Slashdot Mirror


The Case For Full Disclosure In The Linux Changelog

titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil security changes in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.

39 of 234 comments

  1. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  2. For God's sake by trilucid · · Score: 3, Insightful


    how many times does it have to be repeated: Disclose, Disclose, Disclose.

    Full disclosure is essential to the success of any project, especially where security is involved. Heck, even Suits (ornery business types) understand this: in a corporation or LLC, lack of disclosure can lead to loss of limited personal liability.

    This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.

    We depend on the proper functioning of group development and understanding in Linux. From folks who just want to keep boxes on their home DSL/cable lines secure, to others (such as myself) who are involved in web hosting businesses, the need is real for disclosure.

    This is very troubling. Surely I'm not getting the whole story here, at least I hope I'm not.

  3. I support Cox by psicE · · Score: 5, Insightful

    The United States hasn't been the land of the free since the 1960s, and the DMCA just puts us one step closer towards not having freedom of speech. If Alan Cox feels that he needs to block all Americans from seeing the Linux changelogs to make his point, so be it. It's not like he's blocking people who live in free countries from viewing the changelogs. And if the US repeals the DMCA and doesn't pass a similar law, Cox will open up the changelogs again - he believes in keeping them open but doesn't want to get arrested for it, unlike Microsoft who wants to keep them closed as a business strategy.

  4. Re:This mean that Linux devs and Microsoft agree.. by hearingaid · · Score: 5, Insightful

    You really need to follow the news more closely, as does Jon Lasser.

    Alan Cox did not release the changelogs for Linux kernel 2.20 in the United States for fear of prosecution under the DMCA.

    Cox did release the changelogs internationally, and some of us mirror the censored logs on sites accessible inside the U.S. The reason for the censoring of the logs is that they specify particular applications that can be used to exploit the kernel bug, which could well be interpreted under the DMCA as giving directions to script kiddies.

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  5. NO LAWSUIT NEEDED. DMCA = FEDERAL CRIME by Anonymous Coward · · Score: 3, Informative

    Dude. One of the worst aspects of the DMCA is that it makes violation a federal crime. No lawsuit is required.

  6. Last week's Reg news - Today! by Marcus+Brody · · Score: 3

    This is a pretty good discussion of the whole debacle for The Register.
    No, Alan Cox is not pro non-disclosure. But it does seem to have been an unintended side effect of his swipe at the DMCA.

  7. Unintended consequences not a Pandora's Box by imrdkl · · Score: 3
    I think I understand the reasoning behind this claim, that Alan Cox could have opened a Pandora's Box, so to speak. Whether in jest or as a form of protest, his actions were widely publicized, and if it starts a trend, maybe there is a problem. The eventual changelog was, however, posted here on /., and I somehow doubt that such actions will be taken again, at least not in protest.

    The international nature of Linux development makes it a potential platform for protest and discontent, but at the same time, developers can and do seem to recognize the importance of their role in the endeavor. They should be excused for occasionally "acting out", imho.

    Politicians aren't made overnight.

    1. Re:Unintended consequences not a Pandora's Box by innocent_white_lamb · · Score: 3, Insightful

      I think I understand the reasoning behind this claim, that Alan Cox could have opened a Pandora's Box, so to speak. Whether in jest or as a form of protest, his actions were widely publicized, and if it starts a trend, maybe there is a problem.

      There is already a problem. It's called the DMCA. Alan Cox is responsible neither for the existence of the problem nor for the consequences of the said problem, as he's not a US citizen and therefore gets no "say" in making laws there.

      --
      If you're a zombie and you know it, bite your friend!
  8. diff the code? by peterdaly · · Score: 4, Insightful

    Am I totally missing something? If you really want to know what was changed (if not why), can't you just diff the code of the two versions?

    I don't think we really need to know HOW the bad code could be exploited...the smart people should be able to figure that out for themselves by looking at the code. Why help the script kiddies? "Fixed some major security flaws" type message is good enough for me as a user.

    -Pete

    1. Re:diff the code? by trilucid · · Score: 3, Informative


      There are problems with this line of reasoning, as I will attempt to describe.

      Yes, we could all just diff the code, and we could even set up a secondary website(s) to discuss the impact of the changes we find. However, this is a very inefficient mode of operation when it comes to something as critical as security.

