
July 2003 Archives

Damien Stolarz


Related link: http://www.terminator3.com/

I just saw Terminator 3. No midichlorians; no jungle-beat rave freaking; just good, old robots trying to take over the world. If you haven’t yet, you should see it.

Lucas Gonze


Update July 22

Security through obscurity crumbles yet again: Mr. or Mrs. Anonymous posts the exploit below:

The tool being used is GraphEdit, a part of Microsoft’s SDK for DirectShow.

It shows the underlying encoders/decoders/stream splitters used to get from a file to an output device such as a soundcard, your monitor, or (and this is the ‘crack’ bit) another encoder’s input and a subsequent file.

It generally is lossy, because you are re-encoding the decoded stream = generational loss.

But it’s possible that the bits could be caught before decoding, and shunted into a custom-written filter that instead of decoding the bitstream, just writes it to a file after decryption.

Update #2

Follow-up info is that the exploit Anonymous documented is a different one than I was originally looking for, meaning that there are two, and that the one which is not yet known does produce listenable audio.

Secondly, the issue is not whether the re-encoding is lossy, which some people have been microfocused on, but whether it’s listenable. As long as you either re-encode with the same encoder used originally or re-encode without compression, the exploit given by Anonymous should sound the same as the file with DRM. (I’m just restating the point made by Tom below.)

Update July 19

Score one for security through obscurity. I haven’t found a detailed explanation of the exploit, and I’m out of time for looking. The best documentation I have is mails from the wm-talk list, which I have archived here in mbox format — you’ll need to import these into your mailer to make the file readable.

Worth pointing out: check out the post below titled “Digital becomes Analog.”

Update July 15

The crack turns out to be lossy. It grabs the audio stream at rendering time, so it doesn’t have access to the unencrypted bytes.

That said, this is all gossip. I still don’t have access to either the details of the exploit or technical documentation, so can’t judge for myself. There’s no public documentation on the design of WM9 DRM (or iTunes DRM, for that matter).

If any regulars on AVSForums run across the original reference, I’d be grateful for a pointer.

Folks on AVSforums say they have successfully used tools from the Microsoft software development kit to rip and re-encode audio protected by Microsoft DRM in the WindowsMedia 9 format. This is only a rumor at this point — I haven’t seen the crack myself, but WM9 developers seem to be taking it as gospel.

How did these criminal masterminds pull off this incredible feat? Did they crack an encryption key? Did they beat an MS employee with a rubber hose? Did they heat a CPU in a microwave oven? Was it a buffer overflow? An underflow? What was this remarkable feat?

Incredibly, there was no exploit needed. These wily crackers merely had to write a program using well documented, 100% aboveboard functions provided by Microsoft. It was not hard, involved no breakthroughs, did not depend on reverse engineering, and did not need a key. All they did was build the right DirectShow graph, and since DirectShow is a tool for third party software developers to build shipping software, ISVs can easily offer an all-in-one solution to strip DRM from content without fear of the DMCA.

What this means is that the DRM on which both Microsoft and their many partners in the RIAA and MPAA are counting is nothing but a sham. There is no DRM in MS DRM.

Robert Kaye


The Friday morning keynotes at OSCON were a bit off the beaten path, with George Dyson discussing John von Neumann’s role in creating the ENIAC computer in 1945 at IAS, and Miguel de Icaza and Nat Friedman talking about Mono and Dashboard.

George Dyson had the opportunity to dig in the archives at IAS (Princeton Institute for Advanced Studies) and examine the records that were kept during the creation of the ENIAC computer. Dyson presented how the project came to be and the evolving friction between the residents at IAS who were focused on theoretical research and the ENIAC creation team. Throughout the presentation Dyson presented an endless number of slides — memos, design diagrams, debugging notes, testing logs. Each of the slides had the most crucial elements highlighted for easy digestion by the audience. Many of the slides elicited laughter from the audience as we could see bits and pieces of ourselves in the notes of the ENIAC engineers.

A few of these slides outlined heated memos from the theoretical researchers at the IAS, complaining about the ENIAC team. The ENIAC team was exhibiting prototypical geek behaviours that are still present in today’s geek culture. Von Neumann was not only an engineer who was ahead of his time, but he was also a leader and a geek who set the tone of the geek culture that was to follow him.

I really enjoyed Dyson’s lighthearted talk — it was action packed with warm fuzzy content to make everyone smile and feel good about being a geek. It was a warm welcome to contrast the other excellent but far more serious keynotes.

Miguel and Nat followed suit in the lighthearted tone in their keynote when they spoke about the progress that Mono had made in the last year. They talked about the common runtime code and how many languages will compile to the common runtime code, including Java. To demonstrate this feat, they compiled IBM’s Eclipse to bytecodes and then translated them to Mono’s common runtime and then ran it from there — quite impressive.

