Enterprise Application Whitelisting


Did the FBI Go Too Far with Megaupload?

Posted by Jon Cilley on Tue, Jan 24, 2012

With the recent suspension of the SOPA and PIPA bills, the latest story in the Federal government’s war on Internet piracy was the shutdown of file-sharing site Megaupload.com. But did the FBI go too far? Now, anyone who knows a little bit about Megaupload knows that the site did carry a ton of illegal content – but is this the site’s fault or its users’?

So what is Megaupload? Essentially the site offered a storage locker – in the cloud – to upload content, giving users un-policed access to post whatever they wanted. Many users took advantage of this to post illegal content, most of it publicly accessible. Once posted, the content could be downloaded by anyone searching for it. This could be music, movies, television shows or applications. It provided a seemingly endless stream of content users could acquire for free without repercussions or payment.

The site had to know its days were numbered, but a shutdown and the arrest of Kim Dotcom, Megaupload’s founder, may have been a bit overboard. In fact, the details of the arrest involve a police raid utilizing helicopters, with Dotcom locking himself in the safe room of his 25,000 square-foot mansion with a sawed-off shotgun while the police cut him out of the room to make the arrest. This all happened during a raid that seemed more like a scene from a nerdier version of Scarface than anything else. Someone should have told Dotcom that sawed-off shotguns are illegal in laser tag.

Maybe the recent arrest of Dotcom and the shutdown of Megaupload – and its sister site Megavideo – are proof that the U.S. government may not need SOPA or PIPA to protect copyrights? The flawed Digital Millennium Copyright Act (DMCA), enacted in 1998, gives lawmakers the authority to remove illegally posted content without going as far as shutting down the site itself. Nonetheless, a shutdown of Megaupload was still accomplished. This was due in large part to the site having actively advertised its illegal content. Even though the site was based in China, its .com domain still meant it fell under U.S. jurisdiction. SOPA, however, would allow lawmakers to venture further, shutting down U.S. access to foreign domains as well as domains falling under U.S. jurisdiction.

It’s a slippery slope. We’re reaching an age where the definition of copyright infringement is blurred. If Megaupload is illegal, how is YouTube not? It’s the classic argument of who’s to blame. If the bank leaves the safe doors open and someone walks in and steals your money, is it the bank’s fault or the thief’s? Most would say both, but what if the bank never promised any level of protection? Or should they?

Upon hearing of the shutdown, it’s hard to defend the site, but also equally hard to keep the impending-doom light from going off regarding the future of my favorite websites – Google Music or YouTube to mention a couple.

As Internet-wide panic exploded over the weekend, several other sites either revoked U.S. access or stopped file sharing indefinitely. FileSonic, one of the top file-sharing sites, has suspended all file sharing. Maybe this is what the government wanted? SOPA and PIPA fell by the wayside, so maybe this is their next-best option? It’s hard to tell, but I believe the Internet is heading in the right direction. It’s just about getting there with only bumps and bruises and not broken bones.


Anonymous: Why the Media is Getting it Wrong

Posted by Dan Brown on Mon, Jan 23, 2012

The hacktivist group Anonymous perpetrated some denial-of-service attacks against web sites belonging to the FBI, the Department of Justice, the RIAA and the MPAA, lashing out in retaliation over the FBI's shutting down of Megaupload.com, a popular file-sharing website.  The mainstream media, however, has gotten the analysis of the situation a great deal more wrong than usual.

Really, this is War?

CNN catapulted cable journalism to prominence by breaking new ground in its Gulf War coverage some twenty years ago, and should be able to recognize a war when it sees one.  They seem to have totally lost perspective on what war is, however, using that term many times during prime news coverage (Wolf Blitzer's show, Friday) to describe this action by Anonymous.

These actions are much more comparable to Occupy Wall Street protests than to actual war.  When protesters link arms across a street, or handcuff themselves to doors, gates, or cars, they're denying other people access to buildings or thoroughfares.  This is denial-of-service, and usually we don't get that worked up about it when it's reported.  Does anybody think the FBI and DOJ rely on their websites for internal operations?  Were field operatives and lawyers unable to pursue their cases because their PR machine was offline for a few hours?

Please, folks.  I know Anonymous breaks into stuff sometimes, they cause damage, and that's illegal and wrong.  The DDOS stuff is arguably more illegal than it is wrong.  Let's start making a distinction between hacktivism and cyber-terrorism; can we agree on that?

