Belmont Club

The Xbox Defense

Andrew “Bunnie” Huang describes the underlying issues in “USA v. Crippen, where for the first time an individual, Mr. Crippen, was charged with an alleged violation of the criminal portion of the DMCA statute”. Crippen was found to be modifying Xboxes, but the government withdrew the case after their own witness established that the prosecution failed to provide a key fact on which the prosecution based its case. It is an interesting incident which may in the end, illustrate how Julian Assange plans to defend himself.

Bunnie had been called as expert witness in the case. “The 35-year-old Huang argues that modding is not a violation of the Digital Millennium Copyright Act, which makes it unlawful to circumvent technology designed to prevent copyright infringement. He said he hopes to prove that point to jurors via a step-by-step tutorial.”

“Basically, what he did was insufficient on his own to violate anything,” Huang said in a recent telephone interview from Singapore, where he serves as vice president of hardware and general manager for Chumby’s operations in Asia.

The crux of his argument is that all the information required to read an Xbox game is in technical plain sight on the medium and on the pirated copy as well. The mods essentially told the Xbox to ignore the fact that the media was “unwatermarked” and proceed to read an “answer table” by other means to continue where an unmodified machine would stop. Therefore it was an open question whether Crippen violated the statute as it was written because he didn’t commit enough of a crime to cross the line.

So the first question upon which a jury must deliberate is: given that the document is entirely readable despite anti-counterfeit measures, do these anti-counterfeit measures constitute an effective access control that requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work? …

The most important fact to be cognizant of in this system is that the “answer table” is not contained anywhere within the Xbox360 ODD mod applied by Mr. Crippen. Without the user of the modification also contributing the “answer table”, the mod is entirely incapable of performing any function. This is demonstrated by what happens if, for example, the “answer table” is missing or damaged …

In the case that the “answer table” is lacking from the disk inserted into the ODD, the disk will not play. Thus, the question is: given that the user of the modified Xbox360 (in this case, the private investigators and agents that the government hired) must also materially participate in the “process” by providing an “answer table”, is the mod alone sufficient to justify felonious conduct?

Modding the Xboxes were only ‘half a crime’ awaiting the action of the customer. Until a pirated disk was actually inserted into the device, the entire crime was incomplete. The prosection tried to plug that hole by offering testimony that Crippen had inserted a pirated disk into the modified Xbox. Wired reported the government witnesses testimony:

during his testimony, Rosario also said Crippen inserted a pirated video game into the console to verify that the hack worked. That was a new detail that helped the government meet an obligation imposed by the judge that very morning, when Gutierrez ruled that the government had to prove Crippen knew he was breaking the law by modding Xboxes.

But nowhere in Rosario’s reports or sworn declarations was it mentioned that Crippen put a pirated game into the console. During the opening statements shortly before Rosario’s testimony, defense attorney Koren Bell told jurors that there would be no evidence of that kind. …

Defense attorney Callie Steele objected to the new testimony. And as court was to get underway here early Thursday, prosecutor Chiu told the judge that he first learned of Rosario’s newfound recollection days before trial. Chiu conceded he never forwarded that information to the defense.

The defense attorney spotted the problem and pounced on it. The judge threw the case out. And that was that. But the most interesting aspect of Bunnie Huang’s exposition is the tutorial he never delivered, wherein he describes the distinction between various modes of data controls: encryption, digital signatures and watermarking. Essentially encryption can render content unreadable, digital signatures are a cryptographic method of making sure that a document with a digital signature cannot be altered without compromising the signature and watermarking should only allow the reading device to know whether the information is on authorized media. It goes to the heart of what is true and authentic in the digital world, and as Bunnie points out, that property is essential.

In the case of Wikileaks the core problem has always been what I’ve called the Nazis on the Moon question. If you have classified information claiming there are Nazis on the dark side of the moon, how do you confirm if it cannot be publicly verified? You cannot in principle. Maybe you can observe the moon and monitor it for signals. But confronted with a secret satellite photo of Nazis roosting there, you would ask where did you get this? If the answer is “Donald Rumsfeld”, then you have to prove Donald Rumsfeld sent it. And that gets to digital signatures or watermarks.

