[Reader-list] Why D.M.C.A. ends net & computer security

Menso Heus menso at r4k.net
Tue Sep 11 06:02:00 IST 2001


Hi all,

For some time now the Digital Millennium Copyright Act has been in
effect, from 1998 to be precise. In the beginning the results of this
new law were quite unclear and not much was written about them.

In short the DMCA does the following:

"The DMCA gives publishers the power to prevent you from printing a 
page, loaning a book to your friends or in some cases, even 
reading it out loud. For example, if you purchase and download an 
electronic book from the Internet and figure out how to circumvent 
the reader software so that you can print it out to read in the 
bathroom, the DMCA makes what you have done a federal crime, and if 
you tell anyone how you did it, you can be looking at a fine of up 
to $500,000 and 5 years in prison. This has happened."
Source: http://www.cryogenius.com/dmca.htm

Now, this is one of the consequences. For those not familiar with the
recent Sklyarov case: Sklyarov discovered that the 'encryption' used
to secure E-Books by Adobe and several others was stuff your kid sister 
might come up with to prevent others from reading her diary. 
He held a talk about this at DefCon, a big US hacker conference held
each year and... got arrested. According to the D.M.C.A. Sklyarov had
no business giving this talk. 
The D.M.C.A. makes it illegal to distribute "circumvention technology",
such as systems that break copyright protection schemes.


Now that we've reached the core of the problem, let me continue to 
explain why this is a major threat to all computer and data security.

The way computer security tends to work is that someone or some company 
releases a program or OS and says "This is secure". Then, a large number 
of people work with them, find flaws in them, and discover that they are 
not secure. Some people have even made their jobs out of this and get 
paid by companies to check if the systems they are using are secure or
not. 

This is a good thing: instead of someone selling you a doorlock and 
saying it is uncrackable you actually get the world's most skilled thieves 
to have a go at it and, when it fails, explain what they did and how
it can be prevented. This is a good thing since you'll now know that 
the lock isn't as perfect as they told you it would be and you can take
extra measures to prevent people from entering your building.

In computer terms this means that you, for example, buy a firewall 
system that's supposed to be 100% secure. You put your trust in this 
product to secure your own or customer data, your networks, etc.
Then someone finds a flaw in the product, which is a bad thing. The 
person who found the flaw figures that others will find it too and 
might abuse it. So he/she notifies the rest of the world about the 
flaw he found and how it can be solved.
Pretty sweet system indeed.

Now with the D.M.C.A. the situation is more as follows: 
You buy a lock that is supposed to be 100% secure to prevent people 
from entering your house. People who buy this lock or work for 
companies who bought the lock are curious as to just how secure it is. 
One of them opens the lock to see how it works internally and finds 
a way to open it with a paperclip when inserted at the right angle. 
"This sucks! Millions of people rely on this lock and it is no good,"
this person thinks and he starts notifying others about it. 
Then he receives a letter from the company that built the lock which
says: "It has come to our attention that you have opened a lock and 
written a paper on how its internals work. That information is 
copyrighted."
He gets a $500.000 fine and 5 years in prison for what he did. 


As you can see the D.M.C.A. kills the security system of lots of 
people checking to see if a product really is secure and will cause
a major new risk in computer and network security. While the system 
administrators might not know about a certain security bug, thousands 
of hackers already might and they are pounding at your door as we 
speak. Already people are not publishing new bugs they found in so-
called 'secure' products because of fear of prosecution. 

One of them is Niels Ferguson, a man who has proven himself time 
after time: he has found serious flaws in earlier IPSEC implementations, 
helped develop the Twofish algorithm and has now been working for 
Counterpane for the past several years. (Counterpane is a company 
started by Bruce Schneier, author of "Applied Cryptography" and 
"Secrets & Lies" which explains computer security on a somewhat 
more theoretical level, a must read!)
When a man like Niels Ferguson says he has found a new flaw, he has.
He has found a flaw in HDCP. HDCP is a cryptographic system developed 
by Intel that encrypts video on the DVI bus. The DVI bus is used to 
connect digital video cameras and DVD players with digital TVs, etc. 
The aim of HDCP is to prevent illegal copying of video contents by 
encrypting the signal. According to Ferguson any IT person can do what
he did and get the same result (retrieve the master key). When this 
is done the entire HDCP becomes useless.
We all know that this key *will* be posted on the net sooner or later,
probably around the time the HDCP is already being implemented in 
hardware and thus Intel cuts its own fingers with the DMCA.


Sleep tight,

Menso

More information: 	www.anti-dmca.org		Anti DMCA site
			www.macfergus.com/niels/dmca/	Niels Ferguson 

-- 
---------------------------------------------------------------------
Anyway, the :// part is an 'emoticon' representing a man with a strip 
of sticky tape across his mouth.   -R. Douglas, alt.sysadmin.recovery
---------------------------------------------------------------------