By the way, a great deal of the media's failure to grasp basic facts centers around the distinction between denial-of-service attacks and actual infiltration.  That's an important distinction, but we'll save it for another post.

Media Dupes:  It's not about Hacking!

The media also fell into a huge trap, and an old one.  Think about this question for a second: what is Anonymous actually about?

Have an answer?  If you said "hacking," you got it wrong.  Hacking is secondary for Anonymous; it's a tool.  What is Anonymous really after?  What are they much better at?  PR!

They're after attention, and they're very, very good at this.  They're so good at it that I entertained the humorous notion that they might not have even hit a single keystroke to effect this DOS attack.  All they needed to do was get enough journalists and bloggers in a lather to get them to DOS the sites.  In reality, it probably helped get the job done – with journalists constantly pinging these websites every couple of minutes to see if the sites were still down.  I'll bet these sites got more legitimate hits in a single hour than they usually get in a whole year!

Well, it turns out I was half right.  Anonymous apparently went even further and purposely tricked curious netizens into taking part in the attack – so much for media savvy.  Really, Congress can obviously do plenty of damage through ignorance, but the media seems equally willing to embrace it for the sake of ratings and buzz.

Same as the Old Boss

Probably the simplest evidence that the media is a naive and unwitting hand puppet for groups like Anonymous is the fact that this sort of thing has been going on for a long time.  One of the favorite pastimes of the modern hacking groups that started emerging in the 90's is manipulation of the media through propaganda and misinformation.  If it's a psyops technique that the military has ever deployed, there's probably a shadowy version of it going on underground.  Why do they do it?  Mostly for fun, and this has been true for quite some time.

The sad thing is, the media never seems to catch on.  As a friend of mine likes to say, <heavy sigh>.


SOPA: Government Overreach at Its Worst

Posted by Dan Brown on Thu, Jan 19, 2012


I remember my father, a retired physician, railing against government attempting to legislate on medical matters, an area in which it demonstrated little to no understanding.  I didn't have a full appreciation for the sort of legislative blunders Congress was truly capable of until SOPA and PIPA.

In short, the Stop Online Piracy Act (SOPA, congress) and PROTECT IP Act (PIPA, senate) bills try to placate the Big Media industry, which claims that piracy is rampant and causing significant financial harm to the industry.  This claim, particularly that piracy is causing great financial harm to the music and movie industries, is credibly disputed, however.  I won't bombard you with links on the matter, except to point you to eff.org as a good place to start.

However, not only is the goal of SOPA (and PIPA) possibly misguided, but the means for enforcing the controls on online piracy are incredibly irresponsible.  This is not to say that Congress is (necessarily) acting out of ill will, collusion or self-interest, but at the very least it is acting out of an abundance of ignorance.  Why?  What harm do these bills pose?

Tampering with How the Internet Works

These bills attempt to legislate how the Internet works.  Last I heard, the brilliant minds who crafted and refined the Internet over the years are not working as congressmen.  What the geniuses in D.C. have decided in their rampant technological naiveté amounts to surgery on the Internet with a spoon.  These laws would require service providers (you’re likely familiar with Comcast or Verizon) to block offending sites from being listed in the global name registry called DNS.  This would be something like having your business removed from the Yellow Pages (back when people actually used the YPs).  Worse, as with other egregious examples of technical legislation such as the DMCA, there is little or no due process when complaints are filed.  Basically, you’re guilty until proven innocent.  It’s a little hard to grasp based on these abstract descriptions, so take the example of Youtube.  If some copyright holder files a complaint that someone has posted their copyrighted material, the resulting actions effectively shut Youtube down for some period of time, until the matter can be resolved.  In Youtube’s case, it would simply be decimated, effectively never online.  Would this stop piracy?  No.  Would it stop a great deal of the Internet you’ve come to rely on from working?  YES!

Ignorance is Bliss

Probably the most worrying thing about the SOPA debacle is Congress’ willingness to legislate out of willful ignorance.  In 1995, Congress made the ill-advised move to dismantle the Office of Technology Assessment.  This is exactly the independent body that could have provided Congress with the clear-headed and technically aware perspective needed to kill these bills before they saw the light of day.

