Previous Day | Next Day
- Jul 19th, '01
DMCA Sucks Ass
Some background - A Russian programmer gave a talk at the DEFCON computer security conference this month on some gapping security holes he had found in Adobe Corp's eBook product. During the presentation he showed exactly how to break Adobe's encoding for the eBook files.
Adobe called the FBI and had him arrested for violating the DMCA.
There are three reasons why what he did is both reasonable and, in my opinion, vital. 1) The eBook product violates laws that require software to allow a user to create usable backups. 2) Researching and exposing security and privacy flaws in software protects all of us. 3) Adobe marketing is giving authors a wildly false expectation that their product is secure.
Did he break the law? Yes. But the law is so wrong that I feel it should be broken on a regular basis. It was once illegal for women to vote. It's still illegal in some places to have anal sex. In this context, the DMCA is just as silly and even more dangerous.
Okay, enough background, what's my point?
Hackers play a vital role in the evolution of computer software by exposing the dangers inherent in bad software. Before the DEFCON convention there was a flaw in the way I had built this site that would have allowed anyone to take over the homepage, write anything they wanted there, change every post I'd ever written, and delete most of the database. Ouch!
This is the same thing that the Russian programmer was doing. Adobe built a faulty product. The programmer pointed that out. And Adobe told the FBI to arrest him.
Here's an analogy - Let's pick on Ford. The DMCA says that I'm not allowed to talk about faulty security in software. Kind of like if I buy a Ford car and find out that if I tap on the hood in a certain way, all the doors will unlock. Obviously everyone who owns a Ford should know that they need to get this fixed. And we'd expect that Ford would bend over backward to contact owners and fix the problem on Ford's dime (stop snickering Patti). And we know they'd try and make things right because they released a faulty product and would be financially libel for the consequences.
But the DMCA turns this common sense notion on it's head. Even telling people that there is a problem is a crime. The law takes away your free speech rights in order to make life easier for software companies. Adobe doesn't have to worry as much about releasing faulty software because it's now illegal to research or discuss faults.
Let's take a look at what the programmer is being arrested for. In fact let's just break the same law he did and see how silly it is. Here, watch closely.
Some eBooks use ROT13 encoding to ensure that the content will only be seen by people who have paid for it. But ROT13 is ridiculously weak encoding. If I gave my mother (a retired Home Econimics teacher with no computer background) a sheet of text which had been ROT13'ed, I'll bet money she could decode it in under 15 minutes. Especially since the technical sounding "ROT13 encoding" is simply rotating the letters of the alphabet around 13 places. It's like a freakin' plastic decoder ring!
There, I just violated the DMCA. Does this make sense to anyone?
Instead of just saying nasty things about the programmer and then fixing the problem, Adobe is attempting to shutdown all future criticism by showing the world what it will do to people who question their security. In effect, programmers don't write better software - lawyers do. Why spend the extra money to ensure security and privacy when it's easier to arrest a couple people and pretend that the problem doesn't exist?
And that's exactly what Adobe wants - to pretend that by arresting the white-hat hackers, the black-hat hackers will somehow magically disappear.
Fine. Whatever. But you don't have an eBook, so why is this important to you? Because it's not just eBooks, it's your Quicken tax software, your bank's online banking, the medical records your doctor has, and on and on. Bad people are out there trying to break, steal, or scribble on anything they can. Without people willing to do the work to find and expose these vulnerabilities we are all forced to trust our security to programmers who are underpaid and working under ridiculous deadlines.
Adobe wants us to accept, under threat of federal law, that their security is fine. They want us to pretend that malicious hackers will stop attacking us if we arrest a few people doing legitimate research.
Oh! What am I talking about there? Researchers can be arrested? That can't be right. But in fact, the DMCA can be used to shutdown encryption research. Here's more silliness. SDMI put out a challenge to hackers to try to break their proposed watermarking and protection mechanisms. Well, when a group of researchers at Princeton University broke all of the protections and then tried to publish their results, SDMI threatened to have them arrested under the DMCA. I'm not making this up.
I'm beginning to rant and foam at the mouth, so here's the bottom line - The DMCA doesn't protect anything other than bad programming. It threatens software users by making it illegal to expose faulty products. It forces us, under penalty of law, to pretend our data is secure.
By having the Russian programmer arrested Adobe has sent the message that it's marketing is more important than good software.