Information Security News mailing list archives

Re: [DMCA_discuss] Linux kernel security fixes censored by the DMCA
From: InfoSec News <isn () c4i org>
Date: Tue, 30 Oct 2001 03:32:45 -0600 (CST)

Forwarded from: Jei <jei () cc hut fi>

---------- Forwarded message ----------
Date: Wed, 24 Oct 2001 16:45:41 -0600
From: John Zulauf <johnzu () ia nsc com>
To: dmca_discuss () lists microshaft org, dvd-discuss () eon law harvard edu
Subject: Re: [DMCA_discuss] Linux kernel security fixes censored by the DMCA

I was walking through the "why would linux security patches constitute
a DMCA risk" logic and this was what I came up with.

Under the Berne convention, all creative works by an author, from my
.cshrc to my latest white paper are automatically considered the
copyrighted works of the author, whether published or not, registered
for copyright or not.

On a multi-user system, the rights of a user to control access and
copying of his or her files are embodied in the "su" user id control,
along with the file user id and group id, and finally the permissions
on the files and directories.

Each of these, and particularly the ability to "su", constitute a
technical protective measure (TPM) that controls access to a work --
the very language of the DMCA.

In order to access the copyrighted works of an author (their files)
one needs either the user's file permissions, their password, or the
root password.

Any crack that would allow access to these files which bypasses or
circumvents the permissions or passwords thus circumvents a TPM
controlling access to a work.

Information regarding these cracks (including demonstration programs)
could be considered "a technology... or component thereof" of a
circumvention device.  The recent court case treated software as a
"device" under the law.  Certainly the threats to Prof. Felten et al.
(if you publish you may be liable for criminal prosecution) seem to
imply a very broad stroke regarding "a component thereof".

So there we have it:

(a) a TPM that controls access to a work with the authorization of the
copyright holder (the DMCA
(b) information about a crack which circumvents this TPM (typically
gaining root access)
(c) dissemination of that "device... or component thereof" -- i.e. any
demo code or documentation sufficient to reproduce that crack

QED -- the next time Alan visits the US, the FBI could visit him if he
does (c).

I wish I could find a hole in that simple-minded logic (though it is
drawn from the style of the FBI complaint against Sklyarov).  What
bothers me is that this logic could be extended to a "rescue" floppy
that boots a system and grants instant root access to all present hard
disks -- though the counter logic would be that anyone with physical
access to a multi-user server better have authority to be there.  
However, under the logic of the DMCA (and the DeCSS and Sklyarov
cases) the legitimate uses of a technology are irrelevant if what the
"device" does is "circumvent" and a rescue floppy certainly does that.  
Other problems would be "key recovery" or "passwd crack" software --
both are useful tools of "white hat" cracking.  However, once one
realizes that all user files are copyrighted works -- then all tools
that do passwd bypass (or recovery) through any encryption or other
system are "circumvention devices".

This of course brings me back to my initial worry.... just how are we
supposed to get our jobs done without legal liability and risk of
felony charges?



DMCA_discuss mailing list
DMCA_discuss () lists microshaft org

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
