Fallout From Def Con: Ebook Hacker Arrested by FBI

Richard and many other people sent in news about Dmitry Sklyarov, a programmer at Russian software company Elcomsoft, who was arrested after giving a talk at Def Con 9 in Las Vegas titled "eBook Security: Theory and Practice." Elcomsoft publishes a program to remove restrictions from encrypted PDF files, which has severely annoyed Adobe Corporation. Adobe was apparently responsible for the arrest, charging that Elcomsoft is violating the Digital Millennium Copyright Act by publishing the software and giving the presentation at Def Con. (The presentation, by the way, is great - he compares the claimed features of ebook protection schemes with their actual features.) Also at Def Con 9: Hacking for Human Rights.

Re:Doesn't the DMCA specifically protect this?

then this seems like a great case for blowing the DMCA farce wide open.

It would be rather ironic if a Russian citizen would end up fighting an American law restricting his free speech.

Absolutely Incredible

[nathanh]

Some of the "security" algorithms this white-hat whistleblower has exposed are incredibly poor. Here are some samples:

• The Acrobat Signed Plugin authentication code only checks the header of the binary. So just take a non-malicious signed plugin, modify the binary after the header, and you can send out a "signed" plugin with malicious code as the payload. What a joke!
• One of the products costs $3000 and is derived from a rot13 encoder.
• Another product is claiming "100% burglar-proof" but the "encryption" is nothing more than an XOR against a single magic byte.

If I was a shareholder in any of these companies I would be demanding an investigation. This isn't just shoddy, it's an outright scam! None of these companies should be getting away with this. The customer is being ripped off, yet these shyster companies have the NERVE to use the law against the whistleblowers.

I'm disgusted.

Doesn't the DMCA specifically protect this?

[JohnnyX]

IIRC, there is a clause in the DMCA that protects encryption research specifically. As the presentation was an informational survey of eBook protection claims vs. actual abilities, I don't see how that would be something they could arrest him for.

Now the publication of a tool to circumvent the security of PDF documents, that's another story. Does anywone know which he was arrested for?

Yours truly,
Mr. X

...stupid stupid FBI...

Dear Adobe:

[CokeBear]

Dear: Adobe

Please become an Acrobat and stick your PDF up your own ass using some good Live Motion. Then see how fast you can Type on Call for you Illustrator. Then with it in you ass please go to the local Photoshop and laydown on the Page Maker untill you Indesign. At this point you will need Type Management and have no Postscript to bail yourself out.

Incredible

[augustz]

This guy showed that a bunch of "super secure" products costing $2500-$3000 were basically junk and could be instantly decrypted. This includes a HARDWARE dongle security solution. Mother of god, imagine you are the company that bought 500 of these and payed $3000 per document to encode them, only to find out that someone can open it FASTER than you on a computer WITHOUT the dongle.

Instead of being arrested, he should be given a cut of the money the goverment fines adobe and its security partners for. The REAL criminals in cases like this where the money grubbing BS is exposed are often the companies themselves.

And I can count the number of times the DMCA has been used against real criminals on the palm of my hand. Never.

Luckly, slashdot's got a bunch of folks who actually make tech decisions. Let's try and wipe out these security plugins, and make it crystal clear to Adobe that they should be spending more time improving their products rather than going after the guy who blew the whistle on their BS. Call them today, again in a week, again in a month.

USA extending its law beyond its borders

[jamesk]

Wasn't there a time when crimes needed to be committed within the sovereign territory of the country involved before someone got arrested (Terrorism, murder, et al aside). Since this person didn't crack PDFs within the USA, nor is the software sold here directly by that person (it needs to be imported), what gives the US Govenment the right to arrest him (other then it can).

There was a time when the West condemned the Communists governments for heavy-handed treatment of those who committed "economic crimes against the state", holding up the free market model as an example (including its civil courts as a resolution mechanism).

Who needs to wait for a world government -- its already here -- just open a corporation, make the right size contributions to your favourite party and you too will be "given" the right to be heard.

Mirrored copy

[MikeBabcock]

I have a copy mirrored here (in Canada).

cf. FibreSpeed

Re:DMCA = Legitimization of a Corporate Police Sta

[MikeBabcock]

But only where laws like the DMCA exist would publishing a paper on how to circumvent a copyright method be a violation in itself. That's more the point -- without the DMCA, only the actual infringing uses of this information would be illegal, not the published information itself.

For example: knowing how to make a cable TV descrambler was never illegal -- using one to get free cable was.

Re:Adobe responsible for the arrest?

[antibryce]

could we please clarify what government agency actually made the arrest and on what basis?

My guess is Adobe contacted the FBI, told them what the guy did, and had their lawyers politely explain to the Feds how that violates the DMCA. Now if I were to contact the FBI and demand they arrest the guy who DDoS'd my DSL line a few months ago (I do know who it is, and have ample evidence) they'd laugh at me.

Government for the corporations, by the corporations, and of the corporations.

c.

Not to mention consumer protection...

[iconnor]

This has highlighted some false claims made by a company in marketing. Does this mean that next time someone claims their software is secure, it is illegal to prove it is not?
What about consumer protection laws - this is misleading conduct on the behalf of the companies involved.