Backlash

Now that these bills have made it so far through the legislative process, there has been a growing backlash among the tech community.  Wikipedia shut down most of the English version of its site (though you could still get the content if you knew where to find it), and Google and many, many others either shut down or modified their sites in protest of these bills.

Anybody with some knowledge of these matters knows that these bills are a bad idea.  As technically informed citizens, we must tell Congress to put an end to ignorance-based legislation.


Muzzled through Censorship: SOPA Bringing Google to Its Knees

Posted by Jon Cilley on Wed, Jan 18, 2012

Before starting, I want to make clear that this is my opinion and not that of my employer. With that said, here we go.

Today Wikipedia, Reddit and 10,000 additional websites have gone black to raise awareness of two impending bills: the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA). Several other sites have created petitions (the largest being Google’s) to help fight these bills. So what’s the issue? Essentially there are two at play: keeping the Internet free, while somehow protecting against the onslaught of websites that provide copyrighted content for nothing.

For instance, under this new legislation the music video you watch on YouTube for free would require YouTube itself, or whoever is posting it, to acquire consent from the original content provider. What could follow is any real tieback from links posted on blogs, websites, or social media platforms becoming illegal – or unnecessarily hard to accomplish. This could essentially kill SEO as it exists today, and wherever it might go next. In the end, all you would be left with is a mundane list of articles with no real interactivity. This could disrupt the business models of Google, Reddit, Wikipedia, Facebook, and thousands of other websites, muzzling the Internet through censorship in turn.

This could cripple open source projects across the web, give law enforcers new powers to enforce filters on the Internet, and block access to tools that get around such filters. The bill will not remove pirate sites, but merely lay down cones in the road to navigate around. This hurts true job creators within the web industry like Google. The Mountain View company has already described – in its blog – how to combat pirate sites by attacking their funding.

I can think back to the old Encyclopedia Britannica on compact disc and how limited that was compared to where we have gone. It’s not that this resource was not valuable, but it offered no room for growth – that is, unless you purchased updates.

So let’s face it. We’re spoiled. We live in a world where updates are automatic and in large part free. Most of them go unnoticed because they are just assumed – with Wikipedia coming to mind. But what it offers is the idea of rapid growth through a community of knowledge. It may take a village to raise a child, but a community can educate the world. Why would we stop this? I agree that protecting content and its producers needs to be addressed, but the way the bill is written offers moderate resolution for maximum consequences. If you agree, sign Google's petition here: https://www.google.com/landing/takeaction/.


CES 2012: Your Car is Hackable - A Call to Arms

Posted by Dan Brown on Thu, Jan 12, 2012

A few events have converged to make me think this post is a timely one.  One of these events is the recent CES announcement of GM's "OnStar Future Car" <cue fading echo> and its associated developer API.  This follows, not coincidentally, on the heels of Carlos Ghosn's announcement that Renault will open up the car as a platform, allowing Android devices to interface with some systems on the car.

Among other things, GM "...will let you use a mobile app to unlock OnStar-quipped [sic] cars".  The way I feel about this can only be properly expressed with a prepubescent teenage texting meme:

O... M... G

This is one of the worst ideas in the long, sad history of bad ideas.  It has already been demonstrated that the OnStar system is hackable and presents a significant potential threat.  Perhaps less well known is that all modern cars use a common bus, called CANBUS, that links a plethora (I know, I know, “gesundheit”) of small embedded computer systems that control braking systems, stability control, fuel injection timing, etc.  Even more worrying than someone else starting your car remotely is the fact that these CANBUS-linked systems are also vulnerable to attack, as shown in this NSF-sponsored research paper.  There, researchers (including names that you infosec folks should recognize) demonstrated that cars can be compromised and controlled in ways very similar to your desktop computer.

Take CANBUS, connect OnStar-of-the-future, add a dash of Android, et voila!  A recipe that security nightmares are made of.

Perhaps most worrying of all is the lack of response this seems to generate among the press and industry.  After demonstrations like these, automakers press on with their tabletization of cars, and the press coverage either gushes, yawns, or decries the driving distraction issue – all seemingly oblivious to the real and obvious threat this poses.

