Many years ago - decades - I dreamt of starting a small, rude consulting group, called the “Trout Guerilla Consulting Group.” These were its founding documents, from the crazy dot-com years of 1999 and 2000.

Introducing the Trout Guerilla Consulting Group

Good morning. The reason that there is a dead trout on the doorstep to your business today is that we at the Trout Guerilla Consulting Group (TGCG) have determined that your business model is failing or will fail in the Internet Age. But it’s not too late to save yourself. Yet. Contact us if you don’t want to be a fish out of water any longer.

The TGCG is working to save the world from itself. TGCG believes that the Internet can be the most powerful force in modern history for bringing the world together as well as helping businesses, both the new ecommerce startups and more traditional brick-and-mortar businesses. The clients of the TGCG are all companies–no matter how connected they may already be. Just because a company is running powerful servers on a T3 with multiple Intranets and VPNs and whatnot does not mean that it is clued. A firewall is not sufficient as something to hide from the TGCG, but a good firewall is a good clue that maybe you don’t need us. All companies which are trying to control the Internet and make sure that nothing gets out of hand will have dead trout delivered to them–eventually. The TGCG is backlogged terribly, and we haven’t even started yet.

Many organizations need to realize that the Internet is not their enemy; it’s merely a new tool, a new method, and a new world. It does not correlate to the old world very well. Its economies are fictional, but they have rules. Its products are virtual, but they are restricted to the Internet. If you treat the Internet as part of your traditional business and try and control it that way, you will fail, and die like the trout we sent you from being out of its natural environment but still trying to get oxygen through the same old gills. Open your minds and breathe in the air of the Internet, or suffocate. The Internet and the real world can exist peacefully, side-by-side. They are DIFFERENT. Realize this. If you cannot realize this, TGCG can help.


TGCG vs the MPAA and DVDCCA: The MPAA, RIAA, and DVDCCA get dead trouts after going after DeCSS authors and the like

So one morning, the big long acronym associations of the recording and video industries would have piles of trout, dead, on their porches. They just don’t understand the reality of the Internet Age. The MPAA and RIAA have been trying to shut the barn doors, but they neither realize that the horses are not only already out but already out of earshot, nor understand that there simply aren’t any doors that can be closed. The precedents have already been set. Digital media does not replace the feel of reality. eBooks may become the standard for your dimestore Harlequin romances, but a well-printed book with its book smell and feel will simply not go away. MP3 music files may be the default medium for music, but will never replace the CD because the CD comes with a jacket with information, lyrics, and photos of the band, and can come with more–special programs written to the CD or other low or no cost bonuses. Witness, even, the continuing popularity of vinyl records: media that is not user-recordable, does not stand up over time as well as a CD, is not portable like a tape was. Yet vinyl records are still the way to go among audiophiles, and indeed there is now a 5-digit-cost record player that uses laser beams so as not to damage the record. And what do records have over tapes, or CDs, or MP3s? Technically, nothing. Get this, understand this. It’s not the technology anymore. It’s the perception. The market. Hype.

VCRs did not ruin the movie industry. Copiers did not ruin the publishing industry. DeCSS will not kill DVDs (well, provided the boycott is lifted…)

For these industries, the simple fact of the matter is that once a user has the media, the user has the media. DIVX died; I predict all such methods will die similarly. Users are like children. If you treat them fairly and give them responsibilities, in general they will not double-cross you. There are always bad apples. There always will be. People were recording movies with camcorders at the theaters and will continue. There is NOTHING that can be done to truly block a person’s access to media which they have bought or can view at least once. Accept this and continue on with business–there are other ways around the problem.


TGCG and the FBI: The FBI goes after the DDOS culprits?

TGCG is picking on the FBI because they’ve been the most recent idiot on the block. Not to say that they’re the only one, or the worst one. The recent Distributed Denial of Service attacks against Yahoo, Buy.com and the rest got everyone a little scared. How these attacks (DDoSes) happen is that a malicious hacker (the correct term is cracker, here, and I will use this from here on out) breaks into many, many machines. Reports indicate that the recent flurry involved anywhere from 50 to ten thousand compromised machines. The cracker will probably use standard vulnerabilities in these machines to gain access and plant a program in them. The cracker then penetrates a smaller number of machines (one of these can control 1000 of the others) and plants a different program in them. From his own computer (which is probably hidden behind many different methods to make it impossible to track down), the cracker sends a command to the smaller set of computers, each of which sends commands to the huge number of different computers, and each of these computers starts requesting attention from one host (say, Yahoo.com).

