Slashdot Mirror


Feds Expand Security Researchers' Ability To Hack Without Going To Jail (vice.com)

An anonymous reader quotes a report from Motherboard: Friday, the Librarian of Congress and U.S. Copyright Office renewed several key exemptions (and added a few new ones) to the Digital Millennium Copyright Act. This go round, they've extended some essential exemptions ensuring that computer security researchers won't be treated like nefarious criminals for their contributions to society. As part of an effort to keep the DMCA timely, Congress included a so-called "safety valve" dubbed the Section 1201 triennial review process that, every three years, mandates that activists and concerned citizens beg the Copyright Office and the Librarian of Congress to craft explicit exemptions from the law to ensure routine behavior won't be criminalized.

The exemptions still have some caveats. Specifically, the Copyright Office ruling only applies to "use exemptions," not "tools exemptions" -- meaning security researchers still can't release things like pen-testing tools that bypass DRM, or even publish technical papers exploring how to bypass bootloaders or other Trusted Platform Modules to test the security of the systems behind them. But other modest changes to the rules were incredibly helpful, notes Blake Reid, Associate Clinical Professor at Colorado Law. Specifically, the new exemption removes a "device limitation" from previous exemptions that potentially limited researchers to investigating software only on "consumer" devices, hindering their ability to investigate security vulnerabilities in things like the cryptographic hardware used in banking applications, networking equipment, and industrial control systems. The new exemption also modified the "controlled environment limitation" from the previous exemption, which was often read to imply that researchers had to conduct their work in a formal laboratory, potentially hindering research into things like integrated building systems like internet-connected HVAC systems.


  1. But don't worry by Opportunist · · Score: 4, Insightful

    We'll do the research for you. We might even sell you the results, provided your industry lets you have them. If not, well, it was nice to know you. Just don't expect us to come over to the US anymore for any security conferences, now that it's becoming more and more like trying to have a porn conference in Saudi Arabia.

    signed, the rest of the world

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re: But don't worry by jd · · Score: 1

      People are often sociopathic, empathy-free and self-indulgent. They don't care when it hurts others, only when it hurts them, and not at all if they don't believe it'll hurt them.

      People cared about global warming when they saw effects. In America, the ambivalence outside of agriculture is because the effects have been small for those isolated from their environment.

      People don't care about far-off wars, only the increased employment that follows.

      People don't care about violence, as long as it's somebody else getting killed.

      Movements based on empathy and mutual support often get trashed by the majority who don't know, don't want to know, don't care and don't mind another beer.

      So if the U.S. (or any other country) is becoming isolated, don't imagine it's because of some new-found maturity. It's because that country stepped on too many toes. Those other countries are looking after themselves, not the welfare of the world.

      If they had, you'd have seen a very different sort of globalism, with no Neuromancer/Shadowrunner-style megacorps. Whether it would have been better or worse is something most people will guess at by their politics/religion and not by any examination. Must be good to know all the answers to questions nobody asked.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re: But don't worry by jd · · Score: 1

      The Doctor: Good men don't need rules. Today is not the day to find out why I have so many.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:But don't worry by Slayer · · Score: 1

      This is not specific to the US; the EU has laws just like that already in place, maybe even more restrictive. Next on the list will be crime novels, since these heinous books provide detailed information on how to commit and cover up awful crimes, sometimes even murder!

      If you have talent in computer security, you have basically two options: if you also happen to have morals, forget everything you learned until now, study some other subject to pursue a less dangerous professional career, lean back and smile, while stoned 15 year olds from abroad hack deep into our country's most valuable basic infrastructure. If you have no morals, or are willing to sell out to the highest bidder, go work for Palantir or some Russian troll factory. Saudis are looking for talent, too ...

    4. Re:But don't worry by Opportunist · · Score: 1

      The VAE pay better than the Saudis.

      Just saying...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:But don't worry by Opportunist · · Score: 1

      The UAE, of course.

      I always forget that you're still talking English...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Re: can't...even publish technical papers by Anonymous Coward · · Score: 1

    It's so terrible that Trump's administration is censoring the research that Obama's administration flat out criminalized.

  3. Don't you mean the Trump Administration? by Shaitan · · Score: 5, Insightful

    "Friday, the Librarian of Congress and U.S. Copyright Office"

    I've protested every story about an action of any executive agency being referred to as the actions of the Trump administration as if Donald Trump personally makes every call so why is this one "Feds?"

    1. Re: Don't you mean the Trump Administration? by jd · · Score: 1

      Because most of the other actions were instigated by him. That they were invariably stupid is merely a product of that.

      This decision was made by a quasi-independent group of civil servants entirely off their own bat. It's not perfect, but it's about par with decisions made by competent people.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re: Don't you mean the Trump Administration? by houghi · · Score: 1

      People started listening to you.

      --
      Don't fight for your country, if your country does not fight for you.
  4. It's about money by jd · · Score: 1

    They can't move their research overseas if the bulk of the money they need is from the government, if they rely on a clearance in the U.S., or if they need access to GFE.

    (The Feds are opposed to foreigners having secrets that were public knowledge after the next Defcon anyway.)

    It's also seriously disruptive to families, and few countries want to be seen to be offering space to political refugees from America after the extraordinary rendition in Italy and the U.S. threatening to shoot down the Bolivian president as he flew over Europe. Tends to chill the atmosphere.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. Never compromise. Not even in the face of Armageddon by Impy the Impiuos Imp · · Score: 1

    To hell with this! Rule that fans of MMORPG abandonware like City of Heroes can fire up private servers, including for-pay ones.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  6. Re:can't...even publish technical papers by Obfiscator · · Score: 1

    Wait, what? When did that happen?

    To quote Chief Justice Marshall from Foster v. Neilson in 1829: “In the United States, a different principle is established. Our constitution declares a treaty to be the law of the land. It is, consequently, to be regarded in courts of justice as equivalent to an act of the legislature, whenever it operates of itself, without the aid of any legislative provision. But when the terms of the stipulation import a contract—when either of the parties engages to perform a particular act, the treaty addresses itself to the political, not the judicial department; and the legislature must execute the contract, before it can become a rule for the court.”

    If a treaty is "equivalent to an act of the legislature" (or even requires legislature to execute!), and acts of legislature are subject to the Constitution, how can a treaty supersede the Constitution? I would be curious if you have more modern case law which overturns this (I know the Court evolved a lot during the first 50 years or so).

    --
    "Nothing shocks me. I'm a scientist." -Indiana Jones