Security workers: Copyright law stifles

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-7079519.html?tag=tp_pr

By Robert Lemos
Special to CNET News.com 
September 6, 2001, 11:45 a.m. PT 

Two well-known computer security experts pulled down their works from
the Internet this week for fear of being prosecuted under 1998's
Digital Millennium Copyright Act.

Along with the threatened lawsuit of Princeton computer-science
professor Edward Felten, and the arrest of Russian encryption expert
Dmitry Sklyarov, the incidents are the latest to point at what is
quickly becoming a touchy environment for security experts.

"When they started to arrest people and threaten researchers, I
decided the legal risk was not worth it," said Fred Cohen, a
well-known security consultant and a professor of digital forensics,
who took his evidence-gathering tool--dubbed Forensix--off his Web
site earlier this week.

Dug Song, a security expert at network-protection company Arbor
Networks, pulled his own site down in protest as well. Now the only
text on the site, "Censored by the Digital Millennium Copyright Act,"
links to a DMCA protest site, Anti-DMCA.org.

And last month, fearing retribution, Dutch encryption expert Niels
Ferguson refused to publish his discovery that Intel's encryption
scheme for Firewire connections, known as the high-bandwidth digital
content protection (HDCP) system, had a major flaw.

"I travel to the U.S. regularly, both for professional and for
personal reasons," he said in an online statement. "I simply cannot
afford to be sued or prosecuted in the U.S. I would go bankrupt paying
for my lawyers."

Lawyers and proponents of the law argue that the response from the
security community is at best a misinterpretation of the law and more
likely protest veiled as legitimate fear.

"Some of the opponents of the DMCA are trying to resurrect this issue
to get another day in court," said Robert Holleyman, president and CEO
of the Business Software Alliance, the piracy-fighting organization
that represents the lion's share of software companies. "Security
testing is definitely permitted under the DMCA."

The DMCA, passed in 1998, prohibits the circumvention of copy
protection and the distribution of devices that can be used to
circumvent copyrights--even if their users don't do anything illegal
once they've broken the security. Software makers, Hollywood and the
music industry make up the core proponents of the law.

The BSA says such laws are necessary to head off software piracy,
which the group estimates cost software companies $11 billion in lost
revenue last year.

Yet, for many security researchers the question is whether
stress-testing the security of software products and publicizing
vulnerabilities and how they were taken advantage of violates the
DMCA.

The Man bites watchdog?

"There are provisions in the law for certain security research," said
Mark Smith, a network-security engineer and spokesman for
Anti-DMCA.org, "but you shouldn't have to hire a lawyer to make sure
you are not breaking a law."

That's a problem in an industry where a large number of security
vulnerabilities are found by individuals and small groups of
hackers--the people without the deep pockets to fend off a lawsuit or
hire lawyers to review research prior to its release.

That pretty much turns the question of publishing into a business
decision, said consultant Cohen. "From a risk-management standpoint, I
can't afford to deal with the issue," he said. "Some big businesses
can afford to sell the product. I can't."

But Marc Zwillinger, an intellectual-property attorney and partner at
Washington, D.C., law firm Kirkland & Ellis, calls Cohen's move a
political one.

"I don't think that forensics software would (be considered illegal)
under any reading of the DMCA," said the former Department of Justice
attorney, who now files suit on behalf of copyright holders.

He said Cohen's forensics tool is a program that is not primarily
designed to circumvent the protections of copyrighted work, so his
actions are unnecessary. And the Dutch researcher has little to worry
about, at least from U.S. authorities, Zwillinger said. "You cannot be
arrested under the DMCA unless you are selling software for profit,"
he said.

Yet the willingness of software makers and media companies to sue over
any potential threat makes security researchers nervous.

In 1999, the movie industry filed multiple lawsuits against the
creators of a program to decrypt DVD disks. Originally, the program
had been created to add DVD playback ability to the Linux operating
system.

This April, Princeton's Felten found himself on the sticky side of a
threatened lawsuit when he planned to release research questioning the
effectiveness of a purported Secure Digital Music Initiative.
Following the filing of his own suit, the professor presented his
paper at the USENIX Security Conference in August.

But it was the arrest and criminal indictment of Russian encryption
expert Dmitry Sklyarov at the Def Con hacking conference that really
drove the point home. The incident also unnerved Russian programmers
thinking of visiting the United States.

"We would like to draw the attention of all the Russian software and
programming specialists cooperating with U.S. firms that, regardless
of a final decision in the Sklyarov case, provisions of the 1998 Act
may be used against them on the territory of the United States," the
Russian Ministry of Foreign Affairs said in a statement issued last
week.

Already, some security researchers are going underground.

Last week, when an encryption expert reportedly found a hole in
Microsoft's e-Book format, he anonymously went to the news media
rather than face arrest.

According to Anti-DMCA.org's Smith, the DMCA could dramatically set
back computer security.

"We crash test cars to create stronger, safer vehicles," he said. "We
need to crash test software to promote stronger, safer software. But
with the DMCA, a company can do minimal research on security, and if
someone does crack their software, they can sic the FBI on them."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.