A Look At The DMCA's Chilling Effects On Security Research

from the sad dept

Michael Scott points us to a column over at BetaNews recounting many examples of how the DMCA has created a chilling effect on security research. The column talks about the importance of hacking and tinkering, and then reminds us of all those stories we've heard: Ed Felten (threatened for both his research into DRM and e-voting), Alex Halderman's DRM research, Seth Finkelstein on censorware, Dmitry Sklyarov spending months in jail for discovering a security flaw, Eric Corley for daring to publish the basic DeCSS code in a magazine. Most of these stories you should already be familiar with, but it seems that the massive chilling effects of the DMCA on security research haven't been discussed in a while -- and it's certainly worth putting some of these famed cases together in one spot to remind people that the problems with the DMCA remain and are doing great damage to our security -- at exactly the time when the government claims we need to improve our cybersecurity.

Filed Under: dmca, research, security, stifling


Reader Comments


  • Anonymous Coward, 18 Jun 2009 @ 3:12pm

    "security research"

    Is that a polite term for hacking and helping other people get stuff for free?

    Come on Mike, the intention of the DMCA is EXACTLY that, to stop people from hacking. Nice attempt to twist the words around.

    • Matt Tate (profile), 18 Jun 2009 @ 3:27pm

      Re:

      First off: Troll.

      OK, now that that's out of the way: did you even read the post? Is publishing basic code or researching software used to determine who will be the most powerful man in the world "helping other people get stuff for free"? How about looking at what is forcefully installed on your computer? Shouldn't these things be allowed and encouraged? It's also clear that you don't have a clue what hacking is. Hackers are hired by companies to test for security flaws. If that company uses third-party security software, it is now a violation of the law for them to test it. Is this what the DMCA was designed to prevent? Does that stop people from getting stuff for free?

      • bigpicture, 18 Jun 2009 @ 5:06pm

        Re: Re: Troll?

        He probably still has the Sony root kit on his PC, and wonders why it is so slow.

    • Anonymous Coward, 18 Jun 2009 @ 3:31pm

      Re:

      Research and hacking are not the same thing. Do you really trust security that has never been tested? I do not; I have no faith in security schemes that cannot be tested or questioned.

      Perhaps it's better to have a friendly researcher point out a flaw privately rather than having an unfriendly hacker just start abusing a flaw.

      If you think that Ed Felten, director of Princeton's Center for Information Technology Policy, is interested in 'helping other people get stuff for free' then you are crazy. You obviously do not know what you are talking about.

    • Sarah Black, 18 Jun 2009 @ 3:57pm

      Re: "security research"

      Security Research? If it wasn't for independently contracted companies such as Gotham Digital Science and their dedication to Security Research, many companies wouldn't even know the security flaws in their products. http://www.gdssecurity.com/g/a.php

      I read what Mike wrote and I wholeheartedly agree with what he is so obviously pointing out. I am also quite shocked by the trolling that calls "Security Researchers" "a polite term for hacking and helping other people get stuff for free"... it is in fact a term used to PREVENT malicious persons from obtaining secure goods - while learning about and assessing the security of a product, thus the term "Security Research".

    • Rekrul, 18 Jun 2009 @ 4:22pm

      Re:

      So, you don't want the flaws in electronic voting machines to be analyzed and corrected? You don't want to know if your bank has a major security flaw that could allow people to easily steal money from your account? You don't want people testing the software you use to keep your computer safe from viruses, to see if it actually does what it says it will?

    • Paul`, 18 Jun 2009 @ 4:26pm

      Re:

      You, sir, are an idiot.

    • CleverName, 18 Jun 2009 @ 6:18pm

      Re:

      security research is a "polite term for hacking"

      I suppose, to a certain extent. For example, it did take a bit of hacking to remove the Sony rootkit installed by a legit CD purchased with real money and no indication of the included payload.

      "intention of DMCA is EXACTLY that, to stop people from hacking."

      I do not agree. I was under the impression that it was about providing additional protections to the holders of copyright.

