[plug] MS Curriculum at schools and TAFEs ...

The Thought Assassin assassin at live.wasp.net.au
Mon Apr 23 13:56:08 WST 2001


On Mon, 23 Apr 2001, Christian wrote:
> On Mon, Apr 23, 2001 at 12:32:31PM +0800, The Thought Assassin wrote:
> > > > It isn't even that the present situation particularly
> > > > disadvantages Free Software - there are gratis non-free modules as I
> > > > understand it - but it illuminates Adobe's attitude to their stewardship
> > > > of the standard. If we accept PDF as an open standard because it is "close
> > > > enough" for "practical purposes", we send a message that freedom is
> > > > unimportant and take the first step along a slippery slope.
> > Does that answer your question? :) PDF as it stands right now does not
> > seem to be anything less than an open standard in any practical sense. The
> > theoretical proprietary lock-in and what it says about Adobe's lack of
> > commitment to openness are things that cause me enough concern about the
> > future to avoid actively supporting PDF now.
> I guess it does! *grin*  Honestly though, calling arc4 a "gratis
> non-free module" seems to be stretching things a little.  There are
> numerous free software implementations and the code has been around for
> years.

I wasn't sure of the situation, I just knew that there was nothing
stopping people from using it IRL, but that there was definitely no
guarantee that a truly free version couldn't be challenged legally.

> Obviously I'm not a lawyer but my understanding regarding things
> like trade secrets (which is what RSADSI previously claimed RC4 to be)
> is that if you let them out of the bag and/or don't take protecting them
> seriously then you pretty much lose your rights...

Yes, as long as the information was obtained through legal means. (IANAL,
but I'm fairly sure I'm right about this) Patents were introduced to
prevent people keeping things like this secret, but they introduce
insurmountable legal barriers to Free alternatives. I had assumed that the
algorithm in question was patented, as RSA likes to do.

> I guess what I'm saying is that, while the PDF standard may not be
> technically 100% open, there are 100% open/free implementations that are
> also 100% compatible with it.  I'm not convinced that this implies that
> our stance as a community is "freedom is not important".

I don't really think that's the stance, either, I just worry that if we start
to offer inches, miles will be taken - or that the greater populace will
think "even the Free Software people accept quasi-open proprietary
standards, obviously there's no benefit in pushing for complete freedom."

In short, I'm paranoid, but perhaps with good cause.

> > On a related topic...
> > As PLUG's resident security and cryptography "guru", what do you think
> > about the idea of putting the encryption layer within the document format?
> I'm tempted to quote my previous comment the same way you did to me! :P

I saw what you wrote earlier, I just wanted you to expound on it,
basically so that I could write <AOL> at the end of it. :)

> I'm also not sure when I became "PLUG's resident security and
> cryptography ``guru''"! :-)

I don't think there were any other nominations, so you're lumped with it.

> There is very, very little security advantage to including this sort of
> functionality into the file viewer.  The only thing I can think of is
> that if you had a very powerful attacker who already had almost complete
> control over the computer system you were using or was going to
> physically steal it out from under you. By incorporating the encryption
> into the file viewer you no longer need to ever store a plaintext copy
> on the hard disk (except for the usual caveats on virtual memory).

That was roughly my take on it. The encryption is useful if someone is
able to read the file as it travels across a network, or while it is on
your computer. If either of those things is true and is a problem, then
you should encrypt either your communication channel or your hard-drive,
since the likelihood of every sensitive bit of data on your system being
in PDF form is approximately zero. Once you have done that, the encrypted
file format buys you nothing. It is just a pain in the arc4.

As you so astutely point out, the only benefit is if it is designed to
prevent the person viewing the document from getting at the plaintext
version of it. This obviously depends on trusted client software, which is
incompatible with freedom. The only way to trust your client software is
not to license the appropriate parts to those who won't make their clients
behave as specified, and then you're using legal protection, not
technological protection, so why bother making such a nuisance of yourself
with the encryption side of things?

> From what I've seen it appears that the security/cryptography community
> is somewhat split by this general issue of content protection through
> cryptography.

Yes, some think it is futile, the others wonder how it could ever be a
desirable thing in the first place. :)

> On the one hand I went to a conference at the end of last
> year where about half of the papers being presented were on various
> schemes for content protection.  These were well-respected,
> international researchers trying to accomplish something that seems
> either pointless or just plain impossible.

All of them no doubt relying on legislative protection at a fundamental
level, not presenting an effective technological solution. Except for the
ones relying on secrecy and Oh-god-I-hope-no-one-reverse-engineers this.
Or am I wrong?

> The only real solution is to make the device itself less general purpose

At which point in time you are out-competed by those willing to offer your
customers more, even if the extra feature is just copying functionality.
This competition can only be avoided by legalistic or secretive means.

> (i.e., more restricted) which appears to be basically what Microsoft is
> planning on doing with Windows XP.  Doesn't really bother me though -- I
> can't see Linus accepting a kernel patch to only allow certain digitally
> signed MP3's being played...

...and when CDs are obsolete and all music is sold in formats decryptable
only under Windows, what will you do then? We should all care about this.

-Greg Mildenhall



