The long, sad tale of cphack

from TBTF for 2000-03-31

Matthew Skala & Eddy Jansson release cphack package
Mattel sues Skala & Jansson and their ISPs
Judge grants temporary injunction
cphack mirrored across the Web
Lawyers begin emailing threats, spampoenas
Judge grants permission to deliver subpoenas by email
TBTF breaks news that ACLU will defend the Peacefire Three
ACLU announces same
Skala and Jansson settle, turn over all rights in cphack to Mattel
Judge makes (moot) injunction permanent
Wired says cphack was GPL'd
Skala's, Jansson's postings deny GPL status

Breakers of Cyber Patrol get sued and settle on Internet time

To paraphrase Lewis Carroll, the tale of "cphack" is long, but it is very, very ugly.

On March 11 two young programmers, Matthew Skala (a Canadian) and Eddy Jansson (a Swede), released [1] on the Net a package of programs and a technical paper titled "The Breaking of Cyber Patrol 4." The package came to be called "cphack," after one of the programs it contained. The document described how the programmers had reversed the protections surrounding the popular Web content filtering program and its list of blocked sites. Using the software in this package, anyone with a copy of Cyber Patrol could generate the entire block list.

The exposure of the block list caused major embarrassment for Microsystems Software Inc., publisher of Cyber Patrol, and its parent company Mattel. The list bared the product's shortcomings and its peculiar and arbitrarily overzealous filtering. (In fairness, Cyber Patrol's blocking list isn't as skewed as those of some other [2] censorware programs; at least it has no discernible political bias [3].) Librarians and other rowdies were heard to mumble that Cyber Patrol's customers ought to be able to see what sites it blocks.

Perhaps the Cyber Patrol programmers too were embarrassed by the demonstrated weakness of its protections. They needn't have been; as Bruce Schneier frequently points out, crypto is hard. Designing good crypto requires the skills of a trained mathematician, which few programmers possess.

To the surprise of many, Mattel sued [4] the programmers and their ISPs, claiming that the software violates US copyright law. (In the past when censorware programs have been broken, the filter developers have simply released a new version that thwarts the attack. In addition, sites distributing the exploit were usually added to the block list.) In a further surprise, Mattel quickly won a temporary injunction [5] from U.S. District Court Judge Edward F. Harrington, with no lawyer present to represent the defendants.

How, you may ask, can an American court enforce an order on Swedish and Canadian citizens and/or ISPs? It didn't have to; they voluntarily took down the enjoined material. The package, for which the press had begun using the shorthand "cphack" (the name of one of its programs), was quickly mirrored on dozens of sites across the Web [6].

Mattel's lawyers began emailing threats, and even subpoenas, to mirror sites and others [7]. In an extraordinary action, little remarked in the rush of the case, Judge Harrington had granted Mattel's attorney permission to deliver subpoenas by email [8]. Again, no defense attorney was present to argue the obvious issues of authentication and guarantee of delivery. I dubbed these john-doe emails "spampoenas" [9].

On Friday March 24, the ACLU announced [10] that it would defend three mirror-site operators, associates of the anti-censorware site Peacefire, who had received spampoenas. TBTF broke this news to the world on Thursday evening [11] and dubbed the not-quite-defendants the Peacefire Three.

In a one-hour hearing on Monday March 27, Mattel's attorney announced that Skala and Jansson had settled and turned over all of their rights in the cphack package to Mattel [12]. The ACLU defense team, who had no advance notice of the settlement, successfully argued that any restraint on cphack should not immediately be applied to their clients. Two days later the judge made the temporary injunction against Skala and Jansson permanent [13] (even though it was now moot).

Earlier this week Wired Magazine claimed [14] that the cphack package had been released under the GNU Public License, and therefore the mirror sites -- who were granted rights of unlimited use and distribution under the GPL -- were forever beyond Mattel's reach.

Read Skala's [15] and Jansson's [16] statements after the settlement. Cphack was not released under the GPL.

