[ISN] Security workers: Copyright law stifles

From: InfoSec News (isnat_private)
Date: Fri Sep 07 2001 - 00:04:26 PDT

  • Next message: InfoSec News: "[ISN] Big Blue: Enemies are everywhere"

    By Robert Lemos
    Special to CNET News.com 
    September 6, 2001, 11:45 a.m. PT 
    Two well-known computer security experts pulled down their works from
    the Internet this week for fear of being prosecuted under 1998's
    Digital Millennium Copyright Act.
    Along with the threatened lawsuit of Princeton computer-science
    professor Edward Felten, and the arrest of Russian encryption expert
    Dmitry Sklyarov, the incidents are the latest to point at what is
    quickly becoming a touchy environment for security experts.
    "When they started to arrest people and threaten researchers, I
    decided the legal risk was not worth it," said Fred Cohen, a
    well-known security consultant and a professor of digital forensics,
    who took his evidence-gathering tool--dubbed Forensix--off his Web
    site earlier this week.
    Dug Song, a security expert at network-protection company Arbor
    Networks, pulled his own site down in protest as well. Now the only
    text on the site, "Censored by the Digital Millennium Copyright Act,"
    links to a DMCA protest site, Anti-DMCA.org.
    And last month, fearing retribution, Dutch encryption expert Niels
    Ferguson refused to publish his discovery that Intel's encryption
    scheme for Firewire connections, known as the high-bandwidth digital
    content protection (HDCP) system, had a major flaw.
    "I travel to the U.S. regularly, both for professional and for
    personal reasons," he said in an online statement. "I simply cannot
    afford to be sued or prosecuted in the U.S. I would go bankrupt paying
    for my lawyers."
    Lawyers and proponents of the law argue that the response from the
    security community is at best a misinterpretation of the law and more
    likely protest veiled as legitimate fear.
    "Some of the opponents of the DMCA are trying to resurrect this issue
    to get another day in court," said Robert Holleyman, president and CEO
    of the Business Software Alliance, the piracy-fighting organization
    that represents the lion's share of software companies. "Security
    testing is definitely permitted under the DMCA."
    The DMCA, passed in 1998, prohibits the circumvention of copy
    protection and the distribution of devices that can be used to
    circumvent copyrights--even if their users don't do anything illegal
    once they've broken the security. Software makers, Hollywood and the
    music industry make up the core proponents of the law.
    The BSA says such laws are necessary to head off software piracy,
    which the group estimates cost software companies $11 billion in lost
    revenue last year.
    Yet, for many security researchers the question is whether
    stress-testing the security of software products and publicizing
    vulnerabilities and how they were taken advantage of violates the
    The Man bites watchdog?
    "There are provisions in the law for certain security research," said
    Mark Smith, a network-security engineer and spokesman for
    Anti-DMCA.org, "but you shouldn't have to hire a lawyer to make sure
    you are not breaking a law."
    That's a problem in an industry where a large number of security
    vulnerabilities are found by individuals and small groups of
    hackers--the people without the deep pockets to fend off a lawsuit or
    hire lawyers to review research prior to its release.
    That pretty much turns the question of publishing into a business
    decision, said consultant Cohen. "From a risk-management standpoint, I
    can't afford to deal with the issue," he said. "Some big businesses
    can afford to sell the product. I can't."
    But Marc Zwillinger, an intellectual-property attorney and partner at
    Washington, D.C., law firm Kirkland & Ellis, calls Cohen's move a
    political one.
    "I don't think that forensics software would (be considered illegal)
    under any reading of the DMCA," said the former Department of Justice
    attorney, who now files suit on behalf of copyright holders.
    He said Cohen's forensics tool is a program that is not primarily
    designed to circumvent the protections of copyrighted work, so his
    actions are unnecessary. And the Dutch researcher has little to worry
    about, at least from U.S. authorities, Zwillinger said. "You cannot be
    arrested under the DMCA unless you are selling software for profit,"
    he said.
    Yet the willingness of software makers and media companies to sue over
    any potential threat makes security researchers nervous.
    In 1999, the movie industry filed multiple lawsuits against the
    creators of a program to decrypt DVD disks. Originally, the program
    had been created to add DVD playback ability to the Linux operating
    This April, Princeton's Felten found himself on the sticky side of a
    threatened lawsuit when he planned to release research questioning the
    effectiveness of a purported Secure Digital Music Initiative.
    Following the filing of his own suit, the professor presented his
    paper at the USENIX Security Conference in August.
    But it was the arrest and criminal indictment of Russian encryption
    expert Dmitry Sklyarov at the Def Con hacking conference that really
    drove the point home. The incident also unnerved Russian programmers
    thinking of visiting the United States.
    "We would like to draw the attention of all the Russian software and
    programming specialists cooperating with U.S. firms that, regardless
    of a final decision in the Sklyarov case, provisions of the 1998 Act
    may be used against them on the territory of the United States," the
    Russian Ministry of Foreign Affairs said in a statement issued last
    Already, some security researchers are going underground.
    Last week, when an encryption expert reportedly found a hole in
    Microsoft's e-Book format, he anonymously went to the news media
    rather than face arrest.
    According to Anti-DMCA.org's Smith, the DMCA could dramatically set
    back computer security.
    "We crash test cars to create stronger, safer vehicles," he said. "We
    need to crash test software to promote stronger, safer software. But
    with the DMCA, a company can do minimal research on security, and if
    someone does crack their software, they can sic the FBI on them."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 02:17:37 PDT