ifarqhar@uunet.UU.NET (Ian Farquhar) (02/20/90)
My article about the PC Cyborg AIDS Copy Protection System has caused quite a bit of discussion, and I would like to publicly reply to many issues that were raised.

1) FREE MARKET

Many writers pointed out that the program itself was garbage, and justified their position (that it was a Trojan) with the argument that the money for the program was far too much and thus the program was an extortion racket.

Being an Australian, I am used to being charged extortionate prices for software by both amateurs and professional companies. The point that must be made, however, is that in a free market economy the supplier can charge what they like. The idea is that supply and demand will weed out the excessively priced garbage from the reasonably priced quality items.

Using this principle, PC Cyborg can charge what they like. This is not an effective argument either way.

2) THE ABSENCE OF THE REGISTRATION DISKS

It is presumed that PC Cyborg would have sent the defuser program on receipt of the registration fee. Many people have pointed out that this did not happen. I imagine that the US Military rolling into Panama may have had something to do with that.

3) THE DEFINITION OF COPY PROTECTION

Copy protection, by my definition, is a device, system or technique whereby the copyright holder can guarantee that the terms of the license are followed.

Let us take the example of the color-bar system. The color bar is a small sheet or sheets of pages containing a series of codes that are matched to colors. The program, when started, asks the user what color is found on page 2, row 4 column 19. If the user answers correctly, then the program proceeds. If not, the program usually asks a couple of times more, then takes action. By the definitions of many of the writers, this would not be a copy protection system (because it allows you to copy the disk). However, it maintains the license agreements as only the person in possession of the color-bar sheet can run the program, and it is hard to cheaply copy a colored sheet.

The AIDS CP System was simply an extension of this. It allowed copying of the distribution disk, and it allowed backing up of the hard disk. All it did was to ensure that people who were unregistered (and which were, I hasten to add, involved in a criminal activity) would have a lot of trouble.

As for the concept of the user having legal control over what was deleted from his/her hard disk, I cannot see this as a problem. Multi-user systems have traditionally provided mechanisms for the superuser to control the user's files with far more privileges than the users themselves. This has never, to my knowledge, caused any legal problems.

4) INAPPLICABILITY OF US LAWS

Many correspondents have quoted US laws and precedents at great length. These are totally irrelevant, as the license agreement prohibited importation into the US.

5) PRESUMPTION OF INNOCENCE

Under British law, there is a concept called the "presumption of innocence". Put basically, someone is innocent until they are proven guilty. It would be nice to know that this basic concept is still followed, though I really do have my doubts.

If I were the defense lawyer with access to this newsgroup, the first thing that I would have done is to take all of the relevant articles that have appeared, and present them as evidence prejudicial to the fair conduct of the trial.

6) CONCLUSION

I am left wondering about the motives of many of the writers. There seems to be a fanatical, indeed almost religious zeal to see anyone concerned with the generation of viruses and Trojans convicted irregardless of the evidence (or its lack).

There certainly seems to be a panic mentality at work here - the illusion that quick action is necessary regardless of the advisability of that action. There also is a strong reluctance to change an opinion in the light of new evidence, which is very worrying indeed.

I have always maintained that computer security experts and employees of the intelligence services share many things in common, primarily the huge and quite unwarranted sense of paranoia. This whole discussion has only strengthened this view.

Disclaimer: My opinions are my own.

Ian Farquhar                      Phone : (612) 805-7420
Office of Computing Services      Fax   : (612) 805-7433
Macquarie University NSW 2109     Also  : (612) 805-7205
Australia                         Telex : AA122377
ACSNet  ifarqhar@macuni.mqcc.mq.oz.au  ifarqhar@suna.mqcc.mq.oz.au

davies@sp20.csrd.uiuc.edu (James R. B. Davies) (02/22/90)
Ian Farquhar (munnari!mqccsunc.mqcc.mq.oz.au!ifarqhar@uunet.UU.NET) has posted two notes here recently claiming that the AIDS trojan was a copy protection scheme. This has not been a popular idea among respondents, but they have mostly been addressing themselves to the immorality of trashing someone's hard disk and the lack of the promised remedy after "registration".

I think that a more damning feature of the AIDS program is that it would give the victim some "free" reboots if he would carry it to another computer and infect it. While this could be construed by some (like Mr. Farquhar, no doubt) as being analogous to the incentives offered by book clubs for enrolling new members (sign up a friend, get a free book), this to me seems clear evidence that the intent was malign (as if more evidence is really necessary). In particular, the new victims were not necessarily given the benefit of reading the "license agreement" as the original recipient was.

In any case, Mr. Farquhar is either being intentionally dense to provoke arguments, or he has some bone to pick with commercial software vendors that use copy protection and hopes to cast them in a negative light by associating them with this scam. I personally don't see any reason why someone who is clearly responsible for this trojan wouldn't get convicted, as the overwhelming evidence is that this was extortion.

jrbd

ram@uunet.UU.NET (Richard Meesters) (02/22/90)
munnari!mqccsunc.mqcc.mq.oz.au!ifarqhar@uunet.UU.NET (Ian Farquhar) writes:

> 1) FREE MARKET
>
> Many writers pointed out that the program itself was garbage, and
> justified their position (that it was a Trojan) with the argument
> that the money for the program was far too much and thus the
> program was an extortion racket.
>
> Being an Australian, I am used to being charged extortionate
> prices for software by both amateurs and professional companies.
> The point that must be made, however, is that in a free market
> economy the supplier can charge what they like. The idea is that
> supply and demand will weed out the excessively priced garbage
> from the reasonably priced quality items.

