New RedHat Kernel Patch Illegal to Explain to U.S. Users

Russellkhan writes "The Register is running a story about a new RedHat kernel patch that cannot be explained to U.S. citizens or others in the U.S. because of DMCA restrictions. The illegal explanation is hosted at Thefreeworld.net, a site created specifically to deal with these DMCA issues."

Re:Use the source?

[loply]

Yes, ofcourse, but you may not be able to fathom out what the patch does from the source. A security fix which prevents a buffer overflow could be as simple as adding or removing a typecast, which, if the kernel coders themselves didnt realise could be a security issue - Most Joe User's wont notice either... :(

Still, as a principal, it is a bit silly to disallow a text describing the change but allow the source which IS the change. Stupid law.

Re:I'd comment, but

[rmadmin]

I'd agree. I'd really like to know what the problem is. And where the DMCA has any damn right to tell me I can't read it. I cannot fathom what could be in that stupid text that would violate the DMCA. Anyway. Since this is an explination of the changes made to the software that I run, that I risk my data on, I think I have the right to that text. And if the goverment disagrees, then I'll take my ass and my money, and my vote over seas.

Clever tactic

[akookieone]

Sounds to me like this is a stunt. Clearly they will get media attention (thanks Register) and hopefully get picked up by major media in the states. This is especially possible if there is a nice long stream of indignation from folks on Slashdot (including mine). That said, what a great stunt, and for what a great cause. Some one at RedHat is smart enough to be motivated not by legal paranoia (however recently justified) but by political savvy.

Re:One day...

[Quixote]

You're right. The signature at the bottom of the DMCA is:



(signed) All American Citizens


In a democracy, you are responsible for the actions of those you elect.
There is still time. Your elected representatives will pay attention to you, the American voters, only for the next 3 weeks or so. Mobilize if you can; otherwise suffer 2 more years of the same but please don't complain!.

New Kernel patch?

[Nighttime]

That patch was released on 2002-08-20, nearly two months ago, and was available through RH's up2date system so many US users will have updated to it. It's only now being reported as news about the DCMA restrictions?

Re:Sound familiar?

[boogy+nightmare]

'Furthermore, they are members of an enemy force'

Considering that they are being held with no reason, trial or lawyer present, the fact that nothing has been proven then unfortunantly this statement is terribly inaccurate (like my spelling) Simply becuase they are not given POW status means that they are being held for no reason other than paranoia. It woiuld be like putting you in a lock up for 2 years in case you had something to do with drinking and looking at a car.

Remember you are supposidly a free country with 'apparent' freedom of speech, religion or beleif, becuase it is suddenly a bad thing to be against 'mainstream America' those rights are consistanly forgotten.

Akira

Re:Hysterical rubbish

[Scarblac]

Posting this in the US would not be a violation of the DMCA except if you used some ludicrously tortured logic.

Tell that to Skylarov, who wrote a program that was mandatory in Russia under Russian law, and who found himself in jail in the US under the DMCA. It doesn't matter if he wins in the end, or isn't even allowed back in or whatever. He's totally innocent, has nothing to do with the US and shouldn't have been treated like that.

You can make up any BS laws you want for yourselves over there, but totally innocent people who have nothing to do with the US end up in jail because of them. I think the thefreeworld.net site is a brilliant idea.

If there's even the tiniest chance that some information posted could be illegal under some strange law of a country you have nothing to do with (and this security info certainly could be), and they're known to get (innocent, foreign, never been to the US) people jailed over this stupid law, then the prudent thing to do is post that info only on sites like this.

Unfortunately, given how few people in the US even know their own laws, it's practically impossible for people in Russia, Norway etc to be aware of all the weird quirks in US law, and they don't even know they should be aware of them. And people from those countries were still jailed for doing something perfectly legal. The US is a threat.

I'm sorry for ranting, mod me a troll or something, I can get real angry over stuff like this.

Ok then, can someone explain

[beleg777]

Ok, this looks to me to be the same as any other patch documentation. My impression is that the reasons it's illegal are the same sections and logic used to indight Skylarov. If I'm not mistaken in those two things, isn't all patch documentation illegal under the DMCA?

Quick word of commentary, it wouldn't surprise me at all if this were true by the letter of the law. This is exactly why we have been complaining for so long, because the law is overly broad, and restricts things that it obviously shouldn't. On the other hand, I didn't think it was so broad as to cover all security documentation.

