MIT's got form

Bunnie Huang: "Back when I was a graduate student there, I extracted security keys from the original Microsoft Xbox video game console. I still remember the crushing disappointment of receiving a letter from MIT legal repudiating any association with my work, effectively leaving me on my own to face Microsoft."


  1. Reading the replies to his blog, it is both disturbing and comical how trolls will attack a person for speaking his or her own opinion.

    I imagine, with a bit of joy, the looks of horror on the faces of the trolls if the tables were turned and they were being attacked by cowardly, anonymous strangers.

    Judging by the comments, it looks like a couple of YouTube commenters or 4chan/b kiddies somehow got misdirected to his site.

    The post gets my upvote, for what that’s worth.

    1. Is this some sort of “hello world” from a Turing contest chat-bot? I’ll admit, that’s not a bad opener.

        1. Give me a break, I just broke up with ELIZA.

          Turns out she didn’t really understand me after all…

  2. I am not comparing the cases, but I will take this opportunity to say that this reminds me of one of my favorite response letters of all time: the great letter from Cambridge’s Ross Anderson, Professor of Security Engineering. Here’s a link to the BoingBoing article (which has a link to the entire letter):

    Cambridge university refuses to censor student’s thesis on chip-and-PIN vulnerabilities

  3. Wait so this grad wanted to openly, directly, and willingly break the law and expect the university to foot the bill for their defense?

    The entitlement of this generation…..

    1. I sincerely doubt he “break the law” back then. Terms of Service, perhaps. I don’t know if that could be said today, since there are so many new laws, and we aren’t allowed to even know what those laws are.

      Microsoft is not the government, and if they employed a weak scheme to protect their keys, and that scheme was reverse engineered by a grad student at a university, and that student publishes a paper on it, exposing why that scheme shouldn’t be used, then, as someone that has worked in academia for over thirty years, I support that student.

      From his paper:

      “One lesson of this study is that the use of a high-performance bus alone is not a sufficient security measure, given the advent of inexpensive, fast rapid prototyping services and high-performance FPGAs.”

      – Huang, Andrew (May 26, 2002) (pdf). Keeping Secrets in Hardware: the Microsoft XBox™ Case Study. AI Memo 2002-008. Retrieved April 19, 2008.

      He also doesn’t say that he was wanting MIT to foot the bill for his defense, he was probably just hoping that the university’s public support for his intellectual liberty would be enough, and, as it turned out, it was, when his department rallied around him. The way this works in most universities in the United States is that before any public statement is made in situations like this by a department, it always has to go through the legal department, thus, the letter. His department chose to ignore what the legal department said, and, sure enough, that was enough.

      One of the most maddening things is that governments, and corporations, are more than happy to take the fruits of this research, but are also more than happy to throw the researchers under the bus. This has, obviously, a chilling effect, until we have no researchers doing any research, and then we wonder why there are so many security holes in products, and why there are so few new advances.

    2. Since you obviously can’t be bothered to keep up with and understand the issues here, I’ll include a little more from Bunnie’s blog post.  Please read. And please try not to be so judgmental about stuff which you obviously haven’t grasped.

      “However, in my case, the faculty of my then-lab, the AI lab, were outraged by this treatment. They openly defied MIT legal by publishing my work as an official AI Lab Memo, thereby granting me greater negotiating leverage with Microsoft. Microsoft, mindful of the potential backlash from the court of public opinion over suing an openly legitimized academic researcher, came to a civil understanding with me over the issue”.

    3. Ah yes, another bureaucrat that brings up the law with complete disregard for the humans that get caught in unfair situations.

      Entire regimes strive on people like you…. 

    4. Yeah, how dare these little pissants believe they have a right to speak freely, eh?  Can you believe it?  It’s almost like they think they’re people, even though they aren’t even rich!

      It reminds me of all those slaves who had the temerity to want to be free even though it was against the law.  The entitlement of those people!  How dare anyone place morality, decency or (horrors!) physical freedoms in higher respect than the aweful majesty of the law?  What a travesty of a mockery of a sham!

      1. It has nothing to do with free speech, not proximately at least.  Breaking an encryption scheme is against the DMCA.  I am surprised that a BB reader is not aware of this.

        You may share my view that the DMCA is stupid/bad, but that doesn’t change the fact that it is against the law.  
        Universities are not in the habit of paying for the legal defense of students who break the law in this way.  And why should they?

        1. Please explain how you are not a troll. Do you have nothing to contribute to this conversation, other than this or that IS AGAINST THE LAW?

          Please expand on your thoughts, or go away. Thank you.

        2. Given that tomorrow is MLK day, here’s some schooling for you:

          “There are just laws and there are unjust laws. I would agree with St. Augustine that an unjust law is no law at all… One who breaks an unjust law must do it openly, lovingly…I submit that an individual who breaks a law that conscience tells him is unjust, and willingly accepts the penalty by staying in jail to arouse the conscience of the community over its injustice, is in reality expressing the very highest respect for law.”

          There are exactly no grounds, in my book, for believing that a group of people merits any less expectation of ethical behavior than an individual.

          As an individual who rejects this attitude for the safety of conformism will lose my respect, so too will an organisation.

  4. Once the security flaws had been found, why did the researcher not quietly notify Microsoft so that Microsoft might correct them?  Perhaps the researcher was more interested in the publicity to be had by publishing, without regard to the impact on Microsoft?

    And can we give the “some laws are / have been morally indefensible, therefore we can ignore any law” rationalization a rest? 

    1. Importantly, the economic harm to Microsoft of jailbreaking xboxes is zero. The number of people who are interested in that sort of thing is extremely small, and in fact, that demographic tends to spend *more* money on games, not less.

      Also, tomorrow is MLK day, have some respect for civil disobedience!

      The decision to break an unjust law on moral grounds should be a grave and sacred one. I urge you to reject an attitude that doesn’t treat it this way. 

      The DMCA is fundamentally about privacy. It restricts what an individual can do in the privacy of their own home, without harming themselves or anyone else. 

      Simply gaining the knowledge of how something you own works should not be a crime. 

      The fact that this is true is an ugly, blatant affront to human curiosity, which is one hell of a lot more essential to life and liberty than temporary government-enforced monopolies on consumer goods. 

      You think it’s right that Nabco can tell a brilliant child that she can’t take apart her RC car to see how it works? I’m sorry, but that’s wrong, and if the simple act of disobedience wherein I allow her, or assist her in doing it means I have broken the law, then so be it. 

      I expect the same ethical standard of behavior from the organizations I associate with as I do from the individuals I associate with. The reason we don’t always get it is because we so often don’t even expect it from institutions.