These threats bear many similarities to the SCADA threats that have finally started to receive long overdue attention, and they will be the subject of a future post.  I haven’t found many references, but I know that Mudge has been waving his hands about the threat these vulnerabilities pose to our infrastructure (nuclear power plants, electric grid, etc.) for many years – long before Stuxnet came along – and is now in a position to do something about it.  Richard Clarke’s recent fictional books also contain many warnings about potential worst-case SCADA attack scenarios.

Let’s not wait a similarly long time to act on this problem.  It’s time for us to wake up and smell the new car smell – carrying a faint whiff of ozone and solder.  We can’t afford to wait for the well-established pattern to unfold, where hypothetical security threats play out in startling reality.

Let’s discriminate between technical progress and security regress.  At consumer shows like CES, we need to start exercising real consumer power and demand that security come first!


The Symantec Flap: Why A/V Was Dead Already

Posted by Dan Brown on Mon, Jan 09, 2012

The recent theft of the source code for Symantec's flagship product, Symantec Endpoint Protection (SEP) version-whatever, has the twitter-blogo-news-osphere in hyper-overdrive mode.  There's lots of speculation about who the source was stolen from (right now it seems like Indian military intel servers), who did it (credit claimed by a group called "Lords of Dharmaraja"), and what this means for Symantec and infosec in general.  But many of the talking points seem way off to me.

Attackers getting access to source isn’t, from a technology standpoint, the big deal that headlines want you to believe.  The first claim is that this is a huge blow to Symantec’s technology.  Now that their “secret sauce” is out there, big bad hackers will be able to have their way with SEP.  The biggest problem with this claim is that attackers worth their salt already have their way with SEP.  I have first-hand evidence that SEP is straightforward to bypass.  It’s a given in the infosec research community and has been for years.

Second, implicit in this claim is that having access to source code makes something less secure.  This isn’t true.  For example, the reason we have so much confidence in cryptographic algorithms like SHA256 is that they’re publicly available for experts to scrutinize over a long period of time.  Proprietary encryption has a long, sad history of failure.  Just ask DVD Jon.  Also, ask industry wonks which is more secure, IE or Chrome.  You’ll likely get a belabored argument which neither side will win.  Now, I wouldn’t rule out that Symantec has done some silly things that they wouldn’t do if they thought the bad guys had their source, but this argument is mostly erroneous.  Yes, it’s a bit harder to find flaws in software that’s only available as a binary.  But source code analysis is not the way most bugs are found.  There are a myriad of ways to find software flaws, including binary reverse engineering and automated analysis tools (fuzzers, static analysis, dynamic instrumentation, etc.).  That’s why QA folks have jobs.  Programmers are guaranteed to make mistakes, lots of them, and not all will be found by code reviews.

Another claim I find extremely ironic, and this one is made by Symantec to downplay the incident, is that this is no big deal since the source code is old.  To quote Symantec’s spokesman, Cris Paden, “We distributed 10 million new signatures in 2010 alone. That gives you an idea of how much these products have morphed since then, when you're talking four and five years.”

Wow.  There’s just so much wrong with this it’s hard to know where to start.  First, if your large, mature commercial software product has largely been rewritten in the last five years, a) you’re likely doing something wrong and b) I don’t believe you.  Second, adding signatures to a database is not the same as modifying your product’s source code.  The code implements the scanning, and the signature database says what to look for.  Little if any code needs to change for new signatures.  Third, Paden appears to be bragging about one of the largest flaws in traditional antivirus software: the huge number of signatures it has to look for.  How many of these 10 million new signatures are wrong?  Probabilistically, quite a few.  Worse, do you think the signatures in this database comprehensively cover all of the malware out there?  Of course not.  All new malware bypasses signature a/v until it’s found, analyzed and signatures are generated.  Besides, there are well-known tools to evade traditional a/v by encoding (scrambling) existing known malware so that the signatures don’t match and the malware slips right by.  And that’s just one way to get by.

The basic problem with the premise, that this breach is a huge blow to Symantec’s antivirus technology, is that this technology was fundamentally flawed to start with.  Traditional a/v is often the punch line to bad jokes at security conferences.  There’s no particular need to mourn the loss of a little spilled a/v source code.

If, however, this gets a few more people to rethink their reliance on a/v for protection, then this could be one of the best things to happen to infosec in a long time.