There’s a bit of history, here. The idea of a denial-of-service attack is old. Historically, it’s a pissing contest between two computers of who has more bandwidth, so major sites like Yahoo win. Many ecommerce sites receive hundreds of these style of attacks per day, but mainly from people using dialup modem lines and so they’re effectively ignored, or blocked. A student at NYU had a wonderful idea to support the Zapatista rebellion. If hundreds of people, all with simple dialup lines, simultaneously went after a website, they could effectively DoS it, provided it wasn’t a true powerhouse of a system. This fellow organized an Electronic Civil Disobedience movement and swamped the Mexican government’s website with failing webpage requests. The art of this attack was that it was simple web address requests, and the website’s error logs were recording everything, so everyone participating was requesting files like “Human Rights”, such that the error logs recorded “Request for ‘Human Rights’. Human Rights does not exist on this server” or somesuch.

Jump ahead a few years: Mixter, a German programmer and college student, exposes many flaws in the current implementation of TCP/IP (how computers talk to each other over the Internet). He begins releasing tools that show this vulnerability. These tools, such as Tribe Flood Network, easily create DDoS attacks. Mixter expressly does not condone the malicious use of these programs, but believes in full-disclosure security. An earlier tool, Trinoo, did the same thing but the source code was never released, so it was harder to see what the vulnerability was. Mixter’s code was all open-sourced for everyone to look at and work with. In early 2000, Mixter released the end-all and be-all of DDoS tools, Stacheldraht (‘barbed wire’). This was also open source, and combined everything from Tribe Flood Net (TFN), TFN2K, and other DDoS tools and theories.

So today, Feb. 14th, the FBI believes that Mixter is the one responsible for the DDoS attacks. Why? Well, because one of those thousands of computers launching the attacks was in Germany. Of course, one was in California at UC-Santa Barbara, and another was in Oregon, and no one knows yet where the other 9,997 ‘zombie’ systems attacking are located. And these are just the front-line fighters. At best, they’ll point back to the controlling computers that were directly messaged by the cracker. But probably not, because current TCP/IP implementations don’t require a computer to tell the truth about itself.

Trails of evidence across the net have nothing to do with their corresponding geographical locations. This web page is hosted in India. The people running the hosting business are in New York. I’m in Texas. My information that I type into my webpage goes through who knows which countries. Just because a computer is in Germany doesn’t mean that the person controlling it is there. For all we know, they’re next door.

They’re claiming that they’re hot on the tail of ‘mafiaboy’, a Canadian braggart who was taking credit for the exploits on IRC. This is comparable to believing every little terrorist organization that comes out of the woodwork to claim an explosion, except on IRC, there are many, many, many times more little twerps who all would love to claim that power. And then, who are they going after, anyway? ‘mafiaboy’? I’d love to see that on a warrant. Hell, to hear the conversation with the Canadian (if (s)he was actually in Canada and not just coming through a Canadian computer system) extradition committee.

So, now is the time on TGCG that we stop dragging you over the rocks and tell you what is up. First–there is a DIRE need for a more secure information infrastructure. IPv6, IPsec–endorse these widely. Get all government computers up to snuff. Think of all of this hacking as the rigorous testing that field weaponry and vehicles must be put through. It is demonstrably true that software manufacturers do not tend to do the testing to acceptable standards, so consider all these hackers free safety testers. Second, by whatever means necessary, convince those in charge that one simply can’t go about infowar investigations in the same way that one might normal investigations. Hire people who are grey or white hackers. Hang out with the NSA more to learn their information tools. Educate yourselves about the new world–not even the TGCG can do this for you. You might want to start here.


TGCG vs Mattel: Mattel is trying to restrict the freedom of speech. And succeeding.

The Internet is a mean nasty evil place that’s full of pornographers and child molesters and encryption nutcases. At least that’s what producers of ‘censorware’ would have you believe. Of course, they call it friendlier things like ‘NetNanny’ or ‘CyberPatrol’. These programs have lists of sites that are no-nos containing bad things like sex information or pornography or dirty words. They’re used because parents and teachers are too lazy or clueless to give their kids correct instruction on what they should and shouldn’t be reading on the Internet, or to keep the family computer in a public location (the living room for example??) so that they won’t be tempted to bend the rules. Let’s first take a closer look at the ideas behind these programs. It’s effectively ‘outsourcing’ your morality to a corporation interested in making money off of it. They get to say what is and isn’t bad, which may or may not be in line with the morality of your family. You might be interested in letting your child learn about breast cancer–maybe they’re concerned or curious? Does the program block sites about breast cancer because it has the word breast in it? Some do. Can you find out if they do? Well, not after installing it certainly, because the programs list as ‘bad’ sites which discuss the problems of the program, like the censorware site linked above, which is universally blocked from all filtering software.

