Thursday, March 10, 2016

Code is expressive. Full Stop. (FBIvApple)

I write code. More than a $billion of products have been sold where my code is the key component. I've written more than a million lines of it. I point this out because I want to address this FBIvApple fight from the perspective of a coder -- from the perspective of somebody who the FBI proposes to conscript into building morally offensive code. Specifically, I want to address the First Amendment issue, whether code is expressive speech. I demonstrate expressiveness, far beyond what the government in this case imagines.


Consider Chris Valasek (@NudeHabasher), most recently famous for his car-hacking stunt of hacking into a Jeep from the Internet (along with Charlie Miller @CharlieMiller).

As Chris tells the story, he was on an airplane without WiFi writing code for his "CANbus-hack" tool that would hack the car. Without the Internet, he didn't have access to reference information, such as for strtok(). But he did remember from years earlier working on my (closed-source) code, and used the ideas he remembered to solve his immediate problem. No, he didn't remember the specifics of the code itself, and in any case, his CANbus-hack was unrelated to that code. Instead, it was the ideas expressed my code that he remembered.

What he came up with was this:



While this is CAN-bus functionality, you'll notice a certain similarity with code in my open-source masscan port-scanner:



The first piece of car hacks computers inside your car. The second piece of code scans the entire Internet. They are wholly unrelated in every way that two pieces of code can be unrelated -- except that both share an idea. That idea, state-machine parsers, was communicated by my original code, then adopted for a wholly different purpose by Chris many years later.

The government claims that computer code has limited expressiveness:


That's wrong. My code expressed an important idea to Chris Valasek, unrelated to the variable names or comments.

Only JK Rowling could've created the Harry Potter books. Only Joss Whedon could've created the first Avengers movie. Only Frank Lloyd Wright could've created Falling Water. Only I could've made something specifically like masscan (thought other similar tools exist like zmap). Only Chris Valasek could've created his specific car hacking code (thought other related code exists). These are artistic, creative works, unique to their creators. They express unique ideas, far from the mechanics of code.

It's art, but it's also revolution. How universities teach this sort of code is wrong. Many of us, especially those focused on the field "LANGSEC" like Sergey Bratus @SergeyBratus and Meredith Patterson (@maradydd), are trying to change that with different ideas. State-machine parsers is how I tackle this. I could explain these ideas with a 500 page book, but it's easier with 1000 lines of code.


I've cited here a specific example of expressive code, even if you strip the comments and randomize the variable names. Code is creative speech. The government has asserted, without evidence, that it's not significantly expressive. They are wrong.

While my code is designed for defenders, it's used by hackers and "cyber-terrorists". It's licensed, with the GPL. I can imagine that some day the court will compel code/speech out of me, when going after hackers/terrorists. This is a violation of my rights.




So, below is somebody who read my X.509 code today. The point isn't that my code is "cool", but that it so expressive that it will cause some people to say "Duuuuuuuude!!". It's been known to trigger the opposite reaction from other people who think I'm an idiot. Either way: expressive.












No comments:

Post a Comment

Note: Only a member of this blog may post a comment.