DRM: The Poison Pill In Online Movies

Posted by Dan Brown on Thu, Jan 05, 2012

I’ll preface this with the disclaimer that this rant is my own opinion and not necessarily that of my company – particularly the bit about The Black Eyed Peas.  With that out of the way, let’s talk DRM.

You may not be aware of Digital Rights Management (DRM), but it is a technology that you likely use on a weekly, if not daily, basis.  Most music and video obtained (legally) online is encumbered with DRM.  DRM uses cryptographic means to enforce Big Media’s control over content in your possession.  With it they can make the media playable only on a single device, they can make the data uncopyable (so you can’t make backups), and they can require you to repurchase the media if you, for example, lose your device or have it stolen.

In short, DRM sucks.  But, with streaming movies becoming the rule rather than the exception, there doesn’t appear to be much push back from the consumer.  Are we really going to take this lying down?  Are we going to let big media specify the terms of when and how we consume media?

If we do, perhaps we should give up hope and just go ahead and adopt the following DRM pledge:

Pledge of Allegiance

DRM Pledge

I do solemnly swear on my public key
To attest for Big Media’s certainty
That my bits are aligned with integrity

To teach children to honor PROTECT-IP
DMCA, SOPA, then maybe we
Can live together in harmony

I swear to shun Pirate Bay and all P2P
And loopholes of analog variety
Which lead to decay of society

In return, nebulous Clouds promise me
To store content paid for, indefinitely

And never to charge me recurring fee
For content delivered so cleverly

So with approved devices I can see
Schlock like Gigli and The Black Eyed Peas

In an upcoming post I’ll discuss the security applications of the technology underlying DRM, called the TPM, and why it can be a Good Thing™.


U.S. Military Approves Android Devices Not iPhone

Posted by Jon Cilley on Wed, Dec 28, 2011

Android in the DoD

Score another win for Android. The Department of Defense (DoD) has recently announced the approval of the Dell Streak series of Android devices, running Android 2.2 (Froyo), as an alternative to the floundering RIM devices usually utilized by defense professionals. Call it a black eye for iOS and maybe the nail in the coffin for RIM: Android’s escalation to the top of the smartphone food chain has been swift and brutal to its competitors.

The problem here is Android 2.2. The military does not have a great reputation for staying ahead of the curve. Its approval process for newer devices has been known to move slower than a shuffleboard game at a retirement home. The move to Android is no different. Sure, DoD-approved Android devices are great news for Google, but what they are running is a bit more concerning.

Android 2.2 was released in August 2010. Last time I checked, that’s light years behind in the smartphone world. Also, they have approved Dell’s Streak series of tablets, which have recently been discontinued. Is this a bad joke? It’s like giving your kid a Nintendo 64 this past Christmas and then raving about how good the 15-year-old graphics are – the kid doesn’t buy it, so why should you?

Froyo has not been maintained with current patch updates since the summer. Most current Android devices – including the discontinued Dell Streak series – have upgraded to Android 2.3 (Gingerbread) or beyond. Recently Bit9 released a report regarding the vulnerabilities of the Android update ecosystem, and how the broken system prevents security patches and updates from being pushed to devices other than Google’s Nexus models.

Android’s fragmentation is the result of its open-source nature and an update model handled by the Android manufacturers. Fragmentation hurts the average user with regard to security, because more often than not Grandma is not going to patch Android’s source code in between bridge games to resolve security issues, which means the average user could be left with buggy devices – or worse – security problems. The DoD seems to think that because of these same open-source principles, it can tinker with Android’s source code to prevent these types of issues. It’s a little bizarre. Why discontinued Dell devices? And why a year-and-a-half-old OS?

With mobile malware up 400 percent on the Android platform this past year and malicious applications finding a new home in the Android Market, you figure and hope the Pentagon knows what it is doing. They are revoking access to the Android Market and locking down specific features, but in the end, is it enough, and does anyone really care?


2012: Year of the "Smack"

Posted by Harry Sverdlove on Wed, Dec 21, 2011

2011 was the Year of the Hack. We saw an unprecedented rise in targeted attacks, ranging from the rather primitive (but effective) to the highly sophisticated.

