this post was submitted on 27 Jul 2023
913 points (98.3% liked)

Malicious Compliance


In 2000, I wrote a Linux device driver that "decrypted" the output of a certain device, and my company, which hosted open-source projects, agreed to host it.

The "encryption" was only a XOR, but that was enough for the maker of said device to sue my company under 17 U.S.C. § 1201 for hundreds of millions in damages.

The story got a lot of press back then because it highlighted how stupid the then-new DMCA was, and also because there was a David open-source enthusiasts vs. Goliath heartless corporation flavor to it.

Our lawyer decided to pick up the fight to generate free publicity for our fledgling company. For discovery, the maker of the device requested "a copy of any and all potentially infringing source code". They weren't specific and they didn't specify the medium.

So we printed the entire Linux kernel source code including my driver in 5-pt font and sent them the boxes of printouts. Legally they had been served, so there was nothing they could do about it.

[–] CheshireSnake@iusearchlinux.fyi 152 points 1 year ago* (last edited 1 year ago) (2 children)

So we printed the entire Linux kernel source code including my driver in 5-pt font

Please tell me you used comic sans.

[–] ExtremeDullard@lemmy.sdf.org 91 points 1 year ago (2 children)

I hope they did. Now that you mention it, it would have been an amusing twist :)

[–] TauZero@mander.xyz 84 points 1 year ago (1 children)

The year is 2025. A massive geomagnetic storm has fried all forms of technology, wiping out hard drives and solid-state drives alike, and scrambled all backup tapes. Coincidentally, a new plastic-eating bacterium has munched on all the compact discs without anyone noticing.

Humanity will rebuild...

The computer chip manufacturing pipeline has been restored, but there is no software to run them. In a dusty office previously owned by a lawyer from a long-defunct dotcom, a treasure trove is discovered. Five metal cabinets filled with paper: the printed Linux kernel source code, in 5-pt comic sans font. One brave soul will enter to transcribe. Mistakes are not an option. We all thank you for your sacrifice.

[–] LeFantome@programming.dev 23 points 1 year ago

Final twist, nobody can compile it because it uses GCC extensions that no recovered compiler supports.

[–] iks@lemmy.world 27 points 1 year ago

Printed in Wingdings + given ASCII conversion table to decipher

[–] BeigeForce@lemmy.world 13 points 1 year ago* (last edited 1 year ago)

Doubly-devilish as it’s not fixed width. Microsoft Bob would be proud.

[–] Ret2libsanity@infosec.pub 117 points 1 year ago (4 children)

I stare at Linux source code very often looking for vulnerabilities.

I unironically have printed pages out to sit down with.

The idea of having the whole kernel printed… is… fun. Lol. How would you organize it for reading? Different chapters that are the directories of the kernel code?

[–] MxM111@kbin.social 84 points 1 year ago* (last edited 1 year ago) (1 children)

Why would they organize it in any way? It was not one of the requirements… so, alphabetically.

[–] EN20@feddit.de 23 points 1 year ago (1 children)

Obviously, and we are talking per line and not per file, are we?

[–] Llewellyn@lemmy.ml 12 points 1 year ago (2 children)
[–] MxM111@kbin.social 11 points 1 year ago (1 children)

Alphabetically, per byte. It is beautiful.

[–] a1studmuffin@aussie.zone 23 points 1 year ago (2 children)

I'd love to hear more about this - do you do it professionally (for preventative reasons), as a side hobby, or as an attacker for malicious/selfish reasons? No judgement, genuinely curious as it takes a certain personality type to do this kind of work and I find it really interesting.

[–] ngdev@lemmy.world 33 points 1 year ago (2 children)

I think they just stare at it, hoping the vulnerabilities come to them in a moment of revelation. A Linux Joseph Smith, the kernel playing the part of the Golden Plates.

[–] HamBrick@programming.dev 11 points 1 year ago

The small overlap of my two largest hobbies, programming and making fun of Mormons. Perfect.

[–] morgan_423@lemmy.world 7 points 1 year ago

OP said this happened in Utah, so maybe so!

[–] Ret2libsanity@infosec.pub 22 points 1 year ago (10 children)

Professionally

My title is senior vulnerability researcher. Focus on mobile devices. That’s all I can really say without doxing too much

But the Linux kernel is always a juicy target because of the coverage an exploit there gets you.

[–] Kinglink@lemmy.world 93 points 1 year ago (2 children)

Legally they had been served, so there was nothing they could do about it.

Somehow I doubt this.