Interestingly, critics of Wikileaks have claimed that it uses a broken digital signature system to verify the digital signatures of the material that is sent to them.  Since authenticity cannot be completely divorced provenance and provenance can’t be entirely established with a broken digital signature system, then how does anyone know Assange got the stuff where he says he got them?

Wikileaks still uses a broken MD5 hash function for its supposedly secure SSL connection, that is used to upload sensitive documents to them.

In an attack on MD5 published in December 2008, a group of researchers used a new technique to fake the validity of SSL certificates. US-CERT of the U.S. Department of Homeland Security said MD5 “should be considered cryptographically broken and unsuitable for further use, and most U.S. government applications will be required to move to the SHA-2
family of hash functions after 2010. This broken md5 hash function is however still in use by the https://secure.wikileaks.org/ SSL connection.

The same issues were raised by defenders of Bradley Manning, who argue that the documents presented as his are fakes. They haven’t realized the half of it. What is true and what is fake is at the heart of the Wikileaks problem. Most of the attention around Wikileaks has focused on the publishing aspects. Relatively little attention has been focused on the data lineage and authenticity. These issues are slowly coming to the fore.  The problem has already scammed newspapers around the world.  The Pakistani media was recently rocked by revelations they had duped by “fake” Wikileaks leaks which depicted aggression by India.

The same problem had to be solved by those who were willing to buy the data.  One question yet to be answered is how the consumers of Wikileak’s “info” knew they were getting the good stuff. Because they were willing to pay they had a vested interest in ensuring authenticity. The Washington Post reported that Wikileaks was paid to give five newspapers an exclusive. The New York Times, got scrupulous or got advice from its lawyers and got its hands on 250,000 “cables” from the Guardian, for unspecified reasons. The WaPo wrote:

WikiLeaks had worked with the Times this summer in releasing about 90,000 documents prepared by U.S. military sources about the wars in Iraq and Afghanistan.

But the group pointedly snubbed the Times this time around, offering the State Department cables to two other American news outlets, CNN and the Wall Street Journal. Both turned WikiLeaks down, deciding that its terms – including a demand for financial compensation under certain circumstances – were unacceptable.

John Young, one of the early supporters of Wikileaks, has “leaks” of his own describing the backroom negotiations. He basically said the negotiations were conducted through a cut-out. Authenticity was provided by social proof, that is, the intermediary was trusted. Assange necessarily had to control the distribution to those who paid up, but he didn’t do it well enough to keep  the NYT from stealing the story. They pirated his game.

“An intermediary asked for $100k for ‘production costs.’ We declined. We investigated but could not prove the money was to go to Julian Assange or Wikileaks. It seems a British public interest production company produced news pieces for BBC and Channel 4 based on access to the material. Al Jazeera paid 60k British pounds. BBC paid 100k, Channel 4 160k. Again, we couldn’t prove any of it went to Assange.”

But if Wikileaks were the anti-American warriors they say they are, why not simply do the obvious. One site wrote, “this is getting ridiculous. Why doesn’t Wikileaks just host all their content in a Git repository and use GPG to sign their releases? Then it would be impossible to take down the site, and anyone could easily spin up a mirror.” Maybe because if you allowed anyone to clone a digitally signed document into Git repository then you couldn’t sell exclusives. What would the intemediary do?

Instead there’s one monolithic distribution site which isn’t decoupled from their submission network. The site is frequently down during a fundraiser, and due to how they run it other people can’t easily directly contribute resources to run mirrors of the site.

I’m beginning to think that Wikileaks is not as interested in actually getting leaks out as it is furthering Julian Assange’s personal indispensability.

Former Wikileaks associate John Young basically accuses Assange of “selling classified information” for profit on New York’s WABC Radio. “I think it is a money-making operation, no doubt,” Young said of WikiLeaks. In his view, Assange is no different from a fence.

