The C-32 bill before parliament this session is a reboot of the failed C-61 bill we saw die after Parliament’s dissolution in 2008. While the bill has come a small way to providing a fairer balance between industry and consumer interest there is a glaring flaw in the digital locks provision that nullifies many of these balances.

The Bill makes it illegal to break a digital lock, period, regardless of who you are or what you are doing. You may ask, “But picking locks is wrong, of course it should be illegal?”. That type of knee-jerk mental reaction is off base and wrong, here’s why.

C-32 allows for individuals to copy and transfer copyrighted contents for private use, which means you’re going to be able copy that song you bought online to a CD or your ipod or whatever new fangled device you buy in the future. You bought the song you’re allowed to copy it for your own use. UNLESS, the company you bought it from puts a digital lock on it. See you still have the right to copy it, but  in order to be able to copy it you need to break that digital lock first, the breaking of the lock is illegal even though why your breaking it is not.

Another example would be a librarian or educator, C-32 makes specific provisions in the bill for these professions to use copyrighted material, to store, copy and remix it for educational purposes. However if you’re trying to access or remix a video for a project in a Digital Arts class, or catalog and archive a digital work that’s fallen out of copyright you are stopped if the provider used a digital lock. While again these uses are perfectly legal and right, you can not exercise that right b/c of the digital lock, no matter what your purpose the act of breaking of that lock is illegal.

Finally, just a few years ago the NBA.com spent a few years selling downloadable versions of it’s games that were digitally locked. Every time you copied your legal purchase to another computer or had to reinstall Windows your digital lock had to be re-verified by an NBA.com server. This system was eventually replaced with newer technology and the lock verifier was removed. Users who had bought videos, paid money for the right to have them on their computer and to watch them as many times were suddenly unable to. Without the server they could not copy the videos to a new computer when their old one died, they could not watch them after they got a virus and had to reinstall windows, b/c the lock was broken and stuck in the locked position they could not enjoy what they had bought. Under the old law users effected by this in Canada found and shared ways on the NBA forums to remove the digital locks, this was legal b/c the act of breaking the lock was not illegal, and they had to legal rights to the content behind the lock.

I’ll cut my examples short at that, but you can be sure I have at least three more good ones just off the top of my head.

The main problem with C-32 is this digital locks provision. We need to look to the physical/real world for our guidance here. It’s not breaking the lock that should be illegal it’s whether you broke that lock for an illegal purpose. I speak from experience, as a Network Specialist I personally break digital locks all the time, I do so with a high ethical standard and for the purpose of giving access to owners who locked themselves out of their own computers or networks. Even having these tools in my bag would become illegal under this bill, I’m a professional and I wont’ even be able to do my job without breaking a ridiculous provision in C-32.

If you put your CD collection in a box and locked it you would be perfectly fine to break that lock when you lost the key. So why would you want a law that made the digital equivalent illegal.

Keith Page, Nelson BC

It really surprises me when some people can continue to take their personal creativity to new arena’s.  At times I struggle to simply understand new concepts in my own field of expertise. So when I see a painter experimenting with dioramas, or  stitching  stuffed robots it inspires me to push my own boundaries out.

Check out some of her other work at www.kellyshpeley.com

Recently I received a Delivery Notice in my email from deliver4@canadapost.ca, a few days passed and nothing was delivered as promised by the note. Attached to the notice was a PDF that consisted of only one page simply stating “this page is intentionally left blank”.

A call to Canada Post customer service quickly sorted the problem out, the rep informed me that it was a virus going around. Given the spat of PDF embedded viruses that were used to attack Gmail Customers in the high profile Chinese Google hacking case the blank PDF now made perfect sense, thank god I was on a Mac and not a Windows system. How many thousands of calls have they gotten and how many people are now compromised?

Part of what made this virus email look so legitimate was that the  sender successfully used the actual canadapost.ca email address. This ability to spoof a domain ( like canadapost.ca ) in email was identified years ago as a hole in email security. To plug that hole the industry introduced a technically simple way for email providers to protect themselves. It’s called SPF, it’s free, and it’s simple and Canada Post is not doing it.

dig txt canadapost.ca

; <<>> DiG 9.6.1-P2 <<>> txt canadapost.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14041
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;canadapost.ca.            IN    TXT

SPF is simply a list you publish as a DNS records. Using SPF tells the world what mail servers in the world are allowed to send mail from canadapost.ca and what a receiving provider should do if mail saying it’s canadapost.ca comes from server that’s not on that authorized list. Should that mail server reject the mail outright or should it just submit it to more intensive scrutiny, like an invasive virus scan.

Our mail servers here at Green-Light Communications look for an SPF record when receiving email, as many reputable mail provider do. When a domain owner does not publish an SPF we don’t have enough information to know when email coming from that domain is being sent illegally.

CanadaPost.ca, should publish an SPF record to protect its domain and to protect everyday netcitizens. This is a serious matter, canadapost.ca reputation has hijacked and used to help scammers steal peoples life savings. The cost to stop a re-occurrence is practically nil.

You, Canada Post, Government Corporation Extraordinary have a responsibility to act with diligence.

Keith Page
CIO, Green-Light Communications Inc.

We’re slated to be fully completed and moved in by May 1st, 2010, before and after pictures will hopefully be posted shortly after.

HOW TO: Use Google Desktop as a Centralized Server

You will need:

• DNKA – Google Desktop Proxy
• Google Desktop 4.2006.627 (newer version won’t work with DNKA )

1. Download and install Google Desktop.
2. We’re mapping a network drive so we add the following to our login.bat script, or we create a login.bat and place it startup, however you want to do this.
   Dirty Code
   
net use /delete * /y
subst z: "E:\netshare"


   The reason is we want to map our local location to be the same drive as the client computer. We use Subst b/c it creates a drive letter that will match our clients drive letter, b/c it’s a substitute path windows will access it natively and not over the network stack, consuming much less resources.

