Slashdot Mirror


The Case For Full Disclosure In The Linux Changelog

titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil security changes in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.

12 of 234 comments

  2. I support Cox by psicE · · Score: 5, Insightful

    The United States hasn't been the land of the free since the 1960s, and the DMCA just puts us one step closer towards not having freedom of speech. If Alan Cox feels that he needs to block all Americans from seeing the Linux changelogs to make his point, so be it. It's not like he's blocking people who live in free countries from viewing the changelogs. And if the US repeals the DMCA and doesn't pass a similar law, Cox will open up the changelogs again - he believes in keeping them open but doesn't want to get arrested for it, unlike Microsoft who wants to keep them closed as a business strategy.

  3. Re:This mean that Linux devs and Microsoft agree.. by hearingaid · · Score: 5, Insightful

    You really need to follow the news more closely, as does Jon Lasser.

    Alan Cox did not release the changelogs for Linux kernel 2.20 in the United States for fear of prosecution under the DMCA.

    Cox did release the changelogs internationally, and some of us mirror the censored logs on sites accessible inside the U.S. The reason for the censoring of the logs is that they specify particular applications that can be used to exploit the kernel bug, which could well be interpreted under the DMCA as giving directions to script kiddies.

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  4. Re:DMCA? by mocm · · Score: 5, Informative

    Of course, it is a content protection system. The file permissions protect the content of certain files from being read by certain users.

    So if you have a copyright-protected file on your Linux server and only members of the animator group have permission to access it, and then some guest or visitor who has an account on that server uses the information in the kernel changelog to get to that file, copy it and distribute it on the net, you have a copyright violation case with the breaking of a content protection system covered under the DMCA.

    And guess whose fault it was for publishing the information in the changelog. Next time Alan Cox comes to the US, he is arrested and prosecuted under the DMCA.

    As ridiculous as the example is, it is possible.

    --
    ***Quis custodiet ipsos custodes***

  5. Cox does not think disclosure is bad... by Karpe · · Score: 5, Insightful

    ...he just does not want to go to jail.

    The way to deal with the DMCA is not to pretend it does not exist, but to show how ridiculous it is, and that means obeying it and showing how it limits development. You cannot think about computer security without considering the legal aspects. Of course full disclosure would be better, but at what price?

    Cox could *actually* go to jail on his next visit to the USA if he did it. (Think not? Dmitry also didn't believe it could happen.) I am sure you can get the information of what was changed in the kernel by other means (linux-kernel?), but it is very important to have it registered in the log that we are being limited by the DMCA. I don't know, perhaps in a nicer future someone will look back at these logs and ask why he didn't describe the problems, and then they will remember how the abuse of corporate power has changed law in an unconstitutional and limiting way.

    We are not talking about boys playing on a BBS, we are talking about real men with real families, people important in our community, who could go to jail because of stupid laws and the lack of this responsibility.

  6. Oh Enough of this already... by GC · · Score: 5, Informative

    This is only being restricted to the US. The rest of us all have this information.

    If you really want to see it, click here:

    kernel-2.2.20.log

    kernel-2.2.20pre11.log

    I'm sure Alan knows that people will do this, he'd probably rather stay away from it and make the moral point to US law. Ironic since in an earlier post in another topic the US-posters were praising their First Amendment.

  7. Re:diff the code? by grammar+nazi · · Score: 5, Funny

    WATCH WHAT YOU SAY!!

    If you keep speaking like that, peterdaly, then diff might become a circumvention device under the DMCA and thus will be banned in the United States.

    If you want to keep various GNU tools such as diff, cat, cp, and ghex, then you have to hide the fact that they are useful for anything other than taking up space. Otherwise we risk them becoming circumvention devices under the DMCA.

    --

    Keeping /. free of grammatical errors for ~5 years.
  8. A better excuse for non-full disclosure by Kirkoff · · Score: 5, Funny

    Alan Cox could just use the Linux Comment System(TM). You know, how Linus will implement a whole new VM and the changelog states "VM Fixes." Using Linus's model for this, Alan Cox would definitely just state "Fixed security issues" for most any bug. Heck, he could even put it in the "Random Fixes" catchall. Then all Alan has to do is run around saying to people stuff like "I don't really care about Micro*cough* - The DMCA. It bores me."

