The Case For Full Disclosure In The Linux Changelog
titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil security changes in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.
Dude. One of the worst aspects of the DMCA is that it makes violation a federal crime. No lawsuit is required.
Of course, it is a content protection system. The file permissions protect the content of certain files so that it can only be read by certain users.
So if you have a copyright protected file on your Linux server and only members of the animator group have permission to access it, and then some guest or visitor has an account on that server and uses the information in the kernel changelog to get to that file, copy it and distribute it on the net, you have a copyright violation case with the breaking of a content protection system covered under the DMCA.
And guess whose fault it was for publishing the information in the changelog.
Next time Alan Cox comes to the US, he is arrested and prosecuted under the DMCA.
As ridiculous as the example is, it is possible.
***Quis custodiet ipsos custodes***
This is only being restricted to the US. The rest of us all have this information.
If you really want to see it, click here:
kernel-2.2.20.log
kernel-2.2.20pre11.log
I'm sure Alan knows that people will do this, he'd probably rather stay away from it and make the moral point to US law. Ironic since in an earlier post in another topic the US-posters were praising their First Amendment.
There are problems with this line of reasoning, as I will attempt to describe.
Yes, we could all just diff the code, and we could even set up a secondary website(s) to discuss the impact of the changes we find. However, this is a very inefficient mode of operation when it comes to something as critical as security.
Your comment about "helping the script kiddies" is disturbing in that it sounds way too close to Microsoft's "plea to the security community". That's just no good; I want to see the full details of other peoples' reasoning on these things so I'll be better able to intelligently digest and evaluate the information myself. I'm not an outstanding C coder (although I do a lot of Perl and C), so I could easily miss important things.
The other trouble with this is that since this deals with open source software, the "user" has the immediate option of contributing in a meaningful way to the project. Unlike traditional "closed source" models, the average user (at least currently) of high security impact open source software is likely to have a few more than average clues on security topics.
If you make it harder for these people (read: us) to get at the requisite information, you're not only putting security at risk; you're also defeating a large part of the open source / free software philosophy. Nowhere in the GPL or any other similar license that I'm aware of does it say that changelogs are subject to geographic censorship. Now, IANAL, but I also don't think the DMCA really has anything to do with this, from my following of other threads here related to all that mess.
Just my thoughts, nothing more. Thank you.
Whether full disclosure is good or bad in general is a completely different question and not much related to the question whether it is legal or illegal in the U.S. now.
Remember, the DMCA covers encryption on copyrighted works.
People keep repeating this, where does it come from? The DMCA is not specifically about encryption. It is about technological measures that effectively control access to copyrighted works. Based on court cases so far we can safely say that encryption appears to count as one such technological measure, but that doesn't suddenly mean that it's the only measure. If it was meant to apply specifically to encryption then I think the language used would be very different.
Linux is technological, even if you don't like the particular technology. Linux is used to control access to copyrighted works, including text files, programs, music, graphics, whatever. It isn't difficult to conclude that the security measures in Linux are technological measures that effectively control access to copyrighted works.
That doesn't mean I'm convinced that posting this particular information would be contrary to the DMCA, I'm really not sure, but that has nothing to do with whether or not encryption is involved, which is a complete red herring.
I believe the suggested exchange would go something like this:
Now, while you may be eager to spend several years in jail, Mr. Cox is not.
Point being, a couple of days ago there was an article linked there to Newsforge with an interview with Alan Cox about his views on the DMCA and these changelogs.
For the lazy, the essential point is that AC has gotten legal advice that he very well could be charged in the US for posting the vulnerabilities based on an interpretation of the DMCA, but that no "sane" US court would convict him. However, he does not want to spend 6 months in the US to go through the process.
So, basically, he's making a political point about stupid laws. He's welcome to if that's what he wants. As others have said, it's not like most people interested in kernel changes can't use diff.
Glenn
The DMCA cannot only be applied in civil litigation; it can also be applied in a criminal prosecution. Case in point: Dmitry Sklyarov.
Dmitry was arrested by the FBI based on a "tip" they received from Adobe. Adobe withdrew their complaint, but that didn't stop the FBI. The FBI concluded that criminal law was being violated, and that Dmitry should be prosecuted.
If all it takes is one relatively credible tipster to cause the arrest of Cox for violating the DMCA, then Cox's actions seem perfectly reasonable. If he were to visit the United States, he'd like to go home when he's done.
My car gets 40 rods to the hogshead, and that's the way I likes it!
Not a law student, I take it. If Alan makes information available across the Internet to Americans, that violates a US law, Alan has violated US law and can be arrested when he enters the country. To take a less ephemeral example, imagine if a Colombian mails you a package of cocaine and puts his name and return address on the package. You don't think he could be arrested on entry to the US? By your logic, Osama bin Laden could not be arrested if he flew into JFK tomorrow, because he has never personally committed a crime on US soil.
The federal government does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention.
Do you think Sklyarov knew that his "victims" had filed a complaint against him, before he was arrested? How is Alan going to know when it is or isn't safe to travel to the US? Tivo might decide to bring a complaint because Alan has enabled people to more easily crack their boxes, for example. Linux has far wider scope, and many more applications, than anything Sklyarov ever did.
This business of having draconian laws which are enforced at the authorities' discretion is very dangerous. It restricts freedom in all sorts of ways, and often results in people restricting their own freedoms, and those of others - as Alan has done - in order to "play it safe". Laws like this take away basic freedoms in an insidious, indirect way that would never be possible if done directly.
If you're saying that you support the DMCA as written, then I suppose we have a totally different argument which we haven't even begun to address. But if you don't support the DMCA, you should respect Alan Cox's right to respond to it.
Alan Cox is doing more for freedom in America than you have ever done. Think about that the next time you criticize.