      Your comment about "helping the script kiddies" is disturbing in that it sounds way too close to Microsoft's "plea to the security community". That's just no good; I want to see the full details of other people's reasoning on these things so I'll be better able to intelligently digest and evaluate the information myself. I'm not an outstanding C coder (although I do a lot of Perl and C), so I could easily miss important things.

      The other trouble with this is that since this deals with open source software, the "user" has the immediate option of contributing in a meaningful way to the project. Unlike traditional "closed source" models, the average user (at least currently) of high security impact open source software is likely to have a few more than average clues on security topics.

      If you make it harder for these people (read: us) to get at the requisite information, you're not only putting security at risk; you're also defeating a large part of the open source / free software philosophy. Nowhere in the GPL or any other similar license that I'm aware of does it say that changelogs are subject to geographic censorship. Now, IANAL, but I also don't think the DMCA really has anything to do with this, from my following of other threads here related to all that mess.

      Just my thoughts, nothing more. Thank you.

    2. Re:diff the code? by grammar+nazi · · Score: 5, Funny
      WATCH WHAT YOU SAY!!

      If you keep speaking like that, peterdaly, then diff might become a circumvention device under the DMCA and thus, will be banned in the United States.

      If you want to keep various GNU Tools such as diff, cat, cp, and ghex, then you have to hide the fact that they are useful for anything other than taking up space. Otherwise we risk them becoming circumvention devices under the DMCA.

      --

      Keeping /. free of grammatical errors for ~5 years.
    3. Re:diff the code? by Florian+Weimer · · Score: 3
      Am I totally missing something? If you really want to know what was changed (if not why), can't you just diff the code of the two versions?
      Yes, but that's beyond the capabilities of the average Slashdot poster. Even if you know the vulnerability type and the affected component, it is not immediately obvious if these -/+ lines you are staring at fix a security bug or a simple performance optimization.

      On the other hand, most people couldn't care less what has been changed in the kernel. When did kernel ChangeLogs show up? In 1999? Or in 2000? It was pretty late anyway, and I remember that Felix von Leitner was flamed for suggesting them a few years ago, so that you could follow changes to internal interfaces more easily. Of course, ChangeLogs are nearly a must-have documentation tool, but Linux kernel development is possible without them. (In fact, Linux kernel development deliberately doesn't use a few tools many people consider essential for operating system development.)

    4. Re:diff the code? by GauteL · · Score: 3, Insightful

      Security exploits are not always blindingly obvious, and how would you know exactly what parts of the patches were security fixes, and what wasn't?
      Even if you can spot these easily, there is still a lot more work involved in going through diffs, than just being told what was fixed.

  9. Re:DMCA? by mocm · · Score: 5, Informative

    Of course, it is a content protection system. The file permissions protect the content of certain files to be read by certain users.
    So if you have a copyright protected file on your Linux server and only members of the animator group have permission to access it and then some guest or visitor has an account on that server and uses the information in the kernel changelog to get to that file, copy it and distribute it on the net, you have a copyright violation case with the breaking of a content protection system covered under the DMCA.
    And guess whose fault it was for publishing the information in the changelog.
    Next time Alan Cox comes to the US, he is arrested and prosecuted under the DMCA.

    As ridiculous as the example is, it is possible.

    --
    ***Quis custodiet ipsos custodes***
  10. Cox does not think disclosure is bad... by Karpe · · Score: 5, Insightful

    ...he just does not want to go to jail.

    The way to deal with the DMCA is not to pretend it does not exist, but to show how ridiculous it is, and that means obeying it and showing how it limits development. You cannot think about computer security without considering the legal aspects. Of course full disclosure would be better, but at what price?
    Cox could *actually* go to jail on his next visit to the USA in case he did it. (Think not? Dimitry also didn't believe it could happen.) I am sure you can get the information of what was changed in the kernel by other means (linux-kernel?), but it is very important to be registered in the log that we are being limited by the DMCA. I don't know, perhaps in a nicer future someone will look back at these logs and ask why he didn't describe the problems, and then they will remember how the abuse of corporate power has changed law in an unconstitutional and limiting way.

    We are not talking about boys playing in a BBS, we are talking about real men with real families, people important in our community, that could go to jail because of stupid laws in the lack of this responsibility.

