Do Your Rights To Listen To Legally Licensed Music Stop At The Border?
from the rights-holders-fuck-up-everything dept
Two rather successful venture capitalists, Brad Feld and Fred Wilson, have been at the forefront of bucking the ridiculous claim that VCs only invest in companies that have patents; both have spoken out about how patents tend to stifle innovation, and how their portfolio companies are often held back by patents rather than helped by them. It looks like both of them are also quite aware of how copyright gets in the way of basic innovation as well. Brad Feld has a post up about how he created a Pandora station based on Fred's blog post detailing his top albums of the decade. Pretty cool, right?

Well, the problem is that Brad sent Fred an invite to this "station," and Fred is traveling for the holidays in Argentina with his family. Because of ridiculous demands from copyright holders that make Pandora available only in the US, Brad was informed that Fred cannot access the station Brad created for him. Yes, even though Fred almost always accesses Pandora from the US and just happens to be in Argentina this week, Pandora says he can't listen to the station that Brad created for him. Brad makes a good point: any human can understand why this situation is silly, but computers still can't quite figure it out, noting: "The level of interaction of human and machine is high, although the level of sophistication is pretty low." As for Fred's summation of the situation? "Rights holders fuck everything up." Indeed.
Filed Under: brad feld, fred wilson, licenses, music, rights holders
Reader Comments
Plenty of things stop at the border
There is nothing new in this story, just a realization by two guys with unrealistic expectations that borders aren't just lines on the map.
Re: Plenty of things stop at the border
That was the first one, this is the second one.
Re: Plenty of things stop at the border
I can buy a CD from Amazon but I can't buy an MP3 from them. The same distribution is involved, why should national restrictions apply in one case and not the other? Why is the expectation of free trade between trading nations unrealistic?
As for the case of Pandora itself, I've argued against it many times. I used to listen to the service, and bought at least 6 albums based on recommendations it gave me. Then the record industry stepped in and Pandora had to close off its service outside of the US. Stupid, stupid, stupid.
Re: Re: Plenty of things stop at the border
Sorry Paul, just another point that you got wrong on this one. I am not an American (and wouldn't want to be one either).
Pandora can operate in other countries, provided they work out licensing in each country. They aren't doing it, so they are not available outside of the US. The record industry didn't step in and stop a legal product, the record industry required Pandora to honor and respect a musical license that it operates under.
You sort of missed on this one (reading your comments further into the discussion).
Re: Re: Re: Plenty of things stop at the border
You mean "work out licensing from the same US company in each country".
Re: Re: Re: Plenty of things stop at the border
Fair enough. The comments you were making are those typical of people who live in a country fully serviced by things like Hulu, Pandora, Amazon and Netflix and thus have no concept of the frustration that comes when you're blocked from 90% of digital content. I jumped to conclusions and I apologise for that.
"Pandora can operate in other countries, provided they work out licensing in each country. They aren't doing it, so they are not available outside of the US. The record industry didn't step in and stop a legal product, the record industry required Pandora to honor and respect a musical license that it operates under."
OK. My argument is that if the music industry had spent the last decade and a half making the licensing easier, and stopped pretending that the online business models can be the same as offline, then Pandora and other services like it would have no problem obtaining those licenses worldwide. Instead, we have a situation where users are constantly penalised and frustrated, and where artificial restrictions make licensing a nightmare of a minefield. I accept that licenses are necessary, it's the way they are implemented that's the problem.
...and as I always try to point out, this makes "piracy" much more attractive. After trying the "legal" service and failing, there's plenty of infringing methods to share music. Yet again, the industry inadvertently encourages people to learn how to do that instead of using a legitimate service. The VCs in the article could quite easily have set up an unlicensed private stream or used an online filesharing service to send copies of the full albums. Illegal perhaps, but the legal services are literally having to refuse their business.
Why should they stop at the border?
If I buy a book, I can do with it what I want.
Where did this twisted idea come from that corporations can get paid over and over for the same thing?
Copyright laws certainly do need to be reformed, but in the opposite way that the copyright lobby wants.
Re: Why should they stop at the border?
Since governments seem to increasingly ignore the public interest uniformly, I don't see this happening anytime soon.
Re: Re: Why should they stop at the border?
Keep the government out of your personal life.
I could understand if I were in some European country with vastly different laws but I can drive to the US in a couple of hours but am not worthy of accessing that content.
I'm not sure if it's because of US or Canadian laws or policies (the CRTC, our version of the FCC, has a very nasty habit of keeping these things out so that Canadian companies can monopolize and bleed us dry instead) but it's no less bullsh*t anyway!
Re:
If you would have enacted DMCA style rules you would be able to listen, that will learn you!!!
/sarcasm
There are free alternatives to Pandora that are not so restricted. Jamendo has radio stations and plenty of free content to stream. If people like it better, they will go there instead, right? Isn't the Free Market going to magically solve this problem?
Oh, I know, I know - the Free Market will solve this problem, but that doesn't mean that we shouldn't ALSO browbeat rightsholders and Pandora from being so short-sighted.
But wait a second, is this one of those cases where it's the greedy rightsholders fucking society in the ass for their own gain? Because then you'd have to make the argument that they would do worse if they opened up a little more.
Or is it one of those cases where the rightsholders are being dumb, and if they just opened the sphincter a little more they would make more money too? In that case, everyone here is smart and every one of the rightsholders is an idiot, but the rightsholders are not being as greedy as they could be.
It's a dilemma. Oh, well, let's just make both arguments simultaneously and call it a day!
Re:
Dumb analogy is dumb. Last time I checked, the music mentioned wasn't illegal in Argentina, it's just being blocked.
"Jamendo has radio stations and plenty of free content to stream. If people like it better, they will go there instead, right?"
No, because it's a totally different service and doesn't have any major label content (or many of the larger indie labels). It's like saying "well, sirloin and chuck steak are both beef, people will be happy with the chuck if they can't get the sirloin".
"Oh, I know, I know - the Free Market will solve this problem, but that doesn't mean that we shouldn't ALSO browbeat rightsholders and Pandora from being so short-sighted."
There is no free market here - it's being prevented by those rightsholders. That's the problem.
As for your anal obsession, I'd see someone about that.
Re: Re:
So streaming the music from the United States to Argentina is legal, then?
"No, because it's a totally different service and doesn't have any major label content (or many of the larger indie labels). It's like saying "well, sirloin and chuck steak are both beef, people will be happy with the chuck if they can't get the sirloin"."
For all intents and purposes, it's an identical service. To the extent that there are small differences in the service itself, to my knowledge nobody is stopping anybody from creating a Pandora workalike service based on Jamendo content.
Your sirloin-to-chuck analogy is telling. Clearly you're of the opinion that free music (the "chuck") can't be as good as that held by major labels (the "sirloin"). Interesting.
You have a tremendous resource at your disposal. Twenty-THOUSAND albums' worth of music. I wonder whether Pandora has that much, especially as often as they repeat stuff on the stations I have. AND you don't have to pay a cent for it. Pandora has to actually pay to play their music.
"Waah I can't compete unless I can play Paparazzi by Lady Gaga in Argentina waah."
But I guess 20,000 free albums that you can do anything you want with and zero international competition from Pandora isn't enough of an advantage to get you started. What other advantages would you like in entering this market? Maybe some free marketing or something?
Re: Re: Re:
Yes, it is as long as the music is licensed. The problem is the licensing, which is under the remit of the music industry.
"Pandora has to actually pay to play their music."
Only because the major labels freaked out about the fact that people were using it to listen to their content. Rather than leverage the extra free exposure to generate sales, they demanded massive payments and caused it to be locked to 95% of the world. Again, stupid.
"Your sirloin-to-chuck analogy is telling. Clearly you're of the opinion that free music (the "chuck") can't be as good as that held by major labels (the "sirloin"). Interesting."
Nope, and actually I've been boycotting major labels for many years. I was an eMusic customer till they screwed the pooch, and since then I've mainly been using AmieStreet. However, you're saying that people should flock to a similar (but in no way identical) service that many would consider inferior just because the "better" one is unavailable. That's silly.
OK, we've established that you like Jamendo's service, which is fine. You also have a way to compare it to Pandora, which I don't thanks to the dumb licensing (in the same way that I can install the Last.fm app to my Xbox 360 but am not allowed actually listen to any music).
But, that doesn't change the point of the article. An American businessman wanted to share his favourite music with a colleague but wasn't allowed to do so because his colleague happened to be sitting on the "wrong" patch of dirt at the time. Jamendo might not have the albums he wanted to share, and if so, that service would be useless to him.
Blocking cross-border internet traffic is silly, especially when the entire point of a service like Pandora is to expose listeners to new music and encourage them to buy it. This can be fixed by stopping the doomed attempts to enforce physical borders on the internet. The ball's in the record industry's court.
Re: Re: Re: Re:
So, in other words, no.
"Rather than leverage the extra free exposure to generate sales, they demanded massive payments and caused it to be locked to 95% of the world. Again, stupid."
Then how do you resolve the fact that record labels are well-known to be maximally evil and greedy with the fact that they are deliberately cutting off profitable revenue streams?
Re: Re: Re: Re: Re:
"So, in other words, no."
No, in other words yes. The music is legal, the activity is legal. The only problem is the licences. It's only illegal because the labels have opted to make it so, and thus your drug analogy is inappropriate and misleading.
"Then how do you resolve the fact that record labels are well-known to be maximally evil and greedy with the fact that they are deliberately cutting off profitable revenue streams?"
Because they:
a) don't correctly understand the internet.
b) are trying to impose a regional business model on a market where traditional regional areas do not exist.
c) don't recognise that internet radio is a potentially lucrative advertising platform (despite their history of payola, they don't seem to understand how to leverage non-standard radio), and seem to regard it as tantamount to piracy.
d) cannot control internet radio stations in the same way they control ClearChannel's output.
Re: Re: Re: Re: Re: Re:
So, in other words, it's illegal. Got it.
Forgive my skepticism, but your reasons for why this situation exists all boil down to "I, PaulT from the Internet, am smarter than every decisionmaker at every major label and even most indie labels who could be involved in changing this situation." I don't discount that this is statistically possible, but why should I believe it's even likely?
I mean, do you know that any of these things are true, or are you just guessing?
Re: Re: Re: Re: Re: Re: Re:
- It is legal to transfer music from the US to Argentina via the method of shipping a CD, no additional licenses are required.
- It is legal to stream or send music from the US to Argentina via the internet, as long as the music has been licensed.
- Due to licensing decisions, Pandora are not allowed to stream their service to Argentina, although many other stations are (e.g. those without major label content).
- Therefore, potential customers are inconvenienced, as per the above article and my own experiences.
- To the best of my knowledge, there is no legal reason why such music cannot be licensed, and in fact it was until the major labels started demanding massive fees from Pandora. After this happened, they were forced to block traffic originating from outside the US. Also to the best of my knowledge, there is no similar service offering a complete catalogue that's available in both the US and Argentina.
Please correct me if any of the above is wrong or misleading, but I don't believe that it is. If not, then the issue is with record label licensing decisions, which is what I've been saying. As a victim of such decisions, I know for a fact that it regularly prevents me from buying the products I wish to buy, or use the services I wish to use. I cannot see how this can be good for business, but I can see how it drives many to "piracy" once the legal alternatives are blocked. I'm always open to be corrected, but the situation is clear from my point of view.
Re: Re: Re: Re: Re: Re: Re: Re:
Not all the rights needed to stream a song are held by the major labels. The labels may control only a portion of the necessary rights.
You can read more about this here.
Had each individual rightsholder provided these rights in advance, put their music in the public domain, or licensed them permissively, then those compositions could be streamed without much difficulty. But they didn't.
Re: Re: Re: Re: Re: Re: Re: Re: Re:
Again, it's legal to stream correctly licensed music. The laws you're citing were lobbied for by the major labels, and that's where I'm placing the blame. Where am I wrong with this?
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Other countries do not have the same compulsory licensing scheme. So if you want to stream to those countries you need to start making a lot of phone calls.
If you are implying that the record companies could have simply lobbied for laws that permitted webcasting without licensing of all the rights, that is a very interesting argument, but I think you would have gotten some resistance from the disenfranchised rightsholders.
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
The DMCA has been known to squelch innovation and competition in favor of the "old business model".
Re: Re: Re: Re: Re: Re: Re:
DRM needs outlawing.
Here in the UK we have Spotify but I can't see any difference between that and Pandora. Except I can't stream my playlist to friends on Spotify.
But then we won't be able to do anything like that in the UK when Mandy's bill is law.
Fix'd!
This year, I'm here now for the last 2 weeks of the year - I got around the problem.
I decided to start a small business - and one of the products I created is an IPSec VPN using cisco equipment.
Can't listen to Pandora? I turn on Zipline (my VPN product) and away I go. :D
My endpoint is in my home on business cable - assuming the thing actually sells, I'll be moving it to a datacenter.
www.atenlabs.com/zipline :)
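An added example of the mechanism the thread is arguing over (my own illustration, not code from Pandora, Zipline or any commenter): a server-side geo-gate decides from the client's network address rather than the account, so a US subscriber connecting from Argentina is refused while the same subscriber behind a US VPN exit passes, and a gate that trusts X-Forwarded-For from anyone can be "moved" to the US with a single header. The prefix-to-country table is constructed from RFC 5737 documentation ranges with made-up country labels, and the trusted-proxy range is an assumption.

```python
"""Illustrative geo-gate; not Pandora's or Zipline's code.
The prefix table is constructed: RFC 5737 documentation ranges with assumed
country labels chosen for the demo."""
import ipaddress
from typing import Optional

# Constructed table: prefix -> ISO 3166 country code (hypothetical assignments).
COUNTRY_BY_PREFIX = {
    "203.0.113.0/24": "US",    # assumed US residential block (Fred at home)
    "198.51.100.0/24": "US",   # assumed US datacenter block (a VPN exit lives here)
    "198.51.100.64/26": "CA",  # assumed more-specific reassignment inside the block above
    "192.0.2.0/24": "AR",      # assumed Argentine block (Fred on holiday)
}

# Pre-parse and order longest prefix first so the most specific entry wins.
_NETWORKS = sorted(
    ((ipaddress.ip_network(prefix), cc) for prefix, cc in COUNTRY_BY_PREFIX.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)

# Assumption: only our own load balancers sit in this range and append X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix match of an address against the table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETWORKS:
        if addr in net:
            return cc
    return None


def client_ip(remote_addr: str, xff: Optional[str] = None) -> str:
    """Pick the address to geolocate.

    X-Forwarded-For is honoured only when the TCP peer is one of our proxies, and
    then only its rightmost entry, which is the one our proxy appended. Entries to
    the left, and the whole header when the peer is not a proxy, are client-supplied
    and can say anything.
    """
    peer = ipaddress.ip_address(remote_addr)
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        return xff.split(",")[-1].strip()
    return remote_addr


def allowed(remote_addr: str, xff: Optional[str] = None,
            allowed_countries=frozenset({"US"})) -> bool:
    """The gate: the decision is made from the network address, not the account."""
    return country_of(client_ip(remote_addr, xff)) in allowed_countries


def allowed_naive(remote_addr: str, xff: Optional[str] = None) -> bool:
    """The common mistake: trusting the leftmost X-Forwarded-For entry from anyone.
    A client in Argentina can send 'X-Forwarded-For: 203.0.113.5' and pass."""
    ip = xff.split(",")[0].strip() if xff else remote_addr
    return country_of(ip) == "US"


if __name__ == "__main__":
    print("Fred at home in the US:        ", allowed("203.0.113.5"))
    print("Fred in Argentina:             ", allowed("192.0.2.7"))
    print("Fred via a US VPN exit:        ", allowed("198.51.100.9"))
    print("Spoofed header, hardened gate: ", allowed("192.0.2.7", "203.0.113.5"))
    print("Spoofed header, naive gate:    ", allowed_naive("192.0.2.7", "203.0.113.5"))
```

The VPN case is the point of the "Fix'd!" comment: the gate never sees Fred's Argentine address, only the exit's US address, and nothing in the request distinguishes that from a US subscriber at home. The hardened gate only closes the header-spoofing hole; it cannot tell a VPN exit from a residence without a separate list of known datacenter or VPN ranges.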
Re: Fix'd!
"Terms:
* Thanks to the way our music licensing works, you have to live in the United States to use Pandora. You also have to be at least 13 years old. Pandora can only be used if you are in the United States."
I'd also suspect that you'd fall afoul of numerous laws if you're planning to sell a service that bypasses these restrictions on to foreign 3rd parties.
Re: Re: Fix'd!
> suspect that you'd fall afoul of numerous laws
> if you're planning to sell a service that bypasses
> these restrictions on to foreign 3rd parties.
Pandora can't legally bind every person on the planet to their terms of service. They can only bind the people who actually *use* their service. Creating a product that spoofs a person's geographic location isn't using Pandora's service. If someone buys that product and uses it to violate Pandora's TOS, then Pandora would have a case against *that* person, but not against the person who created the tool that was misused.
What you're suggesting would be roughly akin to a wife suing Black & Decker because someone used one of their hammers to beat her husband to death. It's the person who used the tool that's responsible, not the person who made the tool.
Re: Re: Re: Fix'd!
If B&D made a special "head smashing hammer", that assures "a solid kill on every swing", their intent would come into play.
Someone selling VPN service as a way to "appear to be in the US" has intent. They don't need to go any further.
The question: "Why are you using a VPN, which is often a much slower way to access the internet"
Answer: Umm, I like a slower connection because it is somehow more secure.
Yeah, right.
Intent, the same wonderful concept that is sending IsoHunt to the bit bucket.
Re: Re: Re: Re: Fix'd!
Which is only one necessary element of a crime. In order for a crime to be complete, the mens rea or guilty mind (intent) must be accompanied by actus reus or guilty act. One without the other results in no crime.
Re: Re: Re: Re: Fix'd!
The only intent they have is to create a way to appear somewhere other than where you are on the internet, not to specifically violate Pandora's terms of service.
Re: Re: Re: Fix'd!
1. Pandora specifically restrict their service to the US, so using that service outside of the US would risk some kind of penalty. Presumably, this would involve the user having their account removed.
2. Then, my next point. If this gentleman is going to try and make money by selling a service to people that specifically bypasses regional control, he is then at risk of stiffer penalties. I'm not sure if some part of the DCMA or other laws would be involved, but I'm positive that he would be breaking some actual law. After all, these regional protections wouldn't exist without some kind of legal protection, would they?
If so, then somebody selling a service superficially designed to get around those laws would be at risk unless they're extremely careful. That was my major point, especially since he's here specifically pimping his service.
Re: Re: Re: Re: Fix'd!
> service to people that specifically bypasses regional control
He's selling a service that allows someone to appear somewhere other than where they are on the internet, which is not in and of itself illegal. If someone else buys that product and uses it to violate Pandora's terms of service, then they have a case against that person, but not against the person who made the (perfectly legal) tool in the first place.
> I'm not sure if some part of the DCMA
The DMCA doesn't make this illegal and even if it did, the DMCA only applies to America. The internet exists in many other places where the DMCA has no effect.
> but I'm positive that he would be breaking some actual law
You'd be wrong. There's no law requiring every person on earth to authentically broadcast their true geographic location when using the internet.
> After all, these regional protections wouldn't exist without
> some kind of legal protection, would they?
The only legal protection they have are the contractual obligations people agree to when using the service. As I said, Pandora would have a valid case against people who use their service inappropriately but they have no case against the person who makes some software that spoofs a user's real location because that person is not in privity of contract with Pandora.
Re: Re: Re: Re: Re: Fix'd!
"why would anyone, with a reasonable internet connection in their home, need to appear to be somewhere else than where they are?"
The answer: To bypass geo based security or legal restrictions put in place by sites,to bypass restrictions to access in the home country, or to try to disguise or hide illegal activities.
There you go. Without a good answer to the basic first question a lawyer would ask in court, the rest is pretty much meaningless.
Re: Re: Re: Re: Re: Re: Fix'd!
> simple question:
How do you know I can't answer it? You've never asked it of me before, genius.
> "why would anyone, with a reasonable internet connection in their
> home, need to appear to be somewhere else than where they are?"
Your argument fails because I don't need to answer a question like that if my product is not illegal.
As I said above, there's no law against making or using a product that masks one's true geographic location. Absent any such law, the answer to your snide little question is irrelevant because people don't have to justify their legally produced products to others merely because those others don't like them.
But just for shits and giggles, here's a legitimate use: human rights workers could use it to thwart the ability of totalitarian regimes to track them down for exposing their abuses. Corporate whistleblowers could similarly use it to mask their identity to avoid retaliation.
> There you go. Without a good answer to the basic first question
> a lawyer would ask in court, the rest is pretty much meaningless.
Actually, the first basic question the *court* will ask your hypothetical lawyer (usually during a summary judgment motion by the defense) is whether what the defendant has done is illegal (in this case producing and selling the product in question). If the answer to that question is "no"-- as it would be here-- the defendant is entitled to summary judgment and a dismissal of the case.
The court would never even reach your precious question before the case was dismissed.
BBC iPlayer is even more ridiculous
The ridiculousness is simply having a verified account would address the problem. I create an iPlayer account and then verify that account with the Tax people saying I've paid my license fee. Then I should be able to log in anywhere in the world watch shows I've paid for (compulsory payment as well).
i'll explain this to you lawyers and noobs
1)buy or acquire my tunage whatever way
2) fuck you for telling me what and how to listen to it
3) BIG FUCK YOU for telling me where i can listen to it
and remember FUCK YOU
I keep saying: the future of music is all pirate, all criminal, all the time.
Re:
I keep saying: the future of music is all pirate, all criminal, all the time.
if you having streaming problems i feel bad for you son. i got 99 problems, but gettin my hands on free content ain't one.
Illegal: not according to or authorized by law
http://www.merriam-webster.com/dictionary/illegal
A license agreement is between two or more parties and when broken is a civil matter.
Bit Torrent.
Not that I condone pirating, mind you, I'm just saying that it seems that they intentionally drive people to pirate music. Probably because it's far more lucrative to sue for copyright infringement than to sell digital copies. (Or stream them!)
meanwhile, about DVDs and regions
In her selection & essay for the best movies of 2009, New York Times movie critic Manohla Dargis says, "You should" own a region-free DVD player if you are a dedicated movie lover.
Because many of the world's best films just aren't available here in the USA.
Let me re-emphasize: one of America's pre-eminent movie critics is telling readers of a leading newspaper that it is imperative that they possess & use equipment to defeat technical region-restriction measures on DVDs.
http://www.nytimes.com/2009/12/20/movies/20dargis.html?_r=3
(A digression: if you love movie reviews, start paying attention to Manohla Dargis. I believe she is going to be Roger Ebert's successor as the best film critic. Not, mind you, that I am trying to hurry Roger along; I am so delighted to have Roger back at writing full time.)
mean
What they mean is patents stifle the copying of innovation.
20 people all tossing around the term "illegal" when there are absolutely zero laws regarding anything described as being illegal in said discussion.
You Americans live on another planet
The Internet wasn't invented for Americans to trod all over the world and feel at home. It actually serves a purpose and needs to be regulated world wide, hence these "ridiculous copyright rules".
Re: You Americans live on another planet
> world and feel at home.
Actually, it was. It was invented by and for America.
> It actually serves a purpose and needs to be regulated world wide
No, it doesn't. The last thing we need is some kind of European version of "free speech" regulating the internet, where you can say what you want so long as you don't offend anyone anywhere at any time, and you can be criminally charged if you do.
Any world-based regulation that conflicts with the US Constitution, for example, would be void in America.
ZipLine could be Dangerous!
Your product idea seems intriguing, but I have some concerns. Specifically, it has one basic architectural flaw which leads to two related but distinct security risks.
You wrote (emphasis mine):
"Zipline is an IPSec VPN tunnel to *a* secure network *that I admin*. This solves for baddies *on the LAN* doing anything nefarious[…]"
It does indeed protect Zipline users from LAN attacks. In particular, the choice of IPSec instead of SSL tunnels is a good one. But such a system inherently places its users at extreme risk of any “baddies,” as you say, who may gain or have access to the Zipline servers themselves.
For the benefit of readers without a background in network security, the basic issue is this: a normal user in a coffee shop, browsing the web on the wireless connection, is engaging in insecure network behavior that looks like this (--- is an insecure connection, === is a secure one):
[laptop]---[router]---/internet/---[website]
Note that the route between the coffee shop router and the website in question could be through all sorts of different combinations of network resources, varying per request. But all of your traffic is going through the coffee shop router, so if an attacker takes it over, you are hosed.
Dan proposes to securely route your traffic through Zipline, after which it proceeds insecurely:
[laptop]===[router]===/internet/===[zipline]---/internet/---[website]
Zipline now assumes all of the same problems that the coffee shop’s router had before: if an attacker takes Zipline over, you are hosed. But it’s actually worse than that, because it’s not just one Zipline user that gets hosed. They all do. Actually, by aggregating many users’ traffic to a known and shared network location, Zipline itself becomes an attractive target for hackers, thus exposing its users to many more hacking attempts than the mostly-empty coffee shop they frequent. With Zipline, you don’t have to worry that there’s one person *in your coffee shop* sniffing your traffic, you have to hope that there’s not one person *in the world* that’s decided to attack the Zipline servers.
The product is very aptly named—while a zipline enables its users to skip past potentially dangerous terrain, ziplines are major sources of danger in their own right.
By aggregating user traffic to one known service, Zipline itself becomes a *much more attractive target* for hackers. The benefit of Zipline (slightly increased protection against boneheads in coffee shops) doesn’t justify the cost of aggregating user traffic, inserting a known network route and server into the packet path, and (presumably) having to secure a new codebase of cert management. And having to trust an unknown third party, which brings me to the second basic security issue with Zipline.
Putting aside the increased risk of attack from outside, the Zipline scheme also requires its users to trust the Zipline network operators. You’re asking your users to put all of their security eggs into one basket—your basket—which is basically the same as asking your users to trust you *completely*. A service such as Zipline would have to have mint-level credibility for users to trust it sufficiently.
Earlier in your email, you rhetorically asked:
"Do you find yourself in coffee shops, or other public wifi frequently and sometimes wonder who is watching your traffic?"
This is a really interesting question, because it highlights this second core security problem precisely. Dan, you’re a well-known perpetrator of *exactly the kind of exploit* you claim to protect Zipline users *from*.
No one can be sure how frequently you engage in such behavior. I’ve heard of several incidents, at least one of which is well-documented[1]:
on 27 December 2008 you attended a meeting of the Linux Users of Southern California, at which you performed a man-in-the-middle attack on the coffee shop’s wireless network.
For the benefit of any of your potential customers reading this list, here are some of the details from Dan’s victims that evening:
David Kaiser wrote, in [2]:
"Right. ARP spoofing made everyone’s laptop on that network send their packets to Dan’s laptop instead of to the router. ARP spoofing can be done with a number of little tools that any script kiddie can download and run. And that’s the problem with script kiddies - they actually haven’t done anything innovative… I don’t think Dan Tentler actually wrote any code or ever did anything original - certainly nothing educational to the group - he just ran someone else’s application and harvested everyone’s packets looking for personal information. Any one of us could do that (but none of us have except for him.) The big issue I have with his actions is that at the end of the night we all had a big question mark about what amount of our information was exposed. It would be different if we saw his screen and saw when he started & stopped the capturing, and were able to audit his equipment and personally verify what of our personal data he either did or didn’t have at the end of the night - but instead we have a big question mark. Yes, Dan Tentler says he didn’t log any of the data and that he erased his capture session - but I don’t know him well enough to trust his words on face value like that. I certainly don’t find his actions (either online or in person) that trustworthy. So in my mind that means that any personal data (username, password, IP numbers, etc.) that anyone transmitted to the network on Saturday night is under a big question mark - we can’t verify that he didn’t retain it - no matter what he says about the issue."
He continued in [3]:
When the issue with Dan Tentler being dishonest and stealing people’s passwords first arose on Saturday night, he had numerous chances to be honest, contrite, forthcoming, and at least try to explain himself properly - and he didn’t.[…]
When Chris really found that he was the culprit, he passed it off as if it was some research project. When the issue of having intercepted gmail passwords and such came up - he made the comment that it was all harmless because he wasn’t going to save the log of his capturing activity. Yet he didn’t - he kept right on capturing other packets, and didn’t actually demonstrate that he had cleared the captured log. […]
there were numerous chances during the conversation as it developed that evening, where he could have provided us with a reason to supply that benefit, where we would be generous with our opinions of him - but every time he chose the wrong course, with either denial or dishonesty. […] If you want to give him the benefit of the doubt, please do - but people that started off trying to give the benefit of the doubt were quickly convinced that he didn’t deserve it based on his actions.[…] He has not provided any proof of deniable culpability - and when someone like him is observed doing the activities he was doing - proving to everyone that he was clean should have been the very first thing he did.
All in all, it’s a shameful act for someone who claims to be a security professional. Security professionals only do what’s within their bounds, and don’t shrug at legalities like Dan Tentler did. Security professionals don’t infringe on people’s privacy for sport like Dan Tentler did.
Loren Cress said, in [4]:
He claims to be a “security professional” but Dan Tentler’s unprofessional actions demonstrate his *inexperience, immaturity, and dishonesty*. This kind of thing might have been fun in high school, but it is not the kind of thing I’ve come to expect from a 29-year old adult. […] Dave said “[…] they have the right to be upset about the potential serious loss of privacy.” I disagree - this was not a *potential* loss. It was a *violation of privacy*, period. […] Anybody sitting in that cafe had a “reasonable expectation of privacy.” Dan Tentler violated that privacy, and by being associated with the group, violated the trust of the members.
In summary:
The architecture of Zipline is dubious from a security standpoint, and moreover, we have every reason to believe that its operators are precisely the sort of script-kiddies Zipline purports to protect people from.
Dan, you are the fox, offering hens your services as henhouse manager. Moreover, you expect them to pay for it! The mind boggles.
Ted
1. See the email thread beginning with:
http://socallinux.org/pipermail/linuxusers/2008-December/005946.html
2. http://socallinux.org/pipermail/linuxusers/2008-December/005952.html
3. http://socallinux.org/pipermail/linuxusers/2008-December/005965.html
4. http://socallinux.org/pipermail/linuxusers/2008-December/005978.html
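The ARP spoofing described in the quoted thread (a laptop answering ARP for the gateway so that everyone's packets go to it instead of the router) is detectable from the victim side by watching ARP replies. The following is an added example, not code from the comment or from Zipline; it assumes ARP replies have already been captured into (time, sender IP, sender MAC) tuples, and the sample records are constructed.

```python
"""Flag gateway impersonation in a stream of observed ARP replies.

Added example, not part of the original thread. Assumes a sniffer has
produced (time, sender_ip, sender_mac) tuples; SAMPLE_ARP_REPLIES below
is a constructed sample, not a real capture.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # constructed coffee-shop router address

# Constructed sample: the router answers first with its real MAC, then a
# client host's MAC starts answering ARP for the gateway address too.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:55"),   # real router
    (1.0, "192.168.1.20", "aa:bb:cc:dd:ee:01"),  # ordinary client
    (2.0, "192.168.1.21", "aa:bb:cc:dd:ee:02"),  # ordinary client
    (5.0, "192.168.1.1", "aa:bb:cc:dd:ee:02"),   # .21's MAC now claims the gateway
    (6.0, "192.168.1.1", "aa:bb:cc:dd:ee:02"),   # repeated announcement
]


def detect_arp_spoof(replies, gateway_ip):
    """Return a list of alert dicts for suspicious gateway ARP activity.

    Two checks: (1) the gateway IP is announced by a MAC other than the
    one first seen for it; (2) a single MAC claims the gateway IP in
    addition to some other IP. Each (ip, mac) pair is reported once.
    """
    first_mac = {}                 # ip -> MAC first seen announcing it
    ips_by_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    reported = set()
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        first_mac.setdefault(ip, mac)
        if ip != gateway_ip:
            continue
        if first_mac[ip] != mac and ("changed", mac) not in reported:
            reported.add(("changed", mac))
            alerts.append({"kind": "gateway-mac-changed", "time": t,
                           "ip": ip, "mac": mac, "expected": first_mac[ip]})
        others = ips_by_mac[mac] - {gateway_ip}
        if others and ("multi", mac) not in reported:
            reported.add(("multi", mac))
            alerts.append({"kind": "mac-claims-multiple-ips", "time": t,
                           "ip": ip, "mac": mac, "also": sorted(others)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES, GATEWAY_IP):
        print(alert)
```

The first three records produce no alerts; the two later gateway announcements from the client's MAC produce exactly one alert of each kind, with the repeat at t=6.0 suppressed.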
zipline
oh, and it sounds like Dan Tentler of Aten Labs just got pwnd!
I'd really appreciate it if my email in comment #59 were removed from this page
I didn't authorize the re-posting of my email above, and would appreciate it if it were removed. Thanks!
nevermind
I had the same exact problem...