Slashdot Mirror


The Case For Full Disclosure In The Linux Changelog

titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil security changes in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.

4 of 234 comments

  1. Re:DMCA? by mocm · · Score: 5, Informative

    Of course, it is a content protection system. The file permissions protect the content of certain files to be read by certain users.
    So if you have a copyright protected file on your Linux server and only members of the animator group have permission to access it and then some guest or visitor has an account on that server and uses the information in the kernel changelog to get to that file, copy it and distribute it on the net, you have a copyright violation case with the breaking of a content protection system covered under the DMCA.
    And guess whose fault it was for publishing the information in the changelog.
    Next time Alan Cox comes to the US, he is arrested and prosecuted under the DMCA.

    As ridiculous as the example is, it is possible.

    --
    ***Quis custodiet ipsos custodes***
  2. Oh Enough of this already... by GC · · Score: 5, Informative

    This is only being restricted to the US. The rest of us all have this information.

    If you really want to see it, click here:

    kernel-2.2.20.log

    kernel-2.2.20pre11.log

    I'm sure Alan knows that people will do this, he'd probably rather stay away from it and make the moral point to US law. Ironic since in an earlier post in another topic the US-posters were praising their First Amendment.

  3. Re:And who exactly.... by RickHunter · · Score: 5, Informative

    I believe the suggested exchange would go something like this:

    • L33T H4X0R H finds Linux vulnerability mentioned in kernel changelog.
    • Knowing that many sites do not keep their kernels up-to-date for a variety of reasons, H creates an exploit for said vulnerability.
    • Big Company R has their servers broken into by H, and valuable "intellectual property" is stolen, including copyrighted materials and trade secrets.
    • Big Company R consults with its Lawyers.
    • Big Company R concludes that H is going to be too expensive to track down. The Lawyers, however, have a different target. The Linux changelog was a crucial component in a circumvention device intended to breach protections on R's valuable "intellectual property"!
    • Kernel Hacker A, who happens to be responsible for writing changelogs, visits America on a routine business trip.
    • Federal forces waiting for A grab him, throw him in jail, and leave him there for several months before trying him, convicting him under the DMCA, and leaving him there for several years.

    Now, while you may be eager to spend several years in Jail, Mr. Cox is not.

  4. Alan Cox - defender of freedom in America by alienmole · · Score: 5, Informative

    The DMCA is a U.S. law. Dmitri Sklyarov was arrested while breaking the DMCA on U.S. soil.

    Not a law student, I take it. If Alan makes information available across the Internet to Americans, that violates a US law, Alan has violated US law and can be arrested when he enters the country. To take a less ephemeral example, imagine if a Colombian mails you a package of cocaine and puts his name and return address on the package. You don't think he could be arrested on entry to the US? By your logic, Osama bin Laden could not be arrested if he flew into JFK tomorrow, because he has never personally committed a crime on US soil.

    The federal government does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention.

    Do you think Sklyarov knew that his "victims" had filed a complaint against him, before he was arrested? How is Alan going to know when it is or isn't safe to travel to the US? Tivo might decide to bring a complaint because Alan has enabled people to more easily crack their boxes, for example. Linux has far wider scope, and many more applications, than anything Sklyarov ever did.

    This business of having draconian laws which are enforced at the authorities' discretion is very dangerous. It restricts freedom in all sorts of ways, and often results in people restricting their own freedoms, and those of others - as Alan has done - in order to "play it safe". Laws like this take away basic freedoms in an insidious, indirect way that would never be possible if done directly.

    If you're saying that you support the DMCA as written, then I suppose we have a totally different argument which we haven't even begun to address. But if you don't support the DMCA, you should respect Alan Cox's right to respond to it.

    Alan Cox is doing more for freedom in America than you have ever done. Think about that the next time you criticize.