The Newsletter of the Greater Victoria PC Users' Association - Web Edition

Adventures in Reverse Engineering
by Matthew Skala
The factual story of my court cases has already been covered so much in the news media that there's not much point in my going through all the details again here. Instead I'm going to direct you to my Web-posted FAQ file on the breaking of Cyber Patrol. That FAQ includes links to many, but by no means all, of the online news stories about me.

It's appropriate that I should write this article for the Big Blue and Cousins newsletter, because BB&C actually deserves a good measure of credit or blame for my activities. I joined when I was 10 years old, because my family had a new computer and I wanted to learn everything about it. The membership benefits included access to the club's electronic bulletin board system (BBS). That was like a key to the candy store.

On a BBS, members connect to a central system with their computers and post messages; others read the messages and post replies; the replies generate replies of their own; and so a group of people can have an ongoing discussion of any topic that interests them. This was before Internet technology became available to the public, but services like Usenet are a modern-day equivalent to the BBS universe.

The BB&C BBS attached everyone's name to their messages, but that was all. The system did not propagate any other personal information. Nobody had to know that "Matthew Skala" was 10 years old unless I chose to tell them. So the BBS gave me a free pass through the social baloney of "children should be seen and not heard". Prejudiced people who would never dream of conducting a serious discussion face to face with someone my age, were perfectly willing to give me all the respect my ideas could command in the electronic realm. I don't want to become excessively vehement here - I find that easy to do on this particular topic - but there aren't many other places where our society treats children as fully human. About the only other public place I could count on a little respect, was the public library.
It's a real liberation to realize that you're allowed to read any book on the shelf, and the only limitation is your own ability to comprehend the contents. Is the similarity of "library" and "liberty" just a coincidence?

But the BBS wasn't just for fun. Over 13 years of writing messages on a daily basis on the BB&C BBS, and Usenet when it became available, I've had a lot of practice in expressing my ideas in unambiguous words. When you're only judged by the words you write, you have to learn to write well if you want to be taken seriously. My experience on the BBS may have something to do with the high grades I've always gotten in English, and the recognition I've received for my writing, from the University of Victoria, the Communications Security Establishment, Big Blue and Cousins, the voting readers of talk.bizarre, and numerous other places.

I think I'm a better person, a more productive member of society, for having been able to use computer networks as a child without any restrictions. I would recommend that part of my upbringing to any child who wants to be smart, although I must admit that I think spending a lot of time at the library is even more important. Anyone who tried to tell me I couldn't have full access because of my age, would have been doing me a grave disservice. If I'd been limited to a "suitable for children" subset of the online universe, it would have been worthless to me.

So whenever someone suggests that we ought to limit what children can see on the Net, my fingers itch, and I reach for my keyboard. I've been studying computer programming since I was 6 years old and can now claim some degree of proficiency at it, as well as my skills in written English, so a keyboard in my hands is no joke.

Many of my peers in the computing community had similar childhood experiences to mine. There are a lot of people with a whole lot of talent who believe that it's a good thing for children to have unrestricted access to the Net.
But one of the bad things about allowing the general public onto the Net is that the general public includes some people you really wouldn't want to meet. I'm especially unhappy about the fact that we ever allowed advertisers onto the Internet, but other people have been making noises about pornography and hate literature. Everyone agrees that there are things on the Net that they don't like, even if not everyone agrees on just what material is undesirable.

That's where filtering packages like Cyber Patrol come in. People on my side of politics refer to them as "censorware" because they're the software equivalent of the good old black Magic Marker. People who approve of these packages prefer to use terms like "parental control software". The details vary with the package, but the general technology involves lists of forbidden Web sites and dirty words. Network connections are checked against those lists; if you try to visit a Web site that's listed as "bad", or which contains a forbidden word, you're prevented from doing so.

These systems promise to technologically solve the human problem of undesirable material on the Net. Install one on your computer, the advertisements claim, and your children's sensitive minds and precious bodily fluids will be "protected" from the evils of the unrestricted Internet.

This kind of claim seems to be based on the idea that ideas are things with a life of their own that can somehow harm people's mental health in the same way that a biological virus could harm people's physical health. If you believe that theory, then it might make sense that you should protect yourself and those you love from ideas that could be harmful. That seems to be the basis for "protecting" children from the Internet. It's obvious to most people that the computer isn't about to explode and kill your kid - but maybe something more insidious could happen?

I'd like to take the biological analogy one step further.
If you want to protect someone from infection, do you do it by keeping them in quarantine, in a sterile sealed plastic bubble? That would in fact be extremely foolish. People raised in such environments fail to develop normal immune systems. When the bubble breaks, the person inside often dies from an infection that a normal person would have resisted. Children grow up eventually. Do you want them to grow up with functioning immune systems?

In just the same way, I believe that "protecting" children from "harmful" ideas hurts them, even if you believe that there are such things as "harmful" ideas to begin with. Much better to let them develop the critical thinking skills, the mental immune system, that can only derive from exposure to the complete range of human thought. Then their minds will become self-protecting. One of the wonderful things about the human mind is that it will automatically grow and develop all by itself if given half a chance.

