Feed aggregator

russellmcormond: RT @juliepsamuels: It's not every day I'm accused of being too conservative. @binarybits says @EFF should go further on software patents. ...

Russell McOrmond on Twitter - Thu, 2012/06/21 - 11:33
russellmcormond: @CanadianArts Quite the opposite: #TPP will transfer rights from creators to device manufacturers further than #C11, making situation worse.

Russell McOrmond on Twitter - Thu, 2012/06/21 - 10:41
russellmcormond: #C11 in the Senate: what would I say to them? http://t.co/4Kk58X7M #TPM #DRM #ITPropertyRights #cdnpoli

Russell McOrmond on Twitter - Thu, 2012/06/21 - 10:36
russellmcormond: .@spikestabber The opposition weren't any better on #TPMs, and still spoke the "Harry Potter" narrative http://t.co/7RE5tIq8 #C11

Russell McOrmond on Twitter - Thu, 2012/06/21 - 08:39
russellmcormond: .@spikestabber And the entertainment industry is in the pockets of the #TPM part of the tech sector. #C11 #TPMs harm them as well.

Russell McOrmond on Twitter - Thu, 2012/06/21 - 08:38
Tsukurimashou 0.6

Matthew Skala's Weblog - Mon, 2012/06/18 - 14:23

At long last, I've completed the 0.6 release of the Tsukurimashou fonts (project home page). This one contains 1110 kanji, including all those taught in the Japanese school system through Grade Three. Also new in this release are experimental italics and integration with my IDSgrep structural-query software (which has its own, separate release series). Downloads: source code; precompiled fonts; demo PDF files.

On pronouns and UIs

Matthew Skala's Weblog - Sun, 2012/05/20 - 18:33

Here is an actual quotation that I did not make up, from Microsoft's recommendations on how software should communicate with users:

Use the second person (you, your) to tell users what to do.

Here's one of my own:

Don't tell users what to do.

NoXCF-GIMP: an image editor, not an XCF editor

Matthew Skala's Weblog - Sat, 2012/05/19 - 19:34

I have forked the GNU Image Manipulation Program, and you can download my version from this GitHub project. See my earlier posting for discussion of why. In few words: mainline GIMP is an XCF editor, not an image editor. My version is an image editor.

GIMP 2.8 versus FontForge

Matthew Skala's Weblog - Sat, 2012/05/19 - 11:58

A few days ago, I ran Arch Linux's update process and it pulled down and installed a new version of GIMP, version 2.8. This version incorporates some changes in the user interface which apparently were under development for a long time, but only very recently finally put into the "stable" distribution stream.

The one that interests me may appear on the surface to be very small, but it is and is meant to be a really significant shift in the entire definition of what GIMP is. GIMP used to be, as the name "GNU Image Manipulation Program" implies, an image editor. With version 2.8, GIMP has become an XCF file editor with the ability to read and write other formats.

The Latest in Nationwide Internet User Identification - Part 2 (the All-New, So-Called Federal Co-Conspirator Theory)

Freedom to Tinker - Wed, 2012/04/11 - 15:42

Since Part 1 in this series a few months ago, Plaintiffs have continued to file "pure bill of discovery" suits in Florida state court. These proceedings typically involve "John Does" who are accused of copyright infringement via peer-to-peer networks. The Plaintiffs (copyright-holders or their delegates) have continued to name as defendants in those "pure discovery" proceedings not the entities from whom they seek discovery (i.e., the Internet service providers) but instead John Does, from whom no discovery is sought. After filing their suits, Plaintiffs promptly seek and obtain an ex parte order for expedited discovery of the John Does' names from the ISPs, even though the ISPs are not then represented or present in the proceeding. Because the ISPs are not technically parties, the Plaintiffs can use these orders to issue subpoenas to ISPs from across the country regardless of whether the ISPs or their subscribers would be subject to the jurisdiction of a Florida state court.

The Plaintiffs' lawyers certainly must know that this is not right. For one thing, they tend to withdraw their subpoenas whenever it appears a court is actually going to hear the reasons why their use of the proceeding is improper.

Recently, several ISPs stood firm and proceeded to a hearing on their motions for protective order in a couple of these proceedings. The Plaintiffs' lawyers, in typical fashion, tried to withdraw their subpoenas and argued that the judges should not listen to the ISPs' arguments. Not surprisingly, the Plaintiffs did not fare well in an adversarial proceeding.

Both judges not only granted the ISPs' motions, but went farther. One of the judges dismissed the case, also quashing all outstanding subpoenas. The court also noted that, if the Plaintiff should amend (to name the ISPs as defendants, subject to their personal jurisdiction and other defenses), the Plaintiff must certify that the Does as to which discovery is sought committed a tortious act in the State of Florida. In the other case, the court quashed all subpoenas and required the Plaintiff to notify all ISPs of the court's order and an opportunity to object. If a given ISP, in turn, notifies the court that the ISP objects, then the subpoena will remain quashed. (In this manner, the court compensated for the cost and inconvenience to many of the ISPs of a challenge to this improper proceeding in a Florida state court.) Hopefully, this is the beginning of the end of this flagrant abuse of an equitable state-law proceeding.

On a similar theme, the Plaintiffs have also been trying a new tactic in federal courts, transparently designed to avoid procedural details such as personal jurisdiction, venue, and joinder. In this scheme, the Plaintiffs' lawyers sue a single John Doe defendant (who is believed to reside in the forum), and then seek expedited discovery not only as to that defendant but also as to hundreds of other John Does on the theory that they could be "co-conspirators" with the named John Doe. In such a manner, the Plaintiffs seek identification of the long list of so-called "co-conspirators" without any need to show that those Internet subscribers are properly joined and are subject to the jurisdiction of the Court.

Not surprisingly, when a federal judge was able to scrutinize such a tactic (outside the context of an abbreviated, one-sided, ex parte discovery hearing), it was solidly rejected as improper. Ruling on several motions to compel, Chief Judge Holderman of the U.S. District Court for the Northern District of Illinois held that the discovery sought as to the so-called "co-conspirators" in several cases was not relevant to the claims asserted against the single John Doe defendants in those cases. The Court noted that the true purpose of the discovery sought was not to litigate the Plaintiffs' claims in these lawsuits, but rather "to either sue the individuals whose identity they uncover, or, more likely, to negotiate a settlement with those individuals." The Court pronounced that "[w]hat the plaintiffs may not do" is "improperly use court processes by attempting to gain information about hundreds of IP addresses located all over the country in a single action." The Court also took note of the aggregate burden imposed by virtue of the volume of subpoenas being generated by these Plaintiffs' lawyers in their numerous lawsuits.

Fictional pleading for the purpose of gathering names in order to pursue settlements should not be tolerated by the courts. The courts are likely to agree, as long as both sides of the arguments have the opportunity to be heard.

My Public Comments to the CA/Browser Forum Organizational Reform Working Group

Freedom to Tinker - Fri, 2012/03/30 - 16:14

Today, I submitted public comments to the CA/Browser Forum. CA/B Forum is an industry group started by Certificate Authorities -- the companies that sell digital certificates to web sites so that your browser can encrypt your communications and can tell you whether it's connecting to the genuine site. It is important that CAs do a good job, and there have been several examples of Bad Guys getting fraudulent certificates for major web sites recently. You can read the comments below, or download a pretty PDF version.

Public Comments to the CA/Browser Forum Organizational Reform Working Group
March 30, 2012

I am pleased to respond to the CA/Browser Forum's request for comments on its plan to establish an Organizational Reform Working Group.[1] For more than a decade, Internet users have relied upon digital certificates to encrypt and authenticate their most valuable communications. Nevertheless, few users understand the technical intricacies of the Public Key Infrastructure (PKI) and the policies that govern it. Their expectations of secure communication with validated third parties are set by the software that they use on a daily basis--typically web browsers--and by faith in the underlying certificates that are issued by Certificate Authorities (CAs). CAs and browser vendors have therefore been entrusted with critically important processes, and the public reasonably relies on them to observe current best practices and to relentlessly pursue even better practices in response to new threats.

The CA/B Forum emerged after the PKI system on the Internet was already established, but it has become one of the de facto venues for the industry to discuss and define policy standards. Although it began as a mechanism for creating the "Extended Validation" certificate policy standard, it has recently asserted a broader role in defining policy standards for the much larger set of certificates used throughout the industry.[2] The Forum is the industry's attempt to create a self-regulatory structure that can keep up with the rapid operational developments and security vulnerabilities in this area. It should be commended for its efforts.

Nevertheless, the current organizational structure suffers from at least two major shortcomings. First, the Forum includes no representatives from the public or from CAs' customers--these are commonly referred to by CAs as "Relying Parties" and "Subscribers," respectively. This is troubling, given that these are the entities that are most at risk from poor policies or practices. Second, the Forum conducts its business largely in secret, with little public transparency into the process by which policies are developed and implemented. While there may be benefits to keeping some security vulnerability information private for short amounts of time, there is no compelling reason to do most of the Forum's work in private.

Fortunately, there are indications that the Forum is open to change. The call for comments notes that CA/B Forum will consider, "wider membership and participation," and "a more open and public process." The Forum derives its legitimacy from its users and the others in the PKI ecosystem that choose to implement its guidance. A major change in posture in the two areas cited is necessary for it to secure and retain this legitimacy.

Wider membership should include representatives from all parts of the ecosystem, in proportions and with voting authority that allow them to meaningfully represent their interests. As a result of the industry structure, CAs dominate current membership. Some of this is inevitable given that there are simply far more CAs in existence than browsers, but the formal addition of relying parties, subscribers, and perhaps the auditor community would help promote a more diverse and healthy consideration of stakeholder interests. Likewise, the Forum should consider how to structure voting rights to ensure that these interests are appropriately represented in the process, and how to encourage new entities that seek to take part.

The processes of the CA/B Forum should be made completely open to the public, absent some compelling reason in individual cases. Most of the rest of the PKI ecosystem, and indeed most policy processes related to the Internet as a whole, are conducted in public due to the broad set of stakeholders involved. The public posture of technical standards groups like the IETF and W3C should be guidance for opening the policy processes at the CA/B Forum. Email discussion lists, draft documents, and face-to-face meetings should all be made significantly more public.

The comments that PayPal has already submitted to the Forum succinctly summarize the need for an, "open, public, multi-stakeholder process."[3]

If the CA/B forum truly wishes to play a broader role in fostering industry best practices through proposed policies, it must be seen as representative, responsive, and transparent. If it cannot do this, it could fail not only to fulfill that mission but also to provide a dynamic industry-driven alternative to hands-on government intervention. The recent security breaches and revelations of troubling industry practices have not lent confidence to a process that is seen by many as being far too insular. Given the high likelihood of similar headline-grabbing developments in the future, CA/B Forum should change course while it still has that opportunity.

Regards,
Stephen Schultze

Associate Director
Center for Information Technology Policy
Princeton University

[1] The comments and opinions presented here are entirely my own, and do not necessarily reflect those of Princeton University, the Center for Information Technology Policy, or any other entity.

[2] "CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.0" at http://cabforum.org/Baseline_Requirements_V1.pdf

[3] "PayPal supports reform at the CA/Browser Forum" at http://www.thesecuritypractice.com/the_security_practice/2012/03/paypal-supports-reform-at-the-cabrowser-forum.html

Tech@FTC

Freedom to Tinker - Tue, 2012/03/27 - 15:01

Professor Ed Felten, while on loan to the Federal Trade Commission for 2011 and Spring 2012, has a new Tech Policy Blog, Tech@FTC. When he's in his role as Chief Technologist of the FTC, he'll blog there; when he's wearing his regular hat as Professor of Computer Science and Director of the Center for Information Technology Policy, he'll blog here at freedom-to-tinker.

Of course, the big news from the FTC this week is the official report, Protecting Consumer Privacy in an Era of Rapid Change, and I see that Ed has something to say about that. But he's also got an article about SQL injection and our friend, little Bobby Tables.

Join Us at Princeton Tomorrow for "Copyright Cat-and-Mouse: New Developments in Online Enforcement"

Freedom to Tinker - Mon, 2012/03/12 - 15:42

Tomorrow afternoon, the Center for Information Technology Policy is hosting an event that looks at the state of online copyright enforcement and the policy perspectives of the parties involved. We've got a great lineup, with folks from the content industry, internet service providers, web companies, academics, and the press.

Date: Tuesday, March 13, 2012
Time: 1:00 PM – 5:00 PM
Location: The Friend Center, Princeton University, Convocation Room
hashtag: #copyrightcitp

This conference is free and open to the public. Please register here.

Copyright enforcement in the digital era has been an ongoing game of cat-and-mouse. As new technologies emerge for storing and transmitting creative works, content creators struggle to identify the best response. The content industry has employed different tactics over time -- including technological copy protection, litigation against infringers, and collaboration with Internet Service Providers (ISPs). In August of 2011, some members of the content industry signed an historic Memorandum of Understanding (MOU) with some of the largest ISPs, agreeing to a "graduated response" system of policing. ISPs agreed to notify their subscribers if allegedly infringing activity was detected from their connection and, if infringement continued after multiple warnings, to impede access. Meanwhile, a wave of "copyright troll" litigation has continued to sweep the country and burden the courts. Use of takedown notices under the Digital Millennium Copyright Act has continued to evolve. This event will examine enforcement efforts to date, and debate the merits of the new private approach embodied in the MOU framework.

New York, New Jersey, and Pennsylvania CLE credit is available for attorneys who attend. (details)

Keynote: Technology and Trends (1:00 PM - 1:30 PM)

Mike Freedman, Assistant Professor in Computer Science, Princeton University

Panel 1: The Existing US Legal Landscape (1:30 PM - 3:00 PM)

Moderator: Bart Huffman, Locke Lord LLP

  • Preston Padden, Adjunct Professor at Colorado Law School and former Executive VP of Government Relations, The Walt Disney Company
  • Timothy B. Lee, Ars Technica
  • Randy Cadenhead, Privacy Counsel, Cox Communications Inc.
  • Katherine Oyama, Copyright Counsel, Google Inc.

Break (3:00 PM - 3:30 PM)

Panel 2: The 2011 Content-ISP MoU (3:30 PM - 5:00 PM)

Moderator: Stephen Schultze, Princeton CITP

  • Joe Karaganis, Vice President, the American Assembly, Columbia University
  • Keith Epstein, Associate General Counsel at AT&T
  • Annemarie Bridy, Fellow, Princeton CITP
  • Daniel M. Mandil, Senior Vice President, Associate General Counsel, Litigation, Viacom Inc.

Don't Upset the Intellectual Property Fashion Police

Freedom to Tinker - Tue, 2012/03/06 - 19:54

A student group at the University of Pennsylvania Law School has put together a fantastic symposium on the state of fashion law, but along the way they (allegedly) snagged themselves on Louis Vuitton's trademarks. After creating a poster with a creative parody of the Louis Vuitton logo, they received a Cease & Desist letter from the company's attorneys claiming:

While every day Louis Vuitton knowingly faces the stark reality of battling and interdicting the proliferation of infringements of the LV Trademarks, I was dismayed to learn that the University of Pennsylvania Law School's Penn Intellectual Property Group had misappropriated and modified the LV Trademarks and Toile Monogram as the background for its invitation and poster for the March 20, 2012 Annual Symposium on "IP Issues in Fashion Law."

Ironically, the symposium aims to further education and understanding of the state of intellectual property protection in the fashion industry, and to discuss controversial new proposals to expand the scope of protection, such as the proposed bill H.R. 2511, the "Innovative Design Protection and Piracy Prevention Act".

The attorneys at Penn responded by letter, indicating that Louis Vuitton's complaint failed any conceivable interpretation of trademark law -- outlining the standard claims such as confusion, blurring, or tarnishment -- and asserted the obvious defenses provided by law for noncommercial and educational fair use. It indicated that the general counsel had told the students to "make it work" with the unmodified version of the poster, and concluded by inviting Louis Vuitton attorneys to attend the symposium (presumably to learn a bit more about how trademark law actually works.)

I, for one, am offended that the Center for Information Technology Policy here at Princeton has not received any Cease & Desist letters accusing us of "egregious action [that] is not only a serious willful infringement" of fashion trademarks, but "may also may mislead others into thinking that this type of unlawful behavior is somehow 'legal' or constitutes 'fair use'." You see, our lecture this Thursday at 12:30pm at Princeton by Deven Desai, "An Information Approach to Trademarks", has a poster that includes portions of registered fashion industry trademarks as well. Attorneys from Christian Dior and Ralph Lauren, we welcome you to attend our event.


DHS OIG study of scanners silent on computer threats

Freedom to Tinker - Sun, 2012/03/04 - 21:51

The U.S. Department of Homeland Security Office of Inspector General (DHS OIG) released their report on safety of airport backscatter machines on February 29. The report has received criticism from ProPublica among others for what it says as well as what it doesn’t, mostly focusing on issues of incremental risk to the traveling public, the large number of repair services, and the lack of data analyzing whether the machines serve their claimed purpose. (The report does not address millimeter wave machines, which most scientists believe are safer.)

But what’s surprising in both the report and the critiques about it is that they have only discussed the radiation aspects when used as intended, and not the information systems embedded in the devices, or what happens if the scanners are used in unintended ways, as could happen with a computer system malfunction. Like any modern system, the scanners almost certainly have a plethora of computer systems, controlling the scanning beam, analysis of what the beam finds, etc. It’s pretty likely that there’s Windows and Linux systems embedded in the device, and it’s certain that the different parts of the device are networked together, for example so a technician in a separate room can see the images without seeing the person being scanned (as TSA has done to head off the complaints about invasion of privacy).

The computer systems are the parts that concern me the most. We should be concerned about security, safety, and privacy with such complex systems. But the report doesn't use the word "software" even once, and the word "computer" is used twice in reference to training but not to the devices themselves.

On the safety front, we know that improperly designed software/hardware interaction can lead to serious and even fatal results – Nancy Leveson’s report on the failure of the Therac-25 system should be required reading for anyone considering building a software-controlled radiation management system, or anyone assessing the safety of such a system. We can hope that the hardware design of the scanners is such that even malicious software would be unable to cause the kind of failures that occurred with the Therac-25, but the OIG report gives no indication whether that risk was considered.

On the security and privacy front, we know that the devices have software update capabilities: that became clear when they were "upgraded" to obscure the person's face as a privacy measure, and from the planned future upgrades that will show only a body outline with items of concern marked, rather than an actual image of the person. So what protections are in place to ensure that insiders or outsiders can't install "custom" upgrades that leak images, or worse yet change the radiation characteristics of the machines? Consider the recent case of the Air Force drone control facility that was infected by malware, despite being a closed classified network. We should not assume that closed networks will remain closed, especially with the ease of carrying USB devices.

Since we know that the scanners include networks, what measures are in place to protect the networks, and to prevent their being attacked just like the networks used by government and private industry? Yes, it’s possible to build the devices as closed networks protected by encryption – and it’s also possible to accidentally or intentionally subvert those networks by connecting them up using wireless routers.

Yes, I know that the government has extensive processes in place to approve any computer systems, using a process known as Certification and Accreditation. Unfortunately, C&A processes tend to focus too much on the paperwork, and not enough on real-world threat assessments. Perhaps the C&A process used for the scanners really is good enough, but we just don't know, and the OIG report, by neglecting to discuss the computer side of the scanners, gives no reassurance.

Over the past few years, Stuxnet and research into embedded devices such as those used in cars and medical devices have taught us that embedded systems software can impact the real world in surprising ways. And with software controlled radiation devices potentially causing unseen damage, the risks to the traveling public are too great for the OIG to ignore this critical aspect of the machines.

The New Ambiguity of "Open Government"

Freedom to Tinker - Wed, 2012/02/29 - 13:50

David Robinson and I have just released a draft paper—The New Ambiguity of “Open Government”—that describes, and tries to help solve, a key problem in recent discussions around online transparency. As the paper explains, the phrase "open government" has become ambiguous in a way that makes life harder for both advocates and policymakers, by combining the politics of transparency with the technologies of open data. We propose using new terminology that is politically neutral: the word adaptable to describe desirable features of data (and the word inert to describe their absence), separately from descriptions of the governments that use these technologies.

Clearer language will serve everyone well, and we hope this paper will spark a conversation among those who focus on civic transparency and innovation. Thanks to Justin Grimes and Josh Tauberer, for their helpful insight and discussions as we drafted this paper.

Download the full paper here.

Abstract:

“Open government” used to carry a hard political edge: it referred to politically sensitive disclosures of government information. The phrase was first used in the 1950s, in the debates leading up to passage of the Freedom of Information Act. But over the last few years, that traditional meaning has blurred, and has shifted toward technology.

Open technologies involve sharing data over the Internet, and all kinds of governments can use them, for all kinds of reasons. Recent public policies have stretched the label “open government” to reach any public sector use of these technologies. Thus, “open government data” might refer to data that makes the government as a whole more open (that is, more transparent), but might equally well refer to politically neutral public sector disclosures that are easy to reuse, but that may have nothing to do with public accountability. Today a regime can call itself “open” if it builds the right kind of web site—even if it does not become more accountable or transparent. This shift in vocabulary makes it harder for policymakers and activists to articulate clear priorities and make cogent demands.

This essay proposes a more useful way for participants on all sides to frame the debate: We separate the politics of open government from the technologies of open data. Technology can make public information more adaptable, empowering third parties to contribute in exciting new ways across many aspects of civic life. But technological enhancements will not resolve debates about the best priorities for civic life, and enhancements to government services are no substitute for public accountability.

New research: There's no need to panic over factorable keys--just mind your Ps and Qs

Freedom to Tinker - Wed, 2012/02/15 - 06:16

You may have seen the preprint posted today by Lenstra et al. about entropy problems in public keys. Zakir Durumeric, Eric Wustrow, Alex Halderman, and I have been waiting to talk about some similar results. We will be publishing a full paper after the relevant manufacturers have been notified. Meanwhile, we'd like to give a more complete explanation of what's really going on.

We have been able to remotely compromise about 0.4% of all the public keys used for SSL web site security. The keys we were able to compromise were generated incorrectly--using predictable "random" numbers that were sometimes repeated. There were two kinds of problems: keys that were generated with predictable randomness, and a subset of these, where the lack of randomness allows a remote attacker to efficiently factor the public key and obtain the private key. With the private key, an attacker can impersonate a web site or possibly decrypt encrypted traffic to that web site. We've developed a tool that can factor these keys and give us the private keys to all the hosts vulnerable to this attack on the Internet in only a few hours.

However, there's no need to panic as this problem mainly affects various kinds of embedded devices such as routers and VPN devices, not full-blown web servers. (It's certainly not, as suggested in the New York Times, any reason to have diminished confidence in the security of web-based commerce.) Unfortunately, we've found vulnerable devices from nearly every major manufacturer and we suspect that more than 200,000 devices, representing 4.1% of the SSL keys in our dataset, were generated with poor entropy. Any weak keys found to be generated by a device suggests that the entire class of devices may be vulnerable upon further analysis.

We're not going to announce every device we think is vulnerable until we've contacted their manufacturers, but the attack is fairly easy to reproduce from material already known. That's why we are working on putting up a web site that you can use to determine whether your device is immediately vulnerable.

Read on for more details, and watch for our full paper soon.

Don't worry, the key for your bank's web site is probably safe

SSL is used to authenticate every major web site on the Internet, but in our analysis, these were not the keys that were vulnerable to the problems outlined in this blog post.

So which systems are vulnerable? Almost all of the vulnerable keys were generated by and are used to secure embedded hardware devices such as routers and firewalls, not to secure popular web sites such as your bank or email provider. Only one of the factorable SSL keys was signed by a trusted certificate authority and it has already expired. There are signed certificates using repeated keys; some of them are generated by vulnerable devices, some of them are due to website owners submitting known weak keys to be signed, and for some of them we have no good explanation.

Embedded devices are well known to have entropy problems. However, until now it wasn't apparent how widespread these problems were in real, Internet-connected devices.

Background: key generation

Websites and networked computers use public-key cryptography for authentication. The kind of authentication that we will be talking about here is a server certifying to a client that it really is the server that the client intended to connect to. An attacker who knows the private key to one of these systems would be able to impersonate the real system to a client or in many cases decrypt encrypted traffic between the client and server.

The most widely used cryptosystem for this purpose is RSA. The RSA cryptosystem is intended to be based on the difficulty of factoring large numbers. An RSA public key consists of a pair of integers: an encryption exponent e and a modulus N, which is a large integer that itself is the product of two large primes, p and q. If an adversary can factor this integer N back into its prime factors p and q, then the adversary can decrypt any messages encrypted using this public key. However, even using the fastest known factoring algorithm, to public knowledge nobody has yet been able to factor a 1024-bit RSA modulus.

It is vitally important to the security of the keys that they are generated using random inputs. If the inputs used to generate the keys were not random, then an adversary may be able to guess those inputs and thus recover the keys without having to laboriously factor N.

On modern computers and servers, key generation software attempts to collect random information from physical sources (often through the underlying operating system): the movements of the mouse, keyboard, hard drive, network events, and other external sources of unpredictable information. However, if the keys are generated from a small set of possibilities, that is, using too little entropy, then the keys may be vulnerable to an attacker. Gathering strong entropy and verifying its strength is a very difficult problem that has given rise to multiple vulnerabilities over the years.

Two versions of the problem

We decided to investigate the prevalence of this issue by scanning the Internet for all SSL and SSH public keys. We scanned every IPv4 address on the Internet, collecting a copy of each SSL certificate and SSH host key. We were able to complete both scans in less than a day: we first used a standard tool called nmap to find hosts with the relevant ports open, and then used our own optimized software to query those hosts. In our SSL scan, we collected 5.8 million certificates. In our SSH scan, we collected 10 million host keys.

We found that entropy problems resulted in two different types of weaknesses:

Repeated public keys. We found that 1% of the RSA keys in our SSL scan data were repeated, apparently due to entropy problems. When two different devices have the same public key, it means they also have the same private key. In effect, the devices that share keys are "in the same boat" as one another--an attacker would only need to compromise the weakest one of these devices, in order to obtain the repeated private key that protects all of the devices. This has long been a known problem, but until now, none of the publicly available security literature has documented how widespread the problem was.

We manually verified that 59,000 duplicate keys were repeated due to entropy problems, representing 1% of all certificates, or 2.6% of self-signed certificates. We also found that 585,000 certificates, or 4.6% of all devices, used the default certificates pre-installed on embedded devices. While these devices are not using keys generated with poor entropy, they are susceptible to the same attack, as their private keys are found on every device of a given model. We manually verified these keys because a large number of websites may use repeated keys for legitimate reasons; these pose no risk to users.

Factorable public keys. More surprisingly, we discovered that entropy problems can allow a remote attacker with no special access to factor a significant fraction of the RSA keys in use on the Internet. We were able to factor 0.4% of the RSA keys in our SSL scan. We did this by computing the greatest common divisor (GCD) of all pairs of moduli from RSA public keys on the Internet.

We identified 1724 common factors which allowed us to factor 24,816 SSL keys, and 301 common factors which allowed us to factor 2422 SSH host keys. This means we were able to calculate the private keys for almost half of 1% of the RSA keys in use for SSL. We will explain how we did this calculation below.

Specific vulnerable devices

Embedded devices often generate cryptographic keys on first boot, when their entire state may have been pre-determined in the factory. This can result in the kinds of entropy problems we observe in this study.

We were able to use information from the SSL certificates to identify classes of devices that are prone to generating weak keys. Many more devices than the ones whose keys we factored are probably also producing weak keys that could be compromised by a determined attacker. The list of vulnerable devices that we have already identified includes more than thirty different manufacturers, including almost all of the biggest names in the computer hardware industry. The kinds of products that we identified include firewalls, routers, VPN devices, remote server administration devices, printers, projectors, and VOIP phones.

We're not going to list specific devices or brands until we've told the manufacturers, but here are some examples:

Firewall product X:
52,055 hosts in our SSL dataset
6,730 share public keys
12,880 have factorable keys

Consumer-grade router Y:
26,952 hosts in our SSL dataset
9,345 share public keys
4,792 have factorable keys

Enterprise remote access solution Z:
1,648 hosts in our SSL dataset
24 share public keys
0 factorable

How could this happen?

It wasn't obvious at first how these types of entropy problems might result in keys that could be factored. We'll explain now for the geekier readers.

Here's one way a programmer might generate an RSA modulus:

prng.seed(seed)
p = prng.generate_random_prime()
q = prng.generate_random_prime()
N = p*q

If the pseudorandom number generator is seeded with a predictable value, then that would likely result in different devices generating the same modulus N, but we would not expect a good pseudorandom number generator to produce different moduli that share a single factor.

However, some implementations add additional randomness between generating the primes p and q, with the intention of increasing security:

prng.seed(seed)
p = prng.generate_random_prime()
prng.add_randomness(bits)
q = prng.generate_random_prime()
N = p*q

If the initial seed to the pseudorandom number generator is generated with low entropy, this could result in multiple devices generating different moduli which share the prime factor p and have different second factors q. Then both moduli can be easily factored by computing their GCD: p = gcd(N1, N2).

OpenSSL's RSA key generation functions this way: each time random bits are produced from the entropy pool to generate the primes p and q, the current time in seconds is added to the entropy pool. Many, but not all, of the vulnerable keys were generated by OpenSSL and OpenSSH, which calls OpenSSL's RSA key generation code.

Computing the GCDs of all pairs of keys

If any pair of RSA moduli N1 and N2 share, say, the same prime factor p in common, but have different second factors q1 and q2, then we can easily factor the moduli by computing their greatest common divisor. On my desktop computer, computing the GCD of two 1024-bit RSA moduli took about 17µs.

For the mathematically inclined, I'll explain how we were able to use this idea to factor a large collection of keys.

The simplest way that one might try to factor keys is by computing the GCD of each pair of RSA moduli. A back of the envelope calculation shows that doing a GCD computation for all pairs of moduli in our data sets would take 24 years of computation time on my computer.

Instead, we used an idea Dan Bernstein published in the Journal of Algorithms in 2005 for factoring a group of integers into coprimes which allowed us to do the computation in a few hours on a desktop computer, in a few lines of Python. The algorithm is no great secret: a long stream of published papers has worked on improving these ideas.

The main mathematical insight is that one can compute the GCD of a single modulus N1 with every other modulus N2,…,Nm using the following equation:

gcd(N1, N2*…*Nm) = gcd(N1, (N1*N2*…*Nm mod N1^2) / N1)

The secret sauce is in making this run fast--note that the first step is to compute the product of all the keys, a 729 million digit number. We were able to factor the SSL data in eighteen hours on a desktop computer using a single core, and the SSH data in about four hours using four cores.
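As an added example (not the post's own code, and not OpenSSL's), the following Python models the two-stage key generation from the second listing above with a toy PRNG, then recovers the shared primes with a Bernstein-style product tree and remainder tree rather than pairwise GCDs. The device_keygen firmware model, the 48-bit toy key size and the fleet of seeds and boot times are all constructed for illustration.

```python
import math
import random

def is_probable_prime(n, rounds=20):
    """Miller-Rabin, adequate for the toy 48-bit primes used here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(rng, bits):
    """Draw odd candidates of exactly `bits` bits from rng until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def device_keygen(seed, boot_time, bits=48):
    """Hypothetical firmware: p depends only on the low-entropy seed; boot_time
    is mixed in before q is drawn, mirroring the second listing above."""
    rng = random.Random(seed)                 # prng.seed(seed)
    p = random_prime(rng, bits)               # p = prng.generate_random_prime()
    rng.seed(seed * 2**32 + boot_time)        # prng.add_randomness(bits)
    q = random_prime(rng, bits)               # q = prng.generate_random_prime()
    return p * q                              # N = p*q

def batch_gcd(moduli):
    """gcd(N_i, product of all other N_j) for every i, using a product tree
    and a remainder tree: each leaf receives P mod N_i^2, and the answer is
    gcd(N_i, (P mod N_i^2) // N_i), the identity quoted above."""
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    rems = [levels[-1][0]]                    # the root P (P mod P^2 == P)
    for level in reversed(levels[:-1]):       # push remainders down the tree
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [math.gcd(n, r // n) for n, r in zip(moduli, rems)]

def classify(moduli):
    """'ok', 'repeated' (identical modulus elsewhere) or ('factorable', p, q)."""
    out = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            out.append("ok")
        elif g == n:
            out.append("repeated")
        else:
            out.append(("factorable", min(g, n // g), max(g, n // g)))
    return out

# Constructed fleet: two factory seeds, varying boot times, one healthy unit.
FLEET = [device_keygen(0, 1000), device_keygen(0, 1001),   # same p, different q
         device_keygen(1, 1000), device_keygen(1, 1000),   # identical keys
         device_keygen(7, 1234)]                            # unique key

if __name__ == "__main__":
    for n, verdict in zip(FLEET, classify(FLEET)):
        print(n, verdict)
```

The two devices booted from seed 0 come out as factorable with the same p, the two identical keys from seed 1 are flagged as repeated rather than factored, and the unit with a unique key is left alone.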

The bottom line

This is a problem, but it's not something that average users need to worry about just yet. However, embedded device manufacturers have a lot of work to do, and some system administrators should be concerned. This is a wake-up call to the security community, and a reminder to all of how security vulnerabilities can sometimes be hiding in plain sight.

IEEE blows it on the Security & Privacy copyright agreement

Freedom to Tinker - Sat, 2012/02/11 - 00:35

Last June, I wrote about the decision at the business meeting of IEEE Security & Privacy to adopt the USENIX copyright policy, wherein authors grant a right for the conference to publish the paper and warrant that they actually wrote it, but otherwise the work in question is unquestionably the property of the authors. As I recall, there were only two dissenting votes in a room that was otherwise unanimously in favor of the motion.

Fast forward to the present. The IEEE Security & Privacy program committee, on which I served, has notified the authors of which papers have been accepted or rejected. Final camera-ready copies will be due soon, but we've got a twist. They've published the new license that authors will be expected to sign. Go read it.

The IEEE's new "experimental delayed-open-access" licensing agreement for IEEE Security & Privacy goes very much against the vote last year of the S&P business meeting, bearing only a superficial resemblance to the USENIX policy we voted to adopt. While both policies give a period of exclusive distribution rights to the conference (12 months for USENIX, 18 months for IEEE), the devil is in the details.

For the IEEE, authors must assign "a temporary joint and undivided ownership right and interest in all copyright rights" to the IEEE, giving the IEEE an exclusive to distribute the paper for 18 months. Thereafter, the license "expires."

Those quotation marks around "expires" are essential, because there's language saying "IEEE shall nonetheless retain the sole and exclusive right to archive the Work in perpetuity" which sounds an awful lot to me like they're saying that the agreement doesn't actually expire at all. It just moves into a second phase. For contrast, USENIX merely retains a non-exclusive right to continue distributing the paper. That's an essential difference.

There are some numbered carve-outs in the IEEE contract that seem to allow you to post your manuscript to your personal web page or institutional library page, but not to arXiv or anything else. (What if arXiv were to offer me a "personal home page service?" Unclear how this license would deal with it.) This restriction appears to apply in both the initial 18 month phase and the "in perpetuity" phase.

My conclusion: authors of papers accepted to IEEE Security & Privacy should flatly refuse to sign this. I don't have a paper of my own that's appearing this year at S&P, but if I did, I'd send them a signed copy of the USENIX agreement. That's what the members agreed upon.

Disclosure: I am currently running for the board of directors of the USENIX Association. That's because I like USENIX. Of all the venues where I publish, USENIX has been the most willing to break with traditional publishing models, and my platform in running for USENIX is to push this even further. Getting ACM and IEEE caught up to USENIX is a separate battle.

United States v. Jones is a Near-Optimal Result

Freedom to Tinker - Mon, 2012/01/23 - 17:57

This morning, the Supreme Court handed down its decision in United States v. Jones, the GPS tracking case, deciding unanimously that the government violated the defendant's Fourth Amendment rights when it installed a wireless GPS tracking device on the undercarriage of his car and used it to monitor his movements around town for four weeks without a search warrant.

Despite the unanimous result, the court was not unified in its reasoning. Five Justices signed the majority opinion, authored by Justice Scalia, finding that the Fourth Amendment "at bottom . . . assure[s] preservation of that degree of privacy against government that existed when the Fourth Amendment was adopted" and thus analyzing the case under "common-law trespassory" principles.

Justice Alito wrote a concurring opinion, signed by Justices Ginsburg, Breyer, and Kagan, faulting the majority for "decid[ing] the case based on 18th-century tort law" and arguing instead that the case should be decided under Katz's "reasonable expectations of privacy" test. Applying Katz, the four concurring Justices would have found that the government violated the Fourth Amendment because "long-term tracking" implicated a reasonable expectation of privacy and thus required a warrant.

Justice Sotomayor, who signed the majority opinion, wrote a separate concurring opinion, but more on that in a second.

I think the Jones court reached the correct result in this case, and I think that the three opinions in this case represent a near-optimal result for those who want the Court to recognize how its present Fourth Amendment jurisprudence does far too little to protect privacy and limit unwarranted government power in light of recent advances in surveillance technology. This might seem counter-intuitive. I predict that many news stories about Jones will pitch it as an epic battle between Scalia's property-centric and Alito's privacy-centric approaches to the Fourth Amendment and quote people expressing regret that Justice Alito didn't instead win the day. I think this would focus on the wrong thing, underplaying how today's three opinions--all of them--represent a significant advance for Constitutional privacy, for several reasons:

1. Justice Alito? Maybe I'm not a savvy court watcher, but I did not see this coming. The fact that Justice Alito wrote such a strong privacy-centric opinion suggests that future Fourth Amendment litigants will see a well-defined path to five votes, especially since it seems like Justice Sotomayor will likely provide the fifth vote in the right future case.

2. Justice Scalia and Thomas showed restraint. The majority opinion goes out of its way to highlight that its focus on property is not meant to foreclose privacy-based analyses in the future. It uses the words "at bottom" and "at a minimum" to hammer home the idea that it is supplementing Katz not replacing it. Maybe Justice Scalia did this to win Justice Sotomayor's vote, but even if so, I am heartened that neither Justice Scalia nor Justice Thomas thought it necessary to write a separate concurrence arguing that Katz's privacy focus should be replaced with a focus only on property rights.

3. Justice Sotomayor does not like the third-party doctrine. It's probably best here just to quote from the opinion:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U.S., at 742; United States v. Miller, 425 U.S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as JUSTICE ALITO notes, some people may find the "tradeoff" of privacy for convenience "worthwhile," or come to accept this "diminution of privacy" as "inevitable," post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.

Wow. And Amen. Set your stopwatches: the death watch for the third-party doctrine has finally begun.

4. This was the wrong case for a privacy overhaul of the Fourth Amendment. Most importantly, I've had misgivings about using Jones as the vehicle for fixing what is broken with the Fourth Amendment. GPS vehicle tracking comes laden with lots of baggage--practical, jurisprudential and atmospheric--that other actively litigated areas of modern surveillance do not. GPS vehicle tracking happens on public streets, meaning it runs into dozens of Supreme Court pronouncements about assumption of risk and voluntary disclosure. It faces two prior precedents, Karo and Knotts, that need to be distinguished or possibly overturned. It does not suffer (as far as we know) from a long history of use against innocent people, but instead seems mostly used to track fugitives and drug dealers.

For all of these reasons, even the most privacy-minded Justice is likely to recognize caveats and exceptions in crafting a new rule for GPS tracking. Imagine if Justice Sotomayor had signed Justice Alito's opinion instead of Justice Scalia's. We would've been left with a holding that allowed short-term monitoring but not long-term monitoring, without a precise delineation between the two. We would've been left with the possible new caveat that the rules change when the police investigate "extraordinary offenses," also undefined. These unsatisfying, vague new rules would have had downstream negative effects on lower court opinions analyzing URL or search query monitoring, or cell phone tower monitoring, or packet sniffing.

Better that we have the big "reinventing Katz" debate in a case that isn't so saddled with the confusions of following cars on public streets. I hope the Supreme Court next faces a surveillance technique born purely on the Internet, one in which "classic trespassory search is not involved." If the votes hold from Jones, we might end up with what many legal scholars have urged: a retrenchment or reversal of the third-party doctrine; a Fourth Amendment jurisprudence better tailored to the rise of the Internet; and a better Constitutional balance in this country between privacy and security.

This Week in Copyright - SOPA, Golan, and Megaupload

Freedom to Tinker - Fri, 2012/01/20 - 05:43

It has been an exceptionally busy week for copyright policy. We heard from all three branches of the US Federal Government in one way or another, while the citizens of the Internet flexed their muscles in response.

The most covered story of the week was the battle over SOPA and PIPA -- the twin proposed bills that aimed to cut down on online piracy of copyrighted works by giving the government significant new authority to block access to allegedly infringing web sites. Other authors on this blog have pointed out how the bills show inconsistency in the copyright industry's position on regulating the internet, could threaten free speech in repressive regimes, and may ultimately be found by the courts to violate fundamental constitutional liberties. On Wednesday some of the most popular sites on the web "went dark" or otherwise heightened awareness of the issue, and the surge of citizen pleas to Congress caused a surprising reversal of momentum in the House and Senate. [Update: Both PIPA and SOPA have now been shelved.]

Buried in the day's developments was the Judicial branch's copyright contribution. In a highly anticipated decision, the Supreme Court ruled on the case of Golan v. Holder. At issue was the question of whether or not Congress had the right to make a law that moved public domain works into copyright. Opponents of this law claimed that such a move violated not only the First Amendment, but also the purpose of the Copyright Clause -- not to mention age-old legal principles. The majority did not agree, and in a 6-2 vote it stated that individuals do not have any particular right that guarantees their use of the public domain, so they have no claim if Congress removes materials from it. Justices Breyer and Alito dissented, explaining that the ruling upset the delicate balance that the Founders had struck in affording limited monopoly rights to content creators. Nevertheless, the majority clearly demonstrated that the Judicial branch continues to trend toward greater expansion of copyright protection.

On Thursday, the Executive Branch weighed in. The Department of Justice announced that it had seized the domain name and servers of the popular file-sharing site Megaupload and had indicted several of the site's operators. Although Megaupload claimed to be complying with US copyright law -- in particular the notice-and-takedown provisions of the Digital Millennium Copyright Act -- the feds claimed that the operators knew full well that the majority of the content on the site was infringing. Within minutes of the announcement, hacktivist group Anonymous had launched a denial-of-service attack on the Department of Justice web site, which remained unreachable for hours [Update: days].

Opponents of SOPA and PIPA welcomed the opportunity to reflect on why these developments demonstrated the shortcomings of the proposed bills. Some of them noted that the DoJ's actions were done without any additional authority from harmful new bills, while others observed that such approaches to enforcement are ultimately ineffective -- they observed that it was only a matter of time until Megaupload returned, or the many other file-sharing sites filled their shoes. By Thursday night, all four GOP presidential candidates had come out against SOPA.

It is hard to consolidate all of these developments into a coherent story of where things are headed. However, a few things seem clear. First, the SOPA/PIPA backlash shows us that the internet can help citizens to rally a truly remarkable effort that penetrates the beltway bubble. Second, internet freedom is a compelling and accessible counter-narrative to copyright maximalism and government policing. Third, the courts continue to favor an approach to copyright that emphasizes property rights of those who have already created works over the free speech rights of those who may rely on those works to create new works. Fourth, the enforcement arms of the government are interested in taking ever-more-extreme measures to take down those accused of infringement, and are committing more taxpayer resources to a problem that continues to grow despite their approach.

But perhaps most significantly, this week shows us that there is just plain turmoil in this area. Policymakers are struggling to find good answers, and sometimes their "solutions" provoke far more criticism than praise.