While state-sponsored attacks and cyber espionage have been occurring for decades, the level of disclosure and visibility of these attacks rose to new levels in 2011. Among just a few of the high-profile attacks:

  • With the RSA breach, we saw just how sophisticated and patient nation states can be when it comes to stealing intellectual property. In a scene reminiscent of a sci-fi movie, they attacked one corporation in order to get the keys to break into other corporations months later. It is estimated that the attack which hit RSA was actually used against over 700 other companies. This was not a smash-and-grab cyber attack; it was a lie-in-wait attack.
  • With Operation Night Dragon, we saw a coordinated and wide scale attack on several energy companies across multiple continents. The cyber attack used multiple vulnerabilities and techniques in a coordinated campaign specifically against petroleum and energy companies. The attacks were traced back at least two years.
  • With Operation Shady RAT, over 70 different companies across dozens of countries and different industry sectors were attacked using the same command and control server. The attacks spanned at least five years and included companies from energy, finance, real estate, technology, government, and even the International Olympic Committee. As common for targeted attacks, Shady RAT established its foothold through spear-phishing (targeted emails), using social engineering to trick users into opening malicious content.
  • With Nitro, at least 48 different companies within the chemical and defense industries were targeted. In the Nitro attacks, a program was installed allowing the attacker remote control of the infected systems. Interestingly, the same servers used in these attacks were previously used in a campaign against human rights organizations and NGOs.

In total, thousands of different companies around the world were attacked in 2011, with no stone left unturned. If you have any data of value, regardless of your company size or industry, you are a potential target. All of these attacks were targeted and involved manual interaction, where humans were on the other end controlling the malware, and all of these attacks have been linked, with various degrees of certainty, to individuals or groups within China.

We are witnessing the greatest theft of intellectual property in history. Unfortunately, 2012 looks to be no better when it comes to organized state-sponsored attacks. Not only have the attackers been emboldened by their successes, but there are currently no consequences for their activities.

As the 2011 examples demonstrate, energy and utility companies are a particularly ripe target. The SCADA (supervisory control and data acquisition) systems and ICS (industrial control systems) computers controlling our nation’s public and private infrastructure are woefully outdated when it comes to security. Until real progress is made in securing these systems, we will continue to see further breaches. Most concerning is that attacks on ICS systems can result in physical damage or even loss of life.

2011 also saw a dramatic increase in hacktivism – politically and socially motivated attacks with the aim of causing embarrassment to a target or simply making a public statement. We saw the rise, and sort-of-fall, of LulzSec, as they used Sony as a punching bag for hacking. We saw Anonymous continue making social and political statements, aligning with movements like Occupy Wall Street. The internet is an integral part of the fabric of modern society; it is natural that it has become a common medium for protest.

It does not take a crystal ball to realize that the trend of hacktivism will continue, not just into 2012, but throughout the next decade at least. While the techniques used by hacktivists will get more advanced, they are generally and comparatively “low tech” today – using well-known techniques such as distributed denial of service (DDoS), SQL injection, and cross-site scripting to take down or deface web servers. From a security perspective, it is disheartening to see how successful such basic and well-known attacks can be against even the largest of corporations. I would like to believe this year has been a wake-up call for companies to get their basic security house in order. Sadly, this is not the case, and we will see more big names successfully “hacked” in the coming year.

2011 saw the rise of the smartphone. The number of smartphones sold in the last quarter of 2010 was greater than the number of personal computers, and this trend is continuing. The amount of malware targeting these devices has increased dramatically, with estimates ranging from four-fold to well over ten-fold. While this is still a game of small numbers, even a penny-a-day-doubled adds up very quickly.

Seventy-six percent (76%) of smartphone consumers use their devices for business purposes as well. These miniature computers contain not only our most personal information (e.g. contacts, text messages, geo-location, credit card and password information), they also contain confidential business information (e.g. corporate emails and documents). As our report on the most vulnerable smartphones of 2011 describes, most smartphones run out-of-date software with known vulnerabilities that leave users at higher risk.

In 2012, we will reach over one billion smartphones worldwide. This is a green field for attackers, as the technology has evolved faster than security. We will continue to see a rise in traditional malware targeting personal and financial information on these devices. As with the personal computer, we will begin to see targeted attacks on smartphones where the motivation shifts from financial gain to corporate espionage and IP theft. I will coin a new term here to describe the next generation of smartphone hacking – “smacking.” I predict 2012 will be the year of the “smack down,” as mobile devices earn their place as a critical corporate asset under cyber assault.