  11. Oh Enough of this already... by GC · · Score: 5, Informative

    This is only being restricted to the US. The rest of us all have this information.

    If you really want to see it, click here:

    kernel-2.2.20.log

    kernel-2.2.20pre11.log

    I'm sure Alan knows that people will do this, he'd probably rather stay away from it and make the moral point to US law. Ironic since in an earlier post in another topic the US-posters were praising their First Amendment.

  12. How is a changelog a circumvention dev ? by Billly+Gates · · Score: 3, Interesting
    Is Linux being used to hack descrambler boxes? Is it being used to decrypt DVDs? What exactly does Linux do? The answer is that Linux is a kernel that runs on PC hardware. There is nothing illegal or controversial about it. Unless you use BSD of course. :-) But my point is that a changelog is not a circumvention device. It doesn't actually do anything. The case with Adobe and the Russian programmer is different. He showed how to illegally open sensitive and copyrighted oops I mean controlled works without Adobe's permission. The only person who can sue Alan is Linus. I don't think he will do this. Anyway Alan did not reverse engineer Linux anyway. He just read about security related issues and manually fixed the source. The GPL allows this. Since Linux is only used to boot a PC and not circumvent a copyright there is nothing even Linus can do. In other words Alan is full of shit.

  13. Re:This mean that Linux devs and Microsoft agree.. by hearingaid · · Score: 3, Interesting

    Actually, I did read the article, and I stand by my complaint about Lasser. Of course, he's much closer to the truth than the /. poster I was replying to, but I still think he's overstating the case.

    Cox did release the changelogs. He just didn't release them in the United States. Lasser doesn't mention that fact. Apparently, he's unaware of the world past the land of the DMCA.

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  14. Re:This mean that Linux devs and Microsoft agree.. by Florian+Weimer · · Score: 4, Informative
    Does this mean that Linux devs and Microsoft agree that full disclosure is bad?
    No, Alan's decision simply reflects that full disclosure is already illegal in the U.S. under some circumstances. That's why I think it's very unfair to call Alan's behavior "self-censorship". In fact, it's censorship by the government. I find it hard to believe that publishing ChangeLogs of your own software can conflict with DMCA requirements, but apparently, Alan consulted a lawyer and he told him that it did.

    Whether full disclosure is good or bad in general is a completely different question and not much related to the question whether it is legal or illegal in the U.S. now.

  15. Amazing...simply....Amazing! by pwagland · · Score: 4, Insightful
    First, hasn't it already been discussed?

    Second, why is everyone here so upset? Oh, hang on. This affects, um who was it? Oh that's right, the Americans. We really shouldn't upset them should we? Most of the comments that I have seen modded up so far basically say one of the following things:

    1. Alan is chickenshit for not wishing to put himself at risk of prosecution. If it was me, I would go to jail, that way I wouldn't piss off the Americans!
    2. Those damn British! They are sooooo jealous that we are more powerful than them now. Why don't they move past the jealousy and just give us the changelogs!
    3. (this is at least half reasonable) They don't really want to prosecute "reasonable" people. They are just after the ones that piss off big business. What's wrong with that? Just give us our changelogs!

    Well, sadly:

    1. This is not a law that you can just ignore. It will not just go away. It is not clear exactly who can be prosecuted, or for what.
    2. The only way that laws go away is for someone, or some large group, to say "this is stupid". Let's change it. Whinging about a missing changelog does not do that. Raising awareness may or may not do that, but it can't really hurt.

    Hands up all of the Americans who have written their senator, state and federal. Hands up to all of those who have given financial, or other, support to movements who are trying to repeal the DMCA. Hands up all those who would just rather whinge when that law inconveniences them. Hmm. Thought so, on that last question the number of hands went up by 10.

    If you are really so cut up about it, figure out what has changed (it isn't really that hard, it has been talked about in the previous article) and post it yourself. Then to prove to Alan what a fool he is, walk down to the DA's office and get a written statement saying that they will not prosecute you for releasing that information. Make entirely clear to them that you have released information that could help people circumvent rights management, and get the DA to sign saying that they would not prosecute you for releasing this information.

    Personally, I don't think that this will happen, since most people would rather make Alan the bad guy over taking any personal risk. I dare you to prove me wrong.