    • teknosapien, 19 Jun 2009 @ 2:59pm

      Re: Wrong on so many counts

      Face it, there are a bunch of people who don't care about laws, who do this for the sole purpose of exploiting the problems and taking your money/vote/whatever.
      It's the people who research the problems with security that save us from really bad things happening. The fact that they publish the findings should speak volumes about their intent. The big issue here is that these people did some things that went against a large company whose product was not as secure as they claimed it to be. We haven't seen this type of backlash from the DNS system issues that brought about the DNSSec protocol's implementation. We've only seen this backlash from companies whose products are SUPPOSED to be secure.

      Time to start thinking on your own and stop shouting the party line

  • Anonymous Coward, 18 Jun 2009 @ 3:16pm

    The heck with the DMCA. Take a look at the Thomas verdict.

    First trial - $220,000.

    New trial - $1,920,000

    Apparently the jury deemed the infringements to be willful and awarded damages in the amount of about $80,000 each.

    Even I am surprised by the amount, but certainly less so than counsel for the defendant (former students of Mr. Nesson at HLS).

    If the EFF is inclined to make what I believe are premature announcements about patent busting, I can only begin to imagine the announcement that will be made by the plaintiff record labels.

    • Anonymous Coward, 18 Jun 2009 @ 3:24pm

      Re:

      BTW, if the defendant has any sense (doubtful given her actions throughout all these proceedings) she will accept an offer from the labels for a token damages settlement and then go back to Brainerd, MN and never again use P2P to illegally download content.

  • Anonymous Coward, 18 Jun 2009 @ 3:33pm

    Think Like The Pirate Party

    "Security Research" is a timid term. Think like the Pirate Party folks. Go ahead and call it Hacking. That's what it is and just because nobody outside of geekdom knows that hacking is more a term of goodness than badness doesn't mean we should fear.

    Security Research, my ass.

    • Anonymous Coward, 18 Jun 2009 @ 3:39pm

      Re: Think Like The Pirate Party

      All 'hacking' is research. The term 'security research' refers to friendly hacking - folks looking to find flaws and fix them. 'Hacking' is generally used to refer to unfriendly research - folks looking to find flaws and fix them. The DMCA does not differentiate. There are perfectly valid reasons to test security - so that you know it really works and so you can improve it if it does not.

      • Anonymous Coward, 18 Jun 2009 @ 4:22pm

        Re: Re: Think Like The Pirate Party

        Oops, that's "'Hacking' is generally used to refer to unfriendly research - folks looking to find flaws and abuse them."

  • Anonymous Coward, 18 Jun 2009 @ 4:28pm

    The only thing the DMCA did was kill innovation in the US. When it is illegal to examine the security of software or a device, then the company will never be forced to correct the flaw. It is much cheaper to threaten you with jail time.

    • Anonymous Coward, 18 Jun 2009 @ 4:34pm

      Re:

      It is illegal when the methods used to "examine" the software involve decoding the files to get to the base coding of the product. Reverse compiling to figure out how the product works isn't security testing, it's just hacking, plain and simple.

      Just as important - if these people do such a good job, they should offer their services to companies to check their security and get a waiver to allow them to do the work. Just randomly "checking" someone and then announcing a "flaw" isn't exactly white hat work.

      I am sure someone will come up with a convoluted way to say that 0 day exploits are somehow good. RIGHT.

      • Anonymous Coward, 18 Jun 2009 @ 5:19pm

        Re: Re:

        Reverse compiling to figure out how the product works isn't security testing, it's just hacking, plain and simple.

        Wrong. Also, it's not as easy as it sounds to reverse compile. Why would a researcher limit the tools at his disposal?

        and get a waiver to allow them to do the work

        What waiver? From whom? It would be great if there was such a thing, that would be much better than the current DMCA rules that make every kind of security research a crime.

        Get a clue.

        • Anonymous Coward, 18 Jun 2009 @ 5:47pm

          Re: Re: Re:

          Wake up!

          It isn't easy to reverse compile, but it is possible - and one of many tools available. But if you hack the encoding, you have broken the copyright law, and that ends that.

          "What waiver? From whom? It would be great if there was such a thing, that would be much better than the current DMCA rules that make every kind of security research a crime."

