Legal status update

19Aug08 by: Tony
Pavig Lok’s “Intellectual Property Garden”
Original image by Pavig Lok

After having been served a legal notice by LanSchool, the matter has since been resolved; rather quickly at that.

I would like to personally thank Greg Wilson and Jon Erickson for helping us greatly with this issue; and I’d like to extend this thanks to Anthony Aziz, David Crow, Gianni Chiappetta, and everybody else who helped out, gave advice, or simply offered support. You guys are great!

Since we posted the original legal notice that we received, it’s only fair to continue the process of openness and transparency.

Computer Science Canada (“CompSci.ca”) and myself have always respected the intellectual property of others and taken steps to remove any content we believe to be in violation of Canada’s intellectual property laws. However, we also respect Fair Dealings and freedom of speech and will not remove content from our site when we believe it is not infringing or is covered under fair use, which I believe to be the case in this incident. As such, we are not prepared to censor the review, author’s opinions, or comments. Nor are we prepared to destroy the intellectual property of the author, in the form of the proof-of-concept source code and the compiled application “LanSchooled”.

Emphasis added.

Lawyers were dropped and this kicked off an email discussion, which is now posted on the wiki page that sparked this ordeal. The issue was quickly resolved, and both sides reconciled.

take notes
Image cropped from: kishimoto

I’ve also learned a few things from this experience.

  1. This community rocks! Seriously.
  2. Legal letters mean someone is angry enough with you to spend money on a lawyer. It’s not yet a reason to panic, but take caution. Which leads me into the next point:
  3. A serious letter calls for a serious response. I get this feeling that LanSchool might not have completely intended what was said in the letter, and that some of the “standard issue” legal scare tactics simply slipped in past the review. Though accountability goes both ways, so one should be prepared to take responsibility if their legal construct is not sound.

EFF coder’s rights logo

A number of useful resources came up during the research of the situation. So if anyone else is getting in trouble over similar issues, take note.

  • onlinerights.ca — “Online Rights Canada (ORC) is a grassroots organization that promotes the public’s interest in technology and information policy.”
  • eff.org — “EFF is the leading civil liberties group defending your rights in the digital world.”
  • and an exceptionally specific EFF’s coders’ rights project — “protects programmers and developers engaged in cutting-edge exploration of technology in our world.”

And as promised, since this issue did not escalate to a lawyer-wielding fight, we’ve given the received donations, all $18.22 of them, to EFF.

donations redirected to EFF

The matter seems to have been resolved. See the followup post here.

It appears that Dan, myself, and all of the Computer Science Canada community are being threatened with legal actions, courtesy of LanSchool — classroom management software that monitors students’ activity (“now available with USB Limiting and Keystroke Monitoring”).


It seems the cause for concern is this 2 year old review of their software.

Please note that the author of the review and questioned software, Dan, is dyslexic, so excuse the spelling, where applicable.

This page detials a proof of conspect expolite of the lanschool program. CompSci.ca and Hacker Dan do not support, condone or recomend the use of it in real life (So don’t send us e-mails asking how to get it working or how to hack your schools network). Also since this expolit was found and lanschooled was created, lanschool has upgraded there software so it may no longer be expolitable from the attack desrcibled on this page.

The security flaw, revolving around insecure communication channels, was first diligently reported to the software’s developer, along with suggestions for a fix. The response essentially stated that the security should be enforced at the school-student level, citing “suspension”. So after some time, the review (along with a proof-of-concept application) was published online.

It seems that in the last two years LanSchool has released a new version of their software, claimed to have fixed the published security issue, but has now decided to threaten legal actions anyway.

Claims include:

  1. “unauthorized use of its trade-mark” — even though they have no registered trademark in Canada.
  2. “unauthorized use of its logo” — using their logo to refer to the company should fall under fair use.
  3. “In other postings you offer detailed advice about how to use “LanSchooled” to breach the security inherent in our client’s software.” — but earlier in the document they stated “you identified and made LanSchool aware of a potential security flaw in LanSchool version 6.5 (which does not exist in the current version 7.1).”
  4. “you describe our client’s software as a “trojan horse type program that is used by many school boards in Ontario to spy on their students as well as controlling one or all computers in a given lab … LanSchool has many flaws in its design, and thus many security holes….”” — this would amount to defamation only if the statement was untrue. Though considering that LanSchool is designed to allow remote access to the system, to monitor and log activity, I feel like that is an accurate description. Furthermore, LanSchool’s #1 FAQ question is:

    My Anti-Virus software is reporting LanSchool as a virus, what should I do?

    Suggesting that the LanSchool software indeed acts in a manner similar enough to a malicious program, to trigger some Anti-Virus applications. The flaws in the design were demonstrated by the proof-of-concept application in question, and were true at the time of publication.