3. Right click on your Google Desktop icon and visit Google Desktop in a browser. Click “Desktop Preferences” and under “Don’t Search These Items” enable all you local drive except the Z drive we made earlier. Not seeing the z drive … did you run you bat file?
   • Copy  the url that google takes you to initially, http://127.0.0.1:4664/?s=xxxxxxxxxxxxx, you need the xxxx part to give to your clients.
4. Next we install DNKA and run through the defaults with that. They should all be acceptable.
5. Finally we need a user logged in for google desktop to work. So we enable auto login for this computer/server. Choose a user that has only the permissions the majority of your staff use, if you have protected folders under the index drive and you login as Administrator those users will see those file, they will see cached copies of them within google desktop. Either add them to the don’t index list or auto login as a more restricted user.
   • Open Regedit
   • Goto : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   • Open/Create : DefaultUserName – Enter your username
   • Open/Create : DefaultDomain – Enter your domain if you have one
   • Open/Create : DefaultPassword – your password
   • Open/Create : AutoAdminLogon – set to 1
6. For good measure I also set the screensaver password lock and set the timeout to 1 minute. So the screen will lock pretty quickly after a reboot.
7. Lastly take the url you saved in 3 and change the 127.0.0.1 part to the ip or host of the machine you installed google desktop onto. http://theserver:4664/?s=xxxxxxxxxxxx, give this to you users and have them bookmark it. You’re all setup.

After the administrator left a local company Green-Light was called into to regain access to the domain and domain controller. Nothing really malicious occurred here but there were password issues after this staff member left and the organization was left without a local admin password and without the admin password for Active Directory.

Too many organizations find themselves in similar positions at one point or another. I wanted to outline how to recover from this problem.

Attached is a simple script that we’ve made to incorporates the instructions found at Geeks are Sexy. The purpose of this script is to setup a service that will change your domain admin password to ABcd123456.

• Reboot, hit F8 to start in Directory Service Recovery Mode, Login as the Local Admin on the System.
• Download FixPass.zip, Extract and Execute “start.bat”
• The script will setup a service and start a 60 second countdown before rebooting the system.
• When your done your password will be ABcd123456, if you need to change that modify the FixPass.reg file before you run the start.bat script.

**Note: In this particular case we were also locked out of the local admin on the system. Being that the system was running off a RAID controller our handy NT Offline Password tool did not work. A nice side option is to use the Ubuntu Live CD to boot the system. Once started you can download the source for the NT Offline Password tool and run it directly from an ubuntu terminal to reset your local admin.

• Click Thunderbird > Preferences > Attachments
• Select “Save files to..” click “Choose..”
• Hit COMMAND+SHIFT+G and type in /tmp , Hit GO and then Open
• Switch back the toggle back to “Always Ask me where to save files”

Now when you open attachments they will go to the /tmp folder.

Most times a domain squatter will pick up one of these domains and advertise something benign something totally harmless like backpacks, school supplies or baby products. Although they can also host not so benign material. The particular domain squatter that grabbed this domain decided on some rather obscene content instead. The former holder being a family oriented business was shocked when customers started calling and asking why some web searches were taking them to this material.

In hurried panic we were brought in, our first step was to establish trademark rights. Did the customer own the trademark to the name itself? A little bit of digging and the whirl of our fax machine shortly produced a collection of legal documents showing the customer in fact owned the trademark completely and outright. The problem now seems like an easy win. Contact the domain holder, present the documents showing trademark, and pay their modest ransom fee to re-obtain the domain. As we found out, not so easy.

CIRA has decided recently to offer domain privacy as an option. On it’s face this is great, it stops you from being spammed, it stops other registries from sending the less tech savvy domain holders misleading renewal bills. However these protection must be balanced with the legitimate need of the Public to know who is behind a particular domain. For instance, the if domain operator has registered a domain in bad faith and is damaging the trademark holders name and reputation with obscene content one needs this information in order try and resolve the problem in  any method short of a full blown lawsuit.

Going to the Registry of the domain obviously get’s you sent back to CIRA, which does offer a privacy bypass contact form on their site. Using this form you may contact the domain holder, without any of their information being revealed. The form even says that if the domain holder does not respond to contact CIRA after two weeks.This seems like a very fair and balance solution, it protects the majority but seems to indicate that one can still obtain the information if required through a two week waiting process and by going through CIRA directly.

After waiting those two weeks and getting no response we just found out that this is in fact a farce. We received this response from CIRA today.

“Individual registrant information is always private and will not be given out. You can try again to contact the registrant and hopefully they will reply. You message will be again forwarded to the Registrant’s Administrative Contact but CIRA cannot guarantee that messages will be read, and/or responded to.”

It appears that CIRA was not all that enlightened in doing it’s public duty. I’m not quite sure why they bother to even invite us to contact them after two weeks. It seems obvious that while a domain holder has a right to some privacy they also have an obligation to respond to these contacts, and if they fail to do so then they waive that right to privacy. Just as one can do a search in the public registry for who has registered a trademark, or corporation name, so too should one be able to search for who owns a domain.

Allowing domain holders to hide under a complete veil of secrecy invites all sorts of problems. As I stated earlier barriers to this information are fine and very much correct, but complete obstruction undermines the fact that this is ultimately public information. .CA is a domain property owned by Canadians, CIRA is a government body in charge or registration, and most importantly domains are publicly accessible portals.

We have a right to be able to know who is running these portals, and we shouldn’t have to resort lawsuits just to find out who is damaging a trademark. Why are we protecting the needs of domain squatters over the needs of legitimate business? Balance CIRA, balance!