So, remember all the hubbub about WoW Glider – the automated “botting” tool that automates the playing of World of Warcraft?

If you missed the story, it went like this:  Blizzard (the folks who make the highly-popular World of Warcraft) sued Glider for circumventing “Warden” – their on-board protection mechanism designed to keep people from doing stuff like building botting software to violate their terms of service.  Anyway, Glider has been unable to continue selling their software for the purposes of playing WoW since 2007, as the case makes its way slowly through the appeals process.

The other day, a federal appeals panel upheld the decision that Glider violates the anti-circumvention provisions of the digital millennium copyright act.  It’s interesting.  Some folks hold that when you buy a piece of software that you should be able to do whatever you want with it.  It’s a position I generally sympathize with.  But it turns out that when someone puts a provision in to keep you from doing a particular thing, they have the voice of the law behind them.  No matter how well the technical underpinnings of the protection mechanism are or not implemented.

I’m not surprised this played out the way it did I have to say, but it’s interesting nevertheless.

Note: originally ran Dec 16, 2010

So, remember all the hubbub about WoW Glider – the automated “botting” tool that automates the playing of World of Warcraft?

If you missed the story, it went like this:  Blizzard (the folks who make the highly-popular World of Warcraft) sued Glider for circumventing “Warden” – their on-board protection mechanism designed to keep people from doing stuff like building botting software to violate their terms of service.  Anyway, Glider has been unable to continue selling their software for the purposes of playing WoW since 2007, as the case makes its way slowly through the appeals process.

The other day, a federal appeals panel upheld the decision that Glider violates the anti-circumvention provisions of the digital millennium copyright act.  It’s interesting.  Some folks hold that when you buy a piece of software that you should be able to do whatever you want with it.  It’s a position I generally sympathize with.  But it turns out that when someone puts a provision in to keep you from doing a particular thing, they have the voice of the law behind them.  No matter how well the technical underpinnings of the protection mechanism are or not implemented.

I’m not surprised this played out the way it did I have to say, but it’s interesting nevertheless.

Wow.  It hurts to be ACS:Law right now.  In case you don’t follow this stuff, they’re the firm going around targeting people for violating copyright on movies and songs.  Needless to say, they’re pretty unpopular in some circles for it… but at the moment, they’re reeling themselves instead of putting the hurt on others.

The backstory is that the other day these guys got DDoS’ed by folks from 4chan – again because of their copyright shenanigans.  At the time, we were surprised the other day about how cavalier these guys were being about the DDoS and we speculated how being a Luddite was working in their favor.

But now that’s all changed.  Somebody coincidentally (ahem) broke into their site, stole data, and subsequently distributed it publicly.  Turns out what they distributed was a database of the 5,300 people sharing adult films online.  Of course, the folks on the list are understandably a little PO’ed.  As to what motivated the attack?  Presumably the attackers did this because they weren’t getting traction on the denial of service front.

And this tactic – the disclosing the database approach – as it turns out was a pretty effective in causing a wall of pain to ACS:Law.  ACS:Law is not only facing questions by UK’s Information Commissioner,  but potential legal action from Privacy International and up to 500k GBP in fines as well.  Ouch.

This is of course all very interesting to those of us on the sidelines, but it does raise an interesting point that folks aren’t really covering.  Put aside for a moment the “stick it to the lawyers” on the one hand and the “but what about owner’s rights” on the other.  Consider instead what these events mean to the attackers. Specifically, what does it mean that an attacker – for the first time as near as I can figure – turned breach disclosure into a vehicle for direct financial attack against an enemy?

Think about it this way: you leak regulated data, you are culpable… potentially for fines, civil liability, public ill-will, and increased regulatory overhead (like additional PCI reporting requirements).  In other words, it’s a pretty hard financial hit.  Rightfully so in the case of a firm that’s negligent.  But what happens if the person attacking you is motivated by causing you financial damage?  In other words, your firm has controls and security practices that are industry standard (i.e. they suck but are no worse than the next guy) and you just happen to get hit because someone hates you…

What does it mean for industrial sabotage?  For extortion?  All of a sudden, circumstances are such that someone with an ill intent can directly cause financial damage to others…. damage that looks like it could be pretty significant.  All of that is pretty scary when you stop and think about it.

I’m wondering how many people are setting up black market services to do exactly this at this very moment?

As some of you may or may not know, I’ve been following with interest the progress of Lawrence Watt Evans’ Spriggan Experiment. For those of you who aren’t familiar with LWE, he is a fantasy/sci-fi author whose cannon includes a number of titles that I think are exemplary; his writing style is informal and fun, and he’s the master of the super-interesting premise – “The Cyborg and the Sorceror” for example is a wildly creative idea and one that I think has been under-received by the sci-fi community.

So what does this have to do with information security? About a year ago, LWE decided to use Schneier’s Street Performer Protocol for the distribution and authorship of a new book in one of his series. Because he’s cool as shiz, he even answered some questions for us about the process and his use of the method. Well, apparently the experiment worked; so much so that he’s decided to release another book that way; even more interesting is that he’s put up a blog for reporting progress and (hopefully) where he’ll post his thoughts about the process.

So, needless to say I’m excited. I’m wishing him the best on this project and hopefully it’ll be economically successful enough that he’ll keep going… and going… and going…

As a side note, the image above is cover-art from the last serial he put out (linked to the image on his site.) I highly encourage fans of sci-fi to check it out; after all, it’s free to read.