The best part of the keynote was when Nat started demonstrating the new dashboard application they dreamt up. Dashboard takes in cluepackets (packets of information) from other applications (such as IM clients) and requests that the various back-ends for dashboard retrieve information related to the data in the cluepacket. Nat demonstrated this concept by sending an instant message to the IM client which then passed off a cluepacket derived from the IM message to the dashboard application. Dashboard promptly pulled up Miguel’s personal information (including his real-live cellphone number, which was shown to all audience members), pictures and other related links.

Given that the application took only a few days to write, it was quite impressive. If you’d like to know more about Dashboard, check out DJ Adams’ write up.

And a note to Miguel — if you’re going to have someone show off your cellphone number to the audience, you should remember to turn off your cellphone before your speech. :-)

As usual, this O’Reilly conference rocked the house — the keynotes, presentations, exhibition and the watercooler discussions in the hallways were lively and interesting. Never a dull moment; action from morning until late at night — it’s hard to write about the conference when there is so much to do. But there are worse things in life. :-)

Finally, I have a few random observations to make that don’t fit into any other topic:

  • Random overheard quote: “Novell, the failed satan. — Alan Nugent, Novell”
  • C++ is dead. Miguel de Icaza dislikes C++, and many more people had plenty of negative things to say about it. Personally, I hope to be able to wean myself off C++ in the near future.
  • The geek gender ratio is still severely out of whack. The women’s restroom at the conference was converted into another men’s restroom. Sad, but logistically necessary.
  • The subversion source control system seems to be getting more talk than other source control systems that hope to replace CVS.
  • Many people are unhappy with SourceForge. Users from Asia seem to be very unhappy with the connectivity to SF. This combined with the fact that public CVS access lags behind the developer CVS access by 24 hours, does not spell out a promising future for SF. I’ve overheard a few conversations about developers looking at gforge as a replacement for SF.

And I really liked the new Portland location for the conference. Overall I give an enthusiastic two thumbs up to Nat and the O’Reilly conferences staff for putting on an excellent conference.

What did you think of the conference?

Robert Kaye


Thursday morning at OSCON 2003 was kicked off by Stormy Peters’ keynote speech about open source in the enterprise and how Hewlett-Packard is involved in the open source community. She talked about a number of business aspects of open source, but I really appreciated hearing about the open source review board at HP. This board reviews cases where HP employees wish to open source applications from within HP and it ensures that code that is released is fully owned by HP and has no intellectual property restrictions. This review board has established the following business cases for when to open source applications:

  • The product commoditizes a market you do not currently control.
  • The product would make a technology pervasive.
  • The product would promote the use of a proprietary piece of software.
  • Open source would lower the product’s overall cost to the company.
  • The product promotes hardware (or other value add).
  • Open sourcing creates a custom solution for a customer.
  • You can provide profitable services in relation to the product.
  • Open sourcing the product allows you to exit a business.
  • Open sourcing the product allows you to leverage resources from others.

On the flipside, there are a number of cases where it does not make sense to open source applications:

  • Product is a control point for you.
  • The product should be obsoleted.
  • The cost does not justify the benefit.
  • Misdirection and defocusing of resources.
  • The intellectual property risk cannot be justified.
  • To compete against the open source community.
  • Just because it’s cool technology.

And HP’s rationales for using open source software are:

  • You would like to promote an existing standard.
  • There is already an existing, pervasive technology.
  • Refocus your resources on value add.
  • No risk of accidentally copylefting an existing product.

And rationales for not using open source software:

  • The technology direction does not match your strategy.
  • The chief architect does not agree with the proposal.
  • Time to market is critical (you cannot control open source release schedules!).

Stormy’s presentation was enlightening — it’s good to see that companies have people who are in charge of formulating open source policies and are leveraging the work of open source developers while crafting sane policies that will maintain a good relationship with the community.

What are your experiences with open source in the enterprise?

Robert Kaye


Microsoft is sponsoring the lunches here at OSCON 2003. During today’s lunch, they hung this banner over the lunch tables:

Free as in Lunch.

Very witty and appropriate!

Robert Kaye


After hearing much hype and drama in the press about the SCO vs IBM lawsuit, it was refreshing to hear more down to earth perspectives from Bradley Kuhn (Free Software Foundation), Alan Nugent (Novell), and attorney Lawrence Rosen (Open Source Initiative). The panel was moderated by Chris DiBona (of Slashdot fame).