    Maybe we would all do better following Linus's methods. Let's say you need to turn in an essay on Lord of the Flies; it's simple:
    • Essay Pre-1 "Plane crash"
    • Essay Pre-2 "Establish democracy"
    • Essay Pre-2 "formed resistance"
    • Essay Pre-3 "War - people died"
    • Essay Pre-4 "Ship arrives restored grownups"

    As you can see, this eases your everyday life. It gets rid of the unintended problems that spring from caring about anything but the task at hand.

    --Josh
    --
    There are exactly 42,935,718 letter sized sheets in a square mile.
  9. Why should Cox risk jailtime? by jneves · · Score: 5, Insightful

    The article says Cox is wrong because he should stand by full disclosure. While I know that Alan did this as a protest, I don't understand the reasoning of those who "attack" his position. Why should somebody like Alan risk going to jail for disclosing information that can facilitate the circumvention of filesystem permissions?

    We all know that that is illegal in the USA, thanks to the DMCA, and in a little over one year will also be illegal in most of Europe, thanks to the EUCD - European Union Copyright Directive.

    My question is: Why should he take the risk? Until now, Sklyarov is still in jail, Felten hasn't got the court's permission to present his article and I still can't get a DVD player with any GNU/Linux distribution. Isn't this enough to make one think twice before entering the security field?

  10. Re:And who exactly.... by RickHunter · · Score: 5, Informative

    I believe the suggested exchange would go something like this:

    • L33T H4X0R H finds Linux vulnerability mentioned in kernel changelog.
    • Knowing that many sites do not keep their kernels up-to-date for a variety of reasons, H creates an exploit for said vulnerability.
    • Big Company R has their servers broken into by H, and valuable "intellectual property" is stolen, including copyrighted materials and trade secrets.
    • Big Company R consults with its Lawyers.
    • Big Company R concludes that H is going to be too expensive to track down. The Lawyers, however, have a different target. The Linux changelog was a crucial component in a circumvention device intended to breach protections on R's valuable "intellectual property"!
    • Kernel Hacker A, who happens to be responsible for writing changelogs, visits America on a routine business trip.
    • Federal forces waiting for A grab him, throw him in jail, and leave him there for several months before trying him, convicting him under the DMCA, and leaving him there for several years.

    Now, while you may be eager to spend several years in jail, Mr. Cox is not.

  11. Put up or shut up by pbryan · · Score: 5, Insightful

    This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.

    And did you write your representative in the United States Congress yet? Did you submit an amicus brief at Dmitry's preliminary hearing? Did you join the EFF to help battle the DMCA? Did you at least buy a Free Dmitry t-shirt so some of your purchase goes to stop the DMCA?

    If you have, then I applaud your actions and encourage you to continue engaging in constructive solutions. If not, then put up or shut up. Far too many people are bitching about this problem and taking no substantive action.

    It is unreasonable to expect Cox to behave differently. He's seen what happened to Dmitry. He knows what could happen if he were to disclose this information to Americans, then set foot in the United States. Cox did the right thing.

    --

    My car gets 40 rods to the hogshead, and that's the way I likes it!

  12. Alan Cox - defender of freedom in America by alienmole · · Score: 5, Informative

    The DMCA is a U.S. law. Dmitri Sklyarov was arrested while breaking the DMCA on U.S. soil.

    Not a law student, I take it. If Alan makes information available across the Internet to Americans in a way that violates a US law, Alan has violated US law and can be arrested when he enters the country. To take a less ephemeral example, imagine if a Colombian mails you a package of cocaine and puts his name and return address on the package. You don't think he could be arrested on entry to the US? By your logic, Osama bin Laden could not be arrested if he flew into JFK tomorrow, because he has never personally committed a crime on US soil.

    The federal government does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention.

    Do you think Sklyarov knew that his "victims" had filed a complaint against him, before he was arrested? How is Alan going to know when it is or isn't safe to travel to the US? Tivo might decide to bring a complaint because Alan has enabled people to more easily crack their boxes, for example. Linux has far wider scope, and many more applications, than anything Sklyarov ever did.

    This business of having draconian laws which are enforced at the authorities discretion is very dangerous. It restricts freedom in all sorts of ways, and often results in people restricting their own freedoms, and those of others - as Alan has done - in order to "play it safe". Laws like this take away basic freedoms in an insidious, indirect way that would never be possible if done directly.

    If you're saying that you support the DMCA as written, then I suppose we have a totally different argument which we haven't even begun to address. But if you don't support the DMCA, you should respect Alan Cox's right to respond to it.

    Alan Cox is doing more for freedom in America than you have ever done. Think about that the next time you criticize.