Maybe it's true, but legally I know in California you are required to do your briefs in 12-point font. While that's briefs, I would imagine evidence would be under the same banner. It definitely WOULD be illegal to do it in 1-pt font or intentionally make it unreadable. I would imagine if the other side wanted to make it an issue they could go back to the judge and he'd probably have it out with you.

Maybe the lawyers wisely replaced your malicious compliance with correctly sized print without telling you, maybe the other side didn't care.

[–] ExtremeDullard@lemmy.sdf.org 80 points 1 year ago

This was in Utah. I'm no lawyer. Maybe it wasn't legal. That's what our lawyer said he did.

[–] FeliXTV27@feddit.ch 42 points 1 year ago (1 children)

I don't think the font size matters too much in this, it's just the printing the whole source code, including a lot of not directly relevant things, and sending all of that over in a few boxes instead of sharing the project files with them that is very malicious.

[–] rumckle@lemmy.world 22 points 1 year ago

It's also very common in legal cases to share evidence printed out, instead of digitally, to make sure it isn't easy for the other side.

[–] MyFairJulia@lemmy.world 57 points 1 year ago (1 children)

So you like source code? Well then! HAVE ALL THE SOURCE CODE IN THE WORLD!

[–] ReginaPhalange@lemmy.world 44 points 1 year ago (1 children)

Just out of curiosity...
How many pages were there?

[–] ExtremeDullard@lemmy.sdf.org 123 points 1 year ago* (last edited 1 year ago) (7 children)

I don't know. I didn't do the printing. The law firm did it. But I remember our lawyer mentioning that they fedexed over 20 cartons of printing paper. Assuming 500 sheets per ream and 5 reams per carton, that would be 50,000 sheets, or 100,000 pages since it was printed on both sides to be even more annoying.

[–] popekingjoe@lemmy.world 37 points 1 year ago

That's beautiful. Simply beautiful.

[–] Danatronic@lemmy.world 26 points 1 year ago (1 children)

Damn. Did they ever find your actual source code in there?

[–] ExtremeDullard@lemmy.sdf.org 79 points 1 year ago* (last edited 1 year ago) (5 children)

No idea. That company folded before it could even respond. It was a typical dot-com with a completely ridiculous business model. That's why our lawyer decided to fight the suit: he figured they'd collapse soon anyway, so we might as well milk the lawsuit for the publicity.

[–] BeigeForce@lemmy.world 35 points 1 year ago (1 children)

You’re the hero that GitHub needs.

[–] JackbyDev@programming.dev 20 points 1 year ago (1 children)

The irony is that nowadays you could just say "well, the code's open source and all hosted on GitHub..."

[–] TeoTwawki@lemmy.world 16 points 1 year ago (1 children)

Double irony is they'd also send a takedown to GitHub claiming the code contains their IP due to being too ignorant to comprehend that none of the code contains any of theirs to do what it does.

[–] JackbyDev@programming.dev 8 points 1 year ago

Wikipedia has XOR truth tables and contains my very secret trade secrets!

[–] WhoRoger@lemmy.world 28 points 1 year ago

I was a tech journalist in the early 00's and I remember writing about that story or one like that.

A similar thing happened with Microsoft, who either delivered or was served the full documentation of some office format printed out. It's a pretty popular form of malicious compliance, also paying people in bags of coins.

[–] csm10495@sh.itjust.works 24 points 1 year ago (1 children)

Please tell me all the newlines were removed from the source code and it was minified to save paper.

[–] Jamie@jamie.moe 19 points 1 year ago (2 children)

Oh man, if you gave a programmer minified C code with no comments, whitespace, or newlines in printed paper, they'd probably charge more than your lawyer to read that shit.

[–] aard@kyu.de 21 points 1 year ago (1 children)

Did the device happen to be the CueCat?

[–] Juvyn00b@lemmy.world 10 points 1 year ago

Should have sent it xor since they already know how to decode it.

[–] nomadjoanne@lemmy.world 9 points 1 year ago

Amazing! What a great story.

[–] slazer2au@lemmy.world 8 points 1 year ago (1 children)

Legally they had been served, so there was nothing they could do about it.

Pretty sure they can go to the judge and ask you to deliver the information in a more friendly format.

[–] vrighter@discuss.tchncs.de 7 points 1 year ago

"only an xor" would pretty much imply any of most stream ciphers. It's what you xor with that matters.

[–] skookumasfrig@sopuli.xyz 6 points 1 year ago

Was this for the CueCat? Because it sure sounds like that! Bravo!
