[ISN] Dutch Cryptographer Cries Foul

From: InfoSec News (isnat_private)
Date: Wed Aug 15 2001 - 23:00:53 PDT

    By Steve Kettmann
    10:40 a.m. Aug. 15, 2001 PDT

    BERLIN -- A Dutch cryptography expert blasted as "horrific" the
    ambiguous legal reach of the U.S. Digital Millennium Copyright Act,
    which he feels bars him from publishing his work, even in the

    Niels Ferguson revealed last weekend at the Hackers at Large
    conference in Enschede, Netherlands that he had found a way around
    Intel Corporation's High-bandwidth Digital Content Protection (HDCP)
    for digital video.

    But he said he would not be publishing his findings out of fear of the
    legal ramifications, and on Wednesday he vowed to campaign against
    what he feels is the inappropriate scope of the DMCA.

    "I've written a paper on this, containing all this information, and I
    decided not to publish it for fear of liability and fear of
    prosecution under the U.S. Digital Millennium Copyright Act," he said.

    "How can I know which laws are applying to me? The principle of
    applying national laws to international jurisdictions is horrific.
    I've had to censor myself, because the risk is too big, but I'm not
    doing it quietly."

    In fact, Ferguson will visit the United States starting Friday for a
    conference on cryptography, Crypto 2001, in Santa Barbara, California,
    and plans to continue speaking out against the DMCA.

    He will not be presenting a paper at the conference, but on Tuesday
    night there is a session intended for just such "late-breaking news"
    as what Ferguson has to share, said event organizer Joe Kilian, a
    cryptographer with Yianilos Labs in Princeton, New Jersey. The DMCA is
    sure to be a major topic of conversation in Santa Barbara, he added.

    "The potential for abuse is tremendous," said Kilian. "Those of us who
    work in digital rights management have to have a realistic perspective
    on what we hope to achieve. The analogy I give is: Encryption is like
    a brick wall. You can encrypt a file and people will have a hard time
    breaking that encryption without a key. But if you're trying to
    protect music or a video, all you can really do is erect speed bumps.
    The Digital Millennium Copyright Act basically says let's make
    everyone pretend that our digital rights management systems are
    stronger than they really are."

    The legal reach of the act remains unclear, and Ferguson is still
    exploring his legal situation.

    "I've talked with a lawyer from the Electronic Frontier Foundation,
    and today I've just spoken to another lawyer in California working on
    this area," Ferguson said.

    "Even publishing this stuff in the Netherlands would open me up to
    civil and criminal liability," he said. "The law is very vague. In my
    opinion, it is so obviously violating the First Amendment. And yet all
    these lawyers are threatening lawsuits over it."

    Ferguson stressed that Intel has in no way threatened him. But he
    worries that if he did publish, and Intel did take legal action, other
    lawsuits may follow -- including, perhaps, one initiated by the Motion
    Picture Association of America.

    He has closely followed the case of Princeton University professor
    Edward Felten, who was able to disable the anti-piracy technology used
    by the music industry.

    Felten decided against explaining his findings at a Pittsburgh
    conference last spring after what he described as legal threats from a
    lawyer representing the Recording Industry Association of America.

    Later, the RIAA said it had no intention to sue Felten or his
    associates, clearing the way for him to share his research.

    "He's in many ways in a similar situation," Ferguson said Wednesday of
    Felten. "But he was actually threatened. I want to make it quite
    clear, Intel has never threatened me. I have no reason to believe
    Intel will be as bad as RIAA."

    The official Intel line follows, as explained by company spokesman
    Daven Oswalt: "We have no problem with Mr. Ferguson presenting his
    research. The information that he's saying, it's certainly his right
    to say it."

    However, when it comes to the DMCA itself, Intel's position appears a
    bit harder. Continues Oswalt: "Even if Intel entered into an agreement
    (not to sue), we'd have no control of what other government
    authorities would decide. It's hard for us to tell what the legal
    ramifications (were of publishing)."

    As Robin Gross, the EFF intellectual property lawyer with whom
    Ferguson has consulted, put it early this week in a statement: "The
    recording industry has done untold damage by their threats to Felten
    and the other researchers, their universities, and the conference
    organizers. The resulting chilling effect on the broader scientific
    community continues unabated."

    For Ferguson, then, the enemy is not Intel, but a vague legal act that
    disrupts the free flow of information worldwide.

    As Ferguson explained Wednesday in a new posting at his website, he
    was left little choice but to "censor" himself, even though sharing
    information is an essential part of his work as a professional

    "Computer security and cryptography are hard," he said. "It is easy to
    make mistakes, and one mistake is all it takes to create a weakness.
    We share our knowledge with others, so that they don't have to repeat
    the same mistake."

    He goes on to explain that HDCP is "fatally flawed. Once you know the
    master key, you can decrypt any movie, impersonate any HDCP device,
    and even create new HDCP devices that will work with the 'official'
    ones. This is really, really bad news for a security system. If this
    master key is ever published, HDCP will provide no protection
    whatsoever. The flaws in HDCP are not hard to find. As I like to say:
    'I was just reading it and it broke.'"

    But he is not about to give up traveling to the United States,
    something he might have to do if he published his work and legal
    action was taken against him. Instead, he will speak out against what
    he believes is an injustice, joining Felten and Russian programmer
    Dmitry Sklyarov as high-profile foes of the DMCA.

    "He is charged with violating the DMCA while performing his work in
    Russia as an employee for a Russian firm," Ferguson writes of
    Sklyarov. "As far as we know, what he did was perfectly legal in
    Russia, and in most other countries in the world."