[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[dvd-discuss] Re: [DMCA_discuss] Linux kernel security fixes censored by theDMCA
- To: dmca_discuss(at)lists.microshaft.org, dvd-discuss(at)cyber.law.harvard.edu
- Subject: [dvd-discuss] Re: [DMCA_discuss] Linux kernel security fixes censored by theDMCA
- From: "John Zulauf" <johnzu(at)ia.nsc.com>
- Date: Wed, 24 Oct 2001 16:45:41 -0600
- References: <20011022141551.E61071@networkcommand.com>
- Reply-To: dvd-discuss(at)cyber.law.harvard.edu
- Sender: owner-dvd-discuss(at)cyber.law.harvard.edu
I was walking through the "why would linux security patches constitute a
DMCA risk" logic and this was I came up with.
Under the Berne convention, all creative works by an author, from my
.cshrc to my latest white paper are automatically considered the
copyrighted works of the author, whether published or not, registered
for copyright or not.
On a multi-user system, the rights of a user to control access and
copying of his or her files is emodied in the "su" user id control,
along with the file user id and group id, and finally the permissions on
the files and directories.
Each of these, and particularly the ability to "su", constitute a
technical protective measure (TPM) that controls access to a work -- the
very language of the DMCA.
In order to access the copyrighted works of an author (their files) one
needs either the users file permissions, their password, or the root
password.
Any crack that would allow access to these files which bypasses
circumvents the permissions or passwords thus circumvents a TPM
controlling access to a work.
Information regarding these cracks (include demonstration programs)
could be considered "a technology... or component thereof" of a
circumvention device. The recent court case treated software as a
"device" under the law. Certainly the threats to Prof. Felton et. al.
(if you publish you may be liable for criminal prosecution) seems to
imply a very broad stroke regarding "a component thereof".
So there we have it:
(a) a TPM that controls access to a work with the authorization of the
copyright holder (the DMCA
(b) information about a crack which circumvents this TPM (typically
gaining root access)
(c) dissemination of that "device... or component thereof" -- i.e. any
demo code or documentation sufficient to reproduce that crack
QED -- the next time Alan visits the US, the FBI could visit him if he
does (c).
I wish I could find hole in that simple minded logic (though it is drawn
from the style of the FBI complaint against Sklyarov). What bothers me
is that this logic could be extended to a "rescue" floppy that boots a
system and grants instant root access to all present hard disks --
though the counter logic would be that anyone with physical access to a
multi-user server better have authority to be there. However, under the
logic of the DMCA (and the DeCSS and Sklyarov cases) the legitimate uses
of a technology are irrelevant if what the "device" does is "circumvent"
and a rescue floppy certainly does that. Other problems would be "key
recovery" or "passwd crack" software -- both are useful tools of "white
hat" cracking. However, once one releases that all user files are
copyrighted works -- then all tools that do passwd bypass (or recovery)
through any encryption or other system are "circumvention devices".
This of course brings me back to my initial worry.... just how are we
supposed to get our jobs done without legal liability and risk of felony
charges.