[ISN] Silence of a code cracker

From: InfoSec News (isnat_private)
Date: Fri Aug 17 2001 - 01:34:44 PDT

  • Next message: InfoSec News: "RE: [ISN] Man arrested in Britain in hacking case"

    By Hiawatha Bray 
    Princeton computer science professor Ed Felten spilled the beans last
    night, revealing his method for breaking into supposedly unbreakable
    digital music recordings. And the good news is, Felten didn't even
    have to post bail.
    I told you about Felten a few months ago. He fell afoul of one of the
    nation's weirdest laws, the Digital Millennium Copyright Act. Under
    the DMCA, it's a crime to figure out ways to defeat digital encryption
    technologies used to block unauthorized access to computer software,
    digital music, and movies. Mind you, it's not about actually making
    pirate copies - that was illegal before the DMCA was enacted in 1998.
    No, the new law makes it illegal to simply tell the world how such
    pirate copies can be made.
    The music recording industry told Felten that he could be prosecuted
    for announcing his discovery at a scientific conference. The music
    folks later backed down - Felten is a scientist and the law makes an
    exception for scholarly researchers - but that hasn't stopped Felten
    from suing to challenge the constitutionality of the DMCA. He and his
    supporters argue the DMCA is so vague that even a university research
    report could be interpreted as a violation of the law.
    In any case, Felten's newfound right to publish didn't cut any ice in
    the case of Dmitry Sklyarov. He works for Elcomsoft, a Moscow firm
    that makes software to defeat the encryption of electronic books.
    Elcomsoft's product is perfectly legal in Russia, and nearly
    everywhere else on earth. But when Sklyarov came to Las Vegas to talk
    about it in July, the FBI slapped on the handcuffs. After two weeks in
    jail, a federal judge finally let Sklyarov post bail last week, but
    the FBI is holding his passport, in effect exiling Sklyarov from his
    homeland, his wife, and his two young children.
    It's the sort of thing to make you think twice about hacking code.
    It's certainly had that effect on Niels Ferguson of Amsterdam. He
    thinks he's figured out a major weakness in software created by Intel
    Corp. to prevent the pirating of digital video recordings. But
    Ferguson has decided to shut up about it.
    Actually, Ferguson shared his discovery with fellow geeks at a Dutch
    hackers' convention last weekend. And he's contacted Intel's crypto
    experts, who have expressed interest in his discovery. But Ferguson
    has refused to publish the details of his theory, or even to send an
    e-mail to Intel headquarters, because Intel is based in the United
    Mind you, Ferguson is quite partial to our country; he used to work
    for Counterpane Internet Security Inc., a computer security firm in
    California. He still pays a visit from time to time; in fact, he'll be
    flying in next Saturday. And because Ferguson hasn't published his
    research materials, he won't have to worry about the FBI cuffing him
    at the airport.
    ''I'm scared to publish my research and then go to the United
    States,'' he says. ''Felten was threatened. Dmitry was arrested.'' And
    Ferguson, 35, and self-employed as a crypto consultant, can't afford
    the legal bills. Silence is safer.
    Silencing people is exactly what the DMCA is meant to do, says Bruce
    Schneier, president of Counterpane and Ferguson's former boss. ''The
    idea here is to spread the maximum amount of fear and doubt,'' he
    Schneier believes most digital security products can be broken.
    Indeed, if the stuff worked, there'd be no need for the DMCA. Schneier
    thinks companies want to keep making and using unreliable security
    software, while pretending everything's fine. ''We're in a situation
    where companies are producing bad security, and making it illegal for
    you to check,'' he says.
    Intel spokesman Chuck Mulloy doubts Ferguson has really found a
    practical hack. ''This code was developed to prevent casual copying,''
    he said. ''Our view is it still does what it's meant to do.''
    He says Intel is interested in getting a peek at Ferguson's work. But
    he concedes that publication of the research might make Ferguson a
    wanted man in the United States. ''We really can't help him there,''
    says Mulloy. ''We don't have the authority to indemnify him or anybody
    else from a federal law.''
    Indeed, this is a job for the courts or, better yet, for Congress.
    Digital media producers and software companies have a legitimate
    interest in protecting their intellectual property. But free speech is
    the most valuable intellectual property of all.
    Hiawatha Bray can be reached by e-mail at brayat_private
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 03:26:18 PDT