Re:This is just FUD.

[Scarblac]

There is no way a kernel patch can violate the DMCA for the simple fact that the Linux kernel doesn't enforce any type of copy protection.

Doing it like this is just prudent. Why should someone from Europe have to know all the details of US law, weigh the chances of it being a violation, when non-US people have already gone to jail over it and there's the option of not distributing it to Americans in the first place?

Re:DMCA is a success

[Jorrit]

To me providing a patch in source form is exactly the same as providing a description. Source code is readable. People who can program in the language that the patch was made in, can understand (with a little bit of effort) what is going on there. So to me this patch is a description. It is only given in another language then plain english.

I leave aside what this implies for the DMCA though :-)

Greetings,

Re:This is just FUD.

[ajs]

Ding! This is the correct answer. Yes, telling people about security holes is a DMCA violation under every interpretation of the law that I've seen (other than the cursory, "it only covers copying mp3s d00d!")

Please mod up the parent.

Re:Need a Website

[Blkdeath]

It's easy. vote against incumbents.

There's a saying in Canada, heard frequently come election time; "We don't vote people into office, we vote people out of office."

Go figure. :)

the best part is

[Ender+Ryan]

The best part about this "stunt" is that it is entirely correct. Sure, the U.S. government wouldn't prosecute someone for these changelogs, but they COULD, and that is the key to why the DMCA is such a bad law.

Re:Sound familiar?

[mvdwege]

Again, try learning something of this before declairing things "illegal" that are well within the bounds of the Laws of War.

Somehow I seem to have missed a Declaration of War by the U.S. Congress. Therefore the U.S. can not hold someone as an enemy combatant under the laws of war, because the U.S. is officially not at war.

Since according to international treaties and the U.S. Constitution the U.S. government has no other way to hold someone prisoner without a specific accusation of a crime, the U.S. is violating fundamental human rights at the moment.

Therefore the people imprisoned at Guantanamo Bay are imprisoned illegally, all according to international human rights treaties, the Geneva Conventions and the U.S. Constitution.

Mart

Then almost all security notices violate the DMCA

[Get+Behind+the+Mule]

The issues discussed in the patch notice are pretty mundane, and it took me quite some time to figure out what the hell the problem with the DMCA might be. I'm still not sure.

The reasoning, apparently, is that by documenting the security weaknesses that were fixed, they reveal ways to hack unpatched versions of the kernel. And that would be circumvention, and hence violations of the DMCA. All of the holes were found in code audits, and there are no known exploits, so this announcement documents these problems for the first time. (Maybe it's less of an issue if you announce fixes to holes that someone else already found.)

But if that is really taken as a violation of the DMCA, then almost all public notices of security issues may be illegal, even if the author did not write an exploit, and indeed even if no exploit is known to exist. The entire CERT site is at risk. Bruce Schneier may be one of the rampant criminals on Earth.

I dunno, it certainly would be crazy if the DMCA really has that implication, but are Cox and Co. certain that the law really means that? I'll bet there is no case law suggesting such a thing -- and after all, it's the courts' interpretations that really matter in the end. Has any legal scholar ever suggested that the DMCA can be interpreted this way?

I certainly don't like the DMCA, and I think it's unconstitutional (First Amendment, you know), but I wonder if this stunt will backfire. If it turns out that they're making a big deal out of something that the DMCA doesn't actually forbid, then opponents of the law will end up looking a bit hysterical.

Re:This is just FUD.

[Thomas+Charron]

Next time, actually read the law. The DMCA is VERY broad. Sounds to me like your extent of reading on it was the name, and not the contents of the act itself.

The DMCA makes it illegal to publish any sort of information that provides data relating to any sort of bug that could be potentially exploited. This was, IMHO, added to prevent people from writing applications that would allow individuals to circumvent applications that where protecting copywrited materials, but it's all in the wording.

Re:Sound familiar?

[mvdwege]

War was brought to the US. Perhaps you have missed the events of the past 10 years.

Yet still the U.S. did not react with a reciprocal Declaration of War. Therefore under international law the U.S. is not at war.

Any unilateral actions by the U.S. President are just that, unilateral actions not sanctioned by international laws and treaties. That is why the U.S. is resented by the world at large.

My conclusions are only false if you want to use the viewpoints of the current U.S. administration as canon. The same administration that has declared unilateralism as its policy from the election campaign on forward.

