Slashdot Mirror


The Case For Full Disclosure In The Linux Changelog

titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil security changes in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.

7 of 234 comments

  1. Re:DMCA? by mocm · Score: 5, Informative

    Of course, it is a content protection system. The file permissions protect the content of certain files from being read by certain users.
    So if you have a copyright protected file on your Linux server and only members of the animator group have permission to access it, and then some guest or visitor has an account on that server and uses the information in the kernel changelog to get to that file, copy it and distribute it on the net, you have a copyright violation case with the breaking of a content protection system covered under the DMCA.
    And guess whose fault it was for publishing the information in the changelog.
    Next time Alan Cox comes to the US, he is arrested and prosecuted under the DMCA.

    As ridiculous as the example is, it is possible.

    --
    ***Quis custodiet ipsos custodes***
  2. Oh Enough of this already... by GC · Score: 5, Informative

    This is only being restricted to the US. The rest of us all have this information.

    If you really want to see it, click here:

    kernel-2.2.20.log

    kernel-2.2.20pre11.log

    I'm sure Alan knows that people will do this, he'd probably rather stay away from it and make the moral point to US law. Ironic since in an earlier post in another topic the US-posters were praising their First Amendment.

  3. Re:This mean that Linux devs and Microsoft agree.. by Florian+Weimer · Score: 4, Informative

    Does this mean that Linux devs and Microsoft agree that full disclosure is bad?
    No, Alan's decision simply reflects that full disclosure is already illegal in the U.S. under some circumstances. That's why I think it's very unfair to call Alan's behavior "self-censorship". In fact, it's censorship by the government. I find it hard to believe that publishing ChangeLogs of your own software can conflict with DMCA requirements, but apparently, Alan consulted a lawyer and he told him that it did.

    Whether full disclosure is good or bad in general is a completely different question and not much related to the question whether it is legal or illegal in the U.S. now.

  4. Re:And who exactly.... by RickHunter · Score: 5, Informative

    I believe the suggested exchange would go something like this:

    • L33T H4X0R H finds Linux vulnerability mentioned in kernel changelog.
    • Knowing that many sites do not keep their kernels up-to-date for a variety of reasons, H creates an exploit for said vulnerability.
    • Big Company R has their servers broken into by H, and valuable "intellectual property" is stolen, including copyrighted materials and trade secrets.
    • Big Company R consults with its Lawyers.
    • Big Company R concludes that H is going to be too expensive to track down. The Lawyers, however, have a different target. The Linux changelog was a crucial component in a circumvention device intended to breach protections on R's valuable "intellectual property"!
    • Kernel Hacker A, who happens to be responsible for writing changelogs, visits America on a routine business trip.
    • Federal forces waiting for A grab him, throw him in jail, and leave him there for several months before trying him, convicting him under the DMCA, and leaving him there for several years.

    Now, while you may be eager to spend several years in Jail, Mr. Cox is not.

  5. AC interview on Newsforge, linked on Linuxtoday by Anonymous Coward · Score: 4, Informative

    OK people, the Linux community has a great news article summary site called Linuxtoday.

    Point being, a couple of days ago there was an article linked there to Newsforge with an interview with Alan Cox about his views on the DMCA and these changelogs.

    For the lazy, the essential point is that AC has gotten legal advice that he very well could be charged in the US for posting the vulnerabilities based on an interpretation of the DMCA, but that no "sane" US court would convict him. However, he does not want to spend 6 months in the US to go through the process.

    So, basically, he's making a political point about stupid laws. He's welcome to if that's what he wants. As others have said, it's not like most people interested in kernel changes can't use diff.

    Glenn

  6. Re:And who exactly.... by pbryan · Score: 4, Informative

    The DMCA cannot only be applied in civil litigation; it can also be applied in a criminal prosecution. Case in point: Dmitry Sklyarov.

    Dmitry was arrested by the FBI based on a "tip" they received from Adobe. Adobe withdrew their complaint, but that didn't stop the FBI. The FBI concluded that criminal law was being violated, and that Dmitry should be prosecuted.

    If all it takes is one relatively credible tipster to cause the arrest of Cox for violating the DMCA, then Cox's actions seem perfectly reasonable. If he were to visit the United States, he'd like to go home when he's done.

    --

    My car gets 40 rods to the hogshead, and that's the way I likes it!

  7. Alan Cox - defender of freedom in America by alienmole · Score: 5, Informative

    The DMCA is a U.S. law. Dmitri Skylarov was arrested while breaking the DMCA on U.S. soil.

    Not a law student, I take it. If Alan makes information available across the Internet to Americans, that violates a US law, Alan has violated US law and can be arrested when he enters the country. To take a less ephemeral example, imagine if a Colombian mails you a package of cocaine and puts his name and return address on the package. You don't think he could be arrested on entry to the US? By your logic, Osama bin Laden could not be arrested if he flew into JFK tomorrow, because he has never personally committed a crime on US soil.

    The federal government does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention.

    Do you think Sklyarov knew that his "victims" had filed a complaint against him, before he was arrested? How is Alan going to know when it is or isn't safe to travel to the US? Tivo might decide to bring a complaint because Alan has enabled people to more easily crack their boxes, for example. Linux has far wider scope, and many more applications, than anything Sklyarov ever did.

    This business of having draconian laws which are enforced at the authorities' discretion is very dangerous. It restricts freedom in all sorts of ways, and often results in people restricting their own freedoms, and those of others - as Alan has done - in order to "play it safe". Laws like this take away basic freedoms in an insidious, indirect way that would never be possible if done directly.

    If you're saying that you support the DMCA as written, then I suppose we have a totally different argument which we haven't even begun to address. But if you don't support the DMCA, you should respect Alan Cox's right to respond to it.

    Alan Cox is doing more for freedom in America than you have ever done. Think about that the next time you criticize.