A Look At The DMCA's Chilling Effects On Security Research
from the sad dept
Michael Scott points us to a column over at BetaNews recounting many of the examples of how the DMCA has created a chilling effect on security research. The column talks about the importance of hacking and tinkering, and then reminds us of all those stories we've heard: Ed Felten (threatened for both his research into DRM and e-voting), Alex Haldeman's DRM research. Seth Finklestein on censorware. Dmitry Sklyarov spending months in jail for discovering a security flaw. Eric Corley for daring to publish the basic DeCSS code in a magazine. Most of these stories you should already be familiar with, but it seems that the massive chilling effects of the DMCA on security research haven't been discussed in a while -- and it's certainly worth putting some of these famed cases together in one spot to remind people that the problems with the DMCA remain and are doing great damage to our security -- at exactly the time when the government claims we need to improve our cybersecurity.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Is that a polite term for hacking and helping other people get stuff for free?
Come on Mike, the intention of DMCA is EXACTLY that, to stop people from hacking. Nice attempt try to twist the words around.
[ link to this | view in chronology ]
Re:
OK, now that that's out of the way: did you even read the post? Is publishing basic code or researching software used to determine the who will be the most powerful man in the world "helping other people get stuff for free"? How about looking at what is forcefully installed on your computer? Shouldn't these things be allowed and encouraged? It's also clear that you don't have a clue what hacking is. Hackers are hired by companies to test for security flaws. If that company uses 3rd party security software, it is now a violation of the law for them to test it. Is this what the DMCA was designed to prevent? Does that stop people from getting stuff for free?
[ link to this | view in chronology ]
Re: Re: Troll?
[ link to this | view in chronology ]
Re:
Perhaps its better to have a friendly researcher point out a flaw privately rather than having an unfriendly hacker just start abusing a flaw.
If you think that Ed Felton, director of Princeton's Center for Information Technology Policy, is interested in 'helping other people get stuff for free' then you are crazy. You obviously do not know what you are talking about.
[ link to this | view in chronology ]
Re: "security research"
I read what Mike wrote and I wholeheartedly agree with what he is so obviously pointing out. I am also quite shocked with the trolling to call "Security Researchers" as "a polite term for hacking and helping other people get stuff for free"... it is in fact a term used to PREVENT malicious persons from obtaining secure goods - while learning about and assessing the security of a product, thus the term, "Security Research".
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
I suppose, to a certain extent. For example, it did take a bit of hacking to remove the Sony rootkit installed by a legit CD purchased with real money and no indication of the included payload.
"intention of DMCA is EXACTLY that, to stop people from hacking."
I do not agree. I was under the impression that it was about providing additional protections to the holders of copyright.
[ link to this | view in chronology ]
Re: Wrong on so many counts
its the people that research the problems with security that save us from really bad things from happening. the fact that they publish the findings should speak volumes of their intent. the big issue here is that these people did somethings that went against a large company who's product was not as secure as they claimed to be. We havent seen this type of backlash from the DNS systems issues that brought about DNSSec protocols implementation. we've only seen this backlash from companies who's supposed products are SUPPOSED to be secure.
Time to start thinking on your own and stop shouting the party line
[ link to this | view in chronology ]
First trial - $220,000.
New trial - $1,920,000
Apparently the jury deemed the infringements to be wilfull and awarded damages in the amount of about $80,000/each.
Even I am surprised by the amount, but certainly less so than counsel for the defendant (former students of Mr. Nesson at HLS).
If the EFF is inclined to make what I believe are premature announcements about patent busting, I can only begin to imagine the announcement that will be made by the plaintiff record labels.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Think Like The Pirate Party
Security Research, may ass.
[ link to this | view in chronology ]
Re: Think Like The Pirate Party
[ link to this | view in chronology ]
Re: Re: Think Like The Pirate Party
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Just as important - if these people do such a good job, they should offer their services to companies to check their security and get a waiver to allow them to do the work. Just randomly "checking" someone and then announcing a "flaw" isn't exactly white hat work.
I am sure someone will come up with a convoluted way to say that 0 day exploits are somehow good. RIGHT.
[ link to this | view in chronology ]
Re: Re:
Wrong. Also, its not a easy as it sounds to reverse compile. Why would a researcher limit the tools at his disposal?
and get a waiver to allow them to do the work
What waiver? From whom? It would be great if there was such a thing, that would be much better than the current DMCA rules that make every kind of security research a crime.
Get a clue.
[ link to this | view in chronology ]
Re: Re: Re:
It isn't easy to reverse compile, but it is possible - and one of many tools available. But if you hack the encoding, you have broken the copyright law, and that ends that.
"What waiver? From whom? It would be great if there was such a thing, that would be much better than the current DMCA rules that make every kind of security research a crime."
If they were working on a company's project, in the clear, announced, and known to be working on it, I am sure the company would issue them a waiver (after all, the employees of the firm aren't hacking, are they?). heck, they could probably doa better job if they actually had access to the full source code, no?
The problem is most of these security guys are just hackers hoping to find a flaw to get their names in lights. very, very few of them are professional, and they still fail to get permission before working. Like I said, if you are working for the company, you aren't violating anything.
[ link to this | view in chronology ]
Re: Re: Re: Re:
This is the problem. Other people and companies who PURCHASE the product cannot verify that the product is truly secure. They are dependant on the honesty of the company that makes the product and the "third party" security analysts paid for by the manufacturer.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
How hard is that to do?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
How hard is that to do?
Wait, why should they need permission? You do realize that the *bad* hackers out there don't ask for permission. A big part of the point of security research is to highlight the problems with software that the creators of that software want hidden. So they're unlikely to give permission -- but that puts everyone at risk by not knowing the problems with the software.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
You don't think that companies do this already? Most software makers already have extensive bugtests going through the entire development process.
The fact that you think that this method would actually create foolproof security is laughable. A million people throwing every inconceivable situation at your software will always, always be more effective at catching flaws than a limited test scope performed by a handful of employees.
[ link to this | view in chronology ]
Define Hacking?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
DMCA testimony
[ link to this | view in chronology ]
[ link to this | view in chronology ]