"There is one safeguard which is an advantage and security to all,
but especially to democracies as against despots. What is it? Distrust." - Demosthenes
     
    - Jul 19th, '01


    DMCA Sucks Ass

    Some background - A Russian programmer gave a talk at the DEFCON computer security conference this month on some gaping security holes he had found in Adobe Corp's eBook product. During the presentation he showed exactly how to break Adobe's encoding for the eBook files.

    Adobe called the FBI and had him arrested for violating the DMCA.

    There are three reasons why what he did is both reasonable and, in my opinion, vital. 1) The eBook product violates laws that require software to allow a user to create usable backups. 2) Researching and exposing security and privacy flaws in software protects all of us. 3) Adobe marketing is giving authors a wildly false expectation that their product is secure.

    Did he break the law? Yes. But the law is so wrong that I feel it should be broken on a regular basis. It was once illegal for women to vote. It's still illegal in some places to have anal sex. In this context, the DMCA is just as silly and even more dangerous.

    Okay, enough background, what's my point?

    Hackers play a vital role in the evolution of computer software by exposing the dangers inherent in bad software. Before the DEFCON convention there was a flaw in the way I had built this site that would have allowed anyone to take over the homepage, write anything they wanted there, change every post I'd ever written, and delete most of the database. Ouch!

    But thanks to the hackers who spoke at the conference, I learned about the vulnerability and fixed the problem. Without them poking at the security holes in HTML and Javascript I never would have found out about this and eventually someone malicious would have hosed my whole site.

    This is the same thing that the Russian programmer was doing. Adobe built a faulty product. The programmer pointed that out. And Adobe told the FBI to arrest him.

    Here's an analogy - Let's pick on Ford. The DMCA says that I'm not allowed to talk about faulty security in software. Kind of like if I buy a Ford car and find out that if I tap on the hood in a certain way, all the doors will unlock. Obviously everyone who owns a Ford should know that they need to get this fixed. And we'd expect that Ford would bend over backward to contact owners and fix the problem on Ford's dime (stop snickering Patti). And we know they'd try and make things right because they released a faulty product and would be financially liable for the consequences.

    But the DMCA turns this common sense notion on its head. Even telling people that there is a problem is a crime. The law takes away your free speech rights in order to make life easier for software companies. Adobe doesn't have to worry as much about releasing faulty software because it's now illegal to research or discuss faults.

    Let's take a look at what the programmer is being arrested for. In fact let's just break the same law he did and see how silly it is. Here, watch closely.

    Some eBooks use ROT13 encoding to ensure that the content will only be seen by people who have paid for it. But ROT13 is ridiculously weak encoding. If I gave my mother (a retired Home Economics teacher with no computer background) a sheet of text which had been ROT13'ed, I'll bet money she could decode it in under 15 minutes. Especially since the technical sounding "ROT13 encoding" is simply rotating the letters of the alphabet around 13 places. It's like a freakin' plastic decoder ring!

    There, I just violated the DMCA. Does this make sense to anyone?

    Instead of just saying nasty things about the programmer and then fixing the problem, Adobe is attempting to shut down all future criticism by showing the world what it will do to people who question their security. In effect, programmers don't write better software - lawyers do. Why spend the extra money to ensure security and privacy when it's easier to arrest a couple people and pretend that the problem doesn't exist?

    And that's exactly what Adobe wants - to pretend that by arresting the white-hat hackers, the black-hat hackers will somehow magically disappear.

    Fine. Whatever. But you don't have an eBook, so why is this important to you? Because it's not just eBooks, it's your Quicken tax software, your bank's online banking, the medical records your doctor has, and on and on. Bad people are out there trying to break, steal, or scribble on anything they can. Without people willing to do the work to find and expose these vulnerabilities we are all forced to trust our security to programmers who are underpaid and working under ridiculous deadlines.

    Adobe wants us to accept, under threat of federal law, that their security is fine. They want us to pretend that malicious hackers will stop attacking us if we arrest a few people doing legitimate research.

    Oh! What am I talking about there? Researchers can be arrested? That can't be right. But in fact, the DMCA can be used to shut down encryption research. Here's more silliness. SDMI put out a challenge to hackers to try to break their proposed watermarking and protection mechanisms. Well, when a group of researchers at Princeton University broke all of the protections and then tried to publish their results, SDMI threatened to have them arrested under the DMCA. I'm not making this up.

    I'm beginning to rant and foam at the mouth, so here's the bottom line - The DMCA doesn't protect anything other than bad programming. It threatens software users by making it illegal to expose faulty products. It forces us, under penalty of law, to pretend our data is secure.

    By having the Russian programmer arrested Adobe has sent the message that its marketing is more important than good software.

    23 Comments


    Comments:

    Don't forget your chicken soup :)....Hope you feel better soon.... By the way...what's gonna happen to that Russian dude? Is he really gonna have to go to prison just for revealing a problem? How sad if it's true....
    Posted by Valerie at 7:41 AM EST on Jul 19th, '01

    To some degree, Mr. Sklyarov's fate is in Adobe's hands. There is building backlash (you go, Jon) against not only DMCA, but against Adobe's fascist application of it. Their actions were anti-consumer, which wasn't very smart considering that Adobe has a remarkably well educated clientele. The harsher reality is this; Adobe can plead leniency on Sklyarov's behalf, but the legal machinery is already in motion. There will be a prosecution and conviction (or hopefully a plea bargain). It's up to the ignorance or understanding of a Federal court judge. Since I have a growing belief that Fed judges are only ruled by the emotional political wind blowing around them any more, it is absolutely important that EVERYBODY who knows what's going on here make as much noise as possible.
    Posted by Wulfgar! at 8:26 AM EST on Jul 19th, '01

    He's being held without bail in federal custody. The only way to fix the problem is to get the DMCA thrown out and replaced with something that works in the real world instead of just on the floor of the congress. Here's the Powerpoint presentation of the talk that got the programmer arrested. If you were to make this information available to people all over the world, you'd be violating the DMCA. I wasn't at this particular talk, but after going through the slides I can easily imagine everyone laughing hysterically at the ridiculously bad security Adobe is trying to protect. It's not just bad. It's silly. Especially when bracketed by Adobe's own marketing claims about how secure the product is.

    Don't know much about what you are talking about, but remember a few things. Arrest does not mean much. Charges can be dropped. Civil rights times and Viet Nam protests produced 100,000s of arrests. Few people ever went to jail. Charges dropped!! Corporations go to the cops, cops arrest, charges dropped. However, this guy may need a GOOD lawyer. Russian in this country!! Those that invited him may be the most liable. Legal foundations are murky in this case, I'll bet.

    Any reasonably intelligent lawyer could get this guy off. That being said, he may not get a reasonably intelligent lawyer.

    I'm not so sure he'll be able to get off easily. The DMCA was pretty much written specifically to act in this exact manner. It would have to be declared unconstitutional for him to get off. And I think it's already been upheld once. On top of that Adobe is known for the way it loves to make examples of people. They won't back down. I'm sure they helped write the DMCA in the first place.

    It actually doesn't have to be found unconstitutional, if his lawyers can A) prove that he acted in good faith with no expectation of reward and get jury nullification rolling (since, despite everyone's best efforts to pretend otherwise, that is perfectly legal) or B) that the DMCA contradicts other laws which preceded it. I don't know if there are any such laws, but I'd bet a good lawyer with a good paralegal could find one.