          If they were working on a company's project, in the clear, announced, and known to be working on it, I am sure the company would issue them a waiver (after all, the employees of the firm aren't hacking, are they?). Heck, they could probably do a better job if they actually had access to the full source code, no?

          The problem is most of these security guys are just hackers hoping to find a flaw to get their names in lights. Very, very few of them are professional, and they still fail to get permission before working. Like I said, if you are working for the company, you aren't violating anything.

          • Travis, 19 Jun 2009 @ 8:46am

            Re: Re: Re: Re:

            "If they were working on a company's project"

            This is the problem. Other people and companies who PURCHASE the product cannot verify that the product is truly secure. They are dependent on the honesty of the company that makes the product and the "third party" security analysts paid for by the manufacturer.

            • Anonymous Coward, 19 Jun 2009 @ 7:53pm

              Re: Re: Re: Re: Re:

              Again - the company contacts that security software maker, and asks specific permission to have their contractor check the system, including any sort of hack / decrypting / whatever. If they say no, move to another vendor.

              How hard is that to do?

              • Mike Masnick (profile), 22 Jun 2009 @ 12:57am

                Re: Re: Re: Re: Re: Re:

                Again - the company contacts that security software maker, and asks specific permission to have their contractor check the system, including any sort of hack / decrypting / whatever. If they say no, move to another vendor.

                How hard is that to do?


                Wait, why should they need permission? You do realize that the *bad* hackers out there don't ask for permission. A big part of the point of security research is to highlight the problems with software that the creators of that software want hidden. So they're unlikely to give permission -- but that puts everyone at risk by not knowing the problems with the software.

              • Anonymous Coward, 22 Jun 2009 @ 12:36pm

                Re: Re: Re: Re: Re: Re:

                Wow, this is just, wow...

                You don't think that companies do this already? Most software makers already have extensive bugtests going through the entire development process.

                The fact that you think that this method would actually create foolproof security is laughable. A million people throwing every inconceivable situation at your software will always, always be more effective at catching flaws than a limited test scope performed by a handful of employees.

  • Jake S. (profile), 18 Jun 2009 @ 4:29pm

    Define Hacking?

    Any computer technician or technically savvy person has hacked in his lifetime. Any code that I may have, I WANT others to tell me the flaws in and help me fix it. Not because I like to be wrong, but to make it better. DMCA takedowns are being abused to allow people who don't like what another is doing to throw it into the court system. STUPID. I have hacked...LEGALLY...just getting a Windows machine running correctly requires a bit of manipulation and hacking. The point here is that people are being stupid and misusing the DMCA takedown process, and that has caused fear in people from actually HELPING others. Hello World! Wake up and work together!

  • Felix Pleşoianu, 18 Jun 2009 @ 10:57pm

    This post gave me an idea. Why is it that all those famed Russian/Chinese/Romanian crackers seem to focus on U.S. targets? Perhaps because the rest of the world has figured out that security by obscurity doesn't work, period, and without the DMCA to forbid penetration testing they actually, you know, test the security of their systems? Which, in turn, allows them to fix many flaws before a cracker finds a way in?

    • BobinBaltimore (profile), 19 Jun 2009 @ 5:44am

      Re:

      More likely it's because the US (or companies somehow HQ'd or with substantial presence in the US) produce a substantial majority of the software and content that bad guys want to get or hack. And, umm, also....there are those pesky remainders of the Cold War that still kinda make the US a target for a lot of former or current "unfriendly" countries. I think those are the simplest explanations, which are usually the most likely ones to be true.

  • Seth Finkelstein, 18 Jun 2009 @ 11:45pm

    DMCA testimony

    Thanks for the mention. One small correction - it's "Seth FinkELstein". People - especially the critics here - might like to read the transcript of my 2003 DMCA testimony. It's even entertaining, I think.

  • Mike, 18 Nov 2009 @ 6:24am

    I think we all know that without hackers and the bad people who write bad code, there would be no antivirus industry. It's common sense, still, to hear it spoken about by figureheads in the security software field leaves an odd taste in my mouth.
