DMCA Forces Cox To Censor Changelog?

Ross Vandegrift writes: "Alan Cox released 2.2.20pre10 today, which includes security fixes. He is refusing to indicate what security holes have been fixed, as Unix-style permissions could be used as an anti-circumvention device. The thread starts here. " It'd be great if people could read the threads here and try to figure out what is going on. I'm a little lost, but it looks like he's being overzealous.

Overzealous, eh?

[Satai]

Hey, remember that time Felten wrote a paper and couldn't release it cuz it was a circumvention device?

Or that time I wanted to play DVDs in Linux and couldn't because I needed a circumvention device?

Or when some Russian dude got locked up away from his family because he wanted to let blind people use eBooks?

Overzealous my ass. This is a problem and we need to take a stand, whether it's "reasonable" or not. People need to understand what is at stake - and what better way to help that process than by showing them?

just making a point

[lophophore]

It seems to me that Alan is just trying to make a point about how ridiculous the DMCA is in this case by taking this relatively extreme position how the DMCA throws a wet blanket onto legitimate security discussions.

he's just trying to "make a point"

[jlv]

Here's his key points in the thread (and the points that he was responding to)

> > 2.2.20pre11
> > o Security fixes
> > | Details censored in accordance with the US DMCA
>
> Care to elaborate?

On a list that reaches US citizens - no. File permissions and userids may
constitute and be used for rights management.

> Are you saying that we can't divulge security problems in our own software
> anymore for fear of being sued by affected parties?

Not even affected parties - the government can do it too without anyone else
and indeed even if their are contractual agreements between parties
permitting the data to be released..

I hope to have the security stuff up on a non US citizen accessible site in
time for 2.2.20 final

> Putting pressure on US people to have them influence their
> legislation? Aka. every people have the rulers they deserve? Won't work
> out.

"Until they become conscious they will never rebel, and until after
they have rebelled they cannot become conscious."

> Seriously, are you kidding?

The current interpretation of the DMCA is as lunatic as it sounds. With luck
the Sklyarov case will see that overturned on constitutional grounds. Until
then US citizens will have to guess about security issues.

> This would then presumably lead to password protected access for US kernel
> developers that need to know? And some kind of NDA?

US kernel developers cannot be told. Period.

> 'IANAL', and neither are you, are you sure this sillyness is necessary?

Its based directly on legal opinion.

I stopped reading at this point.

too late

[jayhawk88]

It'd be great if people could read the threads here and try to figure out what is going on.

Unfortunately, it looks like the site might already be hosed. How about if we just speculate wildly, make irrational calls-to-action that will never commence, throw in a few anti-government rants, and top it all off with a good old fashion linux/bsd flamewar?

You know, the usual.

Cox successful: Senator Fritz Hollings recants!

[hoggoth]

In related news today Senator Fritz Hollings, author of the SSSCA proposal, recanted stating:
"I just downloaded the latest 2.2.20pre10 and found censored changelogs! This will seriously impact my l33t hax0r activities. I finally see how my SSSSCA proposal will impact freedom. I am official withdrawing my proposal effective immeditely."

Apparently Alan Cox's plan to publicly demonstrate the absurdity of the DCMA and SSSCA in a place that would hit congress where it hurts has paid off.

Thefreeworld.net Re:Overzealous, eh?

[Rik+van+Riel]

Indeed, the US outlawing something is one thing. That's their business, if it turns out to hurt them too much they can always revert the law. It's a democratic country, isn't it ?

OTOH, the US outlawing something shouldn't mean that all these good things are suddenly no longer available to the rest of the world. We need a place to publish the things which are outlawed in the US, without getting prosecuted for publishing these things to the US.

Such a site has been started (well, not quite, but we're busy getting it up and running) and we hope there will soon be a place to publish crypto research, security information and other useful tools which are not allowed in the US. The only small gotcha is that in order to publish it legally, some kind of access controll will have to be put in place so US citizens cannot get at the archive. Unfortunate, but so be it.

The site? http://thefreeworld.net/

Re:Using the Linux community as pawns

[debrain]

But it is obvious that he is using his public role (in the kernel and in usenix) to achieve a political end: namely, the repeal of the DMCA.

Funny, I thought he was obeying the law.

Political ends are may be a side effect of that, and indeed this has all the writings of a political snub, but it's nevertheless undeniable that he would be commiting criminal acts by not making this pointed omission.

Re:Using the Linux community as pawns

[Kaa]

Alan needs to realize that, although the DMCA does have important and evil implications for the freedom to code and speak in the U.S., it would not be used against a legitimate programmer such as himself. The people who have been targeted by the DMCA have been crackers: people who defeat lame encryption schemes and distribute point-and-click software that allows the masses to pirate. Although I fully support 2600 and Dmitri in their efforts (I have been a security engineer and I appreciate the truly talented invididuals in the field), DeCSS and the PDF utility are simply not in the same class as the Linux kernel and the other software Cox has worked on. He is simply a non-target and he needs to stop pretending that the DMCA affects him.

First they came for the Communists,
and I didn't speak up,
because I wasn't a Communist.
Then they came for the Jews,
and I didn't speak up,
because I wasn't a Jew.
Then they came for the Catholics,
and I didn't speak up,
because I was a Protestant.
Then they came for me,
and by that time there was no one
left to speak up for me.

by Rev. Martin Niemoller, 1945

Re:Using the Linux community as pawns

[antientropic]

it would not be used against a legitimate programmer such as himself

While it is unlikely that Alan would be arrested for fixing security bugs in the Linux kernel, he is quite right in saying that under the letter of the law, he might be. Even if you merely can be arrested for such an activity, then the DMCA is a bad law and must be repealed, or at least modified very substantially. So Alan should be applauded for taking a stand, even if (or exactly because!) that inconveniences some people temporarily.