Re:BTW

[ichimunki]

Editor's Note [from the article]: (17 July 2001 0100 PDST) Vladimir Katalov has informed Planet eBook that Dmitry Sklyarov, author of the "Advanced eBook Processor", was in fact arrested, and that he is being held in a Las Vegas prison waiting for subsequent judgement in California.

Under normal circumstances the authorities cannot detain citizens without arresting them, since doing so is paramount to an arrest. However, this case involves a non-citizen being barred from boarding a plane at an airport, and his detention was merely a temporary condition prior to his arrest.

Re:Entrapment?

[ichimunki]

NO. They should have arrested him in the middle of the presentation for maximum effect, and yes they can warn him but are under no burden to do so. However, it is unlikely that they were even present at the conference (in this capacity)-- and even if they were, maybe once they saw this complex and new "crime" being committed they felt they should wait for the okay from their own FBI lawyers (rather than the Adobe jackals) before proceeding.

The crime here is not cracking the "protection" but sharing the method used to perform the crack. While it is not a crime to describe in detail how to kill someone (if you do it without being inciteful), how to manufacture drugs, how to build a bomb, how to cheat on your wife, how to molest children, it is a crime to discuss methods of cracking anti-consumer "protections" on copyright restricted materials on digital media. This Russian guy broke that blatantly illegal law on US soil (using information he obtained at home in Russia where he may not have been violating any laws). Ergo, he gets arrested.

To quote Bulldog, "This sucks. This is total BS."

Tell Adobe

[rabtech]

Don't just lament how wrong this is. TELL Adobe what you think of them and their actions. But PLEASE, be polite. Messages like "j00 suX0r Adobe!" get thrown in the PLOINK-bin faster than you can blink, and without a second thought. But a well-written message detailing why you are not happy with them, and what they can do about it, would be most helpful. Here are some PR contacts at adobe:

jcristof@adobe.com
dstyerwa@adobe.com
lvacante@adobe.com
ablatchf@adobe.com
skrueger@adobe.com
gbabbit@adobe.com
wsaso@adobe.com

Don't forget to give them a ring on the tele:
(408) 536-6000

And lastly, we have the executive's email addys (I think. I have not verified these addresses, so they may not work. The ones above will for sure though.)

jwarnock@adobe.com
cgeschke@adobe.com
bchizen@adobe.com
snarayen@adobe.com
mdemo@adobe.com
gfreeman@adobe.com
cpouliot@adobe.com
jstephens@adobe.com
ttownsley@adobe.com
mdyrdahl@adobe.com
blamkin@adobe.com

Go out there and tell them! Corporations are run by people, just like us. Sometimes those people do very stupid things and need correction; that is what I plan to do, and everyone who reads this message should do the same.
-- russ

Re:Tell Adobe

[rabtech]

OK, here is a short but sweet form letter:

==

Dear Sir/Madam:

I am writing today to express my displeasure concerning the way Adobe has conducted itself in regards to Dmitry Sklyarov and Elcomsoft. It would seem that, rather than thanking Mr. Sklyarov for exposing serious flaws in your products, and then correcting them, you have chosen to persue a course of litigation and intimidation via the misuse of law enforcement.

I believe that copyright holders must have methods to secure their works. But as is obvious thanks to Elcomsoft's work, the protection afforded by Adobe's eBook products is easily overcome. There is no doubt that THOUSANDS of people have been taking advantage of this, silently, and thus ripping off legitimate copyright holders. Elcomsoft has only vocalized what was already occuring.

As an Adobe customer, here is what I want: The persuit of better products, and not more litigation. We have enough of that already. I fear one day that my children may be imprisioned for pointing out flaws in corporate products, or for engaging in legitimate research of code and computer products. Perhaps, if you have children, they will be too. So I urge Adobe to "back off" as it were and refocus the money that would have been spent on lawyers into developing a more secure and better eBook system.

Thank-you for your time, and I look forward to yout reply!
-- [INSERT NAME]

==

Happy now? You lazy people :)
-- russ

Hit them where it hurts--stock price

[acceleriter]

We need to hop on the Fool and other stock boards and articulately discuss the fact (to which Adobe surely will have to attest) that this guy did irreperable damage to Adobe's potential revenue stream by releasing this technology. Be sure to explain that despite his arrest, the code is out there, and like DeCSS, is sure to be copied and mirrored widely. Perhaps the publicity associated with having had one's product cracked lowering one's stock price will deter others from having researchers arrested.

While I don't advocate and don't intend to cause harm to anyone's person or Adobe's physical plant, I would shed no tears if Adobe's HQ burned to the ground, preferably with the decision-maker responsible for this inside.

If tables were reversed?

[Arakonfap]

What would the U.S. do if Germany arrested an american citizen on vacation for previously selling Nazi related materials over the internet?

I don't think that would go over well. Can anyone explain a difference to me? Or would the U.S. accept this arrest without problem?

Mod parent up!

[hivolt]

I've done my duty and emailed Adobe politely about this abuse of a bad law. Perhaps at the next DefCon, presentations on how to circumvent this Adobe flaw will be distributed to the public as encrypted PDF's, so that DCMA supporters will not have access to content they find objectionable.