DISQUS

Princeton is obviously the right choice -- why not go to grad school where Dan Wallach went? ;)

The window shade business might have a legitimate rationale. Having the shades up (a) ensures adequate light inside the plane even if the power fails, and (b) makes any dangerous conditions outside the plane more visible.

Richard,

The paper you cite points out inefficiencies in DOCSIS (when used with TCP, which it almost always will be). But it doesn't provide technical justification for the steps Comcast is taking. The paper's main result is that DOCSIS has trouble when lots of users are browsing the Web. Then why doesn't Comcast throttle Web traffic? Why do they throttle by sending RSTs rather than dropping packets or adjusting behavior at the DOCSIS level? Isn't the real problem that their network is underprovisioned, with too many users sharing the same termination system?

As Tim points out in the post, Peter Eckersley found a signature field in the Apple files. So I corrected the post that Tim quoted. For the record, his quotes capture the original version of the post correctly.

For what it's worth, I'm a reasonably happy CableCard customer. Over the holidays we switched from the universally hated Motorola settop DVR box to the vastly superior Generation 3 Tivo. The Tivo uses two CableCards (one for each of its two tuners), and they have worked flawlessly so far.

Regarding the RFC citations: the longer version of the paper does cite specific RFCs. But Hahn and Litan seem to have misunderstood the RFCs they cite, which mostly recommend an end-to-end approach.

Richard,

I think you're missing the point of the end-to-end argument. The point was not to engineer the network for a particular kind of application. The point was to engineer a maximally flexible network, because we didn't know which applications people would want.

Noel,

In case it wasn't clear, I'm using the economists' definition of value.

Consider these two scenarios. (A) I will cook dinner and my wife washes the dishes; no money is exchanged. (B) My wife pays me $5 to cook dinner, then I pay her $5 to wash the dishes.

The same value is created in both scenarios: the value of having dinner cooked, plus the value of having the dishes cleaned.

Noel,

Unclear writing reflects either (a) clear thinking, poorly expressed, or (b) unclear thinking. The DMCA looks like unclear thinking.

If you think there's a clear idea underneath the DMCA's conceptual clutter, tell us what it is. What should the DMCA have said, in detail?

A small correction: the article gives Wired's voting-machine recommendations, arrived at after talking to Dave Wagner and me. Don't assume that Dave and I both agree with every last thing in the article.

From a technical perspective, antivirus products like McAfee and Norton are no substitute for secure construction of the underlying OS. At best, antivirus products can partially plug some of the vulnerabilities in the underlying OS. What people were criticizing Microsoft for back in 2002, and what Microsoft started trying hard to change, was the prevalence of holes in Windows.

The original post seems to just assume that Microsoft's questioned actions will make Windows more secure. If Microsoft's actions do lock out some antivirus products or constrain their ability to protect users, then security may suffer. (Whether third-party programs can download and run is only part of the question. Once they're downloaded and running, how much latitude do they have to protect the user?) Only a detailed, technically sophisticated examination of what Microsoft is doing can tell us whether the company's actions will improve security. To just assume the result of that analysis is to ignore the most important question here.

The "error" you point to is just a decision on my part to simplify the explanation for nontechnical readers. If you want to write a short paper that nontechies will be willing and able to understand, you have to leave some things out. The congestion control discussion is about the cooperative nature of TCP backoff. For that purpose it's enough to know that TCP works that way, and there is lots of TCP traffic.

I would have the opposite worry about making the government pay the cost of data retention: the cost might be too low. The marginal cost, per byte of data stored, is dropping exponentially due to Moore's Law. There are fixed costs, but once those are paid the cost of adding to the data store could be very small.

In the long run, the true cost of data retention will be due to the risk that data will leak or be misused. Unless those costs are taken into account, government will buy too much data retention.

That last comment was from me.

Lee,

This is why I asked you to be careful about dates. The Oppenheim letter to which the judge referred was sent after we filed our suit. The issue in that court hearing was not about the state of affairs when we filed the suit; it was about whether the suit could continue given RIAA, SDMI, and Verance had, AFTER WE FILED THE SUIT, withdrawn their threats.

Do you have any evidence, either in the record or out, that the RIAA, SDMI, and Verance withdrew their threats before we filed the suit?

Lee,

I'm not sure what you're trying to imply when you call my statement "extraordinary". If you're trying to imply that the statement is false, then all I can say is that you should have talked to some of the people involved before making assertions about what did or didn't happen.

