Censorship

Developing Subversive Software? 258

e_lehman asks: "Software development is increasingly subject to corporate legal harassment. Suppose I want to write a program that I know corporate America won't like without being sued or arrested. How do I covertly find collaborators? How do I distribute the code? How can I distribute patches? How can I get user feedback and contributions? How can I prevent someone with a lot of resources from tracking me down? Producing "subversive software" must appeal to a lot of frustrated Slashdotters these days. How would you really go about it?"

"Examples of the problem are familiar: development of DeCSS brought police to Jon Johansen's home (Interestingly, Jon's two collaborators remain safely anonymous). Distribution of DeCSS brought onerous MPAA litigation down on 2600 and others. Development of CPHack landed Matthew Skala and Eddy Jansson with a suit from Mattel. Distribution of a driver for a barcode reader has put Michael Rothwell under legal duress. Openly defying corporate bullying is important, but grueling. Coding shouldn't always risk martyrdom.

Here are some stray ideas and questions in this vein:

  • A program could be introduced to the net via a public access terminal. How common are these? Where are they? Is it easy to upload code? How do you then anonymously publicize your program?
  • Code could initially be distributed in encrypted form with its function only loosely described. Lawyers would have no solid target until the key was released, which could happen once that cat was safely out of the bag-- say, after a hundred downloads.
  • Do compilers slip information into binaries that could be used to identify the author? For example, do MS compilers sneak a registration number in there somewhere?
  • Version 1.0 could include a cryptographic hash of a text message included in version 1.1, version 1.1 could include a hash of a message appearing in 1.2, and so on. This would let users know that a newly posted version was indeed from the original authors, without identifying those authors.
  • Gnutella and Freenet are obvious distribution models. But surely RIAA and the MPAA are scrutinizing them for vulnerability to legal bombardment. Will they really hold up? A sort of free-for-all model worked for distributing DeCSS; could that work routinely?

How would you go about developing, distributing, and maintaining 'subversive software'?"
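The version-to-version hash commitment proposed in the list above, worked through as an added example (not code from the submission): each release carries the SHA-256 of a message that only the next release reveals, and a user walks forward from a copy they already trust. The `Release` layout, the function names and the sample messages are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


def commit(message: bytes) -> str:
    """Commitment published in release N for a message revealed in release N+1."""
    return hashlib.sha256(message).hexdigest()


@dataclass(frozen=True)
class Release:
    version: str
    payload: bytes            # the distributed code (constructed sample bytes here)
    reveal: Optional[bytes]   # message the previous release committed to
    next_commit: str          # SHA-256 of the message the next release will reveal


def make_chain(payloads: List[Tuple[str, bytes]],
               messages: List[bytes]) -> List[Release]:
    """Author side: messages[i] is committed to by release i and revealed by
    release i+1; the last message stays private until the following release."""
    if len(messages) != len(payloads):
        raise ValueError("need one future message per release")
    chain = []
    for i, (version, payload) in enumerate(payloads):
        reveal = messages[i - 1] if i > 0 else None
        chain.append(Release(version, payload, reveal, commit(messages[i])))
    return chain


def is_successor(trusted: Release, candidate: Release) -> bool:
    """User side: does the candidate reveal the message the trusted release
    committed to? Uses a constant-time comparison of the two digests."""
    if candidate.reveal is None:
        return False
    return hmac.compare_digest(commit(candidate.reveal), trusted.next_commit)


def count_verified(anchor: Release, later: List[Release]) -> int:
    """Walk forward from a trusted anchor; stop at the first broken link."""
    current, accepted = anchor, 0
    for release in later:
        if not is_successor(current, release):
            break
        current, accepted = release, accepted + 1
    return accepted


# Constructed sample data: three releases and the messages that link them.
SAMPLE = make_chain(
    [("1.0", b"payload-1.0"), ("1.1", b"payload-1.1"), ("1.2", b"payload-1.2")],
    [b"note shipped in 1.1", b"note shipped in 1.2", b"note held back for 1.3"],
)

if __name__ == "__main__":
    print("links verified from 1.0:", count_verified(SAMPLE[0], SAMPLE[1:]))
```

The commitment covers only the message, not the payload, so once a message has been revealed any copy that repeats it passes `is_successor`; the check vouches for the first copy a user obtains, not for later ones.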

This discussion has been archived. No new comments can be posted.

  • by dangermouse ( 2242 ) on Saturday September 09, 2000 @07:57AM (#792100) Homepage
    I can see the charge now: "Conspiracy to Do Something"
  • by legoboy ( 39651 ) on Saturday September 09, 2000 @08:01AM (#792101)
    I don't know about how the BBS scene is these days, but up until when I closed my own board, most BBSes didn't keep very detailed logs. To provide an example, I had nothing more than when the last time a user logged in was and who were the previous five callers. Nothing whatsoever about who uploaded what file.

    Don't the groups that actually put out "warez" still use an elaborate BBS-based scheme before it gets onto the internet in general?

    --
  • Perhaps using one of those "Free" ISPs you can distribute your software fairly anonymously over IRC, DCCing it to interested parties, perhaps getting it distributed in a "warez" channel, etc.

    IRC would at least be a good "injection" point for the software, then advertising on usenet etc.

  • Could be used at least to publish initially, and possibly for ongoing development.

    usenetserver.com [usenetserver.com] (and I'd imagine most others) for eg doesn't keep logs of who posted what, so any trail back to you is broken there.

    Need someone to start a comp.software.persecuted newsgroup for all these types of things.

    It would also seem a good way to distribute as it will be mirrored worldwide very quickly after being posted.

  • CPHack/DeCSS and similar software have problems that revolve around a single issue: there is some sort of secret that needs to be protected/suppressed, e.g. decryption code. This sort of functionality can sometimes be factored out, into a plugin of some sort. All the grunt work like a GUI, website, mailing lists, etc can be neutral (e.g. "a program to decrypt arbitrary blocking lists"), which couldn't be touched. Then you can release the legally-dubious code by using an anonymous remailer/usenet gateway, in plugin format. Sure, it might be obvious that the same people wrote the plugin, but the lawyers can't prove it, assuming you've done a decent job with the remailer.

  • by dangermouse ( 2242 ) on Saturday September 09, 2000 @08:07AM (#792109) Homepage
    The problem is this: if these files are originating at a BBS, the Man can just make that BBS' owner *start* logging or shut down. You can't have a single, stationary point of injection that can be traced to a person any more than you can just post it under your real name, because the effect is the same.

    What's needed is a way to set up a "front" site and post your code there, without either being traceable to you, and without ever using the same front site twice. That way they can't catch you when you come back, since you don't.
  • by BrynM ( 217883 ) on Saturday September 09, 2000 @08:08AM (#792110) Homepage Journal
    It seems that when a corporate entity wants to take code down, they make you out to be a (somewhat) lone cracker (they think hacker is the same thing). I don't think we can combat this effectively without banding together. It's far easier to prosecute 3 or 4 people than it is to prosecute an entire community.

    Are these "divide and conquer" tactics working? Well, they are altering YOUR methods already. If they didn't work, you wouldn't have to ask your question.

    Perhaps this is a question you should take up with the EFF or some other such body. They could use as much help as you can give.

    bm :)-~

  • There's a difference between lawless and free. Last time I checked, members of the Russian media were being arrested and the state was taking over control of television stations and newspapers.
  • by Money__ ( 87045 ) on Saturday September 09, 2000 @08:11AM (#792112)
    The interesting thing with your question is, you're trying to attract a lot of people without attracting a lot of people. That is to say, you want to attract developers but not law enforcement. In this case, the "publish and subscribe" model of the web and mailing lists is clearly out.

    I would suggest a private, secure newsgroup, hosted on your own machine, to allow only your developers to talk to each other. Think of it as your very own BBS for exchanging information and services. As a matter of fact, a BBS would be a pretty good way to a casual RIAA or MPAA port sniff. So ask your developers to dial into your box direct and keep it off the net.

    As far as attracting new developers, this one is a little different. They can't join a team they don't know exists, so look for trade mags and cheap "alternative newspapers" that have a lot of er umm "escort services" advertising in them. If they can advertise without getting investigated, so can you. Getting their attention without tipping off "the man" won't be easy. It's a lot like winking in the dark. Sure, you know you're doing it, but does anybody else?

  • by www.sorehands.com ( 142825 ) on Saturday September 09, 2000 @08:14AM (#792115) Homepage
    In a "free country", you can take three tacks.

    1. A school project, done for educational purposes.
    2. Take the high road and make it an issue of rights.
    3. Take it underground, and go through multiple anonymizers.

    I have taken, and prefer the high road. Hiding will give the enemy ammunition that you are hiding, therefore knowing it's wrong.

    If you do something with the belief that you are right, then stand up for what you believe. It's not easy, but large corporations can be fought and you can win. Though some will refer to you as a crackpot.

    If you go "underground" anyone who knows can always surrender your name. You can always submit it to a rogue server from a cash paid public terminal. Use the Gnu or Watcom compiler to make sure that there is no embedded identification code in the executable.

  • Except for the fact that a large percentage of the world's population is not in fact under US jurisdiction.

    And how is this front site any different than distributing to some BBS which you chose at random? Anonymity on the Internet is a myth. So many logs are kept of assorted kinds of traffic that I would never dream of doing anything more illicit over the net than grabbing the odd mp3.

    --
  • What about requiring an EULA saying "blahblahblah I promise not to use this code to do anything evil blahblahblah"? It works for the big boys, why not for us too? If nothing else, it requires their lawyers to jeopardize their own "rights" by challenging the legality of an EULA...
  • by kaphka ( 50736 ) <1nv7b001@sneakemail.com> on Saturday September 09, 2000 @08:19AM (#792122)
    This question sounds a little fishy to me. Maybe it's just my personal opinion, but we aren't ready to go underground yet, are we? For one thing, that would eliminate any sympathy that we might have from the mainstream (it's hard to imagine the public rallying behind a group of anonymous hackers.) Furthermore, our legal system will never change if we simply circumvent it. It's not designed to work that way. Without any (openly) dissenting voices, only the opponents of free speech will be heard. Hiding only reinforces the picture that the government has successfully been painting, of a tiny group of immature hooligans who pay lip-service to "free speech," but really just want to cause trouble.

    I'm sure you all think I'm naive, and I'm underestimating the damage that a lawsuit can do, but it strikes me as incredibly cowardly to do otherwise. Personally, I've sent copies of the musical version of DeCSS (a link would be helpful here) to all my friends, so that they can play it on their radio shows. None of them have blinked. Like most "broadcasters" (including authors), they know that because of their position, it is their duty to be the first line of defense against the thought police.

    (Aside: Why do all my friends have radio shows? Do they hand them out at concerts or something? I want a radio show!)
  • The problem with developing free software is that pretty much anything you write is going to compete with a commercial product and thus draw the ire of some corporation or another. And since there are a lot of corporations and their lawyers poking around on the net these days, it's very easy to inadvertently wander into someone's crosshairs.

    The only method I can think of to avoid having this happen would be to take it underground. It wouldn't be that hard to set up a private, invitation only VPN. Using the web of trust model and the threat of kicking off a node that jeopardizes the rest of the network (By allowing an untrusted leaf to connect through it) we could implement a net away from the common man and the corporate fiends. One pretty much unknown to them. One where we could post program foo without having to worry about getting a phone call from some corporate lawyer the next day, or a week or a month later.

  • I never thought this might be necessary but it seems like we need to teach the corporate community a lesson.

    Do not use any American coders in your open-source project. You heard right, no American coders. Although this might be a bit extreme, it is necessary to prove to the government and to corporations that they are killing the American IT industry. (By American I mean the United States, not Canada or any other country in North America)

    If this does not make the companies get the message, then it's their own fault for killing the economy.
  • It'd still be a little problematic, in that the end-user would have to grab the code fairly quickly...but if you post it regularly -- say, once a week or once a month -- there shouldn't be a problem.

    The advantage is that if it was posted to alt.code.subversive.source from, say, Malaysia, it'd probably propagate to The Rest Of The World(tm) before reaching the US...at which point, it'd be too late for a quick-and-dirty yank of the original posting.

    What you might also consider is making an announcement somewhere about how/where/when it'll be posted -- a pointer in the C sense of the word. "Look for subert.tar.gz in Base64 after the 15th of every month." The announcement could be made in any number of places besides just the newsgroup -- what if we all know that my user info on Slashdot can be checked for when v1.2 is coming out? And let's not forget the Real World. A classified ad in The New York Times would be an effective and fairly international way of announcing such a thing.

  • Have a look at this site [berkeley.edu] for some information about anonymous publishing. I found the method they used quite interesting, not too easy to think of it... But I don't know if there are actually servers available that do stuff like this or if all of this is only purely theoretical... Greetings, Alex
  • Unfortunately, asking questions like these can actually endanger slashdot. Stuff like this would be the first things brought up if anyone tried to make a serious attack (legally or otherwise in the public eye) against slashdot.

    At the same time, I'm glad we can still have this sort of discussion. I'm scared to think that the threat of net censorship could make things like this nonexistent, and I'm thankful that slashdot can cover this sort of material.

    I realize that this is an "Ask Slashdot," and not actually material by the people who run slashdot. So what. Slashdot is run by CmdrTaco and company, but a very large portion of it is defined by the slashdot community.

    In a nutshell, I think everyone should be thankful that we can still ask questions like this.

    Cheers.
  • by Chris Johnson ( 580 ) on Saturday September 09, 2000 @08:30AM (#792131) Homepage Journal
    I'll bet he's plotting a one click web fulfillment system- the bastard! *g*
  • by leo.p ( 83075 ) on Saturday September 09, 2000 @08:31AM (#792133)
    Signal 11 is just trying to be funny. There is a reasonable made in the USA sol'n to this problem.

    Suppose I want to write a program that I know corporate America won't like without being sued or arrested.

    You can send a synopsis of your proposed code and ask specific queries regarding its implementation at the following email aliases (obfuscated to protect the innocent):

    postmaster@[32.96.111.130]
    webmaster@[208.47.125.33]
    jv@[209.67.152.159]
    root@[208.225.90.120]

  • by Col. Panic ( 90528 ) on Saturday September 09, 2000 @08:32AM (#792134) Homepage Journal
    Here is how [eff.org]
  • by CodeRx ( 31888 ) on Saturday September 09, 2000 @08:36AM (#792135)

    Anyone with enough resources will be able to track you down. Big corps usually have good private investigators on the payroll - these guys don't have to play by the rules like the cops/feds do. You can take some steps to make things considerably more difficult, however.

    Use a *good* anonymous remailer [publius.net] in a country other than your own. If possible, use several remailers in several different countries. Distribute your software through Freenet [sourceforge.net] and encourage users to set up mirrors. Use encryption software, such as GNUPG [gnupg.org].

    These suggestions are perfectly legal ways to obfuscate your identity. This is good because if you are caught, there won't be a lot of "enhancement" charges thrown at you (like getting caught with a few grams of pot, a small scale, and a (legal) gun). Depending on exactly how "subversive" this software is, you may decide it's worth breaking a few more laws to reduce your chances of getting caught.

  • Instead of initially transferring it over the net, why not print it out on say paper, or a t-shirt, something along those lines. It is much more difficult to track analog items, just look at paper money for example. Once the code is distributed to enough people the cat will be out of the bag and the people who received the code can start putting it in digital form and on to the internet.

    If you are real ambitious you could hide the code into a picture [kuro5hin.org]. Then if you could get this picture into a highly distributed magazine then everyone would have the code and all they'd have to do is scan it and run it through a program to decode it. This picture method would also work if you want to still use the internet to distribute it, at least it would help a bit.

    I would think if many people have the code before it is posted to the internet it would prove very difficult to prove whose code it is, and they would have to sue every single person who put it up which would take quite some time if they'd even bother.
  • by John Murdoch ( 102085 ) on Saturday September 09, 2000 @08:36AM (#792137) Homepage Journal

    Hi!

    I think you have to decide what you want to do:

    • Run an Open Source project
    • or, write guerilla software

    If you want to run an Open Source project, hey, that's great. But by its very nature Open Source is open--the very opposite of clandestine. If you're going to write clandestine software you need to maintain an absolutely closed development group--you simply cannot tell the world the names and addresses of all the members in your cadre of 3l33t haX0r d00dz.

    Corporations? You're Aiming Too Low
    DeCSS may scare the (few remaining) wits out of the MPAA--but ultimately the MPAA is just a trade organization dedicated to staging an awards ceremony. If you really want to have a little excitement, consider doing something really subversive. Say, develop Arabic-language courseware targeted at girls (particularly Afghan girls). Or Bible-club software in modernized Chinese.

    I have been involved, in years past, with an ad hoc operation that smuggled Bibles and other Christian books into countries where they were (and in several cases still are) considered contraband. The operation was relatively small--because we had limited funds, and because we depended upon people in-country to handle distribution. Our funds were limited by our need for security--if we'd broadcast to the world that we were smuggling Bibles to women in the Persian Gulf the locals might have caught on. Or worse, caught our contact in-country. Security is paramount.

    That said, yes--Microsoft compilers do point to unique identifiers in things like class IDs. A necessary part of the COM interface requires a globally-unique identifier--that identifier of necessity points to your machine. That doesn't make it easy to find your machine--it only means that once the authorities get to your door they can prove that a particular class or DLL was originally compiled there. (That is, it was compiled there first--subsequent compiles on other machines won't change the class IDs, so those later builds will still point to your machine.)
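A way to check the class-ID point in the comment above, as an added example rather than anything the commenter posted: a version-1 GUID (RFC 4122) carries a 48-bit node field, normally the generating host's network-card address, plus a 100 ns timestamp, so a build artifact can be audited for them. The blob, the node value and the date below are constructed; the scan assumes GUIDs stored in the little-endian layout of the Windows `GUID` struct.

```python
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Version-1 timestamps count 100 ns ticks from the start of the Gregorian calendar.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def make_v1_guid(when: datetime, node: int, clock_seq: int = 0x2ABC) -> uuid.UUID:
    """Build a version-1 GUID for the sample data (helper for this example)."""
    delta = when - GREGORIAN_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return uuid.UUID(fields=(
        ticks & 0xFFFFFFFF,                    # time_low
        (ticks >> 32) & 0xFFFF,                # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,     # time_hi with version nibble 1
        ((clock_seq >> 8) & 0x3F) | 0x80,      # RFC 4122 variant bits
        clock_seq & 0xFF,
        node,
    ))


def describe_guid(u: uuid.UUID) -> Dict[str, object]:
    """Report what a GUID discloses about the machine that generated it."""
    info: Dict[str, object] = {"guid": str(u), "version": u.version, "leaks_host": False}
    if u.variant == uuid.RFC_4122 and u.version == 1:
        node = u.node
        # A set multicast bit marks a random node value, not a burned-in MAC.
        random_node = bool((node >> 40) & 0x01)
        info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info["node_mac"] = ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
        info["leaks_host"] = not random_node
    return info


def scan_blob(blob: bytes,
              earliest: datetime = datetime(1990, 1, 1, tzinfo=timezone.utc),
              latest: datetime = datetime(2035, 1, 1, tzinfo=timezone.utc)) -> List[Dict[str, object]]:
    """Slide over a binary and report version-1 GUIDs whose timestamp is
    plausible; the date window filters out chance matches in ordinary data."""
    hits = []
    for offset in range(len(blob) - 15):
        u = uuid.UUID(bytes_le=blob[offset:offset + 16])
        if u.variant != uuid.RFC_4122 or u.version != 1:
            continue
        info = describe_guid(u)
        if earliest <= info["created"] <= latest:
            info["offset"] = offset
            hits.append(info)
    return hits


# Constructed sample: a fake header, one version-1 GUID, filler, one version-4 GUID.
SAMPLE_WHEN = datetime(2000, 9, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_V1 = make_v1_guid(SAMPLE_WHEN, node=0x00A0C9123456)
SAMPLE_V4 = uuid.UUID("3f2b8c1e-5d4a-4e6b-9a7c-0123456789ab")
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 28 + SAMPLE_V1.bytes_le
               + b"constructed filler " + SAMPLE_V4.bytes_le)

if __name__ == "__main__":
    for hit in scan_blob(SAMPLE_BLOB):
        print(hit)
```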

  • by zorgon ( 66258 ) on Saturday September 09, 2000 @08:37AM (#792138) Homepage Journal
    Holdonjustaminutehere, tovarishch:
    You said, "free country"
    DO YOU MEAN free-as-in-BEER COUNTRY,
    OR Free COUNTRY!

    Free countries must use the Gnu Public Constitution(tm), or they're not really Free, merely free!

    {grin}

    WWJD -- What Would Jimi Do?

  • I remember "High Weirdness on the World Wide Web", and one of the things listed was just an IP address. Seems the guy was a sysadmin somewhere that had an extra IP address lying around, and he set up a machine as, I think, an FTP server for various text-files. He couldn't register a name for it, 'cos it would alert the boss, but I guess just the number slipped under the radar.

    So a little gedankenexperiment: You take to work a little palmtop something or other -- actually, this would be a perfect task for a Tiqit computer [tiqit.com] -- hook up a small hard drive (hell, you get 10 meg drives free at Burger King these days), hook it up to the ethernet at work, and stuff it behind some drywall. Voila, instant hidden server. (Best Ron Popeil voice: "Just set it...and...forget it!") You access it from public terminals/net cafes, following the usual precautions (stay away from where you live, pay cash, don't use the same place twice), and you don't keep logs on the damn thing.

    Before the flames start, IANAY (I Am Not Awake Yet), nor do I know much about networking. Is this sort of thing feasible, or is it just another cool idea that is utterly impractical? Anyone?

  • Unfortunately, your compiled code and the compiled plug in code would likely be almost identical, and identifiable. Now, if you obfuscated the code somewhat before compiling, then you could cloud the issue a little.
  • But stole that car, I only got it in my driveway.

    Look at the ruling in both the CPHack case and the DeCSS case. They are using the "working in active concert" bit to stop linking and mirrors.

    The Napster [aclunc.org] is turning around the burden of proof on an infringement case.

    Even so, big companies are using the expense of litigation to beat people into submission. That is why Jon settled with Mattel, not being able to afford to defend it. Not the issue of propriety of his acts.

  • Sweet Skepticism of the Heart --
    That knows -- and does not know --
    And tosses like a Fleet of Balm --
    Affronted by the snow --
    Invites and then retards the Truth
    Lest Certainty be sere
    Compared with the delicious throe
    Of transport thrilled with Fear --

    -------------
    Anonymous Emily Dickinson LIVES!

    Jesus Christ, how in the world did this woman manage to anticipate all these slashdot articles so many decades before they were published? +1, Interesting, +1, Ontopic!

    Another poetry lover remains,

    Gratefully yours, WDK - WKiernan@concentric.net

  • Here's a novel idea. Instead of expending all this effort on hiding from the law, why don't you concentrate on creating some original work that people will want, and making it available under whatever terms you see fit? I realize it's easier and more glamorous to devise a way to redistribute other people's creations against their wishes, but wouldn't you get more satisfaction out of making your own contribution to the world?

    ---------

  • by xercist ( 161422 )
    David Madore [mailto] wrote a paper [eleves.ens.fr] about using XOR to be able to publish information without the author being trackable. I suggest you read it.

    I wrote a program called Pad [lammah.com] which implements this scheme, if you're interested. I also have a public pad repository [lammah.com], one of many repositories which have links on David's page.

    --
  • Yeah, a snake-ball of ten million laws and another million new ones expected by the end of the year, and yet "ignorance of the law is no excuse." Obviously the plan is, a fearful proletariat, each individual subject to arbitrary arrest from any direction at any given moment, will be a docile and productive one. Somehow I doubt this is what Thomas Jefferson had in mind.

    Yours WDK - WKiernan@concentric.net

  • by account_deleted ( 4530225 ) on Saturday September 09, 2000 @08:53AM (#792152)
    Comment removed based on user account deletion
  • A standard corporate tactic, which Mattel tried to threaten me with, is run up the legal bills. Even though they knew they were wrong (why else would they dismiss when a judge asked what's libelous?).

    I caught that Mattel making inconsistent arguments and used it against them. They claimed that they should have an unfettered right to file lawsuits, but they filed (and lost) a lawsuit against someone for filing a lawsuit against them.

  • As far as public terminals go there are probably millions of them. Here are a few
    • Libraries
    • Cyber Cafes
    • Schools
    Unfortunately you do not have control of where your "subversive" software is going to go. Though I think piracy is one of the best things in the world for a software company (look at what doom did for id) when you are writing war programs and hacking programs and they are good they take on a life of their own... A long time ago I wrote a simple mail program (that didn't have good intentions hehe) and gave it to one friend. About 2 years later I was looking for war scripts for irc and about 7 out of the ten that I checked out came with my lil old program (that didn't have good intentions). This is from writing a simple program for my use and that of that one friend I let use it. I had no control of it. Information is free and wants to be seen. It will find its way to the masses if it can...
  • by Poligraf ( 146965 ) on Saturday September 09, 2000 @09:00AM (#792156)
    Do you know that the phone company has a log of all phone calls going through its system ???

    This way a small BBS will be "decrypted" immediately; FBI just needs to run a query like:

    SELECT DISTINCT originating_number
    FROM all_phone_calls
    WHERE target_phone_number = :bbs_number;

    against the phone company's data warehouse.
  • Go to IRC meet some geek from Europe. PGP the source and send it to him. He can then safely redistribute it (because he lives in a free country). The net is so large and if you are careful there is no way they can catch you. Good luck!
  • Ah, that's true. I thought you meant picking a BBS and using it for all of your distribution. You're right about the logs, but if you upload from public terminals, etc. you should be okay.

  • by Ars-Fartsica ( 166957 ) on Saturday September 09, 2000 @09:12AM (#792164)
    Firstly, a corporation is behind some of the most subversive software [napster.com] of our times - if there's money to be had, someone, some company will back you.

    You seem to have an overly high opinion of the "conformity", if you will, of corporations. There are companies that let you gamble and buy drugs, steal music and videos, and hire prostitutes, all over the web.

    What on earth could you be doing that is worse than this?

    I have a funny feeling that you're a minor-league developer who has let the slashdot "black-helicopter" club feed your paranoia.

  • by maynard ( 3337 ) on Saturday September 09, 2000 @09:13AM (#792165) Journal
    Don't bother with setting up an FTP site, CVS Server, et al. Here's how to do it so that each collaborator is completely anonymous while everyone in the group maintains certainty of authenticity both by authors in the source tree:
    • Start with an anonymous remailer as described in The Anonymous Remailer FAQ [andrebacard.com].
    • Next, create a NEW PGP key (that's not related to your name, DUH!) and upload it to one of the many PGP Keyring servers, such as at pgp.mit.edu.
    • Next, create an internal CVS tree with your source code. Tar it up, split it, md5sum the file, and attach both to a mail message pgp signed with your anonymous key. Mail this to the remailer with a USENET news header of your favorite newsgroup (make certain all your friends know the correct newsgroup to peruse).
    • Now, all your friends need only suck down the attachment from the agreed upon USENET newsgroup and create their own CVS trees.
    • They all follow the same steps, only they post patches, along with an MD5 sum of the patch+original CVS source tree (tar'd, or individual file)... (this way you know when you're applying the patch that it's against a current revision).
    There you go, because you're using an anonymous remailer it's completely anonymous. Because everyone is signing the USENET post with their (anonymous) PGP keys it's absolutely certain proof of authenticity from the author, and because you're MD5 summing either the source tree tarball or individual files you can be certain that the patch is against a particular revision of the source tree/file.

    Answer your question?
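The base-revision check from the last step of the comment above, as an added example that is not the commenter's code: each patch announces the digest of the tree it was made against, and the receiver refuses it when the local tree differs. SHA-256 is swapped in for the MD5 named in the comment, signature verification is assumed to happen separately, and the `Patch` structure, function names and sample trees are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

Tree = Dict[str, bytes]   # path -> file contents


def tree_digest(tree: Tree) -> str:
    """Digest of a whole source tree, independent of file ordering.
    Paths and contents are length-prefixed so that moving bytes between a
    file's name and its contents always changes the digest."""
    h = hashlib.sha256()
    for path in sorted(tree):
        name = path.encode("utf-8")
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(len(tree[path]).to_bytes(8, "big") + tree[path])
    return h.hexdigest()


@dataclass(frozen=True)
class Patch:
    base: str                              # digest of the tree the patch was made against
    changes: Dict[str, Optional[bytes]]    # new contents per path, None = delete
    result: str                            # digest of the tree after applying


class StaleBaseError(Exception):
    """The local tree is not the revision the patch was made against."""


def make_patch(old: Tree, new: Tree) -> Patch:
    changed = {p: new.get(p) for p in set(old) | set(new) if old.get(p) != new.get(p)}
    return Patch(tree_digest(old), changed, tree_digest(new))


def apply_patch(tree: Tree, patch: Patch) -> Tree:
    if tree_digest(tree) != patch.base:
        raise StaleBaseError("patch was made against a different revision")
    out = dict(tree)
    for path, data in patch.changes.items():
        if data is None:
            out.pop(path, None)
        else:
            out[path] = data
    if tree_digest(out) != patch.result:
        raise ValueError("patched tree does not match the announced result digest")
    return out


# Constructed sample revisions of a two-file tree.
REV1: Tree = {"Makefile": b"all: tool\n", "tool.c": b"int main(void){return 0;}\n"}
REV2: Tree = {**REV1, "tool.c": b"int main(void){return 1;}\n"}
REV3: Tree = {"tool.c": REV2["tool.c"], "README": b"build with make\n"}

if __name__ == "__main__":
    step = make_patch(REV2, REV3)
    print("applies to REV2:", apply_patch(REV2, step) == REV3)
    try:
        apply_patch(REV1, step)
    except StaleBaseError as exc:
        print("rejected on REV1:", exc)
```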
  • by StormyMonday ( 163372 ) on Saturday September 09, 2000 @09:14AM (#792166) Homepage
    This is a very good question. The main applications that I see would be designed to get around the Draconian intellectual property laws that Corporate America is buying for itself.

    * Anonymous distribution of "embarrassing" materials. Model here is the "Church" of Scientology's (tm) "copyright trade secret" "scriptures". They have established a precedent that, if somebody releases private material showing evidence of a crime, the IP issue of releasing private material takes precedent over any crimes that that material might provide evidence for.

    * Code that enables small-scale, not- for- profit sharing of things like recordings and movies. Right now, I would *not* want my name associated with an MP3-sharing program.

    * Code that enables use of IP things in ways that the "owners" don't approve of. An example would be bypassing the "fast forward cutout" on some DVDs. Yes, fast forwarding through commercials is a "crime" now.

    * The way that things are going, "reverse engineering" of any kind will soon be illegal. See the discussions on the "CueCat" and the hoohah about figuring out what CyberSitter et al actually filter out.

    Anyway, the way the laws are currently written, any time you do something that a big company doesn't like, they can simply sue you into oblivion. Anonymous software distribution gives you a way of getting your stuff out there without painting a target on yourself.

  • Is it still possible to send out tarballs & updates to a binary newsgroup through the anonymous remailer systems?
  • We're not hiding, we're attempting to preserve some freedoms.

    I think the request arises from the sense that so much of what we do on the Net is monitored and/or discoverable after the fact, via technical or legal means. Freedoms that we take for granted in the "real" world - the ability to have a private conversation with someone, for example - largely don't exist when we're on the Net.

    For those of us whose lives are heavily intertwined with the net, this is rather disturbing, and it's only natural - and important! - to think about how these controls could be circumvented if it became necessary.

    The politicians, bureaucrats and lawyers are busily trying to create a world in which criminals can't function. Unfortunately, at the same time, they're creating a world in which everyone is potentially a criminal (copying a DVD for a friend qualifies now, under the DMCA.) The result has the potential to be quite scary, even for law-abiding citizens.

  • Yeah I only read that after I posted, although I'd say 48 hours isn't too bad as generally the people who try to censor this sort of thing take a while to catch on.

    Then again you'd have to be sure they DO delete the logs, and if someone was really after you they could possibly recover them.

    Then again there's quite a few usenet servers out there (including a lot of open ones), should be one that doesn't log.

    If I thought someone was seriously after me though I'd think I'd only use this along with a few other links and fire breaks though.

  • If there aren't systems in place to do things anonymously, there should be.

    In an ideal world, there shouldn't need to be any reason to hide from the law, and, for the protection of the people, hiding from the law shouldn't be allowed. Of course we don't live in such an ideal world, but that's no excuse to just give up and assume that this can't be changed. Like the Suck.com article pointed out, if we don't work within the system we will be crushed by it.

    --
  • by skoda ( 211470 ) on Saturday September 09, 2000 @09:45AM (#792181) Homepage
    My business/legal knowledge is minimal, but I think the safest way is to incorporate yourself, so to speak.

    Create a business, file the proper papers, and have the software be created for the company.

    Generally, the company can be held liable for the sins of its products, but the employees can't.

    This is why MS may be broken up, fined, etc., but Bill Gates won't go to jail.

    Any lawyers out there to clarify or correct?
    -----
    D. Fischer
  • by Dr. Nonsense ( 116117 ) on Saturday September 09, 2000 @09:47AM (#792182)
    Don't post an article on Slashdot asking how to do something subversive if you plan on doing something subversive.
  • Another possibility is to do what some of the cracks newsgroups do and post encrypted, during development anyway, and make sure you really trust anyone you give the key to.

    Possibly we should start (virtually) hanging out with some of the better crackers and warezers out there, some of them have been going forever without having been caught yet.

    Another idea antiquated as it may seem would be to use the post, you write the program, drop a load of copies in the post to people you believe to be sympathetic, they get it, and drop a load of copies in the post to people they know. Pyramid distribution, nobody knows who started it, no one knows who has it...

  • by GCP ( 122438 ) on Saturday September 09, 2000 @09:50AM (#792184)
    "Martyrdom"? Sometimes the preposterous, self-righteous bs here on Slashdot gets so deep I feel like putting on my rubber boots.

    So you want to do some noble "power to the people" project that "corporate America won't like". Well, two things come to mind. One possibility is that you want to create something wonderful, like an extraordinary browser (Mozilla), or a whole operating system (Linux), or any number of other superb products that legitimately compete ferociously with products of "corporate America" like IE, Solaris, Oracle, etc. If that's the case, then the number of ways you could contribute to the world is virtually limitless, and you don't need to sneak around to do it. "Corporate America" calls it "competition", and it goes on above ground, in the light of day.

    The other possibility is that instead of creating something of value yourself, you feel an adolescent urge to be a big hero to other adolescents by finding ways of stealing things of value created by others. You have some cartoonish image of "corporate America" as The Evil Empire from Star Wars, and you're some noble code Jedi with a compiler for a light saber. I suspect you're in this camp. If I'm mistaken, then these comments apply to those who are, but not to you.

    "Corporate America", in reality, isn't one entity, and it isn't even American. It is the majority of working people in the developed world and the relatively consistent conventions they've established for cooperating as groups and individuals to convert the hours of their lives into things of value, which they then trade with other groups and individuals. It is also the relatively consistent conventions they've established to prevent people and groups from stealing from one another, forcing them to have to produce things of value themselves that can be used in voluntary trades. That increases the pot of goods and services rather than just shifting them around.

    There are plenty of areas in commerce where reasonable people of good will legitimately disagree on areas of legal policy. There are also countless inequities and inefficiencies in a system that still requires human lawyers to argue the edge cases. Those with the biggest legal budgets tend to win more than their fair share of edge cases.

    Unfortunately, there are also a lot of people who think it's their right to steal anything that they can get away with stealing. They frequently point to the inequities of the system as a rationalization for their base desire to simply steal something rather than trading for it.

    Instead of pouring your energies into finding ways to steal from your neighbors, whom you refer to as "Corporate America" to make it sound noble, why don't you find a charity that can't afford to pay for "enterprise software" and build something for them from open source components?

    Or why don't you find a way to extend the features of some open-source system to cover the needs of a group that doesn't yet have the necessary level of computer literacy to do it for themselves?

    Or why don't you go out and create music or great films or whatever, and then give away what you've traded the hours of your life to produce, instead of trying to give away the hours of other peoples' lives?

  • by Python ( 1141 ) on Saturday September 09, 2000 @09:51AM (#792185)
    And how to do it without going underground.

    1) E-mail

    Set up a nym account with one or more of various nym servers out there:

    nym.alias.net [mailto]
    redneck.gacracker.org [mailto]

    OR, you can get a paid for nym account with ZKS:
    ZKS Freedom Net [freedom.net] (They are taking applicants to beta test their Linux port now)

    This takes care of having an anonymous bi-directional e-mail account that people can contact you through and will be secure from the attacks of a determined foe (be sure to change your reply blocks often though).

    2) Publish the code somewhere publicly available, like the web or usenet.

    The next problem is distributing your code. What you need is a means to publish the code anonymously.

    Web

    To contact sites like sourceforge [sourceforge.net] anonymously, which provide you with a nice mechanism for releasing the code and storing it somewhere, you need a web anonymizer or an anonymous routing scheme like ZKS.

    Several solutions exist to do this. In order of highest security:

    ZKS Freedom Net [freedom.net]

    CROWDS [att.com]

    Anonymizer [anonymizer.com]

    Usenet:

    Usenet is a means of publishing your code that is even more resistant to censorship attacks than publishing the code on a website:
    mail2news gateways. These allow you to post an e-mail message to usenet, preferably after you have anonymized it thru several remailers. Posting to usenet is an EXCELLENT mechanism for getting past the most determined censor. As long as you don't start spamming your distribution, and thereby driving your BI up, you can be pretty sure that your post will not get robo-canceled. If you want to be really fancy, you can encrypt the message, publish the password in another forum, and then post the conventionally encrypted message to alt.anonymous.messages [alt.anonymous.messages]. This will defeat efforts to automatically find your post on usenet and then issue a third party cancel for it.

    Here is a list of known mail2news gateways:
    mail2news AT nym.alias.net
    mail2news AT zedz.net
    mail2news AT mixmaster.shinn.net

    Send a message to one of the above e-mail addresses with "help" in the subject for instructions on how to use the gateways.


    Python

  • if there's money to be had, someone, some company will back you.

    What if there's no money to be had? What if the individual wants to do something that he believes is of social importance but doesn't have a great deal of direct monetary worth?

    There are companies that let you gamble and buy drugs, steal music and videos, and hire prostitutes, all over the web. What on earth could you be doing that is worse than this?

    There aren't any corporations selling DeCSS, though - why is that?

    Just because some corporations do subversive things, doesn't mean that there aren't any problems with developing subversive things, and it doesn't mean that individuals shouldn't consider the problems they might encounter doing something like that.

  • by alienmole ( 15522 ) on Saturday September 09, 2000 @10:05AM (#792195)
    The identifying part usually comes from your network card, if you have one. (If you don't have one, you're actually fairly safe from this particular issue.) You could indeed use one network card to generate IDs, then hide it or destroy it, and use a different card the rest of the time. Or you could just generate IDs with your network card removed.
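Added example, not part of the comment above: assuming the IDs under discussion are time-based (version 1) GUIDs/UUIDs, whose last 48 bits are normally the generating machine's network-card MAC address, this Python script scans text for such IDs and reports the embedded MAC and creation time so a file can be checked before release. The sample IDs and all function names are constructed for illustration.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Matches the canonical 8-4-4-4-12 hex form of a GUID/UUID.
UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b"
)

# Version-1 timestamps count 100 ns ticks from the start of the
# Gregorian calendar, not from the Unix epoch.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def inspect_id(text):
    """Describe what a single GUID/UUID string reveals about its creator."""
    u = uuid.UUID(text)
    info = {"id": str(u), "version": u.version, "mac": None,
            "hardware_mac": False, "created": None}
    # Only RFC 4122 version-1 IDs carry a node field and a timestamp.
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return info
    node = u.node  # last 48 bits of the ID
    info["mac"] = ":".join(
        f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8)
    )
    # RFC 4122: a generator with no network card substitutes a random
    # node and sets the multicast bit (lowest bit of the first octet),
    # which a real card address never has set.
    info["hardware_mac"] = ((node >> 40) & 0x01) == 0
    info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    return info


def scan(text):
    """Inspect every GUID/UUID-shaped token found in a blob of text."""
    return [inspect_id(m.group(0)) for m in UUID_RE.finditer(text)]


def leaking_ids(text):
    """Return only the IDs that embed what looks like a real card address."""
    return [r for r in scan(text) if r["hardware_mac"]]


# Constructed sample: three IDs as they might appear in file metadata.
SAMPLE = """
doc-id:     c232ab00-9414-11ec-b3c8-001122334455
session-id: c232ab00-9414-11ec-b3c8-03aabbccddee
random-id:  3f2b8c1e-5d4a-4e6b-9a7c-1b2d3e4f5a6b
"""

if __name__ == "__main__":
    for r in scan(SAMPLE):
        if r["version"] != 1:
            print(f"{r['id']}  version {r['version']}: no node field")
        else:
            kind = "card address" if r["hardware_mac"] else "random node"
            print(f"{r['id']}  {r['mac']} ({kind}), created {r['created']}")
```

A version-1 ID also records when it was generated, so the timestamp is reported alongside the node field.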
  • by Anonymous Coward on Saturday September 09, 2000 @10:07AM (#792196)
    That is partly malicious advice. Dangerous because one has to make sure that the client is also secure.

    College computing sites are perfect for this. Do not put your dev machine on the net; instead deliver it via read-only media to the site, and get access (for example, sniff passwords w/out doing anything malicious to the user; the more actions you take against the user, the more you expose yourself). Send the information (sourcecode, binaries, etc) via many different routes, almost all of which are irrelevant.

    By the same token, if you know how to hack, make automated scripts that send information in a similar manner, to the same routes. Only one person need know how to compromise such machines; that can be your logistics person. No gratuitous damage there, either.

    College areas are unlikely to have any sort of visual surveillance. And of course you will keep in mind that it is not impossible.

    I am demonstrating much of this at the moment.
  • by alienmole ( 15522 ) on Saturday September 09, 2000 @10:19AM (#792200)
    Do you consider DeCSS stealing? I consider it dangerous to criminalize something like, say, copying a DVD for backup purposes, or playing a DVD on a device which isn't officially approved. It's also dangerous to criminalize computer code.

    I think the balance of power is seriously shifted in favor of corporations. It's not just a question of "stealing" copyrighted material, it's also about the customer's right to use that material in reasonable ways. Even though I don't agree with the use of Napster to perform large-scale free distribution of copyrighted work, I think things like Napster and DeCSS are important in order to reach some kind of acceptable balance on these issues, and ultimately to declaw UCITA, DMCA et al.

  • Doesn't that only work for publicly-held corporations?
  • You miss the point. Anonymity allows dissension without reprisal, and that's a good thing. We're not talking about swapping N*Sync mp3s here, or pirating Windows games, we're talking about the ability to hide in an environment increasingly hostile to hackers. God forbid you should use a barcode reader for reading barcodes of your own choosing, rather than just those in ads the way the manufacturer intended. If such a thing is going to bring you enemies, I say (in the immortal words of Miyagi-san): "Best defense: no be there."
  • "Conspiracy to Think Independently"

    Oh wait, you can already get in trouble for that...
  • Yeah this is a case where IDRC :)

    I have an account with them from when my ISP didn't have newsgroup access (barbaric or what?, but hey they gave me unmetered calls)

    There is some info on anonymous usenet posting at http://www.geocities.com/CapitolHill/1236/howto2.html [geocities.com], also a lot of info [google.com] if you search on google.

    Actually I guess if nothing else this is probably going to end the old hacker (coder) / hacker (system breaker) argument as we're all going to have to be both the way things are going...

  • by Chris Johnson ( 580 ) on Saturday September 09, 2000 @10:46AM (#792213) Homepage Journal
    I have to sympathise. This query reminds me of the 'what are you doing to help the legal situation?' story (the one that references 'Suck'). That one essentially asks 'what are you doing to help the legal situation?' and this one asks 'what are you going to do when we can't change the legal situation and things become completely unbearable?'.

    My own answer has been along these lines- I will create to the best of my ability and use the legal system to defend the interests of the people I'm creating for. That's sometimes meant GPLing software, when I could- my software is frankly not world-class, it's not really my area of expertise- and now it's beginning to mean that I must put together not only my recording studio, but also CD mastering and duplication, and even hosting for free audio. The studio's done and quite functional- CD mastering and even Video CD mastering is dead simple- duplication's going to cost me some serious money, I'll be taking out a bank loan when I have my ADAT paid off to get a duplicator- and hosting is beyond _my_ reach though I need it desperately.

    All this is needed because I can't trust the commercial sector to handle it for me. The breakdown goes like this:

    • Studio: the $75 an hour I'm asking is actually very low for a studio. This part is pretty straightforward- studios are service oriented and it's more a financial question than anything else.
    • Mastering: mastering houses charge a _lot_ of money for what they do- the gist of it is that you can't seriously tailor the frequency range and soundstage of your CD while listening over pathetic little nearfield monitors. The need for an extra pair of ears on the project is somewhat counterbalanced by the fact that these days, mastering houses are increasingly forced to brutally compress their results until average levels are about 1 db down from peak. This sounds appalling but is louder than the competing songs on the radio ;P
    • Duplication: currently having a burner will do- one nice thing about being a geek is ability to track down things like Mitsui CD-R media with process color surface-prints: it can cost six times what you can find cheap media for, and maybe twenty times what commercial CD materials cost, but archival quality is substantially better and honestly, there is a place for a quality argument. The point at which the commercial product is cheap crap at premium prices is the point at which the quality argument at reasonable prices starts to substantially work. The trick is you have to make all aspects _look_ professional- hence the process color media print, at 400 dpi carefully color corrected (the guy who does the CD printing called this 'overkill', to which I replied 'good!' ;) ) When things develop to the point that I need more duplication, it will be time to talk to my bank about the next bank loan- currently I'm paying one off for my 20-bit ADAT studio recorder, it seems reasonable to think in terms of another to get a serious CD duplicator. I'm also excited about the possibilities of producing Video CDs- which can be played in DVD players. Hooray, an accessible format for short video that can piggyback on the leverage of the stinkin' MPAA! I may get a DVD player just to test my VideoCDs on :)
    • Hosting: This is the killer. I don't have any way to offer _this_. I have done some research, however, into what needs to be out there.
    This last one is the hardest one, and I'm not sure how to address it- and this post is about how I'm trying to address each issue personally instead of announcing that 'someone should' do this stuff :)

    Basically, I see a pressing need for just plain media hosting on a massive scale. It could well be restricted to mp3 and ogg vorbis (hell, include wma). It could also be restricted to 128K on two assumptions: one, it'll be important to not have everyone doing 320K and using up two and a half times the resources for their stuff, and two, it's low enough quality to justify being giveaway stuff and high enough to basically enjoy. It will not pay musicians one cent for the downloads- on the other hand it will not _charge_ musicians a cent for the hosting. Most importantly, it will have a usage agreement that protects both parties, asks only nonexclusive rights to host the material, claims no copyrights to the material, and requires any contract changes to be explicitly signed off on by the artist. (This last one is the main thing mp3.com just lost in their contract alteration).

    Instead of instantly planning to fund the thing off ad banners (aren't we all sick of that by now?) I propose the hosting service be incorporated... as a 501c3 nonprofit corporation. This is a VERY IMPORTANT point for protecting artist rights in the current climate. The 501c3 must have an explicitly spelled out mission statement that it must abide by to maintain its nonprofit status. It can seek grants- it could even solicit money from the RIAA labels, 'leeching' off them to provide its services in perfect safety. It can pay server operators a relatively decent salary for doing their jobs- you wouldn't have to go hunting for MCSEs, you could spec out a proper high-load server farm and pay to have it run properly, nonprofit doesn't mean it can't pay employees a normal wage. Finally and most importantly, a 501c3 answers to the IRS and has to follow certain rules or cease to exist. It CANNOT be bought out, either in a takeover or a merger, by a commercial corporation. It can only be bought/merged with another 501c3- and for this to happen both 501c3s must have essentially (literally?) the SAME mission statement, not differing ones- and it is so hard to change a 501c3's mission statement that you might as well disband it and start a new one. And when you disband a 501c3, all assets it has must be distributed to OTHER 501c3s covering the same basic area.

    When you look closely at these things (I have a friend who is expert at framing charters for 501c3s and knows all about them and has a terrific batting average for his 501c3 proposals being approved), it's amazing- almost GPL-like- it's a form of legal incorporation that uses the meanest parts of the US government (the IRS!) to protect you against rampant corporate abuses. If you are a 501c3 no commercial corporation can touch you- they can give you money for a tax break, and that's about it. They can't buy you out. They can't shut you down- even if they for some reason got totally Mafialike and pressured all your boardmembers to disband the corporation, your resources simply get distributed to other 501c3s doing the SAME JOB. It's like the liquid metal Terminator- no amount of force can destroy you! All watched over by the IRS with gimlet eyes. You don't have to vigilantly guard against, say, major labels subverting you and making you a profit-earning subsidiary. The IRS will vigilantly guard against that :)

    I'm not sure what the software sphere would need in terms of a 501c3 to develop ideas that need to remain free of corporate control. I do know the needs of my own sphere- music, media in general, video as that becomes a factor. The music sphere needs free hosting because a musician who's even slightly prolific will rapidly exceed the bounds of any personal site or typical hosting service, and it seems like most/all of the music/mp3 hosting services on the net are RIAA label controlled or copying their contractual provisions.

    In order for musicians to be able to function outside the confines of RIAA ownership, they need to have the ability to own the means of production (easy: CD burners and duplicators and Internet sales) and the ability to circulate music to people who don't know the music yet. It really isn't necessary to have one recognizable site for people to _browse_ from (mp3.com is full of bands who've never been listened to- I always got most listens from mentioning what I do on Slashdot), but it is necessary to have a site with acceptable policies/contracts which won't need to be changed or moved. Wherever it is, there needs to be a fair amount of stability so that the musician can distribute CDs, posters, handouts with the URL on it. Because of mp3.com's change of contract, I have posters, CDs out there, even 24 cassette tapes that haven't even been _recorded_ yet, all with the mp3.com addy on them, which is now obsolete.

    The common factor here is that it's all about giving _my_ material a base of operations that's not easily destroyable by corporate interests. I'm not attempting to, say, sample RIAA label acts and use their music as part of my composition. I am not negativland ;)

    A very good question would be, how important is it to pursue development on IP that corporations have claimed as their own, and how important is it to defend IP that is actually original? Most of my response has been centered on defending the ability to produce and distribute stuff (music, video) that is original, knowing that the _facilities_ for this production and distribution are under continuous attack, but my right to produce is not actually in question.

    Are programmers in danger of losing their right to produce, or is the perceived threat simply that anything programmers do will be patented by corporations and taken away from them? There is a point at which this begins to seem unreasonable. Somebody at Amazon _thought_ they invented one-click ordering, which is stupid but doesn't necessarily mean Amazon set out to 'steal' stuff from the public domain. I question the wisdom of assuming, from the start, that what YOU CREATE is so doomed that it must be 'subversive' to survive. I would suggest trying to remain visible and CREATING stuff, quite openly. Use contractual tools like the GPL to protect your interests. Don't assume you're so outclassed that you must go into hiding! We're looking at an era of much legal rule-changing. Some of the rules are changing to heavily favor corporations and piracy, by them, of intellectual property and other types of property and privileges. Some of these rules will be changed BACK once the consequences are clear. Act as if the world was fair and you had rights! Behave in good faith and don't knuckle under to the appearance of oppression. Act AS IF you had rights, know what they would be if you had them. Don't act like you are a criminal just because some other entity profits by criminalising you.

    The last word is this- when you create, you set the rules. My CDs will have "All commercial rights reserved- noncommercial copying OKAY" at the bottom of every single one of them. If the RIAA manages to make (for instance) copying of tracks off audio CDs automatically illegal, I will happily participate in a test case: someone can rip my stuff and put it on Napster, and I will testify that I explicitly allow such noncommercial copying of MY CDs, thus no blanket rule can be made. The RIAA DOES NOT HAVE THE RIGHT to set MY rules, and my rules for my CDs permit noncommercial copying. I'm even spelling it out on the CD itself where it can't be missed- my wishes _will_ be respected. That's justice.

  • Hiding, will give the enemy ammunition that you are hiding, therefore knowing it's wrong.
    Ammunition, perhaps, but the general claim is false. Knowing that something is wrong is very different from knowing that you can be harassed, even bankrupted, for doing it. The trumped-up charges and outrageous bail demands for protesters in Philadelphia last month show that the price of merely gathering to petition the government for redress of grievances is being raised beyond what most people can pay. The powers-that-be have the entire resources of the government to bring to bear against the few people who put their faces forward, and they do this with the intent of shutting off that part of the political process. When they play hardball, going anonymous is a legitimate response.

    The outrageous distortions and outright lies used to demonize software such as DeCSS, combined with the sledgehammer tactics against the people who dared distribute it or merely talk about it, prove that the system is grossly broken. There are people who want to go around it until and unless it is fixed. Anonymity is a good way to do that, and I fully support them.

  • The only method I can think of to avoid having this happen would be to take it underground. It wouldn't be that hard to set up a private, invitation only VPN.
    "Three people can keep a secret, if two of them are dead." If one person can be threatened by contempt-of-court charges or trumped up criminal charges into revealing the identities of the other people in the network, it's over. The only way you can make this work is to keep things fully anonymous.

    It sucks, I know. But this is the way it is at the moment, and the way it will continue to be until the public gets outraged by something and DEMANDS that the corporations admit that people have rights and leave them alone. What could do that? I dunno, how about a utility to store DVD's on a hard drive so that kids can play "The Lion King" whenever they want without trashing the expensive disk? How many parents would just LOVE that? How much sympathy would there be for the MPAA and Disney if they went after the people who gave it to the public? That's the kind of thing to go for.

  • Your question should be, If a tree falls on an anonymous coward yelling 'first post' in the forest, does anybody care ?

    My .02
    Quux26
  • by John Jorsett ( 171560 ) on Saturday September 09, 2000 @11:53AM (#792227)
    What you need to do is simply set up a server and get ftp/shell access to it and then make sure whatever you're doing is legal in that jurisdiction and that they're not a WIPO member or friendly to the Red, White and Blue Empire (that would be us, folks).

    Unfortunately, this doesn't appear to work either. The U.S. gov't has just successfully prosecuted an American citizen for running an internet gambling site based in Antigua (he himself was in Antigua too, at the time of the 'violation', and the site is legal in Antigua). His crime seems to be that he is an American and was allowing Americans to access his site. So, it appears that doing something that is legal in the place where you are and is theoretically outside of U.S. jurisdiction is not necessarily a defense, if you're a U.S. citizen.
  • What if there's no money to be had? What if the individual wants to do something that he believes is of social importance but doesn't have a great deal of direct monetary worth?

    Then beyond threatening someone with violence, this individual should have no problem posting his/her thoughts on the web in the US.

    Hell, if NAMBLA can have a PO box, anyone can.

    There aren't any corporations selling DeCSS, though - why is that?

    Uh, maybe because its free?



  • Not true. If carefully used, modern tools like Zeroknowledge System Freedom can make it impossible to trace items back to you. All transactions are strongly encrypted, no records are kept, and the traffic can be made to pass through 3 servers in different political jurisdictions. If one used a particular ZKS nym just a few times, the likelihood of discovery of one's true identity is effectively nil.
  • I don't think Napster is a useful tool to 'declaw' DMCA, though DeCSS is (to the extent that it allows DVDs to be played on Linux which is otherwise not possible).

    We don't have the proper tool yet. The RIAA, MPAA will give us the proper tool in time- that tool would be further legislation that is so completely intolerable that it produces a backlash and calls the whole show into question. For instance, retroactively making all CDs owned by the record company so everyone's existing collection becomes 'leased' not owned- or outlawing all forms of media exchange, or outlawing all ripping of audio CDs. These steps are probably inevitable but they are crucial- they would plainly reveal the true situation, that media in general is very close to being a 'closed shop', like a sort of government only you can't vote for how it's run.

    The key factor is that it can't simply affect what people do with RIAA property (such as the music content of CDs ripped to mp3): it has to begin to affect people's personal property (I don't own my CDs now? But they're _my_ CDs!) or their rights over their property (I'm not allowed to mp3 my song? But it's _my_ song, recorded it myself!).

    Only then will the problems be clear enough to see justice done. As long as it's about copying Britney Spears CDs without her permission it's a losing argument. But it _will_ escalate until the problems are so terrible that there's no more ground to give.

  • I know that CD Burners put all sorts of information into the TOC. Take any Windows CD-R/CD-RW software; it probably burns in the machine name, the name of the registered owner of the Windows installation, I wouldn't be surprised if it put in a email addy, blah blah blah.
  • by Frymaster ( 171343 ) on Saturday September 09, 2000 @12:31PM (#792237) Homepage Journal
    Back in the "old days", I would take my handy-dandy Mac Plus down to a $30 hotel, sign in as "Scott Free" and hack til check out off their number. Saves the payphone hassle (ie, cruising eBay for an acoustic coupler... ha!) and you get a bathroom and all the free soap you can steal thrown in to the deal...
  • Score: 4, funny...
    Seriously, this was my first thought: Would active participation in this thread constitute conspiracy? Could it be actionable to give good advice here?
  • by alienmole ( 15522 ) on Saturday September 09, 2000 @01:18PM (#792253)
    I agree Napster isn't a perfect case - in part because it was ultimately about commercial profits, not individual freedom. I think Napster would have done better to take some actions to protect copyrighted works on its network, so that it could demonstrate some more widely acceptable primary use - but of course it wouldn't have been as popular, then. Napster's technical function is a useful and ultimately necessary one; but they did nothing to deter technically illegal abuses of their system.

    Nevertheless, I see an element of civil disobedience amongst Napster users that goes beyond just the desire for "free stuff". Some see cheap justifications and rationalizations; I see at least some people who aren't necessarily articulating what's bothering them very well, or in the right places (mea culpa), but their actions speak for them. Mindlessly criminalizing this kind of activity won't ultimately help even those lobbying for the criminalization, as we both know.

    [...]or their rights over their property (I'm not allowed to mp3 my song? But it's _my_ song, recorded it myself!).

    I agree, this is one of the big danger areas. Actually, as copyright holder of your own work, you'll probably be allowed in theory to mp3 or dvd it, but getting access to the necessary tools could be another question. In the current climate, it's easy to envisage being forced to join the RIAA, pay dues, and use an approved publishing company, all to gain access to the technology required to create content that can be recognized by consumer players.

    As long as it's about copying Britney Spears CDs without her permission it's a losing argument. But it _will_ escalate until the problems are so terrible that there's no more ground to give.

    Agreed on both counts.

    One ray of hope I see is that higher courts in the U.S., especially the Supreme Court, are often pretty good at handling this kind of thing. As long as the next president doesn't totally mess up the court, I fully expect some of these things (like code that's illegal?!) not to hold up.

    Speaking of which, to bring this back to the original topic, now that particular bits of code have been declared illegal, I consider it virtually a moral duty to try to write such "subversive" code - otherwise, we are capitulating to an unacceptable restriction on freedom of thought, expression, and communication. I haven't thought of a suitable application yet, though, so the NSA and RIAA can sleep easy for another night! ;^)

  • But the rest of us folks won't have any problem getting in.
  • by slam smith ( 61863 ) on Saturday September 09, 2000 @01:22PM (#792255) Homepage
    We are a free people here in the US (except where prohibited by law)
  • It wouldn't even take a traceroute. Having just spent the day recabling my office, it's surprising how easy it is to spot where things are drawing power just by watching the electricity meters, following the cabling, and wondering what the hell this is that's plugged in right where I want to put this printer box.

    Add to that that most HDDs are noisy wee bastards, and that behind a dryline is a very dusty environment, and you've a recipe for a very grindy HDD that wouldn't last long at all.

    And if it wasn't the dust, it'd be the moisture.

  • Well, the U.S. of A. is known to have a picky government... I think that you should simply become (or -- claim that you are) a civilian of a country that doesn't care about what you're doing, and where the folks that should become angry from your software don't live. Just like they do with code with US export restrictions.

    It's... It's...
  • Then beyond threatening someone with violence, this individual should have no problem posting his/her thoughts on the web in the US.

    One of us must be missing something here. If I write some code which is considered equally threatening to commercial interests as DeCSS, by posting it on my website, I risk prosecution and legal sanctions, assuming my code falls foul of the DMCA, UCITA, etc., which is not that difficult.

    This might all be more acceptable if the function of the code in question were somehow inherently against the interests of society. However, I don't see that as being the case here. For further arguments along these lines, see this message [slashdot.org] and my reply to it.

    Hell, if NAMBLA can have a PO box, anyone can.

    Part of the point is that online, some of the freedoms that exist in the "real" world are disappearing. You may think that would be good, in the case of something like NAMBLA, but actually that's a good case in point. NAMBLA members aren't doing anything illegal until they actually break the law. The same thing used to be true of copy protection circumvention: you could sell and own copy protection circumvention equipment or software. That has now changed. It used to be legal to buy a device to circumvent Macrovision copy protection on videos. I bought one so I could play legally purchased DVDs on my PC, through my VCR (not to tape them, just to watch them.) I haven't checked for certain, but if these devices aren't already illegal under the DMCA, certainly their software equivalents are.

    > There aren't any corporations selling DeCSS, though - why is that?
    Uh, maybe because it's free?

    Yeah, yeah. My point is that it's illegal under Federal law. A company selling DeCSS could be shut down in short order. Yes, you might be able to order a hooker online. But that's only because there aren't any big corporations who really care to stop you. That's not the case when it comes to the sort of "subversive" software raised by the original query.

  • Sad innit, but the laws about mail were written in a different age; when the upgrade came, they had a chance to rewrite the rules, and hey, they did.

    Kinda good in a way, even just for nostalgia, I can remember the waiting and hoping for the postman to come when you are expecting a letter from someone you care about, and who even now doesn't know the intrinsic joy of parcels....

  • by alienmole ( 15522 ) on Saturday September 09, 2000 @02:40PM (#792268)
    I was referring to the algorithm used to generate GUID or UUID numbers, which is the most common form of identifier subject to this issue, and is used by DCE, CORBA, XPCOM, COM, and various other systems.

    The ability of this algorithm to generate "globally" or "universally" unique identifiers relies in part on the fact that network adapters contain a node address which is issued in blocks to network card manufacturers by the IEEE, so is guaranteed to be unique. Here's some info about UUID generation [opennc.org].

    While processor IDs can be used to identify a system, there currently isn't widespread use of these numbers in standard software components.
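Added example, not part of the original comment or the thread: a Python sketch of why the identifier scheme described above can point back to a machine. A version 1 UUID carries the generating host's 48-bit node address and a timestamp, so the audit below scans text for UUIDs and flags the ones that expose a node address; the sample text, node values and function names are constructed for illustration.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 timestamps count 100 ns ticks from the start of the Gregorian calendar.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
UUID_RE = re.compile(r"\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b")


def make_v1(when, node, clock_seq=0):
    """Build a version 1 UUID from explicit parts (used only for the sample data)."""
    ticks = ((when - GREGORIAN_EPOCH) // timedelta(microseconds=1)) * 10
    return uuid.UUID(fields=(
        ticks & 0xFFFFFFFF,                  # time_low
        (ticks >> 32) & 0xFFFF,              # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,   # time_hi with version nibble 1
        ((clock_seq >> 8) & 0x3F) | 0x80,    # clock_seq_hi with RFC 4122 variant bits
        clock_seq & 0xFF,                    # clock_seq_low
        node,                                # 48-bit node address
    ))


def inspect_uuid(text):
    """Report what one UUID string reveals about the host that generated it."""
    u = uuid.UUID(text)
    report = {"uuid": str(u), "version": u.version, "leaks_host": False}
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return report  # e.g. version 4: random bits, no node address or clock
    node = u.node
    report["node"] = ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    report["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    # A generator without a network card must use a random node with the
    # multicast bit set, so a clear bit means the field is an adapter address.
    multicast_bit = (node >> 40) & 0x01
    report["leaks_host"] = multicast_bit == 0
    return report


def audit(text):
    """Inspect every canonical UUID string found in a blob of text."""
    return [inspect_uuid(m.group(0)) for m in UUID_RE.finditer(text)]


# Constructed sample: an IDL-like fragment with three interface identifiers.
BUILD_TIME = datetime(2000, 9, 9, 14, 40, tzinfo=timezone.utc)
SAMPLE = f"""\
[ uuid({make_v1(BUILD_TIME, 0x001122334455)}) ] interface IFromNic
[ uuid(3f2b8c1e-9d4a-4f6b-8a1c-5e7d9b0c2a34) ] interface IRandom
[ uuid({make_v1(BUILD_TIME, 0x01AABBCCDDEE, clock_seq=7)}) ] interface INoNic
"""

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        if entry["leaks_host"]:
            print(f"{entry['uuid']}: node {entry['node']}, created {entry['created']}")
        else:
            print(f"{entry['uuid']}: version {entry['version']}, no adapter address")
```

Only the first identifier in the sample is flagged: the second is a random version 4 value and the third uses a node marked as random.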

  • If I write some code which is considered equally threatening to commercial interests as DeCSS, by posting it on my website, I risk prosecution and legal sanctions, assuming my code falls foul of the DMCA, UCITA, etc., which is not that difficult.

    This is a good point - our society hasn't reached the conclusion that code == speech. I hope it does, but I'm not optimistic.

    On the other hand, you have to wonder if it really matters. Sure, DeCSS is "illegal", but I have a copy of it, and so do thousands of other people. Technically, jaywalking is illegal too.

    Of course, this is a cop-out - I understand that there is a profound difference between "legal" and "getting away with it", and it mostly has to do with society being honest about what it thinks is right and wrong.

  • If you are referring to me as the original poster, I do understand the differences. I run mixmaster and cpunk remailers, along with a ZKS freedom server. I have been doing so for many years (with Type I and Type II remailers).

    A couple of issues to respond to. Every ZKS server is not on a carnivore monitored network nor are they in the US or Canada or even run by companies in many cases. Many ZKS servers are run by private individuals, with no legal obligation to support Carnivore (under current law). So, it does not follow that all ZKS servers are or could be carnivore monitored. Additionally, reply blocks in the ZKS network *do* allow for latency time, so traffic analysis is not as straightforward as you might think. It still needs cover traffic and remixing, but it's not as simple to defeat the model as you make it out to be.

    Regardless, presenting an array of options to the end user is much better than just shoving the highest security solution at them. High security remailing is complicated and requires the users to understand how to use the remailer network in a secure manner. Which includes dummy (cover traffic) messages, remixing, long chains, rotating reply blocks and so on. ZKS is easy to use; setting up nyms to do re-mix is not a simple matter for most users.

    Presenting the various options, in a limited Slashdot posting, gives the user the option of finding out more and educating themselves. The post was not intended as a complex lesson on the pros and cons of the various technologies available for protecting your anonymity.
    Python

  • The correct way to release DeCSS would have been in a self extracting archive with shrinkwrap license agreement.

    "By clicking "OK" you agree not to hold the distributor of this software program liable for anything" type of thing. Even throw in a clause whereby the user agrees not to use the product for any number of "infringing" uses.

    This protects - using another totally insane act of law - the UCITA -- the DeCSS distribution at a number of levels.

    1. Representatives of the MPAA obviously opened the distribution and looked inside - thus agreeing not to sue based on the contents of the archive. If they didn't click OK and still have examined the contents it can only be because they bypassed the protection on the archive and thus have fallen foul of the DMCA itself.

    2. The end users of the software too have entered into (and been bound by) the contract not to use the software for infringing uses.

    Done properly and worded right this would put the DMCA in conflict with UCITA. Hopefully one of them would give, and half our current problems would be over.

    WARNING: Caffine levels low. Output may be incoherent.

  • On the other hand, you have to wonder if it really matters.

    Forgive me quoting myself, but I just wrote a message about this [slashdot.org], attached to the "Lawsuits Suck" article. To me, the important point is this:

    "...having laws in place which everyone routinely breaks, provides yet another way in which the government can harass citizens if it so chooses. [...] Laws are instruments of control, and unnecessary laws are dangerous. They can sit on the books for years until the wrong person gets into a position to abuse them."

    Gotta go hide, I hear some black helicopters outside...

  • I think Mr. Murdoch (from Dark City?) asks a legitimate question. He clearly smells which way the wind is blowing. It isn't over a field of daisies.

    However, I also have to agree that openness is the only way to win. As long as software writers can be the David vs. the corporate Goliath, we have a chance to sway public opinion. There are two problems to overcome. The first is that the people with political power owe their position to the people with money, i.e. korporate Amerika. The good news is that politicians have to pay attention to public opinion.

    The other piece of bad news is that the general public doesn't have a lot of sympathy for techies. We could easily become the modern equivalent of Salem witches if someone with enough juice decided to push the right buttons.

    That brings us back to openness. People distrust what they can't see. People also believe what they see in the media. I'm sure the average person believes that a hacker is someone who breaks into computers and writes viruses. Writing underground software is only going to further those misconceptions.

    That said, we could really be headed for a dystopia a la Shadowrun. I know that I won't be working for a megacorp. I could be asking these same questions in a few years.
  • by Garund ( 154408 ) on Saturday September 09, 2000 @05:36PM (#792287)
    Interesting system of logic you have going there.

    It sounds reasonable, but I think it only describes half the equation. There's a question of balance to be examined.

    While large cooperative groups offer advantages, they also have a number of qualities which I think are largely uncontrolled today.

    Maybe the advantages in the pseudo-symbiotic relationship we share with corporate entities are enough to overwhelm any worries you might have as to the more destructive qualities corporations exhibit, but I choose not to wear blinders or to see the world in black & white, and certainly not to tell people who might have legitimate concerns to 'grow up', just because I would rather not face the nauseating possibility that maybe there is something terribly wrong.

    So I'll definitely be keeping at least one of my feet squarely in the, 'Corporations are the Evil Empire,' camp you described, simply because corporate entities do lots and lots of morally questionable things which make the world crappy for lots and lots of people. The fact that you can clearly write well, means you're not ignorant, so I won't bother listing off any of the ton of available examples of corporate greed and willfully reckless behavior. (When profit is god, how money is made is unimportant, so long as it's cheaply done and doesn't leave shit in your own immediate corner of the pond.)

    Also. . .

    'The other possibility is that instead of creating something of value yourself, you feel an adolescent urge to be a big hero to other adolescents by finding ways of stealing things of value created by others.' [snip] 'why don't you go out and create music or great films or whatever, and then give away what you've traded the hours of your life to produce, instead of trying to give away the hours of other peoples' lives?'

    Yeah. . .

    Fair enough. Except you're again looking only at the portion of the equation, (that which clearly makes you feel comfortable in your own philosophical rules set). Hate to say it, but. . .

    The problem is one of fairness. The people who make music don't ever receive the lion's share of the profit. I'm all for a system which will put a quarter into the hands of the artist for every track of music I decide to keep, and keeps the millions of dollars out of the hands of the non-creative music execs who currently take nearly all of the profit.

    And take stealing the content from DVDs. I think that's entirely fair. The content of a DVD has usually made its money back with lots of profit by the time it plays theatrically worldwide. The disks themselves cost pennies to press. If DVDs cost eight bucks a unit, I'd never rip one off ever again. As it is, they regularly retail for over thirty dollars. That's just plain greedy and unfair. The 'competition' which is supposed to bring us fair prices clearly doesn't work. (Gee? There are content cartels? Who would have thunk it!)

    Currently, piracy is the only semi-organized structure which has a shot at bringing about fairness in the market place. Shucks.

    Sure, I sometimes feel like I'm wielding a metaphoric lightsaber, but that's only because I feel that I'm being manipulated and taken advantage of by a metaphoric evil.

    And I don't wear blinders made from half-reason.

    -Garund

    Balance is everything and we don't have enough.


  • kaphka said:
    For one thing, that would eliminate any sympathy that we might have from the mainstream (it's hard to imagine the public rallying behind a group of anonymous hackers.)
    The public-at-large will never support hackers. The reason we have this world is because most people want security, not freedom. The belief that the desire for freedom is universal has been the undoing of every reform in history.

    The only system that will guarantee freedom is one that supports individual rights, power and freedom over all other concerns, especially concerns of safety and security. It would have to have this support hard-wired in, without the ability of the will of the majority or judicial review to override the central idea of individual freedom.

    The US doesn't have such a system. Even if the US were the democracy it sometimes claims to be, that would only support the will of the majority, which is for security and not for freedom.

    Furthermore, our legal system will never change if we simply circumvent it.
    If voting could change anything, it would be illegal. For voting, substitute anything.

    Without any (openly) dissenting voices, only the opponents of free speech will be heard.
    These openly dissenting voices are needed in addition to, not instead of, hidden action.

    Ellen
  • So, it appears that doing something that is legal in the place where you are and is theoretically outside of U.S. jurisdiction is not necessarily a defense, if you're a U.S. citizen.

    The jurisdiction of US federal law is US territories plus US citizens. This is common of most countries, e.g. the UK (well, England and Scotland to be precise) use this to prosecute people who use child prostitutes in Thailand. This is how Mossad could justify snatching Mordechai Vanunu in Italy.

    There was a case recently of Americans in tax exile in the Caribbean against whom a writ was issued by a redneck judge somewhere for tax evasion (probably the same one who ordered the handover of a German company's domain name to a South Carolina company, only to be frustrated by the limit of his jurisdiction) - there is no way for the US to obtain an extradition order (that depends on satisfying the local courts of the case too) but if these folks ever set foot back in the US they will be arrested.

    Life, liberty and the pursuit of lobbyists. Enjoy!
  • I suggest that you minimize the amount of explicitly subversive code (and also your development workload) by making use of readily available frameworks.

    It's preferable if these are open source, but they don't have to be to suit your purpose; for example Metrowerks [metrowerks.com] PowerPlant is the most popular application framework for the MacOS, and although it is a commercial product it is inexpensively available and when you do buy the Codewarrior development system you get the PowerPlant source code on the installation disk.

    You can even develop an open source framework yourself and publish it openly, and invite in contributors publicly, and distribute non-subversive demo and test programs. Alternatively, you can add functionality to frameworks that almost suit the purpose and submit your patches back to the original maintainers.

    This will save you work, although you may have to write "adapters" to be able to use someone else's library for your own purposes, it will increase reliability of your product, because the framework will have already been debugged by someone else and also tested under a wider variety of circumstances than it will encounter in your code, and you can concentrate your work on the particularly subversive parts.

    Then you post only the "interesting" parts of your source code, and provide hyperlinks to the needed application frameworks in your build instructions. Be sure to include the version numbers needed for this build of your program, and if the sources to any of the frameworks are signed with a public key, include the key which those sources were signed with when you got them. That way you can be sure future programmers can rebuild the same program as you did.

    It may well be that you have a large application but only a few source files and some build instructions to upload, which could be done off a floppy disk at a public access terminal. If you upload these to a few free webhosting service pages, then email the URL to a bunch of warez site maintainers, your code will be looked after.

    Note: to find lots of warez sites (and even more serialz sites) go to Altavista [altavista.com], click on "Advanced Search" and enter:

    Probably only 10% of the sites you find will actually have live warez (they get taken down quickly) but some patient hunting will find you any software title you want - but of course your objective here is to contact the warez site maintainers so they can introduce your program into their archive system.

    Note that if you want to build a Windows application you can build it with Cygwin [redhat.com] (a GNU shell environment for Windows including gcc) so you can be sure Microsoft doesn't embed Globally Unique Identifiers in your code. I'd also suggest that when you make a Windows build, you buy a brand-new copy of Windows 98 (pay cash), install it on a freshly formatted hard drive, build your binary, upload it, low-level format the hard disk you built it on and throw away the Windows 98 installation disk and all the materials that came with it. It's probably hard to get away with installing a development system on a public access terminal.

    If you don't want to use a public access terminal (after all, you might be recorded on a surveillance camera, or the coffee shop waiters might remember you skulking around), then use Zero Knowledge Systems' Freedom [freedom.net] to anonymize your web access.

    Note that the way Freedom works is your HTTP packets are multiply encrypted with the public keys of the Freedom Network's servers, then "unwrapped" one by one as they pass through up to three servers until they are passed unencrypted to the public net at a faraway place.

    Freedom provides both anonymous web browsing and anonymous email send and receive.

    Some sources for open source libraries:

    While all free software provides its source code, not all programs provide source code that is suitable for use as libraries. Unless you want to go to a lot of extra trouble, it's probably best to look for ready-to-use libraries that are packaged as such, rather than trying to extract code from a complete program. Unless the original application developer went to extra trouble to make components of his program able to stand on their own, it is usually difficult to extract parts of a program out and use them as a library, except perhaps for little snippets.

    On the other hand, when you write new code, it is definitely worth while to snip out little bits and make sure that they will compile and run on their own, or depend only on other readily available libraries. That way you can create a library yourself.

    The book More C++ Gems [fatbrain.com] has some articles on Large-Scale Software Architecture that discuss reducing cyclic dependencies in software projects, in part so that the projects can be rebuilt faster but also so that they can be unit tested in smaller parts and the parts can be extracted out and reused in other programs - although the claim is often made that object-oriented software is more reusable, this claim is baseless unless good engineering practices are observed.

  • Hmm, how about designing the software on your computer, compiling, testing, etc. Then encrypt it and run a ftp or something on your computer. Then go to a "public" terminal and move your software from your computer, to the terminal, decrypt it, and then upload it to wherever. For extra security you can then create a virus on the spot to trash the terminal in a few minutes after the next user sits down. ^_^

    Windows9X machines are good candidates, you don't even need to log in, just hit cancel.

    As for BBSes, if I recall correctly, phone companies keep logs; all they have to do is get the log from the phone company and figure out who was connected long enough to transfer the file.
  • You've seen it in the /. news, you've seen the articles... We lose because we have no political power. It's time for banding together. Starting a political party or adopting one and making it our own. Only then can we have people with our interests in mind in Congress, the White House, and most importantly... the courts. We need a movement, where we can move as one powerful force against those who hold us back. A strong nationwide I.T. union would be a good move as well. Corporations could be stung by such a union when they try a legal stunt we didn't like. America would be hurting if every I.T. professional were to strike together over an issue. With both of these in place we could begin to undo the DMCA, save file sharing technologies, fix patent laws and processes, re-structure copyright law. We are well overdue for this. Currently we have no trump card, the Fed knows it... The Press knows it... and the corporations know it. I for one am ready for such a plan of action. I will vote to support my rights to code, to speak, and reverse engineer. Will you? Let's ask /. if they would help us co-ordinate the incipient stages of such a movement. How about it people? How about it /.? Will anyone agree to starting a forum for co-ordinating our communal beliefs into a firm political position? Will anyone agree to run for office based on these findings and support them? I will say right now I am *not* the best candidate for any public office, but I throw my name into the hat. I'll run for an office or gladly support another who has a less colorful past than myself. I need to start reading up on existing parties... are the Libertarians close to what we'd be looking for? I know that the Democrats and Republicans aren't... and I was a hard core Republican before. Come on folks, let's start the work, let's find some good men and women and put them into office!
  • You want to smuggle bibles into countries that are already torn by religious strife? This is your idea of charity? Did you forget the religious carnage that took place in Bosnia? How many people were killed in the name of god there?

    You are a sick sadist.

    A Dick and a Bush .. You know somebody's gonna get screwed.

  • While I don't know that mkisofs, mkhybrid and cdrecord don't put in such identifying information, it's less likely and you can at least inspect and modify the source code to make sure they don't.

  • by goingware ( 85213 ) on Saturday September 09, 2000 @09:25PM (#792307) Homepage
    What you suggest might be appropriate for merely annoying software, but what about software that is expressly intended to subvert the government - imagine a revolutionary wrote a virus that identified whether the computer it was on was in the .GOV domain and then wiped its hard drive.

    Or provided secure communications channels for reporting human rights violations from within repressive regimes?

    Or suppose the software in some way helped promote meaningful political change in a repressive regime - and was developed within the territory of that regime?

    No, really this is an important question and needs to be addressed in a serious way.

  • The answer is c) offtopic, and funny ;), It's just the way the original poster said "free country" that just grabbed my attention. I thought, "there's a really dumb joke in there somewhere..."

    WWJD -- What Would Jimi Do?

  • When they boot it up (and some inevitably will) it can send itself to predetermined ftp sites. The origin can be traced but the distributors were just mules in the deal.

    I think that relying on a mini-virus may well turn out to be a bad idea; every time someone has proposed a "good" virus idea, someone has eventually shot it down. In any case, legal systems are perfectly happy to prosecute mules, too, leading to a socialization that says "don't ever use an unknown CDrom" -- especially the FTP site mules; they'd be subject to "cease and desist" that prevents them from accepting software for which they can't identify the author.

  • What about splitting your code into modules that could be recombined later using some kind of installer?

    For example: Gasoline is legal. Vita-Grow is legal. Combining both is legal. Blowing off a part of Oklahoma with the mix is not. But no one could have sued the guy who sold the gasoline to McVeigh.

    Therefore, if I was to publish a set of "modules" and the instructions to combine them together (remember. The anarchist cookbook is still legal to read/sell last time I checked.) you could be untouchable. Your specific modules by themselves are harmless... It's those evil h4ck3rZ that found a way to do bad things with it.

  • What the HELL are you talking about?

    Rich...

  • by Weezul ( 52464 ) on Sunday September 10, 2000 @05:55AM (#792324)
    Actually, I would really like to recommend that people who do not want to get harassed treat these things as school projects (option 1). There is a vibrant cryptography and computer science literature which can provide a strong legitimizing influence on your work.

    Now, it's not enough to just call it a school project. You need to be really doing something original and worth publishing, but you can do quite a bit legally when your intentions are academic. We had a good speaker from Lucent give a talk on this exact problem recently (at Rutgers). This is what he told us, paraphrased:

    I'm going to tell you three stories about three different people working in cryptography, but first I'm going to tell you the endings to the three stories and let you take a guess as to which stories have which endings. Two of the following people went to jail and one received academic laurels.

    The first guy reverse engineered a top secret government encryption chip and was told not to publish the results by his boss (and maybe NSA), but published the results in the New York Times anyway. The second guy wrote a program to help him watch DVDs on his computer under Linux instead of Windows. The third found a major flaw in bank security for financial transactions and reported this to the company handling the financial transactions.

    Well the first guy (our speaker) received great academic awards, the second guy (Jon Johansen) spent a night in jail, and the third guy went to jail too (I dunno how long). Actually, the third guy's story is really interesting. Apparently the banking company said "no we do not believe that any money could be stolen with this exploit, could you prove it to us by making a transfer." The guy made a transfer and they said "Oh you've stolen some money so we are going to throw you in jail." The implication being that they were trying to shut him up, so they tricked him into doing something illegal.

    Anywho, the moral of the story is that you can get away with these things if you have a PhD and work for a security company. I would say that people who are not anywhere near getting a PhD in crypto, but want to publish subversive stuff should take their message to the academics. Specifically, you should get a respected academic as a coauthor for a paper and get your paper published in a respected journal.
  • He's pointing out an interesting quirk of US tax laws that protects a certain kind of non-profit corporation from being taken over by commercial interests.

    I didn't quite follow how that prevents "cease and desist" orders that would insist said corporation stop making such software available, though.

    Me either. In fact the whole post seemed kinda wordy and self-serving, ultimately being an advertisement for his CDs and (cough!) recording studio.

    Rich...

  • "free", huh? As someone who got arrested at the Republican National Convention in Philadelphia for *exactly* "conspiracy to possibly do something", I find that a very interesting concept indeed.
  • But my conscience is clean. I never threw gasoline onto a burning building like that sadistic bastard.

    A Dick and a Bush .. You know somebody's gonna get screwed.
