April 20, 2014

avatar

Pro-Tinkering Speech from White House Cybersecurity Czar

Richard Clarke, the White House cybersecurity czar, in a speech today at the Black Hat conference, called for legal protection for tinkering by security researchers.

According to an Associated Press article by D. Ian Hopper, Clarke “encouraged the nation’s top computer security professionals and hackers Wednesday to try to break computer programs, but said they might need protection from the legal wrath of software makers.” The article also quotes Clarke as saying that security researchers “have an obligation to find the vulnerabilities.”

This is just common sense. Still, it’s refreshing to hear that somebody in official Washington understands the value of tinkering and open debate about technology.

avatar

Vaidhyanathan: Copyright as Cudgel

Nice article on copyright abuses by Siva Vaidyanathan in the latest Chronicle of Higher Education. The Chronicle is read mostly by professors, so the article talks at length about the harm to scholarship caused by the recent copyright expansion.

Vaidhyanthan identifies two common arguments used by those opposed to copyright expansion. The first, which he calls commons talk promotes the value of the ever-shrinking public domain. The second (unnamed) strategy is to enlist public support by pointing out how routine and accepted activities of Joe Public, such as backups and party mixes, are endangered.

As the scope of “intellectual property” continues to expand, I think we’ll see a third argument, based on collateral damage. The idea is that new laws, while apparently intended to protect the flank of copyright by giving copyright holders or technology makers new powers to restrict their competitors’ activities, will increasingly choke off beneficial and clearly-legal innovations.

avatar

Berman-Coble Bill: Green Light for Cyber-Attacks

In the current climate of concern about cyber-attacks, it’s astonishing that Congress is considering a bill that would legalize a wide range of cyber-attacks – yet that is just what the proposed Berman-Coble bill would do.

The bill allows the owner of a copyright to interfere with the computer or network of anybody who is thought to be using the copyrighted material without authorization. The bill allows any attack, so long as it does not mess with any files on the victim’s computer (other than copyrighted ones). For example, they can cut off your network connection, or even crash your computer.

I am not totally opposed to the idea of self-help for parties whose legal rights are being violated. But this bill goes way, way too far. For example, the bill allows attacks on anybody making “unauthorized” use of a work, even if that use is legal. (Under copyright law, if you own a legimate copy of a work, there are certain things you can do with that work whether the copyright holder likes it or not; so a use can be unauthorized but still legal) And the bill doesn’t do much to hold the attackers accountable for any collateral damage they cause.

Text of the proposed bill is available at http://www.politechbot.com/docs/berman.coble.p2p.final.072502.pdf

avatar

Australian DMCA Does Not Prohibit Mod Chips

An Australian judge has ruled that the Australian version of the DMCA does not apply to the sale of “mod chips” for Sony PlayStation game consoles.

Technological background: Sony PlayStation is a game console that plugs into the back of a TV. PlayStation games come on a compact disk that is plugged into a CD drive on the PlayStation console. The disk contains a kind of authentication code that can be verified by the console, and the console refuses to play games that lack the authentication code. The “mod chips” sold and installed by Mr. Stevens change the console so that it will accept CDs that lack the authentication code.

I read the judge’s ruling as saying that under Australian law, mechanisms that merely authenticate content, as opposed to preventing it from being copied or from being accessed on standard CD drives, are not really copy control devices, and thus the Australian DMCA does not apply to them. Under the judge’s reasoning, a scheme that encrypted the CD’s contents (as opposed to merely authenticating them) would be covered. So this decision appears to be of limited application.

Laws like this are often vague about what they cover and what they don’t. I suspect that this vagueness reflects the drafters’ confusion about what they were trying to do. (Sometimes vaguely worded statutes reflect an artful compromise between legislative factions, but I don’t think that’s the case here.)

avatar

Edelman, ACLU File Anti-DMCA Suit

Ben Edelman, a soon-to-be law student at Harvard, has filed, with help from the ACLU, a lawsuit challenging restrictions on his right to disassemble and study a Web censorware product from a company called N2H2. The suit challenges the validity of an anti-tinkering clause in N2H2′s license agreement, and of the DMCA provisions that apply to Edelman’s proposed research. The complaint filed by Edelman and the ACLU is light on technical details about N2H2′s product.

Edelman says he wants to tinker with N2H2′s product, in order to determine the list of Web sites that it blocks, and to create and distribute a software tool that lets others extract the list (in case the list changes).

It looks like the main event will be the challenge to the license agreement, with the DMCA issues more remote and hence less likely to be ruled upon by the court. It seems to me that if the Court upholds the validity of the license provisions, then the DMCA issue is moot. And the DMCA’s prohibition on acts of circumvention doesn’t apply, because there is an exception that protects efforts to extract the blocking lists of censorware products. That exception doesn’t apply to the dissemination of technologies for extracting blocked-site lists, so Edelman’s distribution of his proposed list-extraction tool would appear to be prohibited by the DMCA.

avatar

Princeton Accused of “Hacking” Yale

[This is slightly off-topic, but as a Princeton person I have gotten lots of questions about this incident.]

Somebody in Princeton’s admissions office, probably an associate dean of admissions, apparently accessed without authorization a Web site that Yale set up for people who had applied for admission to Yale. Yale says that 11 students’ records were accessed, on 18 occasions. Princeton admits that the accesses occurred, and has suspended the associate dean in question pending an investigation. The FBI is sniffing around.

I don’t have any direct knowledge of the relevant facts, so I’ll just assume for now that the press reports are accurate.

Three comments are in order. First, Yale was pretty irresponsible to put applicants’ private information on the Web with only the applicant’s social security number and birthdate as “passwords.” It’s no secret that it is easy to learn anybody’s SSN and birthdate, so Yale’s scheme left the applicants’ information open to almost any unscrupulous person. According to today’s Washington Post, the Yale site was designed and built by a Yale junior. I wonder how much adult supervision he had. (Of course, none of this can excuse the improper accesses that Princeton people, or anybody else, might have made to the site.)

Second, the Princeton admissions person who apparently made the accesses told the press that he was just trying to verify the insecurity of the Yale system. Whether the facts (e.g. the pattern of accesses) are consistent with this excuse remains to be seen. In any case, it’s an utterly lame excuse, as one could have verified the insecurity of the site without breaching it. This excuse was Slate’s Whopper of the Week.

Finally, this case illustrates one of the differences between computer intrusions and tinkering. An intrusion like this is wrong not because somebody disapproves of it, and not because somebody gains an advantage by doing it, but because it involves an unauthorized access to a system that belongs to somebody else. People often apply the same kind of rhetoric (i.e. “hacking”) to cases of tinkering, where the purported crime is to “break in” to one’s own property.