Your statement that our speech was not chilled is clearly inconsistent with the facts, for example with the fact that we had to withdraw our paper from publication in IHW, and the fact that Verance made legal threats against us and asked for a long list of redactions in the paper.

Your statement that the RIAA withdrew their threat before we filed the suit is also false. What evidence do you have to support it? (Pay attention to dates -- they did withdraw the threat later.)

Tim,

I'm not sure why you think our First Amendment claim indicates that we weren't fighting to publish our paper. If the court had ruled that our paper did violate the DMCA, then the First Amendment argument was the best (and probably only) way to get the paper published.

DMCA boosters can repeat the speech-was-not-chilled claim as often as they like, but it's still false. There are two big examples of the chill. First, WE ACTUALLY DID WITHDRAW THE PAPER FROM PUBLICATION at the Information Hiding Workshop. Second, ONE OF MY COLLEAGUES LOST HIS JOB BECAUSE OF THE PAPER. Sorry for yelling, but I'm sick of having this lie repeated.

At the time we filed our suit, the RIAA and SDMI had not withdrawn their threats -- they told the press that they had never objected to our paper (which was false) but they refused to tell us that they would not sue if we published the paper. And note that the RIAA and SDMI were not the only two parties that had threatened us. The other party, Verance, had done nothing to withdraw their threat. It was only after we filed our lawsuit that all of them promised definitively not to sue.

Note that the IPI paper is extensively footnoted. But the paragrpah that makes false assertions about our paper and lawsuit has no footnotes, no quotations, no references to primary documents. That's because their claims aren't supported by the record.

As you point out, it's hard to offer much commentary about the raid without knowing whether PirateBay was violating Swedish law -- a point on which almost everybody is unqualified to speak.

Surely you wouldn't approve of the Swedish police mounting this kind of raid against a lawful site?

The statement that "If 'open' must mean one can't hide anything* from the user, well, open source is going to have problems implementing *any security technique..." shows a pretty fundamental misunderstanding of computer security.

In fact, security is enhanced by the user's understanding of how the system works, just as aviation safety is enhanced by the pilot's understanding of how the plane works.

RFID chips were designed with one set of uses in mind, but they are actually implemented in ways that allow other (mis)uses as well. There's a small scholarly literature on these sorts of RFID problems. For example, David Molnar has a paper (with colleagues) about the library attacks, and there are several papers about e-passport issues.

There is some silly RFID panic out there; but these sorts of technical problems are real.

The cookie bit is hard to follow, even to techies like me. I think it's meant as an analogy, and what is really going on is that the guy can write information onto the RFID tag and then use various monitoring and reporting functions of the RFID-using system to figure out where the tag went. For example, maybe he can get the EZ-Pass system to report to him where a car went (instead of, or in addition to, reporting that information to the owner of the car). That sort of attack is probably possible.

As I understand it, the French bill contains both DMCRA-like reforms (which you like) and the open design requirement (which you don't).

The open design part won't have much effect. The main barriers to interoperating with FairPlay are legal, not technical. It's not that hard to figure out the information you need by reverse engineering. If the French want interoperation, all they have to do is make sure that reverse engineering and interoperation are clearly legal, and the market will take care of the rest.

In a civil suit, the standard of proof is preponderance of the evidence. If it is known for certain that some bad act was committed via your WiFi, a plaintiff only has to prove that it is more likely than not that you were the person who did it. They can brush off your argument that it might have been an outsider by saying, "Maybe, but probably not."

I guess DeLong didn't read the rest of the Wikipedia entry he quotes. It gives a pretty clear picture of HDCP's security woes: "researchers demonstrated fatal flaws in HDCP for the first time in 2001 ..." It even points to commercial devices that strip HDCP protection off of video signals.

Competition is the best way to solve this problem. But the difficult issue is whether we can have a truly competitive market. Competition is good for many reasons; but can it really be achieved by pulling the available public policy levers?

My sense is that the smarter advocates of net neutrality regulation support pro-competition policies but think those policies will have only limited success. They see regulation as a second best solution that will become necessary if, as they expect, the market is not competitive.

I'm not sure I understand your point about contracts. Contracts only bind the parties who agree to them. Networks, local affiliates, and cable operators make contracts with each other about redistribution. But viewers are not parties to those contracts, so how can viewers be bound by their terms?