Civil Obedience

[Per+Abrahamsen]

Imagine a law so stupid that civil obedience becomes an efficient way to fighting it...

Re:Does DMCA apply here?

[Mr+Z]

And if you read the thread, you'll see that Alan Cox's assertion is that UNIX-style permissions can be used for digital rights managment purposes. That is, they can be used as an access control to protect copyrighted works that are covered under the DMCA. Therefore, disclosing a security vulnerability which can subvert UNIX-style permissions is equivalent to describing how to circumvent an access-control device as described under the DMCA.

I would guess that the specific DMCA clause that Alan's affected by is this one:

• (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--

  • (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

    (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

    (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

It would seem Alan's conjecture is that describing a specific vulnerability in the Linux kernel that allows subverting some aspect of Linux's permission structure (which can be used as an access control device to a protected work) constitutes "traffic[king] in any technology [...] or part thereof" that would allow someone to circumvent the access control. Under the current interpretation of the law (re: Skylarov), detailing a security weakness in a product seems to (a) constitute such trafficking, and (b) seems to fit one of the three clauses 2(A), 2(B), or 2(C) above. (Notice they're connected by an 'or', so it's is necessary to fit only one of the three to be in violation of DMCA. I'm guessing the kernel information would fit 2(A).)

I'm so proud to be an American, where at least I know I'm free[*]. :-P

--Joe

[*] For a suitably narrow definition of free.

Re:Using the Linux community as pawns

[CmdrTroll]

Then I guess the moral of the story is, "don't live in America." Think about it:

• You can be stopped, searched, and arrested anytime you're in public if a police officer doesn't like the way you look. If you're lucky, your case will get thrown out or the cop will be nice. Cops have the right to tear your car apart looking for drugs, and not pay for damage if they don't find any.
• Civil forfeiture means that if you break any of the millions of anal, petty laws in the U.S., you can lose your house, your car, or any other property you own. Watch the first 20 minutes of Traffic to see how it works.
• Software and media piracy can land you in prison for five years and subject you to up to $250,000 in fines, per violation. (Naturally this bill was signed by our Democratic friend, Bill Clinton). It's a steep penalty for something so trivial.
• "Disorderly conduct" is a catch-all crime which can be used to arrest people for a reason of the officer's choosing. Ask any minority about it and you're certain to hear a few stories.
• Many forms of sexual activity (such as oral or anal sex) are banned in several states. Most people in the country (besides the Slashdot crowd) are guilty of one or more of these offenses.
• It is widely known that most powerful politicians can trigger an IRS audit on their political enemies.
• The ATA has made it legal for authorities to detain foreign nationals indefinitely, without presenting evidence of a crime or making a formal arrest.

The DMCA is only one of the many laws which make the USA into a police state. AC's intentions are good but he's got a lot more battles in front of him before the U.S. can be considered safe from authority abuse.

-CT

Re:People! He's Joking!

[Simon+Brooke]

I don't think he's joking at all. I think he's dead serious, and I think he's absolutely right to be. European programmers can no longer travel to the United States without risking being arrested for doing things which are perfectly legal where they did them (and in 95% of the rest of the world). Until you guys get this sorted, you have to face up to the fact that the rest of us can't safely share stuff with you.

Things to realise about Alan Cox

[pubjames]

Firstly, he's a Brit. They have a sense of humour which is sometimes very subtle and is usually based on 'irony' (as in the saying something different to what you mean, rather than the more American 'Alanis Morissette' use of the word). Some Americans take ironic statements at face value, as is often seen on Slashdot.

Secondly, he's a clever guy. He's being stubborn about this to make a point. If he wasn't stubborn about it, the point wouldn't be made. He is acting correctly according to an unjust law to highlight the danger of it.

He is not being 'dumb' or deliberately annoying, he's highlighting the potential effects of a worrying development in the American legal which could have significant negative impact on all Open Source software developers.

Disgusted to be an American

[haplo21112]

I used to be proud to be a Citizen of US. But it seems everyday that the "land of the Free" becomes a little less free. This is beginning to reach insane proportions. Everyday we seem to pass more and more laws that are seemingly(to me anyway) directly in conflict with Our Constitution. Our politicans don't listen to us anymore. I am disgusted...and angry...so much so i can't even think of words to express my rage at what is being done to this great nation. Our laws were ment to protect our citizens, and ensure the right to "life, liberty and the persuit of happiness" I feel as if I have none of these lately.

--"The refuses to bend, he refuses to fall, he's always at home with his back to the wall" --Bill Joel- Angry Young Man.

Just got back from the Post Office.

[Speare]

The SSSCA, which could become DMCA's darker sibling, has even more for Alan Cox to ponder. In fact, I just finished a weekend writing a fairly long letter to my representatives, and sent it only a few moments ago, so that it may get there in time for a Senate Commerce Committee hearing on the 25th.

The full letter is at http://www.halley.cc/ed/politics/2001-10-22.conten t.control.html. I welcome comments, and the letter may be reprinted with attribution.

Re:Reason behind this.

[mpe]

And the REST of the world must suffer because some american law (which has no jurisdiction OUTSIDE america) exists?

They harrassed an Norwegian, kidnapped a Russian over this law. A good reason for the rest of the world to take notice...