My former employer, MetaMachine, is retiring from the P2P industry. I think Sam makes some very good points in his testimony to the Senate Judiciary Committee:
First: Because the Grokster standard requires divining a company's "intent," the decision was essentially a call to litigate. This is critical because most startup companies just don't have very much money. Whereas I could have managed to pay for a summary judgment hearing under Betamax, I simply couldn't afford the protracted litigation needed to prove my case in court under Grokster. Without that financial ability, exiting the business was our only option despite my confidence that we never induced infringement and that we would have prevailed under the Grokster standard.
Second: The court specifically cites that Grokster's marketing to "former Napster users indicates a principal, if not exclusive intent to bring about infringement." Is this really proof of intent to induce infringement? Does this mean that every advertiser that has advertised in the eDonkey software also has a similar intent? I should hope not, because last summer the campaigns of both President Bush and Senator Kerry ran advertisements on eDonkey. Were they really both courting the "swing infringement vote" or could they have had some other "intent?"
My final point on Grokster is that its inducement standard cannot serve as a long-term equilibrium. Imagine if since eDonkey's inception not only had we not made any statements inducing infringement - but also that we made no statements at all - and instead simply put up a website that read "eDonkey is a peer-to-peer file-sharing application." It seems to me that would not qualify as "affirmatively and actively inducing infringement." If we had never made any other statements would we be in the clear now? If so, new P2P applications will inevitably spring up and easily satisfy Grokster in this way. If we would not be in the clear then the effect of Grokster will go far beyond merely chilling innovation - it will almost certainly freeze it in its tracks.
He wraps up by making a few additional points, one of which is the increasing pressure that innovators are under to do business outside of the US:
As it is, many companies and would-be entrepreneurs simply cannot be sure of where they will stand with respect to the law. As you know, eBay recently acquired the P2P company Skype for more than two billion dollars. Note that Skype was founded offshore; it would be a real tragedy and a blow to our economy should all technology entrepreneurs take their innovations offshore.
In the past decade or so, I've observed an increasing tendency for big businesses to depend on litigation rather than innovation in order to remain relevant. Microsoft, the MPAA, the RIAA, etc., are all guilty of this. I suppose it's the path of least resistance, but it's really hurting the US's position as the technology leader. In fact, I'm sure some would argue that the US has already lost that crown.
If you missed Terry Chay's OSCON talk this year, you're in luck - he has made the talk temporarily available from his web site. Because Brain Bulb has plenty of bandwidth and disk space, I offered to host the video there, so that it has a permanent home:
The video is great - it's really almost as good as seeing the talk live, because you get to see Terry speaking as well as his slides (the slides are shown every time there is a transition or some of Terry's famous Keynote magic happening). I guess it helps that Caitlin happens to be an expert at this video stuff. :-)
Here is Terry's original abstract:
This talk hopes to answer: What do we gain by Remote Scripting? What do we lose? How does one implement it? What is the XMLHTTPRequest object? What are the pitfalls of Remote Scripting? Why do I hate all browsers?
I'll be speaking at NYPHP tomorrow night (Tue, 27 Sep 2005). Directions and other details are available on the web site. If you're in (or near) New York, I hope you'll join us.
I'm also going to be speaking at BostonPHP next week (Thu, 06 Oct 2005). I've never been to Boston, so it should be fun.
Google is now redirecting users to My Google (or "Personal Home" or whatever they call it) if you happen to be logged in. I'm not a big fan of this behavior, but there's a link at the top to return to Classic Home, and this preference is persistent. It's still a bold move for a site that has a solid reputation for simplicity.
If you Add Content and choose Create a Section, you can search for content to add to your personal home. I was happy to see my blog listed for php security:
Chris Cornutt (enygma), of PHPDeveloper.org fame, finally has his own blog. In his words:
I figure that being able to express things here (without having to worry too much that people won't think it's news) will be a nice change. There's been a lot going on in the PHP community - really the web as a whole - and having more of an open forum to express some ideas about it all will be a nice change of pace.
Are you subscribed?
For those of you who visit my personal web site, you'll notice that things look a bit better. Thanks to the design talent of Amy Hoy, both shiflett.org and brainbulb.com have had a bit of a makeover.
This has actually been finished for a while, but I've been far too busy to deploy it. I expect quite a few things to be broken, but I'll hopefully have everything running smoothly again in a few days.
Now it's time to redesign the code. :-)
I gave three talks at this year's phpworks conference. The most popular was PHP Security by Example, a talk that consists entirely of exercises. This approach is unique in the sense that the focus is on first exploiting vulnerable code and then fixing it. I think seeing how easy some exploits are gives people a better appreciation and understanding of the safeguards.
The slides are available in PDF and Flash format:
I'll post the slides to the other talks soon.
A little over a month ago, I finally finished writing Essential PHP Security, a guide to secure PHP programming that I've been working on in my spare time for quite a while.
I'm really happy with the results. The people at O'Reilly have been great to work with, and I was lucky enough to have some of the best technical reviewers an author could ask for (Adam, David, George, and John). The result is a lean 150-page guide that covers what I feel are the most important topics with which a PHP developer should be familiar.
The book is due to be published in October (in time for the Zend PHP Conference and Expo), but you can buy it from Amazon today. As Adam jokingly suggests in his infamous email signature, "avoid the holiday rush - buy your copy today!"
I focus on Apache and MySQL, but the principles apply to any platform. In fact, web developers using languages other than PHP might learn something. I hope so. :-)
Each chapter focuses on a specific category of PHP development, and you are shown the most common and dangerous attacks associated with that particular category. Here is the final table of contents:
Foreword by Andi Gutmans
Defense in Depth
Simple Is Beautiful
Balance Risk and Usability
2. Forms and URLs
Forms and Data
Semantic URL Attacks
File Upload Attacks
Cross-Site Request Forgeries
Spoofed Form Submissions
Spoofed HTTP Requests
3. Databases and SQL
Exposed Access Credentials
4. Sessions and Cookies
Exposed Session Data
Exposed Source Code
6. Files and Commands
Traversing the Filesystem
Remote File Risks
7. Authentication and Authorization
Brute Force Attacks
8. Shared Hosting
Exposed Source Code
Exposed Session Data
A. Configuration Directives
I plan to launch a companion web site in time for the book's publication, and I will post code samples (I created a few utilities in order to demonstrate some attacks) and aggressively keep up with any errata that are discovered.
Now, I can finally start contributing to other things again. :-) I hope you enjoy the book, and I hope it helps.