Lets recap:

1. In order to hold someone as an enemy combatant a state of war must exist according to international treaties (which the U.S. signed and ratified B.T.W.)
2. The only way the U.S. can be in a state of war is by a Declaration of War.
3. According to the U.S. Constitution, the only one with the power to issue such a Declaration is the U.S. Congress.

So, notwithstanding the power of the President to deploy troops, the U.S. is not at war, and therefore the defense that normal criminal proceedings are not necessary against anyone the Administration designates an enemy combatant is bogus. Anyone trying to defend that policy knows nothing of international law and is defending an unacceptable breach of human rights.

As an aside, I have nothing to do with Berkeley (sic), as I am not an American. Your ad hominem attacks serve no purpose except to show you as a jingoistic troll.

Wake up and smell the coffee: your own administration has declared that unilateralism is to be the foreign policy. In common English: "Screw the world and what it thinks, screw international law and the treaties we signed, we do whatever we damn well please."

Mart

Re:Again?

[frleong]

These stories (Cox's above and this current issue) are perfect examples of things to send over to that committee collecting comments on the DMCA. Here are software authors who are scared to publish vulnerability details about their own products!

Now I got it. Microsoft consistently refuses to disclose vulnerability details about its own products because many people are IIS and other secure and high-quality MS products as a "copy protection device"!

Re:You have the right to remain silent.

[Grishnakh]

Copyright holders do not have the right to have their business models enforced by the police.

No, copyright holders DO have this right. They've legally purchased this right from Congress. If you want some rights, you need to pay Congress for them too. What did you think, that this was a country by the people, of the people, and for the people?

Security holes have NOTHING to do with the DMCA !!

[Tom7]

This is really stupid and childish. I'll be the first to condemn the DMCA (after my own legal troubles with it), but this is not the way to go about it.

Someone correct me if I'm wrong (I'm not a lawyer though I have studied the DMCA and lawsuits based on it carefully), but the DMCA absolutely does not ban security information. The only related things that it addresses are circumvention (of protection technology in order to access a copyrighted work) and trafficking in circumvention devices. Security information (especially in the form of a vague changelog) is absolutely not either of those. By no stretch of the imagination can I figure out how it's supposed to be a violation of the DMCA.

What's really going on here? Someone (Alan Cox) is trying to make a point about the control that the DMCA gives to copyright holders. He's placed a piece of his copyrighted information that some people want (text of the kernel changelog) behind a click-through license that says you can't access it if you're from the USA. In my opinion this has fuck-all to do with the DMCA (because there is no "technological measure" to circumvent -- please read the definition of technological measure in the DMCA if you disagree with me), just click-through licenses, but, whatever. Then Red Hat decides, well, we can't copy that information because the copyright holder has told us we can't. Assuming that such click-through licenses are legal in the first place, of course, RH would be entirely within its rights for a non-US-citizen to license the document and then summarize it for Red Hat. Either they are too lazy for this, don't understand the issues involved, or are perpetuating this same bizarre notion that the DMCA makes every single thing you'd want to do illegal.

The DMCA only has to do with copyright, and only as far as circumventing technological measures that protect copyrighted material. The court enjoined DeCSS because it found it to be a circumvention device (they did NOT enjoin english descriptions of the algorithm, and especially not security notices about CSS being weak!). I don't agree with the decision, but at least it makes sense in terms of the law. (I also don't agree with the law!!)

The important point I'm trying to make is that to fight dumb laws like the DMCA, we need to understand what they really say and what the actual implications are. There's a tendency for hackers to use logical deduction ("If DeCSS is illegal because it can be used to break DVDs, then hammers must be illegal because they can be used to smash open store windows!") in order to decide the implications of a law. THIS IS NOT HOW COURTS WORK! Law is much more squishy than that. Making these sorts of alarmist claims, as if the DMCA outlaws everything that we'd ever want to do, hurts our cause by spreading misinformation. Instead, we should be educating people about what the DMCA actually addresses (ie, "Did you know it would be illegal for you to create MP3s from SACDs that you bought?" or "Did you know that it's illegal to buy mod chips for your Playstation so that you can play imported games that you also legally purchased?" or "Did you know that it's illegal to use your screen-reader software with the eBook that you legally bought?"). That's how we can convince people that the law is wrong.