  16. A better excuse for non-full disclosure by Kirkoff · · Score: 5, Funny
    Alan Cox could just use the Linux Comment System(TM). You know, how Linus will implement a whole new VM and the changelog states "VM Fixes." Using Linus's model for this, Alan Cox would definitely just state "Fixed security issues" for most any bug. Heck, he could even put it in the "Random Fixes" catchall. Then all Alan has to do is run around saying to people stuff like "I don't really care about Micro*cough* - The DMCA. It bores me."

    Maybe we would all do better following Linus's methods. Let's say you need to turn in an Essay on Lord of the Flies, it's simple:
    • Essay Pre-1 "Plane crash"
    • Essay Pre-2 "Establish democracy"
    • Essay Pre-2 "formed resistance"
    • Essay Pre-3 "War - people died"
    • Essay Pre-4 "Ship arrives restored grownups"


    As you can see, this eases your everyday life. It gets rid of the unintended problems that spring from caring about anything but the task at hand.

    --Josh
    --
    There are exactly 42,935,718 letter sized sheets in a square mile.
  17. Hrm. by autopr0n · · Score: 3, Insightful

    That's an interesting scenario, but I believe the content needs to be protected by the creator, not a user. So, if I perchance some MP3s, and someone hacked my account to grab them, That hack wouldn't be considered illegal under the DMCA.

    File permissions are really more for privacy than they are for IP control. And remember, judges are supposed to go by the spirit of the law, not necessarily the letter. Just because you could theoretically rig something up to be a content control mechanism, doesn't mean that the courts would look on them as such.

    And also, I don't believe that you can be convicted for circumventing your own technology, any more than you could be sued for violating the GPL on software you wrote (and own the copyright on).

    There needs to be a plaintiff after all.

    --
    autopr0n is like, down and stuff.
    1. Re:Hrm. by Ami+Ganguli · · Score: 3, Interesting
      That's an interesting scenario, but I believe the content needs to be protected by the creator, not a user. So, if I perchance some MP3s, and someone hacked my account to grab them, That hack wouldn't be considered illegal under the DMCA.

      I'm not sure that's true, but even if it is I don't see how it makes a difference. The most likely scenario is a content creator uses his network drive while creating the content. Somebody else who has access to the machine hacks it and steals the content.

      And remember, judges are supposed to go by the spirit of the law, not necessarily the letter.

      I'm not sure that's really true either, but by the time the case gets to the courts the poor programmer has already spent several months in jail. Think about this for a second. Why should a U.K. citizen risk getting embroiled in the American legal system? He doesn't live there, vote there, or have any particular interest in becoming a martyr like Dimitri. Would you get involved in human rights protests in China while on vacation there? I doubt it. You can sympathize, but in the end it's not your battle. It's the same with Alan.

      --
      It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
  18. What I don't understand about the DMCA... by Bake · · Score: 3, Insightful

    Is why people think software with its encryption is any different from other products.

    Is Ford or Firestone suing the group that discovered the flaw when you put an Explorer on Firestone tires?
    Are lockmakers suing those that pick locks?

    Why do software companies think they're so "special" in that regard?

    Isn't there a consumers' association in the US?
    If there is, I don't know how they act, but in many countries this sort of association tries to keep regular companies on their toes by regularly testing their products and giving them a thumbs-up or thumbs-down verdict. Also if consumers are having problems with a company due to a breach of contract or bad sale or whatever, the association has a bunch of lawyers on their payroll who are willing to sue.
    Wouldn't it just be a great idea if encryption-breakers could team up with that kind of organisation? I mean, it is of course in the consumer's interest that this sort of work goes on.

  19. Re:And who didn't see this coming? by rking · · Score: 3, Informative

    Remember, the DMCA covers encryption on copyrighted works.

    People keep repeating this, where does it come from? The DMCA is not specifically about encryption. It is about technological measures that effectively control access to copyrighted works. Based on court cases so far we can safely say that encryption appears to count as one such technological measure, but that doesn't suddenly mean that it's the only measure. If it was meant to apply specifically to encryption then I think the language used would be very different.

    Linux is technological, even if you don't like the particular technology. Linux is used to control access to copyrighted works, including text files, programs, music, graphics, whatever. It isn't difficult to conclude that the security measures in Linux are technological measures that effectively control access to copyrighted works.