Back In the USSR

Posted by Dan Brown on Tue, Dec 20, 2011

2012: The Dawn of the Information Oligarchy


For several years now, the founding principles of Internet freedom have been under attack.  The sources of these attacks are largely media industry organizations (meaning movies and music), and the politicians that seem to be in their pockets.  The basis of these attacks comes from a desire to control, police, or tax the Internet and the technology marketplace in general.  Of particular concern are software patent lawsuits like this one, the Stop Online Piracy Act (SOPA) and its Senate cousin, and the battle surrounding net neutrality.  These issues are reported on very lightly, obscured by current worldwide concerns, but I believe they may be equally historic and potentially disastrous.

In all these cases, certain special interests have lobbied Congress to make sure they do the exact wrong thing.  Individually these actions are egregious examples of the dysfunction of current political governance in the U.S., and together they may spell the end of the Internet as we know it.

Software Patents

Most people think of their smartphones as hardware devices, which sound like reasonably patentable devices.  However, the useful functionality of these devices is driven primarily by software, with the hardware playing only a supporting role.  The types of legal shenanigans where simple features are patented as if they’re comparable to inventing the telephone, currently playing out in Apple’s trivial-feature suit against HTC, are simply the latest examples of the fallout from innovation-killing software patents.  It’s rather difficult to summarize in lay terms why software patents are such a terrible idea, so I’ll be brief and mostly just point out a few arguments online.  The basics are that, as software professionals, I and millions of others have to constantly look over our shoulders, wondering if, during the course of our day-to-day work, we might actually be reinventing something trivial that has somehow been previously and inexplicably patented.

Worse, companies are incentivized to patent virtually everything they do, ostensibly to defend against patent infringement suits waged by competitors.  This situation becomes self-enforcing unless patent law reform is enacted.  The fallout is that the consumer mobile device and other software-based markets may deteriorate into monopolies, creating malware-friendly monocultures, not to mention simply destroying innovation through litigation.

Intellectual Property

Did you know that when you watch streaming movies, your hardware is complicit in providing a guarantee to Hollywood that you are running certain software that is incapable of copying the media?  That’s true even if you “own” the movie that you’re watching.  That means that if their site is down, you can’t just pop in your backup copy of Pirates of the Caribbean.  This is part of the righteous battle being waged by the Motion Picture Association of America (MPAA) and Recording Industry Association of America (RIAA) against evil media pirates, like 10-year-old girls, grandmothers (not an isolated incident), and homeless people.  Now they’ve taken that fight to Congress, who, for some reason, don’t appear to be much opposed to legislating on their behalf in the form of SOPA and PROTECT-IP.  Perhaps the apparent moral failings of the proposed legislative action can be partially excused by the widespread technological ignorance among members of Congress that appears to be the true enabling factor.  However, evidence continues to mount that this ignorance is ironically self-chosen.

Net Neutrality

It’s important to understand history and to learn its lessons.  Most important is understanding what those lessons really are.  Politicians often invoke history, at least their understanding of it, in their political campaigns and rhetoric.  In this particular case the politicians have their history wrong; very, very wrong.

Having worked for several years at a company that lays a reasonable claim to contributing substantially to the creation of the Internet, I believe I have a better perspective on that history than do most politicians, Al Gore among the possible exceptions.

Opponents of Net Neutrality claim that the Internet is broken.  No single entity exercises appropriate control over the Internet, and it is currently bigger than any one country.  That is exactly the point.  The Internet is bigger than any one country.  The Internet abhors censorship and secrets.  Controlling the Internet is not only doomed to failure (“The Net interprets censorship as damage and routes around it” – I would argue that bandwidth shaping is a form of censorship), but is misguided and will cause damage and unfairness in the meantime.  It is antithetical to the principles under which the Internet came to become such a powerful tool and facilitator of free and open communication.  By the way, you can add Al Franken to the short list of Washington-folk who seem to “get it” on technological issues, and omit others who apparently do not.

These issues are converging to form a pivotal moment in history.  If we fail to sufficiently educate the public and political leaders on these issues, it will usher in a new age of information oligarchy.  Innovation will be stifled, free speech censored, and information security will face brand new challenges.  Control of the Internet will increasingly become concentrated in the hands of a few.  Criminals and tyrannical nation states will be the only ones to appreciate the new world order… back in the USSR.
