Forwarded from: Jei <jeiat_private>

---------- Forwarded message ----------
Date: Wed, 24 Oct 2001 16:45:41 -0600
From: John Zulauf <johnzuat_private>
To: dmca_discussat_private, dvd-discussat_private
Subject: Re: [DMCA_discuss] Linux kernel security fixes censored by the DMCA

I was walking through the "why would linux security patches constitute a DMCA risk" logic and this was what I came up with.

Under the Berne convention, all creative works by an author, from my .cshrc to my latest white paper, are automatically considered the copyrighted works of the author, whether published or not, registered for copyright or not.

On a multi-user system, the rights of a user to control access and copying of his or her files are embodied in the "su" user id control, along with the file user id and group id, and finally the permissions on the files and directories. Each of these, and particularly the ability to "su", constitutes a technical protective measure (TPM) that controls access to a work -- the very language of the DMCA.

In order to access the copyrighted works of an author (their files) one needs either the user's file permissions, their password, or the root password. Any crack that would allow access to these files which bypasses or circumvents the permissions or passwords thus circumvents a TPM controlling access to a work.

Information regarding these cracks (including demonstration programs) could be considered "a technology... or component thereof" of a circumvention device. The recent court case treated software as a "device" under the law. Certainly the threats to Prof. Felten et al. (if you publish you may be liable for criminal prosecution) seem to imply a very broad stroke regarding "a component thereof".

So there we have it:

(a) a TPM that controls access to a work with the authorization of the copyright holder (the DMCA
(b) information about a crack which circumvents this TPM (typically gaining root access)
(c) dissemination of that "device... or component thereof" -- i.e. any demo code or documentation sufficient to reproduce that crack

QED -- the next time Alan visits the US, the FBI could visit him if he does (c).

I wish I could find a hole in that simple-minded logic (though it is drawn from the style of the FBI complaint against Sklyarov).

What bothers me is that this logic could be extended to a "rescue" floppy that boots a system and grants instant root access to all present hard disks -- though the counter logic would be that anyone with physical access to a multi-user server better have authority to be there. However, under the logic of the DMCA (and the DeCSS and Sklyarov cases) the legitimate uses of a technology are irrelevant if what the "device" does is "circumvent", and a rescue floppy certainly does that.

Other problems would be "key recovery" or "passwd crack" software -- both are useful tools of "white hat" cracking. However, once one realizes that all user files are copyrighted works -- then all tools that do passwd bypass (or recovery) through any encryption or other system are "circumvention devices".

This of course brings me back to my initial worry.... just how are we supposed to get our jobs done without legal liability and risk of felony charges?