    That doesn't mean I'm convinced that posting this particular information would be contrary to the DMCA, I'm really not sure, but that has nothing to do with whether or not encryption is involved, which is a complete red herring.

  20. Why should Cox risk jailtime ? by jneves · · Score: 5, Insightful
    The article says Cox is wrong because he should stand by full disclosure. While I know that Alan did this as a protest, I don't understand the reasoning of those who "attack" his position. Why should somebody like Alan risk going to jail for disclosing information that can facilitate the circumvention of filesystem permissions?

    We all know that that is illegal in the USA, thanks to the DMCA, and in a little over one year, will also be illegal in most of Europe, thanks to the EUCD - European Union Copyright Directive.

    My question is: Why should he take the risk? Until now, Sklyarov is still in jail, Felten hasn't got the court's permission to present his article and I still can't get a DVD player with any GNU/Linux distribution. Isn't this enough to make one think twice before entering the security field?

  21. Publishing source violates DMCA by z19752002 · · Score: 3, Interesting

    Everything a person needs to know to circumvent access controls is in the operating system source code. Therefore, publishing source code to an OS is a violation of the DMCA.

  22. Re:And who exactly.... by RickHunter · · Score: 5, Informative

    I believe the suggested exchange would go something like this:

    • L33T H4X0R H finds Linux vulnerability mentioned in kernel changelog.
    • Knowing that many sites do not keep their kernels up-to-date for a variety of reasons, H creates an exploit for said vulnerability.
    • Big Company R has their servers broken into by H, and valuable "intellectual property" is stolen, including copyrighted materials and trade secrets.
    • Big Company R consults with its Lawyers.
    • Big Company R concludes that H is going to be too expensive to track down. The Lawyers, however, have a different target. The Linux changelog was a crucial component in a circumvention device intended to breach protections on R's valuable "intellectual property"!
    • Kernel Hacker A, who happens to be responsible for writing changelogs, visits America on a routine business trip.
    • Federal forces waiting for A grab him, throw him in jail, and leave him there for several months before trying him, convicting him under the DMCA, and leaving him there for several years.

    Now, while you may be eager to spend several years in Jail, Mr. Cox is not.

  23. AC interview on Newsforge, linked on Linuxtoday by Anonymous Coward · · Score: 4, Informative
    OK people, the Linux community has a great news article summary site called Linuxtoday.

    Point being, a couple of days ago there was an article linked there to Newsforge with an interview with Alan Cox about his views on the DMCA and these changelogs.

    For the lazy, the essential point is that AC has gotten legal advice that he very well could be charged in the US for posting the vulnerabilities based on an interpretation of the DMCA, but that no "sane" US court would convict him. However, he does not want to spend 6 months in the US to go through the process.

    So, basically, he's making a political point about stupid laws. He's welcome to if that's what he wants. As others have said, it's not like most people interested in kernel changes can't use diff.

    Glenn

  24. Err... no. by mindstrm · · Score: 3, Insightful

    The DMCA does not specifically cover 'encryption' on 'copyrighted works'.
    It covers COPYRIGHT PROTECTION MECHANISMS. You just assume those must be encrypted.

    ie: Let's say a new CD format came out that just used a couple of bits to determine if a work is permitted to be copied (and requires a new player to play, etc). Someone who reveals a way to 'ignore' those bits, ie: by hotwiring the device is also violating the DMCA.

    The linux kernel could very well have someone's copyrighted work on it, and giving someone the ability to obtain root access without authorization in order to copy that work could be constituted as a violation of the act. Yes, it's a stretch.. but not completely out to lunch. That's how broad the language of the DMCA is.

    As for the 'sheer stupidity' of a British Citizen doing this... what about that Russian Citizen who was arrested for this very law?
    If Alan wants to ever visit the US, say, to go to a conference, or the Superbowl, or whatever... he'll have to make sure he steers clear of US law, no?

    Alan isn't a proponent of security through obscurity. He's a proponent of not getting arrested upon entering the United States.

  25. Put up or shut up by pbryan · · Score: 5, Insightful

    This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.

    And did you write your representative in United States Congress yet? Did you submit an amicus brief at Dmitry's preliminary hearing? Did you join the EFF to help battle the DMCA? Did you at least buy a Free Dmitry t-shirt so some of your purchase goes to stop the DMCA?