Asked specifically whether he was charging WikiLeaks with selling classified information and documents, Young replied, “Yes.”

Klein then asked, “When you were at WikiLeaks initially, was your impression they were trying to sell information?”

Young responded, “Well, it only came up in the topic of raising $5 million the first year. That was the first red flag that I heard about. I thought that they were actually a public interest group up until then, but as soon as I heard that, I know that they were a criminal organization.”

But proving the crime may prove harder than it seems. Interestingly enough, Assange can try to defend himself by using the Xbox defense. He can claim he didn’t know where the information came from, thus only committing half a crime. It required someone with classified access to complete the crime. With his broken chain of custody, how was he to know?  In this, the use of insecure digital signatures would a plus for Assange. It would be hard to prove he knew where the information was coming from. The Australian Broadcasting Corporation describes the problem Bradley Manning is facing.  Prosecutors can show he knew he was committing a crime. But Assange can claim to know nothing.

Federal prosecutors are looking for any evidence that Assange conspired with Manning or somehow was an accessory before the fact. They want to prove he was more than a passive recipient of the documents. Did Assange encourage Manning to extract classified military and State Department files from a government computer system?

Without seeking to help the US construct its case, the problem for us is how would Assange have been able to identify Manning as a possible source of information, deep as he was in the bowls of the US defence department? Assange, even at that time, had a significant public profile, it is far more plausible that Manning contacted Assange and in which case it was not about arranging a game of squash but to sound out Assange on the material that Manning had access to and was capable of downloading.

The New York Times has already noted that “By bringing a case against Mr Assange as a conspirator the government would not have to confront awkward questions about why it was not prosecuting traditional news organisations or journalists who also disclosed information the government said should be kept secret….

Like the man who made the Xbox mods, Assange could claim you needed to insert the disk to consummate the crime. Simply operating a website to receive information and possibly sell it to whoever was credulous enough to buy it wasn’t by itself a crime.  That would leave Bradley Manning holding the bag and Julian Assange counting the bucks — for now. In fact Assange’s critics ask how do you know the money you are sending to Bradley Manning’s defense through Wikileaks actually gets there? It’s the same lineage and custody problem as on the information side of the equation.  Bradley Manning’s site writes:

Immediately following Bradley’s arrest in late June 2010, the whistle-blower website Wikileaks publicly solicited donations specifically for Bradley’s legal defense expenses. In July 2010, Wikileaks pledged to contribute a “substantial amount” towards Bradley’s legal defense costs. Since Bradley’s selection of David Coombs as his civilian defense attorney in August 2010, the Bradley Manning Support Network has unsuccessfully attempted to facilitate the pledged Wikileaks contribution.

“We understand the difficult situation Wikileaks currently faces as the world’s governments conspire to extinguish the whistle-blower website,” explained Jeff Paterson, Bradley Manning Support Network steering committee member and project director of Courage to Resist (www.couragetoresist.org). “However, in order to meet Bradley Manning’s legal defense needs, we’re forced to clarify that Wikileaks has not yet made a contribution towards this effort. We certainly welcome any contribution from Wikileaks, but we need to inform our supporters that it may not be forthcoming and that their continued contributions and support are crucial.”

Well if you don’t really know if the money you’re sending to Wikileaks is really being received by it and no way of knowing whether any such moneys are really sent to Bradley Manning then what can you know about its workings at all? Why should anyone believe Wikileaks are authentic anyway if nothing is known about the chain of custody?

Stuart Brand is credited with coining the phrase “infomation wants to be free”, but Brand’s entire quote is more subtle. “Information Wants To Be Free. Information also wants to be expensive. … That tension will not go away.” Wikileaks is a perfect example of that tension. Assange cannot completely be serious in claiming “information wants to be free” when he asks people to pay for it.


Link to Wretchard’s novel “No Way In” print edition
Link to Wretchard’s novel “No Way In” Kindle Edition”