For people who disagree with my view of such matters, it may seem attractive to buy a computer program that will relieve parents from the irksome necessity of paying attention to their children. Despite the strength of my own convictions on censorware, I do believe that people have a right to disagree with me, and although it hurts, I even believe that parents have a right to use this software if they think it's a good idea. But given that I have so much faith in the inquisitive human nature, I believe I have the natural right to look critically at any idea that comes my way. I have the right to take things apart and see how they work.

It's especially interesting to take apart censorware packages. I'm interested in all computer programs, and I'm especially intrigued by secrets and secrecy, a field known as "cryptology". Cryptology splits into "cryptography", the practice of writing secret messages, and "cryptanalysis", the practice of defeating cryptography by mathematics.
Censorware packages are a good challenge because they're usually designed to resist analysis. The manufacturers consider their lists of "harmful" Web sites to be valuable secrets. There are documented cases of censorware companies copying each other's blocking lists without permission. If you're a conspiracy theorist, you might think that a censorware company would also conceal its list in order to protect a hidden political agenda. More on that later.

There is an ongoing effort to expose the secrets of censorware. Skilled computer programmers have been working for a number of years to find out how each popular package works and what sites it blocks. Even if you don't agree with my side of the questions, anyone who wants to have an informed debate on the topic of censorware will benefit from knowing exactly what the software blocks. There is also a consumer protection angle: parents who might buy censorware have a right to know what they're getting.

The secrecy of the lists raises other issues. Maybe it's okay for private individuals to buy censorware without knowing exactly what they're getting. But these packages are also marketed aggressively to schools and libraries. Cyber Patrol, the package I worked on, is in use at the Greater Victoria Public Library and all the schools in the Vancouver school district. Some US States even have legislation requiring public institutions to use filtering packages. With censorware in a school or library, the software publisher is in the position of setting policy for a public institution. The teacher or librarian can't control what policy the software is enforcing, or even find out what policy is being enforced, because the list of blocked sites is secret.

The first censorware break I remember was brought to public attention by Bennett Haselton, of Peacefire. He published the fact that CYBERsitter used an embarrassingly weak form of encryption to hide its list of blocked sites from prying eyes.
The secret list of "pornographic", "hateful", or otherwise "inappropriate" Web sites included www.now.org - the US National Organization of Women. Needless to say, the feminists were not amused.

America Online has a built-in "parental control" feature, which under some settings permits children to visit the Web site of the US Republican Party, while blocking the site of the Democratic Party. It also dips into the gun control issue (which, for those of us in Canada who don't know, is an issue they take Very Seriously in the USA), by blocking sites on one side of the question and not the other. That system was actually based on technology licensed from Cyber Patrol.

Peacefire itself was added to the list in short order, apparently as retaliation for publishing the inadequacies of CYBERsitter. A later version of the censorware package would actually scan the user's browser history on install. If you had visited the Peacefire Web site in recent history, CYBERsitter would refuse to install with a mysterious error message. It's almost unbelievable, but true. CYBERsitter would actually scan your browser history to figure out whether you had visited the site critical of it, and it would refuse to install, without telling you why, if you had.

Last year I encountered an article called The Reversal of NetNanny, written under the pseudonym Saruman by a programmer in Sweden named Eddy Jansson. Eddy's essay revealed the usual range of questionable politics in the blocking list, but unlike previous censorware work, the NetNanny essay took a tutorial approach, giving details of the steps involved in analyzing the software. I enjoyed reading the document, and Eddy and I exchanged a little bit of email about it.

It's worth pointing out that the practice of taking things apart to see how they work, called "reverse engineering", is an important part of what computer programmers do. There's even a reverse engineering research group at the University of Victoria, where I go to school.
Eddy's NetNanny essay drew a lot of favorable comment from people who teach computer programming; the academic researchers who hang out in sci.crypt on Usenet were pleased to have a good step-by-step description of a practical reverse engineering project. Reverse engineering is an important skill, so teaching it to beginning programmers fits well into my general aims of encouraging people to learn.

That brings us to the start of my adventure with Cyber Patrol, and the end of this article. In late January of 2000, I got an email from Eddy Jansson inviting me to help with his project of reverse engineering Cyber Patrol, and writing an essay about it similar to the NetNanny essay. He'd already made a lot of progress on the software reverse engineering side, but had found that its security measures were more cryptographically sophisticated than most. My mathematical skills would be useful. Would I care to join him?

I hope that now I've described some of the underlying issues, you'll see why I was glad to help. I saw it as just another thing to do to promote education of computer users, just like the tutorials I run for this club. The political consequences, of course, were valuable too.

Eddy and I worked together on Cyber Patrol for about six weeks, eventually finding holes in virtually all of its security features. We found several significant and specific mistakes the authors of Cyber Patrol had made. We also found some questionable entries on the block list, suggesting that the list was not carefully or even-handedly constructed. We posted an essay on the Web called The Breaking of Cyber Patrol(R) 4, describing what we had found and including some example software that would decode the hidden information in the censorware. The rest, as they say, is history.

Matthew Skala is a graduate student in Computer Science at the University of Victoria, Victoria BC Canada.
He is the winner of a prestigious Natural Sciences and Engineering Research Council of Canada scholarship. He is also the Systems Director of Big Blue and Cousins and the Secretary of the Victoria Linux Users Group. He will be teaching a Perl course to BB&C members during June and July. Matthew is also one of the authors of the GNU Privacy Guard software -- "like PGP, only better".