customers are robbing them but because the industry was simply not sustainable in the face of a set of technologies that eliminated the need for that industry – like coal power and its gradual phase out.
It’s also ironic that they have to resort to suing college students. It’s likely that college students – already in debt from educational loans – will not seek the advocacy of a respected attorney, someone known as well as the late Johnnie Cochran. Young adults can’t defend themselves properly when they can’t even drink at a bar (to regular readers of my blog that find this statement ironic, please interpret my prior article as kindling for discussion on the drinking age, and about the way we enforce laws, and not about how much of a plague underage drinking is). RPI happens to be where I go to school, and that’s why I took personal interest in this. We’re engineers and technologists – not lawyers. But on that note, it’s interesting that so far they haven’t sued the kids at Stanford, Yale, Georgetown, or George Washington University, that likely would have both the connections to the I2Hub and affluent and outspoken lawyers ready to take a stance against the RIAA in court. As of my current understanding, no individual college student has ever actually taken a file sharing case to trial – every case has been settled for an outrageous amount likely costing as much as a semester or year of education (or about six weeks of classes at RPI, after the 7% tuition increase for the 2005-2006 academic year).
So, bearing all of these things in mind, can I please ask the readers of my site, who are all likely college students right now considering the material contained herein to collectively take a step back – take a deep breath – and take our collective middle fingers and stick them right in the face of the executives at the RIAA and MPAA. It might be time to ask your friend to borrow that CD you heard them play in their car stereo, or visit a library to rent a new movie (most “good” libraries have new releases, if you didn’t already know). Maybe tomorrow, have a couple of your friends do a movie madness day with them. I’ve done it before, but it’s pretty unlikely that the MPAA is going to take me to small claims court for walking past a few lazy ushers – or would they have the gall to actually do that too? In times like these, we seemingly can never be certain. But let’s be vigilant, and just stop buying their crap, and return to enjoying it as an art form, as opposed to being consumers of an industry or in a micro-economy.
Also, on a more amusing note, I wanted to mention that by no means should consumers avoid independent labels – you can use the RIAA radar tool to assess whether artists you like are part of the RIAA cartel. For example, it’s OK to listen to Rydia but it’s not OK to listen to four out of the five albums published by “Larry the Cable Guy” of “Blue Collar Comedy” fame (but seriously, it’s really only four of the five albums, even though you can be sure that zero of five are of any substantial entertainment value).
NOTE: A minor modification of host name data was made to protect student privacy.
Tags: Police, Law, & Justice · Rensselaer (RPI) · Scary Stuff
That’s right – fools. That’s what they are. They’re the fools that are underage, but go out anyway and binge drink at places that serve them alcohol, wherever they might be. They’re the fools that serve those kids. They’re the fools that turn a blind eye to it. And, of course, there are the fools that don’t even consider it a problem.
I would not bash alcohol. I drink pretty frequently myself, and some people even say too frequently. I wouldn’t bash social binge drinking, because basically, that’s what I end up doing myself. And also, I wouldn’t write this so seriously if it was not an April Fool’s joke. It’s not, though, because I’m really sick and tired of watching things be harmed by other people’s addictions.
Sometimes it’s hard to see the harms that alcohol causes. Some of these harms are more obvious than others. We accept a tolerable amount of harm with alcohol, and have created legislation to define what we collectively find to be acceptable. Ideally, we could say that democracy has worked to bring us to a level where our drinking habits are kept in check by laws to discourage the bad behaviors associated with alcohol. Urinating in public, for example, is a behavior that is more often associated with alcohol than not. But beyond the sanitation problems created by an occasional release of urine into the streets, there are more severe consequences – like DWI related fatalities. Professor James D Gould makes the argument that DWI is not such a serious crime, and that it offers an ethical case that, for most people, is clear-cut in the fundamentals, familiar from everyday life, and extraordinarily complicated in the details. In other words, it’s ideal for philosophical analysis at the introductory level.
I disagree with the fact that Professor Gould could even be so callous as to challenge the idea that DWI is wrong. In New York, at least, a second or third drunk driving charge within 10 years of the prior’s conviction results in a felony DWI charge. If we consider repeat DWI offenses to be jailable offenses, then certainly we acknowledge a problem. The problems, however, seem to be reminiscent frequently enough around the capital district. Our DWI fatality and property damage rates are not significantly higher or lower than areas around us – but we still contend with an incredible amount of DWI fatalities and related property damage. To compound matters, under-age and other young drivers that drive drunk are far more likely to crash than older drunk drivers.
I say, why measure the harm caused by underage drinking just by counting dead bodies, wrecked vehicles, and the cost to replace battered mailboxes and telephone poles? We should all agree that serving alcohol to minors commercially is wrong. I don’t object to giving someone underage a drink in the right context. In fact, I drank quite frequently before I turned 21. That’s the way it is in college, right? I acknowledge the pressure that’s put on kids to drink more than one wants sometimes is hurtful in its own right – but to be specific, I think it is far more harmful for any adult to own and operate a bar that is knowingly serving a population that is composed of more underage than legal drinkers. For a friend or relative to buy someone underage a drink is, to me, an effective way of putting the training wheels on young drinkers. But if we let one bar serve minors nearly exclusively, then when do we say how young really is too young? Shouldn’t we (and don’t we already) have some limit on that? If we don’t, then is it really acceptable to have a system that lets thirteen – or ten, or eight – year olds drink in a bar?
I heard from a close friend that her sixteen year old brother was able to get in and get served at one of the bars on or around Washington Avenue in downtown Albany. More often than not, it’s underage females that find it easier to get past the bouncers and into the bars than it is for underage males to do the same. If a sixteen year old male can get in to get served alcohol, how young were some of the females that they’ve let in before? Could they possibly have been as young as fifteen, or even fourteen years old, perhaps? Is it right at any level to allow such establishments to operate? Should we tolerate any establishment that decides it wants to serve underage kids?
I say no. If underage drinkers are going out and driving, only to find themselves wrecking their cars and sometimes their own and other people’s lives, then it’s something that we should intuitively know to say no to as members of an enlightened society. The laws on the subject exist to reinforce that moral fabric that we have sewn that dictates that it is wrong to sell beer to minors at all, let alone for a profit and with a valid liquor license. Then think about the violence associated with this type of establishment – likely a higher proportion of fights, rapes, and property crimes. Underage drinkers are often naïve, and so it’s natural to know not to let them get out of control. An older friend or relative usually has the experience to know when enough is enough for their younger friend – someone was always there for me. But I wasn’t going to these types of establishments, and the people looking out for me were the ones serving me the alcohol. In Albany, and a large number of other places, you are served on the basis of the availability of cash. The people serving you are looking out only for themselves.
But if you build it, they will come. The kids come out night after night and drink to their heart’s content. The police even show up occasionally, but suspiciously leave without ever sanctioning these places, or so it would certainly seem. Why threaten the livelihood of not only the bar owners, but nearby convenience stores and eateries that likely serve a substantial number of underage drunk college students each night? I say, because it is wrong to consider economics before social consequences when talking about the ethics of underage drinking. People really do get killed as a result of underage drinking. Lives really do change in a moment’s notice, it’s not just a fairy tale told to high school kids before they were shipped off to their dormitories. What’s even worse is to consider that otherwise innocent bystanders are often hurt by the underage drinking. Vandalism is rampant in the areas around these bars. Last night, I saw someone no older than 19 rip a banister off a set of concrete stairs right near my building. It was obvious that he had been drinking all night, and decided to latch onto the idea of removing the banister in a moment of sheer foolishness.
I will have to pay for common area damages because of what he did. But think about the other costs that we all pay as a result of underage drinking. To begin with, the fact that it’s college students who are doing the underage drinking far more than most. Our publicly funded education system is getting a very low bang for its buck by accepting such a high level of binge drinking. Of course, SUNY Albany supposedly has cracked down on this since it was named the “number one party school” by the Princeton Review. That qualification has certainly lowered the value of the diploma, and it’s likely that few people consider that the future of those students will be adversely affected by the fact that their degree may be rendered worthless to them depending on the field and level of study. Think about the taxes that we contribute to a highway system that replaces guardrails more frequently because of drunk drivers. Think about a healthcare system that has to handle more injuries as a result of underage drunk drivers (and drunk kids falling down and getting hurt) than it does from other age groups. We pay to support all of these institutions that are harmed by the underage drinking that we allow. To the proprietors of the peripheral stores in the areas around the bars: I’m sorry that fixing this problem will probably hurt you.
But to the proprietors of the bars themselves: shame on you. The fact that corrupt officials allow you to continue to operate doesn’t revive people that died as a result of the alcohol consumption that you illegally profit off of. If a state senator, driving inside a Crown Victoria was crashed into from behind, exploding the already fragile gas tank inside the vehicle, I’m sure that it wouldn’t take long to shut these places down and imprison the owners for criminal negligence and violations of the Alcoholic Beverage Control laws. The owners are irresponsible adults, and the patrons are students deemed too young to be responsible enough.
It’s time to do in Albany what we’ve already done to some extent in Troy – like Elda’s, these illegal operations should be shut down, and their owners charged criminally. The city of Albany should also seek damages from the owners by sanctioning them financially – to pay for the consequences their actions caused by their decisions as responsible adults. I really don’t believe that what I’m advocating is radical – is it radical to hold adults liable for the harms they’re causing to minors? It’s rational to hold people liable for all of their actions, as there should always be accountability.
That’s all I want: I want the owners of these establishments to be held accountable for the things they do that are common knowledge. In the meantime you will never get a cent out of me or anyone that I can convince to also boycott you, and so help me I will fight to see that you end up in a state prison where you belong. You are the scum of the Earth.
This was not an April Fools joke.
Tags: Government & Politics · Police, Law, & Justice
If you haven’t already seen it, there was an incredible article about New York’s Freedom of Information Law in the Journal News today. Not surprisingly, it seems that almost every organization audited by the Rockland Journal News denied the otherwise legal FOIL requests without due justification. Screwing around with your constituents that are merely trying to exercise their rights breeds contempt. I feel like making a few requests myself now. On that note, I’d like to request any information that they may have on me. I’d be curious to see if anything that is permissibly requestable is on file at any of these agencies. Also, I hope that the condescending desk sergeants at these departments get their face spit in by FOIL related lawsuits (no matter how unlikely). When I am rich, I’m going to be an advocate for these causes. In the meantime, I can’t really afford a lawyer to fight for these causes. Neither can anyone else, and such is the game that the law can be ignored by those that enforce the law. If the law disrespects the people, the people should disrespect the law. Law is not a tool for control, it is a tool for peacekeeping and conflict resolution. We are not at war with drugs or with terror, we are at war with ourselves.
Here is a copy of the article, with my emphasis added.
Hunt for facts meets resistance from police
By RICHARD LIEBSON
THE JOURNAL NEWS
Call them the secret police.
A Journal News audit of how local police departments comply with the state Freedom of Information Law revealed that most don’t.
On Feb. 8, reporters went to 27 Westchester, Rockland and Putnam police departments seeking the names, addresses and charges against everyone arrested in the previous 72 hours. The reporters did not identify themselves unless they were asked. Although the information is public under the law, only 11 departments eventually provided it, and only two made it available the same day.
“In this country we do not have secret arrests,” said Robert J. Freeman, executive director of the state Committee on Open Government. “The kind of information you requested is routine, and in my opinion should have been released without hesitation.”
Few in the police departments appeared familiar with the law, as evidenced by the confident ignorance they displayed in denying requests.
“You’re not privileged to get that information,” a Kent police dispatcher told the reporter who asked for arrest data. “Someone who’s arrested could, but we can’t as an agency, by law, give you that information.”
Nevertheless, the dispatcher provided a request form to fill out, and 30 minutes later a police sergeant called to provide the information.
Other departments were less responsive.
A state trooper in Somers said the records were “public information, but not general information.” He took the reporter’s telephone number and said a sergeant would call to schedule an appointment to view the records. The newspaper is still waiting for that call.
A Clarkstown police officer just said no, repeating several times that “arrest reports are not public record,” before telling a reporter not to bother filling out a Freedom of Information request because it would be rejected.
In Cortlandt, a state trooper said the request had to be made in Albany, but he did not know to which office. A Carmel police dispatcher would not show a reporter arrest information but suggested that he check the newspaper.
“The newspaper has a police blotter,” she said. “I don’t know what you’re looking for, but you might find it there.”
In the Haverstraw town police records office, a woman said arrest records were released only by subpoena, adding under her breath that the requester “must be crazy.” After speaking to a dispatcher, a sergeant and two lieutenants, the reporter was told to put the request in writing. Six business days later, the reporter received a fax containing information on the arrest of a 17-year-old.
Of the 27 departments audited, 17 required written requests. Although the law states that such requests must be acknowledged within five business days, eight of the police departments still have not replied. Of the nine that did, two denied the requests, four complied, and three released general arrest information but did not provide the names and addresses of suspects.
Twelve of the police departments visited are accredited as meeting a series of standards established by the state Division of Criminal Justice Services. Accredited departments are supposed to have policies for FOI requests that comply with New York Fair Trial/Free Press guidelines, which say that arrest information is public. Only five of the accredited departments filled the newspaper’s information request.
“I’m not surprised,” said Brian Nickerson, director of Pace University’s Michaelian Institute for Public Policy and Management. “The initial reaction by police to any public request for information tends to be negative. It’s probably a combination of policy and ignorance.”
Since the Sept. 11, 2001, terror attacks, he said, “Police have used the terror threat as a way to get around releasing information. … They’re overly suspicious of public requests for information and overly cautious about how they deal with those requests.”
Harrison Police Chief David Hall agreed that “there’s a lack of awareness,” when he was informed that his desk sergeant had told a reporter arrest information could be obtained only by filing a FOI request “directed to the state, or at least the county.”
Hall said that if the request had reached him, he would have released the information.
“Obviously, our guys should know what the law is,” he said. “If you’re telling me that they don’t, I guess I’ll have to do a better job training them.”
Dobbs Ferry Police Chief George Longworth, attorney for the Westchester police chiefs association, said the Journal News audit “will certainly be a topic at our next meeting.”
Greenburgh Police Chief John Kapica, whose department provided arrest data, said he makes it a point to keep up with the FOI Law.
“We believe in giving the information out if it’s legally permissible,” Kapica said. “People do have a right to know who has been arrested in their community.”
Nickerson, of the Michaelian Institute, said change must come from the top.
“I think that police departments will continue to be overly cautious about releasing information unless they have leadership that emphasizes a more open policy and back that up with training,” he said.
Tags: Government & Politics · Police, Law, & Justice · Scary Stuff
Some of you know that I take surveys as a source of supplemental income. Let me state at this point that I did not join such a program because I received a spam email about it. When you receive spam mails telling you that you can make money by taking surveys, what really happens is that you submit a profile about yourself — name, address, age, interests, etc. — and they sell that information to marketers. You will never take another survey, they just take the data you provided and sell it to other companies interested in selling you something.
Tags: Business · Complaint Department · My Thoughts
With all the development that I’ve been doing lately on the AIM(R) Privacy Management software, I haven’t had much time to do the things that I enjoy. Namely, that means that I haven’t been messing around with websites and other random computers connected to the internet like I used to. But last night, I had a peculiar task that I set out to accomplish.
I was wondering what it would take in order to ‘hack’ a cookie. A cookie is supposed to be a piece of data placed on your computer by a remote website that your computer retains for future visits. Cookies allow sites to remember your name, for example. They sometimes also retain login information. This is where the vulnerability exists. A common method of storing authentication data in cookies is to store a username cookie, and a password cookie. Each time you visit the page, your browser sends those cookies, thereby automatically logging you in. Cookies, like all data sent via the HTTP protocol, are transmitted in plain text (unless of course you are visiting a website where the address begins with ‘https’ rather than ‘http’). Because this information is transmitted in plain text, anyone connected to the same network hub or on the same wireless router could easily view the contents of the transaction between your computer and the remote computer.
Sometimes, webmasters protect against accidental disclosure of your password as it is stored in cookies by using a technique known as ‘hashing’. Hashing is a one-way transformation that converts your password into a garbled string that is machine readable but not intended for reading by humans. Most hashing algorithms are considered to be secure enough. The problem lies then in the fact that the hashed password is then transmitted in plaintext. A hacker would then have to take that plaintext hash and transmit it directly to the remote computer without having the remote computer attempt to re-hash that data. But, since the cookie on your hard drive is already hashed, all they really have to do is figure out how to transmit that hash as if it was a cookie stored on their computer.
Last night I actually wrote a PHP script that accomplished such a task, allowing me to transmit whatever cookies I wished to a remote website, then displaying the website in my browser. Shortly after, I found a plugin for Mozilla Firefox that allows you to not only view the cookies stored by a remote computer, but also edit them and delete them. I cannot emphasize the importance of this enough — cookie authentication is no longer a viable method of access control. An attacker merely needs to intercept a single packet containing a transaction in order to compromise the user’s account on the remote system. The problem is that now an attacker no longer needs programming or hacking skills and merely needs to be able to run both Ethereal and Mozilla Firefox and use basic copy and pasting techniques.
The experiment I performed last night involved a popular site for college students, TheFaceBook.com. With permission, I monitored a friend’s ethernet connection using Ethereal and a Motorola WN825G Wireless Notebook Adapter. Within seconds, I saw a single transaction between my friend’s computer and thefacebook.com. To some users, what was spat back out on my screen was garbage. But inside the HTTP header was a line that began with the word “Cookie:” and what followed was the data that their browser was transmitting to thefacebook.com. It appeared slightly similar to what is below (although I changed some numbers to make this data worthless):
Cookie: c_user=16153600; host=69.28.179.37; db=rpi; check_val=123639; c_code=11eacb6942f93e913f388b76ccbea0142;
Obviously, we can see a few useful pieces of information including the user number, ‘c_code’ and ‘check_val’. Both of the last two values are likely used to verify the identity of the remote user. However, within seconds, I had successfully manually entered those cookies into Mozilla Firefox using the Add N Edit Cookies extension. I typed in the address that their computer had requested — http://rpi.thefacebook.com/mailbox.php — and was immediately greeted by their message history. I was logged into their account without having any questions asked.
The moral of the story? Well, for most people, there is none. The problem is not with the users, it is with the developers. We must find creative solutions for these problems, or collectively agree to use HTTPS for even slightly sensitive data even though it incurs a higher processing cost. With HTTPS, the contents of these packets would be theoretically almost impossible for an eavesdropper to read. And without the data that I was able to sniff out above, this entire experiment would be moot. If you are interested in hacking cookies or forging cookies or even just experimenting with the cookie values other sites leave you, check out that Add N Edit Cookies extension for Firefox. And, of course, if you’re not using Firefox, you should switch away from Internet Explorer today!
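For developers, the difference between the hashed-password cookie described above and a server-side session can be shown in a few lines of Python. This is an added example, not code from this post or from any site it mentions: the account table, the `SessionStore` class and the use of SHA-256 are assumptions made for the illustration, and `c_user` and `c_code` are borrowed from the captured header only as cookie names.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed account table for the demo. SHA-256 stands in for "a hash";
# a real site would store a salted, slow password hash instead.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def password_ok(user, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, USERS.get(user, ""))


# --- Weak scheme from the post: the cookie itself is the credential --------
def weak_login_cookies(user, password):
    """Cookies a site using the hashed-password scheme would set."""
    if not password_ok(user, password):
        return None
    return {"c_user": user, "c_code": USERS[user]}


def weak_is_authenticated(cookies):
    # The server never sees a password here, so any client presenting the
    # same bytes is accepted. Nothing expires, nothing can be revoked, and
    # the cookie also exposes the hash to offline guessing.
    stored = USERS.get(cookies.get("c_user", ""), "")
    return bool(stored) and hmac.compare_digest(cookies.get("c_code", ""), stored)


# --- Hardened scheme: random token, server-side state, HTTPS-only cookie ---
class SessionStore:
    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, expires_at)

    def login(self, user, password, now=None):
        if not password_ok(user, password):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unrelated to the password
        self._sessions[token] = (user, now + self.ttl)
        return token

    def set_cookie_header(self, token):
        """Set-Cookie value. Secure keeps the browser from sending the token
        over plain HTTP; HttpOnly hides it from page scripts."""
        cookie = SimpleCookie()
        cookie["session"] = token
        morsel = cookie["session"]
        morsel["secure"] = True
        morsel["httponly"] = True
        morsel["samesite"] = "Strict"
        morsel["path"] = "/"
        morsel["max-age"] = self.ttl
        return morsel.OutputString()

    def user_for(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # expired tokens are discarded
            return None
        return user

    def logout(self, token):
        self._sessions.pop(token, None)  # a copied token dies with the session


def demo():
    """What a copied cookie is worth under each scheme (constructed data)."""
    t0 = 1_000_000.0  # fixed clock so the result is reproducible
    copied = dict(weak_login_cookies("alice", "correct horse"))
    store = SessionStore(ttl_seconds=1800)
    first = store.login("alice", "correct horse", now=t0)
    second = store.login("alice", "correct horse", now=t0)
    header = store.set_cookie_header(first)
    in_window = store.user_for(first, now=t0 + 60)
    after_ttl = store.user_for(first, now=t0 + 1801)
    store.logout(second)
    return {
        "weak_copy_accepted": weak_is_authenticated(copied),
        "cookie_header": header,
        "token_in_window": in_window,
        "token_after_ttl": after_ttl,
        "token_after_logout": store.user_for(second, now=t0 + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The session token is only as private as the channel it travels over, which is why the `Secure` attribute and HTTPS go together with the server-side expiry and logout.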
Tags: Computers · pwn3d! (Hacks and Tricks) · Scary Stuff · Technology