Something is seriously wrong with the MPAA… You’ve probably already heard about the recent MPAA decision to sue people for linking to stuff. If you haven’t heard about this foolishness, it’s worth looking it up… About a month ago, he MPAA decided to sue a basketful of Usenet and Torrent related web sites for facilitating illegal downloads. What’s really strange about the Torrent stuff is that they don’t host or transmit copyrighted material – they link to it. So, according to the MPAA, if you tell somebody where to go to get pirated material, you immediately become part of the illegality. To use a physical-world analogy, if somebody comes up to you on the street and asks where they can buy a pirated DVD of “The Little Mermaid”, you’re doing something illegal if you say something like “try asking that dude with the movie table down on 5th Ave”.

But I digress. The point isn’t about that stuff… It’s about the completely crazy event that came to light yesterday about what the MPAA has been doing to support the case against these guys. Apparently, according to a complaint from yesterday, the MPAA has hired a hacker to break into TorrentSpy’s computer equipment, steal proprietary information, dumpster-dive, and so on. Creepy. Without TorrentSpy’s claim to have the documented agreement between the hacker and the MPAA rep, I would suspect someone of making this stuff up. I guess we’ll see how concrete the documentation is as the trial gets underway.

I’ve said it before, and I’ll say it again: there’s nothing more dangerous than an idiot with initiative. Sony is now recalling all CD’s protected by their controversial DRM technology. This is probably a good thing, since folks digging around the uninstaller noticed the fact that the rootkit removal tool is itself a rootkit.

No, seriously – it’s an ActiveX, it’s marked “safe for scripting,” and the developers broke one of the cardinal rules of ActiveX – i.e. if you say it’s “safe”, it shouldn’t for example be able to connect to an arbitrary Internet site, download software, and execute it. Ouch. As a former developer, I can tell you “never do that”.

In other news, BlackHat just got bought by the folks that brought us CSI.

Last week gave us an interesting behind the scenes look into how content companies approach the ongoing copyright debate: we saw the Sony rootkit get exposed by the technology community, judged in the court of public opinion, and subsequently get left on the side of the road. So now Sony has promised to keep their CD’s free of noxious content (at least as far as software goes – Ashley Simpson will apparently keep singing.) Everyone seems to be doing their victory dance, but I’m curious – how much did consumers really win? Was it a “confetti in the streets” victory – or maybe just a “Miller time” sort of victory? My apologies if I seem to have a negative outlook, but my quick take is that as far as things go, we won a “MillerTime” (kiddie size) sort of victory – if even that.

First and most importantly, we won nothing on the “fair use” front. It would seem to me that Sony maintains the same vise-like grip on when/how you play your music as they did yesterday. They just removed one of their technical controls. Do their rights change without the technical enforcement? If there’s a cop sitting on the side of the road looking for speeders, does it become legal to speed when the cop pulls away? Clearly not. In other words, consumers are in the same position relative to Sony as they were before. Nothing’s changed. In my opinion, the issue is that Sony felt it had the right to do what they did in the first place. I doubt that they’re view of that has radically changed since they made their decision.

We got zilch on a technical front. The fact that this particular rootkit on this particular platform is gone doesn’t mean that there aren’t other technologies waiting in the wings that take away your control over a device you own… What’s to come will take away our control just as effectively as Sony’s rootkit, but will be forwarded by the technology. Mark my words, by the time DRM comes around, it will be so hidden inside something legitimate that we’ll be begging for it to happen.

So, no – I don’t think this was much of a victory. Sorry to disappoint.

All of us are following the Sony DRM “rootkit” issue, right?

Since this story broke, I’ve been asking the question if Sony’s DRM software is going to be considered “malware” by the AV/spyware players. CA has answered that question for us, and the answer is “yes, it most certainly is”. They’ve added it to the CA Spyware Encyclopedia, and has given it a very thorough analysis.

This is a good move for CA in my opinion; the home and corporate buying public has spoken loud and clear about their feelings about this software and I think CA is heeding that sentiment. Take 5 minutes and look through the ocean of responses and comments to Mark’s SysInternals blog entries – note how many are from administrators experiencing pain:

I’m just some network admin. Just a couple hundred users, a few servers, nohting special. I’ve encouraged users to bring CD’s in to work if they want to listen to music ’cause I don’t really have the bandwidth to support a lot of streaming content. Silly me.

or

I am sysadmin … This Sony’s Rootkit just makes my work harder… Having this program installed calling home is a security risk that no sysadmin can take, period. No matter how you call it: rootkit, DRM, etc. It opens a door in an already difficult to secure OS.

I know what side I’d want to be on if I were an anti-spyware player. Kudos to CA for reading the market and taking a stand.

In case anybody’s paying attention, Grokster has shut their doors. Their website is down and their service is inaccessible. I guess everybody already knew this was coming, so there should be no surprises.

On a related note, Ed Felten has an interesting take on some of of the recent RIAA legal activity here.

Hey, feel like getting angry? Worth reading is Wired’s take on the litigation activities of the RIAA. They’re apparently “cracking down” on the criminal masterminds of digital piracy; namely: single moms, the disabled, and the elderly. Looks like Granny Crabtree’s been downloading Jim Nabors hymns again – maybe 10 years on a chain gang will turn her off her wicked ways…

My favorite part of this is where they go after the disabled single mom for a million in damages:

“I don’t even know how to download music,” said Tanya Andersen, a disabled single mother from Oregon who lives on Social Security benefits. “The user names (they cite) I have never heard of.”

Andersen is one of three single parents claiming to have been erroneously identified as an illegal music trader by a law firm representing RIAA interests, which is seeking more than $1 million in damages — $750 for each of the 1,400 songs Andersen allegedly shared.