While I agree with you that in a free market economy, you can charge whatever you like for the purchase of a product, the issue here with the AIDS trojan is whether you can give someone a disk and then demand payment for it. It really doesn't matter if the cost was 10 dollars or 10 thousand.

I believe the argument being raised was not whether the AIDS information package was any good or not, but rather if the package indeed constituted a real software package, or simply a front to introduce a trojan into your system.

> 2) THE ABSENCE OF THE REGISTRATION DISKS
>
> It is presumed that PC Cyborg would have sent the defuser program
> on receipt of the registration fee. Many people have pointed out
> that this did not happen. I imagine that the US Military rolling
> into Panama may have had something to do with that.

The end really doesn't justify the means. If this was a case of a real company trying to copy protect their software, (and I don't believe that for a second) this scheme has a major flaw. Consider what happens to the hapless user if the company goes out of business. He has now lost all data on his hard drive without any possibility of recovery through what you obviously consider legal channels.

If a scheme like this is used to copy protect the software, the company producing it should have some level of responsibility (moral, if not legal) to protect your system from damage from a package you have rightly purchased.

> 3) THE DEFINITION OF COPY PROTECTION
>
> Copy protection, by my definition, is a device, system or
> technique whereby the copyright holder can guarantee that the
> terms of the license are followed.

True. But copy protection is NOT a mechanism by which the copyright holder can damage or hinder the operation of aspects of your system unrelated to the operation of said program.

> The AIDS CP System was simply an extension of this. It allowed
> copying of the distribution disk, and it allowed backing up of
> the hard disk. All it did was to ensure that people who were
> unregistered (and which were, I hasten to add, involved in a
> criminal activity) would have a lot of trouble.

> As for the concept of the user having legal control over what was
> deleted from his/her hard disk, I cannot see this as a problem.
> Multi-user systems have traditionally provided mechanisms for the
> superuser to control the user's files with far more privileges
> than the users themselves. This has never, to my knowledge,
> caused any legal problems.

The superuser on a multi-user system has responsibility to the users and owners of the system he administers. This is not the same as someone (ie. a hacker) illegally logging into your system as root and deleting or damaging files. This has caused several legal problems worldwide, and is a more apt description of what the AIDS trojan is, in effect accomplishing.

It is true that the system administrator in this case, has left the door open for the damage to be done, but that still doesn't excuse the actions. That would be like letting a burglar off from all charges because the homeowner left the front door unlocked.

> 5) PRESUMPTION OF INNOCENCE
>
> Under British law, there is a concept called the "presumption of
> innocence". Put basically, someone is innocent until they are
> proven guilty. It would be nice to know that this basic concept
> is still followed, though I really do have my doubts.
>
> If I were the defense lawyer with access to this newsgroup, the
> first thing that I would have done is to take all of the relevant
> articles that have appeared, and present them as evidence
> prejudicial to the fair conduct of the trial.

You are most certainly correct that a person is innocent until proven guilty, but what we are debating here is whether or not a crime has been committed, not by whom. The person or persons brought to justice for this problem should, IMHO, receive a fair and impartial trial.

> 6) CONCLUSION
>
> I am left wondering about the motives of many of the writers.
> There seems to be a fanatical, indeed almost religious zeal to
> see anyone concerned with the generation of viruses and Trojans
> convicted irregardless of the evidence (or its lack).
>
> There certainly seems to be a panic mentality at work here - the
> illusion that quick action is necessary regardless of the
> advisability of that action. There also is a strong reluctance
> to change an opinion in the light of new evidence, which is very
> worrying indeed.
>
> I have always maintained that computer security experts and
> employees of the intelligence services share many things in
> common, primarily the huge and quite unwarranted sense of
> paranoia. This whole discussion has only strengthened this view.

Sorry Ian, but I really don't see how you could have possibly drawn this conclusion from the previous discussions. We are not judge or jury in this case. If indeed the AIDS trojan was a copy protection scheme, then the answer to the problem is to prevent this type of CP scheme to be used in the future. However, the evidence and conjecture I have seen as a result of this discussion point to the fact that this is NOT a simple case of copy protection gone awry.

You state that there is a reluctance to change opinion in the light of new evidence, yet you really haven't provided the group (or certainly me, anyway) with any strong evidence that would convince me to change my opinion.

By the way, I am neither a computer security expert nor a member of the intelligence services, as you put it. What I have seen from this discussion appears to be a case of fraud and extortion, but it is, after all, up to the courts to decide that.

Regards,

------------------------------------------------------------------------------
Richard A Meesters                |
Technical Support Specialist      |     Insert std.logo here
AT&T Canada                       |
                                  |     "Waste is a terrible thing
ATTMAIL: ....attmail!rmeesters    |      to mind...clean up your act"
UUCP: ...att!attcan!ram           |
------------------------------------------------------------------------------