CyberPatrol is one of the worst of the bunch. I can’t imagine this site will be unblocked by them for much longer. The original release blocked such sites as MIT Computer Science, an online pet care store, numerous gay-rights and discussion sites, and things such as the National Academy of Clinical Biochemistry–which remains blocked. Censorware reports on the newsgroups that are blocked:

The entire rec.games.* hierarchy, 100 groups concerned with games of all types, continues to be banned as containing illegal, violent, profane, and intolerant content. Misc.headlines and the misc.health.* hierarchy (the block is on “misc.hea”) continue to be banned under Violence/Profanity and SexActs. The news.groups.* tree is still banned, ensuring that new users who want to find out what newsgroups cover a specific topic will find it challenging to do so. Rec.hunting.* is still banned under Militant/Extreme. The soc.* hierarchy is still hard hit - groups for soc.support., for example, are still banned as profane and intolerant, and soc.feminism is still banned for Violence/Profanity and SexActs, despite the fact that it’s a moderated group. Alt.coven continues to be banned, despite Microsystem’s promise earlier this year to quit discriminating against non-mainstream religions. Alt.censorship is still censored, in a fine display of irony. The alt.cyber tree continues to be banned. Feminism? Banned. Journalism? Banned. The 220 mostly-unrelated groups that match the pattern alt.sup*? All banned.

Great software, right? Fantastic stuff? It gets better. Some programmers discovered that the software wasn’t even particularly well made. It was trivial to find the password and get access to the list of sites CyberPatrol blocks. Note that the program of itself DOES NOT break the locks and allow users to get around the CyberPatrol–ONLY to read the list of what sites it blocks.

They published an academic essay on the program and the list of blocked sites they found. This paper is being used in college classes to discuss the new age of media and control. The programmers got entangled in a lawsuit in which Mattel claimed that reverse engineering the CyberPatrol software and finding these gaping holes and bad-faith block lists was, get this, illegal. And let’s not stop with the program, said Mattel, which went after the essay about the flaw and the list of sites that CyberPatrol blocked. And the judge agreed with Mattel.

So all copies of the program, essay, and list that are floating around on numerous mirror sites are illegal and being pursued and sent cease-and-desist orders. But why stop there? Mattel has issued subpoenas to the major sites hosting mirrors of the software requesting that they relinquish the logs of EVERYONE who DOWNLOADED the program. Now this is a unique approach.

Now, let’s consider what, exactly, is wrong and then TGCG will suggest some plans of action to pursue.

First, banning reverse engineering is the same as telling someone who bought a car that it is illegal for them to look under the hood. It’s insane and wrong and harmful to the consumer. Second, trying to ban information, especially essays, is what we call ‘Orwellian’. If you don’t know what that means, you must educate yourself. The information is already out there and can be regained; banning it does nothing. Further, it’s an entirely useless endeavor in that the more you try and squelch it, the more valuable the information becomes and the more fastidiously it is guarded and traded.

So, what should Mattel do? In an ideal world, drop the charges and return the rights of the programs to the programmers. Hire the programmers, if they are willing, to improve the product. Make the list of banned sites public information, and available to the consumer who buys the product to let them know exactly what they’re getting. In an ideal world, Mattel would admit the error of its ways and turn to an open solution that welcomed comments on its list of banned sites and software so as to improve it.

Whither Netiquette?

I always thought that the idea of a barely-spoken code of honor among the CyberCommunity was a good idea that just never happened enough. There are some unspoken rules, but we as a community just aren’t strong enough at self-government to have a good set of manners we follow. “If you flame, you will be flamed back” is a rule, not a good ethical code of operation. I mean, really. Whatever happened to the basic rules of politeness and (on-line, at least) general helpfulness and volunteer attitude? If something needs doing, do it. This is how we got some of the greatest features of the ‘Net, the WireTap e-texts, for example, or the Lyrics ftp database. I admit, a lot of this continues by necessity. Warez and MP3 type sites rely on volunteer work to exist, though we must realize that oftentimes these are enforced by ratios of uploaded data to downloaded data, forcing people to trade. I am a firm believer in volunteer building of the Internet. It doesn’t pay well, but it is often rewarding. I run the Undernet #Poetry channel to try and provide a good place for poetry to be shared and improved, and try to do more things through my website.

We complain when we see a site that we have to pay money to interact with, but don’t go to the trouble to provide our own work to parallel said site for free to other users.

IRC displays a lot of what’s wrong with the lack of Netiquette online. Many are the people who exist solely to annoy and piss off others on-line. What the heck? Don’t you have something better to do than to incite people to ban you from every channel online?

And about all this e-mail crap… I really, really hate chain mail, even the funny ones get annoying, and especially the GoodTimes Virus mails. My policy with chain mail is to return to the sender the listed number of mails I’m supposed to forward. I also really really hate unsolicited e-mail ads, for these I give one warning and then on the second unsolicited e-mail, I flood their server. I really hate junk mail. (But I like monkeys) (kudos to the 4.3 people out there who got that reference).