[ISN] Re: [DMCA_discuss] Linux kernel security fixes censored by the DMCA

From: InfoSec News (isnat_private)
Date: Tue Oct 30 2001 - 01:32:45 PST

  • Next message: InfoSec News: "[ISN] Comment: Hacking is not terrorism"

    Forwarded from: Jei <jeiat_private>
    ---------- Forwarded message ----------
    Date: Wed, 24 Oct 2001 16:45:41 -0600
    From: John Zulauf <johnzuat_private>
    To: dmca_discussat_private, dvd-discussat_private
    Subject: Re: [DMCA_discuss] Linux kernel security fixes censored by the DMCA
    I was walking through the "why would linux security patches constitute
    a DMCA risk" logic and this was I came up with.
    Under the Berne convention, all creative works by an author, from my
    .cshrc to my latest white paper are automatically considered the
    copyrighted works of the author, whether published or not, registered
    for copyright or not.
    On a multi-user system, the rights of a user to control access and
    copying of his or her files is emodied in the "su" user id control,
    along with the file user id and group id, and finally the permissions
    on the files and directories.
    Each of these, and particularly the ability to "su", constitute a
    technical protective measure (TPM) that controls access to a work --
    the very language of the DMCA.
    In order to access the copyrighted works of an author (their files)  
    one needs either the users file permissions, their password, or the
    root password.
    Any crack that would allow access to these files which bypasses
    circumvents the permissions or passwords thus circumvents a TPM
    controlling access to a work.
    Information regarding these cracks (include demonstration programs)
    could be considered "a technology... or component thereof" of a
    circumvention device.  The recent court case treated software as a
    "device" under the law.  Certainly the threats to Prof. Felton et. al.
    (if you publish you may be liable for criminal prosecution) seems to
    imply a very broad stroke regarding "a component thereof".
    So there we have it:
    (a) a TPM that controls access to a work with the authorization of the
    copyright holder (the DMCA
    (b) information about a crack which circumvents this TPM (typically
    gaining root access)
    (c) dissemination of that "device... or component thereof" -- i.e. any
    demo code or documentation sufficient to reproduce that crack
    QED -- the next time Alan visits the US, the FBI could visit him if he
    does (c).
    I wish I could find hole in that simple minded logic (though it is
    drawn from the style of the FBI complaint against Sklyarov).  What
    bothers me is that this logic could be extended to a "rescue" floppy
    that boots a system and grants instant root access to all present hard
    disks -- though the counter logic would be that anyone with physical
    access to a multi-user server better have authority to be there.  
    However, under the logic of the DMCA (and the DeCSS and Sklyarov
    cases) the legitimate uses of a technology are irrelevant if what the
    "device" does is "circumvent" and a rescue floppy certainly does that.  
    Other problems would be "key recovery" or "passwd crack" software --
    both are useful tools of "white hat" cracking.  However, once one
    releases that all user files are copyrighted works -- then all tools
    that do passwd bypass (or recovery) through any encryption or other
    system are "circumvention devices".
    This of course brings me back to my initial worry.... just how are we
    supposed to get our jobs done without legal liability and risk of
    felony charges.
    DMCA_discuss mailing list
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 03:35:11 PST