    If you have, then I applaud your actions and encourage you to continue engaging in constructive solutions. If not, then put up or shut up. Far too many people are bitching about this problem and taking no substantive action.

    It is unreasonable to expect Cox to behave differently. He's seen what happened to Dmitry. He knows what could happen if he were to disclose this information to Americans, then set foot in the United States. Cox did the right thing.

    --

    My car gets 40 rods to the hogshead, and that's the way I likes it!

  26. Re:And who exactly.... by pbryan · · Score: 4, Informative

    The DMCA can not only be applied in civil litigation; it can also be applied in a criminal prosecution. Case in point: Dmitry Sklyarov.

    Dmitry was arrested by the FBI based on a "tip" they received from Adobe. Adobe withdrew their complaint, but that didn't stop the FBI. The FBI concluded that criminal law was being violated, and that Dmitry should be prosecuted.

    If all it takes is one relatively credible tipster to cause the arrest of Cox for violating the DMCA, then Cox's actions seem perfectly reasonable. If he were to visit the United States, he'd like to go home when he's done.

    --

    My car gets 40 rods to the hogshead, and that's the way I likes it!

  27. The dangers of illegality by mangu · · Score: 4, Insightful
    The United States hasn't been the land of the free since the 1960s


    A debatable point, as the US Constitution Article XVIII, ratified in 1919, forbade the "manufacture, sale, or transportation of intoxicating liquors". This article was repealed in 1933, after prohibition proved its total uselessness in preventing alcohol consumption, but there are similar laws today prohibiting the use of several recreational drugs. The main effect of such prohibition is creating a strong incentive for organized crime. The prohibition is no obstacle to former drug users becoming presidents of the USA, for instance.


    As Robert Heinlein said: "I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; If I find them too obnoxious, I break them. I am free because I know that I alone am responsible for everything I do" (The Moon is a Harsh Mistress, 1966).


    This doesn't mean that we should tolerate any such stupid laws as the DMCA or drug prohibition. Those laws have the very dangerous side effect of creating a large number of corrupt law enforcement officers. Corruption in law enforcement is, IMHO, a much greater danger to freedom.

  28. DMCA implies CLOSED SOURCE by Bob+Clary · · Score: 3, Insightful

    If the kernel change logs can be used to provide information to hackers that would result in criminal liability, does not the entire kernel source provide the same information?

    Doesn't that imply that the entire Linux Kernel Source should be closed and only Binaries provided?

    If Alan Cox is allowed to use Linux as his own political soapbox, then Linux itself is history. Where the hell is Linus?

  29. Alan's taking the easy way out by SMN · · Score: 3, Flamebait
    This is liable to be score (-1, Unpopular Opinion), but it needs to be said:

    If Alan Cox really wants to make a point, he should put his money where his mouth is and LET himself be open to a suit under the DMCA. His current approach, hiding the changelogs, does nothing to stop the DMCA, and by submitting to it he's giving its backers exactly what they want.

    Laws don't get changed if nobody has the guts to challenge them. If Alan wants to get his point across, he should let himself be sued (not that it would actually happen, because I doubt any company really gives a damn what he puts in his changelog). Then he, like Felten and Sklyarov, has a great case to challenge the law with.

    Instead, this "spectacle" seems to be Alan submitting to the DMCA, then trying to attract as much attention as possible to his crying about it. I have no pity for this, and I hope the rest of his audience feels the same.

    --
    -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
    1. Re:Alan's taking the easy way out by ShaunC · · Score: 3, Insightful

      We already have some precedents (in Felten and Sklyarov) about how "people who violate the DMCA get screwed." We don't need more of those, at least not at the expense of good people. The general public probably looks at these two cases as you'd expect them to: "Well, gee, they did break the law, so I guess they had it coming."

      Alan is taking a different approach. He's not trying to show the world that breaking the law will get you in trouble. He's trying to show the world that people who obey the law are the ones being hampered. Instead of violating the law (knowingly or not) and then crying foul when he gets charged, he's making the point that complying with the DMCA interferes with legitimate business. It's a subtle difference, but IMO it's a better precedent. I think people will be more apt to see the DMCA as a bad law once they understand that it's the law-abiding citizens who are being effectively punished.

      To quote a poster from the original thread on this issue, the DMCA is the only law so stupid that it must be fought through civil obedience!

