[Reader-list] Why D.M.C.A. ends net & computer security
menso at r4k.net
Tue Sep 11 06:02:00 IST 2001
For some time now the Digital Millenium Copyright Act has been in
effect, from 1998 to be precise. In the beginning the results of this
new law were quite unclear and not much written about.
In short the DMCA does the following:
"The DMCA gives publishers the power to prevent you from printing a
page, loaning a book to your friends or in some cases, even
reading it out loud. For example, if you purchase and download an
electronic book from the Internet and figure out how to circumvent
the reader software so that you can print it out to read in the
bathroom, the DMCA makes what you have done a federal crime, and if
you tell anyone how you did it, you can be looking at a fine of up
to $500,000 and 5 years in prison. This has happened."
Now, this is one of the consequences. For those not familiar with the
recent Sklyarov case: Sklyarov discovered that the 'encryption' used
to secure E-Books by adobe and several others was stuff your kid sister
might come up with to prevent others from reading her diary.
He held a talk about this on DefCon, a big US hacker conference held
each year and... got arrested. According to the D.M.C.A. Sklyarov had
no business giving this talk.
The D.M.C.A. makes it illegal to distribute "circumvention technology",
such as systems that break copyright protection schemes.
Now that we've reached the core of the problem, let me continue to
explain why this is a major threat to all computer and data security.
The way computer security tends to work is that someone or some company
releases a program or OS and says "This is secure". Then, a big amount
of people work with them, find flaws in them, discover that they are
not secure. Some people have even made their jobs out of this and get
paid by companies to check if the systems they are using are secure or
This is a good thing: instead of someone selling you a doorlock and
saying it is uncrackable you actually get worlds most skilled thieves
that give a go at it and, when it fails, explain what they did and how
it can be prevented. This is a good thing since you'll now know that
the lock isn't as perfect as they told you it would be and you can take
extra measures to prevent people from entering your building.
In computer terms this means that you, for example, buy a firewall
system that's supposed to be 100% secure. You put your trust in this
product to secure your own or customer data, your networks, etc.
Then someone finds a flaw in the product, which is a bad thing. The
person who found the flaw figures that others will find it too and
might abuse it. So he/she notifies the rest of the world about the
flaw he found and how it can be solved.
Pretty sweet system indeed.
Now with the D.M.C.A. the situation is more as follows:
You buy a lock that is supposed to be 100% secure to prevent people
from entering your house. People who buy this lock or work for
companies who bought the lock are curious to just how secure it is.
One of them opens the lock to see how it works internally and finds
a way to open it with a paperclip when inserted under the right angle.
"This sucks! Millions of people rely on this lock and it is no good,"
this person thinks and he starts notifying others about it.
Then he receives a letter from the company that builded the lock which
says: "It has come to our attention that you have opened a lock and
written a paper on how it's internals work. That information is
He gets a $500.000 fine and 5 years in prison for what he did.
As you can see the D.M.C.A. kills the security system of lots of
people checking to see if a product really is secure and will cause
a major new risk in computer and network security. While the system
administrators might not know about a certain security bug, thousands
of hackers already might and they are pounding at your door as we
speak. Already people are not publishing new bugs they found in so-
called 'secure' products because of fear of prosecution.
One of them is Niels Ferguson, a man who has proofed himself time
after time: he has found serious flaws in earlier IPSEC implementations,
helped develop the TwoFish algorithm and has now been working for
Counterpane for the past several years. (Counterpane is a company
started by Bruce Schneier, author of "Applied cryptography" and
"Secrets & Lies" which explains computer security on a somewhat
more theoretical level, a must read!)
When a man like Niels Fergusson says he has found a new flaw, he has.
He has found a flaw in HDCP. HDCP is a cryptographic system developed
by Intel that encrypts video on the DVI bus. The DVI bus is used to
connect digital video cameras and DVD players with digital TVs, etc.
The aim of HDCP is to prevent illegal copying of video contents by
encrypting the signal. According to Ferguson any IT person can do what
he did and get the same result (retrieve the masterkey). When this
is done the entire HDCP becomes useless.
We all know that this key *will* be posted on the net sooner or later,
probably around the time the HDCP is already being implemented in
hardware and thus Intel cut's it's own fingers with the DMCA.
More information: www.anti-dmca.org Anti DMCA site
www.macfergus.com/niels/dmca/ Niels Ferguson
Anyway, the :// part is an 'emoticon' representing a man with a strip
of sticky tape across his mouth. -R. Douglas, alt.sysadmin.recovery
More information about the reader-list