  5. “It is evident that you have intentionally set out on a course to harm our client’s software and business.” — absolutely not. The original review explicitly states that “This page detials a proof of conspect expolite of the lanschool program. CompSci.ca and Hacker Dan do not support, condone or recomend the use of it in real life”. Once again, the company has been made aware of the issue well before the publication.

The demands include:

  1. Removal of the critical review of their software.
  2. Destruction of author’s intellectual property, in the form of the proof-of-concept application.
  3. Not making use of any of LanSchool’s software in the future.

What I find interesting in this legal document, is that it asks:

We must caution you not to destroy any records, electronic or otherwise, including website records and logs, and copies of the software in your possession…

Directly contradicting their demand to “destroy under oath all copies, whether in print or electronic, of your “LanSchooled” software”. I’m not sure what to think of this.

Since they were aware of the issue for quite some time, I’m not sure why it took them 2 years to address the review and discussion around it. I wonder if we are their only legal target, or if this will turn into a full-scale censorship sweep that would name larger companies such as Google, for hosting a YouTube video on disabling their software (or another, this time with an anti-virus.)

I believe it is within our right to publish critical reviews of software products, and so we plan on getting a lawyer to consult with, in order to defend the author, the community, and the right to critical review in Canada.

In the meantime you could leave us a comment with advice, or let LanSchool know what you feel regarding this issue. PayPal donations towards our legal fees will be appreciated. In the event that LanSchool does not proceed further with legal action, any unused donations will be donated to EFF.org — “the leading civil liberties group defending your rights in the digital world.”


inject
Original image by Dirty Bunny

Rogers, one of the two major Canadian Internet Service Providers, has been busy exercising their position of power. Again. After injecting content into HTTP webpages for half a year, Rogers has moved on to hijack DNS as well, replacing “not found” responses with pages full of ads. Though why stop there? The Internet comes with many more communication protocols; plenty of opportunities to disrupt expected responses and inject unwanted ads into someone else’s content. All in the name of extra profits.

This is a hypothetical visual study of possible implications. All images below have been edited. It is not the point to single out Rogers; it’s just that they’ve started the trend that users disagree with. The point is that users should disagree with such actions. While not everybody might care about occasional unresolved lookups, there are other services that could be targeted next.

MSN, Yahoo, XMPP (and other) IM protocols

This one might be hitting a lot closer to home, for some, than seeing ads on “missing webpage” responses; even though it’s a similar concept. Only this time in your Instant Messenger. Every once in a while one would send a message just as the contact goes offline… more commonly it’s busy/away/whatever status… so many options to take advantage of!

mockup ISP IM injection

WHOIS

WHOIS is a query/response protocol used to look up information about a domain. It would be easy to inject some plain-text advertising, along with the requested information. While only a small subset of the internet population uses this protocol, it is also a very specific demographic to be targeted with offers regarding domains and other web-related products.

mockup ISP whois injection

RDP — Remote Desktop

While technically the data is encrypted, as it should be, it seems that older clients might use weaker protection schemes and be vulnerable to man-in-the-middle attacks. ISPs often happen to be in the middle. If one’s entire desktop is streamed over the internet, why not supplement some of the experience with sponsored offers?

mockup ISP remote desktop injection

BitTorrent

Actually a lot of ISPs already treat BitTorrent traffic in a special way. Though instead of annoying users with injected downloads and making money, ISPs often unfairly throttle this protocol, annoying users for free.

mockup ISP bittorrent injection

And more!

  • POP3/SMTP — inject ads into emails!
  • RTP — manipulate streaming audio/visual content.
  • IRC — similar to Instant Messaging.

The good news is that we are not there, yet. The bad news is that not enough people seem to be aware of this creeping trend. The worse news would be similar tactics catching on in other communication mediums.

In a way an Internet Service Provider is very similar to a Postal Office. Their services are purchased in order to deliver data. Now imagine Canada Post (or FedEx or UPS) operating in a similar manner. It would be like reverse censorship — instead of taking content out, they’ll be putting more in, along with your original package. I doubt they will get away with such practices for long.

a cat opening a mail envelope
Original image by arbyreed

Is it because snail-mail letters are sealed in envelopes, that we expect them to be delivered without tampering (HTTP page content injection)? And similarly expect a certain level of privacy, instead of getting a package full of ads on topics of “return to sender” mail (DNS hijacking)? And that we expect any letter, regardless of content, having paid equal postage, to be delivered at a similar level of service (BitTorrent throttling)?

Perhaps we’ll need to start placing our internet packets in envelopes as well. Some people think we should encrypt all internet traffic. Besides implementation and adaptation difficulties, this would also add additional strain to the networks… but at least it would help ISPs to stay more honest. I just hope that we will not be forced to do it this way.


About -- in detail

Tony Targonski is a student at the University of Waterloo, pursuing a degree in Computer Science. This programming blog explores computers in education, career, and personal lives of students, teachers, and those interested in any of the above.