      Shaun

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  30. Alan Cox - defender of freedom in America by alienmole · · Score: 5, Informative
    The DMCA is a U.S. law. Dmitri Sklyarov was arrested while breaking the DMCA on U.S. soil.

    Not a law student, I take it. If Alan makes information available across the Internet to Americans, that violates a US law, Alan has violated US law and can be arrested when he enters the country. To take a less ephemeral example, imagine if a Colombian mails you a package of cocaine and puts his name and return address on the package. You don't think he could be arrested on entry to the US? By your logic, Osama bin Laden could not be arrested if he flew into JFK tomorrow, because he has never personally committed a crime on US soil.

    The federal government does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention.

    Do you think Sklyarov knew that his "victims" had filed a complaint against him, before he was arrested? How is Alan going to know when it is or isn't safe to travel to the US? Tivo might decide to bring a complaint because Alan has enabled people to more easily crack their boxes, for example. Linux has far wider scope, and many more applications, than anything Sklyarov ever did.

    This business of having draconian laws which are enforced at the authorities' discretion is very dangerous. It restricts freedom in all sorts of ways, and often results in people restricting their own freedoms, and those of others - as Alan has done - in order to "play it safe". Laws like this take away basic freedoms in an insidious, indirect way that would never be possible if done directly.

    If you're saying that you support the DMCA as written, then I suppose we have a totally different argument which we haven't even begun to address. But if you don't support the DMCA, you should respect Alan Cox's right to respond to it.

    Alan Cox is doing more for freedom in America than you have ever done. Think about that the next time you criticize.

  31. Re:I simply do not understand by innocent_white_lamb · · Score: 3, Interesting

    I mean, who would be the complainant in the case?

    As the DMCA is a federal law, the complainant in that case would be the same as the complainant the next time someone gets busted by the DEA for importing cocaine. The US federal government. No need for a "real person" to file a complaint or anything like that.

    Would they not have to demonstrate some kind of damage that resulted from the alleged misdeed?

    That's not included in the DMCA, sorry. No need to actually prove that any damage was done.

    Surely, he's just making a point, right?

    Nope, he's genuinely concerned about going to jail. Mr. Cox has apparently checked with a lawyer (always a good idea when unsure of what the law really is) and has been advised as follows:

    (a) It is unlikely but not out-of-the-question that he would be arrested and incarcerated in the US for publishing the changelogs.
    (b) It is extremely unlikely (almost impossible) that he would actually be CONVICTED under the DMCA.

    Having considered the matter, Mr. Cox takes the not unreasonable position that he would rather not take a chance of being arrested and tossed into jail until he eventually gets to trial. It's a small chance, sure, but the possibility does apparently exist.

    I don't see how anyone can fault Mr. Cox for taking action to ensure that he does not get tossed into jail in the USA the next time he visits there. He's checked with a lawyer and been advised that there is a risk; he chooses not to take that risk.

    --
    If you're a zombie and you know it, bite your friend!
  32. Idaho Letter by ink · · Score: 3, Insightful
    Here's a letter I sent to my congressman and senators. Feel free to copy it; I hope to see people from every state follow up with letters that they have sent. Everyone needs to take action now; if only the representatives from California and New York are notified, nothing will be done.

    Representative Simpson,

    As I feared, and wrote to you about, the Digital Millennium Copyright Act (DMCA) has now crippled US software developers. Here is a thread which basically explains the situation:

    http://slashdot.org/comments.pl?sid=22882&cid=2460604

    In short: the DMCA has forced the Linux kernel developers to distinguish between "US" and "Non-US" developers. The "Non-US" group of developers are privy to all the security fixes for the kernel while the "US" group are now unable to view these changes because of recent action by DMCA proponents (the FBI's Sklyarov case, MPAA vs. 2600).

    Worse than that, we (US developers) are no longer able to participate in security development and as such are in a weaker position to ensure the security of a product -- something very important in light of September 11th. This law needs to be fixed or repealed as soon as possible; it has prevented university research from being published (see Felten vs. RIAA, SDMI) and companies are using the most ridiculous "copy protection" schemes in order to halt speaking about security.

    Your Fellow Idahoan,

    Craig M. Kelley

    Feel free to cut and paste and modify.

    --
    The wheel is turning, but the hamster is dead.