Larry Rosen, an attorney who is familiar with open source legal issues, had a few interesting points to offer:

  • Contrary to the misleading panel title (IP Wars: SCO vs Linux) this lawsuit is not an intellectual property lawsuit — it’s a contract dispute lawsuit since the key issue lies in the interpretation of the contract between IBM and SCO.
  • The lawsuit must prove that SCO was harmed by IBM’s actions. Was SCO harmed in this case? Larry believes that this is not the case and will be difficult to prove in court.
  • On how people should regard this case: “People ought to chill out. There is a lot of premature worry.” Chances that SCO is going to win this suit are slim. IBM easily disputed nearly all the facts alleged in the lawsuit (except the part that IBM is a New York corporation, which is true).
  • The letters that SCO sent out informing corporate Linux users of the SCO vs IBM lawsuit mean nothing and only the outcome of the lawsuit will determine the real effects. The letters were merely sent out to create FUD.

Brad Kuhn from the FSF thought that: “The goal [of this lawsuit] is to make the GPL and Linux look bad.” I couldn’t agree more — there seems to be little other merit in the suit.

Along the same lines, it was discussed that Microsoft licensed the IP from SCO after the case was filed, thus infusing SCO with much needed cash for pushing this lawsuit. But what on earth is Microsoft going to do with this IP? Microsoft has not embraced UNIX since back in the XENIX days, and even that was tenuous at best.

Furthermore, one of the panelists remarked that Linus Torvalds prefers to accept patches only from people he knows, and that the Linux kernel is generally considered one of the harder projects to get a patch accepted. So, how could the offending code have made it into the Linux kernel?

I have a hard time thinking that someone close enough to Linus would be dumb enough to jeopardize Linux by including proprietary code. Often times the Linux kernel hackers mock other flavors of UNIX which makes it seem unlikely that the developers would even be tempted to include proprietary code.

We will see how this plays out — Larry pointed out that the suit had been moved from a state court into a federal court and that federal judges didn’t want cases lingering for too long. He didn’t think that the case is significant enough to take a long time to resolve — 1 to 2 years by his judgement.

Finally, it doesn’t sound like the FUD attack that SCO planned is working out. Internet Week reports that “SCO’s Linux lawsuit and threats seem to be having little effect on IT managers except to make them angry.”

Do you think the SCO suit amounts to anything more than FUD?

Robert Kaye


Tim’s keynote speech took a close look at where open source software may be headed in the future. Over the past few years the open source community has worked hard to establish itself and to nail down the processes and terminology for our new method of developing software. Now that open source begins to mature and becomes more accepted, it’s time to look towards the future and make sure we’re not getting caught off guard by new trends.

The common misconception is that Linux has no killer applications, when Linux’s killer applications are Google, Amazon, PayPal, and Yahoo Maps (FreeBSD). Yet these killer applications are not open source — they are fiercely competitive, and the binary distribution clauses of the open source licenses do not apply to these killer applications.

In the early days of the IBM PC, IBM made the decision to open up the hardware of the PC and allow others to create compatible hardware. This attitude created an open market for hardware which led to the commoditization of hardware components. This trend caused IBM and Compaq to surpass Apple with its closed architecture.

A similar shift is about to come to the open source community, and Tim suggested: “Open architecture inevitably leads to interchangeable parts.” He further calls on open source developers to create plug compatible software components that give users more flexibility over the composition and configuration of software systems.

Tim outlined the three C’s that will be important in the future:

  1. Commoditization of software — create plug compatible software components and foster competition by avoiding vendor lock-in. Open source drives down margins on for-sale software, and projects like Apache changed the landscape so that web serving is no longer a revenue model. Proprietary software solutions will not be able to compete unless they become free (as in beer).
  2. User customizable systems — interchangeable components give users more power in creating software systems that are more flexible than off-the-shelf solutions. Plus, these systems are not suited for sale, but suited for creating services that can be updated much quicker than traditional software can. More dynamic and customizable systems can be driven by data, rather than being driven by tedious custom code.
  3. Network enabled Collaboration — tools like Rendezvous, Hydra and wikis will allow distributed teams to be more effective and will help to bridge geographic and timezone gaps. These tools also allow more people to get involved in the software creation process, since the overall process is more approachable than with previous Cathedral models.

The power of commodity software becomes apparent when you look at Linux’s killer applications: Google, PayPal and Amazon. These applications are great examples of hidden business models that have the power to enable a service based software economy.

In taking these lessons to heart and watching for the paradigm shift, Tim encourages the open source community to use commodity software to build a customizable Internet OS, in order to drive prices of software down and to enable more service based business models. Tim also encourages us to look towards the alpha geeks for new trends in technology — for example, geeks writing screen scraping scripts predicted the rise of web services, and wireless technology hackers created the concept of community wireless networks.

It’s time to think about the future of open source and how to embrace the concepts of commodity software, and that data is becoming more important than code, as Amazon and Google are demonstrating with their web service APIs. It’s important for the community to anticipate this paradigm shift and to be ready to embrace this change.

What is your take on commodity software?