Eleven years ago, when Jon Lech Johansen was a 15-year-old kid in Norway, he sat at his computer and banged out code that would become known worldwide as DeCSS, the base for a program allowing people to copy encrypted DVDs.
This was shortly before Johansen quit high school. It was before he won awards, including the EFF Pioneer Award, for his work. It was before he moved to San Francisco and became known for reverse engineering other software. And it was before he and his unidentified collaborators were pursued in Norway and the United States for cracking the copy-protection scheme on DVDs.
And it was years before a Norwegian court acquitted him of the criminal charges brought over DeCSS.
A quick survey turns up very few other precedents for the hacker-to-media-security story. So to write about the relationship between the two, we have to ask whether Johansen's case taught media companies anything about hackers, security, and content.
Media companies, as we know, have a lot on their plates right now — shrinking ad sales, revenue loss, hemorrhaging readership, job cuts — but there’s another problem that doesn’t often get talked about (at least not in the editorial departments). That’s this: Have media companies invested enough in the skills and expertise to operate effectively in the digital age?
Last week, we wrote about a loophole in The New Yorker’s paywall. To determine whether a user who “hopped” over a paywall, either by editing code or by guessing a password, would be in legal trouble, we turned to Louis J. Alex, a copyright lawyer at Cook Alex Ltd., a Chicago firm specializing in intellectual property and technology law.
Alex agreed to speak in general terms about future anti-circumventing litigation. Here’s what he said: “Whether or not something would be unlawful would be a very fact-intensive inquiry.”
Meaning, we can infer, that the evidence of what was done and the intent behind it will weigh heavily in any case brought against someone who circumvents a paywall.
We had some tense conversations about how specific our details about the paywall's inadequacies should be; after all, 2600, the magazine that publicized Johansen's DeCSS, was successfully sued by the movie studios for doing so. Programmers we talked with varied in their opinions, ranging from the take-the-big-media-company-down argument to the let-them-know-and-help-them-fix-it strategy.
Carole Theriault, a senior security consultant with Sophos Ltd., said, “Once they have fixed the problem, then you publish your story. You could also agree on a time for publication with them. If you play ball, they might give you a quote.”
It’s important to note that The New Yorker didn’t actually write this code. It seems that they outsourced the software development to an Australian company called Realview. We sent off messages to both The New Yorker and Realview and are waiting for a reply.
For now, here’s a taste of our findings:
The first file contains the encryption and decryption code. It has been obfuscated, a common practice that makes the code harder for a human to read. But obfuscation is not a security measure: the reader's browser has to execute this code to display the article to a subscriber, so everything the code needs, including the decryption routine and whatever key it uses, is delivered to every visitor and can be recovered by anyone willing to read through it.
We showed this to a few programmers, and the consensus wasn't good. Essentially, the paywall is so poorly designed, to the point of being amateurish, that The New Yorker might as well not have one up. The way to build a secure system is to enforce access on the company's server, before the content is sent, rather than in code running on the reader's machine: anything that reaches the browser is in the reader's hands, whether or not a script is supposed to keep it hidden. This is true for any type of media, whether it's music, movies, or writing. That the entire digital archive is hosted on Realview's servers makes the vulnerability worse, because Realview was in a position to gate the content there and didn't. Unfortunately, this isn't a bug that can be patched in a day; the fix is moving the access check and content delivery to the server, which could take weeks.
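To make the client-side versus server-side point concrete, here is an added toy model of both designs. It is constructed for this article and is not code from Realview, The New Yorker, or the paywall discussed above; the key, the session id, the article text and the cookie name are all made-up values, and the cipher is a short RC4 routine chosen only because it is symmetric and brief. The obfuscation step (hex-encoding and reversing the key) stands in for whatever transformation a real script might use.

```javascript
// Added example: a toy model of a client-side "paywall" versus a server-side one.
// Everything here is constructed for illustration; it is not Realview's or The
// New Yorker's code. The key, session id and article text are made-up values.

// Minimal RC4 keystream cipher. Chosen only because it is short and symmetric
// (the same call encrypts and decrypts); the cipher's strength is irrelevant
// to the point, which is where the key lives.
function rc4(keyBytes, dataBytes) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = [];
  let i = 0;
  j = 0;
  for (const byte of dataBytes) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out.push(byte ^ S[(S[i] + S[j]) & 0xff]);
  }
  return out;
}

const strToBytes = (s) => Array.from(s, (c) => c.charCodeAt(0));
const bytesToStr = (b) => b.map((x) => String.fromCharCode(x)).join('');
const bytesToHex = (b) => b.map((x) => x.toString(16).padStart(2, '0')).join('');
const hexToBytes = (h) => (h.match(/../g) || []).map((x) => parseInt(x, 16));

// --- Design 1: protection on the client (the design criticised above) ---

const ARTICLE_KEY = 'demo-key-shipped-in-script'; // hypothetical fixed key

// What the CDN sends to EVERY visitor: the whole article, encrypted, plus the key
// lightly hidden (hex-encoded and reversed). That transformation is obfuscation,
// not access control: the script must undo it to render for subscribers.
function buildClientPayload(articleText) {
  return {
    ciphertextHex: bytesToHex(rc4(strToBytes(ARTICLE_KEY), strToBytes(articleText))),
    k: bytesToHex(strToBytes(ARTICLE_KEY)).split('').reverse().join(''),
  };
}

function deobfuscateKey(k) {
  return hexToBytes(k.split('').reverse().join(''));
}

// The shipped script as designed: decrypt only if a "subscriber" cookie is set.
function clientRender(payload, cookies) {
  if (cookies.subscriber !== 'yes') return 'Subscribe to read the full article.';
  return bytesToStr(rc4(deobfuscateKey(payload.k), hexToBytes(payload.ciphertextHex)));
}

// The same script with the cookie check deleted: everything it needs was delivered.
function bypassPaywall(payload) {
  return bytesToStr(rc4(deobfuscateKey(payload.k), hexToBytes(payload.ciphertextHex)));
}

// --- Design 2: protection on the server ---

const VALID_SESSIONS = new Set(['sess-42']); // hypothetical session store

// The server decides before anything leaves it. An anonymous visitor's browser
// receives only the teaser; there is no payload to decrypt.
function serverFetchArticle(sessionId, articleText) {
  if (!VALID_SESSIONS.has(sessionId)) {
    return { status: 402, body: 'Subscribe to read the full article.' };
  }
  return { status: 200, body: articleText };
}

// Demo when run directly.
const demoText = 'Constructed article body: the full text of the piece.';
const payload = buildClientPayload(demoText);
console.log('client-side, no cookie :', clientRender(payload, {}));
console.log('client-side, bypassed  :', bypassPaywall(payload));
console.log('server-side, anonymous :', serverFetchArticle('none', demoText).body);
```

The two designs differ in what an anonymous visitor's browser ever receives. In the first, the full article and the means to decrypt it are sent to everyone and only a check in the visitor's own browser stands in the way, so `bypassPaywall` needs nothing that `clientRender` did not already have. In the second, no amount of editing the client script helps, because the text was never sent; that is why the fix described above is a redesign rather than a patch to the script.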
To make matters worse, this affects not only The New Yorker but also any of Realview’s client publications using the paywall code — which is pretty much all of them.