A Look At The DMCA's Chilling Effects On Security Research

from the sad dept

Thu, Jun 18th 2009 2:29pm — Mike Masnick

Michael Scott points us to a column over at BetaNews recounting many of the examples of how the DMCA has created a chilling effect on security research. The column talks about the importance of hacking and tinkering, and then reminds us of all those stories we've heard: Ed Felten (threatened for both his research into DRM and e-voting), Alex Haldeman's DRM research. Seth Finklestein on censorware. Dmitry Sklyarov spending months in jail for discovering a security flaw. Eric Corley for daring to publish the basic DeCSS code in a magazine. Most of these stories you should already be familiar with, but it seems that the massive chilling effects of the DMCA on security research haven't been discussed in a while -- and it's certainly worth putting some of these famed cases together in one spot to remind people that the problems with the DMCA remain and are doing great damage to our security -- at exactly the time when the government claims we need to improve our cybersecurity.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: dmca, research, security, stifling

27 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 18 Jun 2009 @ 3:12pm

"security research"

Is that a polite term for hacking and helping other people get stuff for free?

Come on Mike, the intention of DMCA is EXACTLY that, to stop people from hacking. Nice attempt try to twist the words around.
[ link to this | view in thread ]
Anonymous Coward, 18 Jun 2009 @ 3:16pm

The heck with the DMCA. Take a look at the Thomas verdict.

First trial - $220,000.

New trial - $1,920,000

Apparently the jury deemed the infringements to be wilfull and awarded damages in the amount of about $80,000/each.

Even I am surprised by the amount, but certainly less so than counsel for the defendant (former students of Mr. Nesson at HLS).

If the EFF is inclined to make what I believe are premature announcements about patent busting, I can only begin to imagine the announcement that will be made by the plaintiff record labels.
[ link to this | view in thread ]
Anonymous Coward, 18 Jun 2009 @ 3:24pm

Re:
BTW, if the defendant has any sense (doubtful given her actions throughout all these proceedings) she will accept an offer from the labels for a token damages settlement and then go back to Brainerd, MN and never again use P2P to illegally download content.
[ link to this | view in thread ]
Matt Tate (profile), 18 Jun 2009 @ 3:27pm

Re:
First off: Troll.

OK, now that that's out of the way: did you even read the post? Is publishing basic code or researching software used to determine the who will be the most powerful man in the world "helping other people get stuff for free"? How about looking at what is forcefully installed on your computer? Shouldn't these things be allowed and encouraged? It's also clear that you don't have a clue what hacking is. Hackers are hired by companies to test for security flaws. If that company uses 3rd party security software, it is now a violation of the law for them to test it. Is this what the DMCA was designed to prevent? Does that stop people from getting stuff for free?
[ link to this | view in thread ]
Anonymous Coward, 18 Jun 2009 @ 3:31pm

Re:
Research and hacking are not the same thing. Do you really trust security that has never been tested? I do not, I have no faith in security schemes that cannot be tested or questioned.

Perhaps its better to have a friendly researcher point out a flaw privately rather than having an unfriendly hacker just start abusing a flaw.

If you think that Ed Felton, director of Princeton's Center for Information Technology Policy, is interested in 'helping other people get stuff for free' then you are crazy. You obviously do not know what you are talking about.
[ link to this | view in thread ]
Anonymous Coward, 18 Jun 2009 @ 3:33pm

Think Like The Pirate Party
"Security Research" is a timid term. Think like the Pirate Party folks. Go ahead and call it Hacking. That's what it is and just because nobody outside of geekdom knows that hacking is more a term of goodness than badness doesn't mean we should fear.

Security Research, may ass.
[ link to this | view in thread ]
Anonymous Coward, 18 Jun 2009 @ 3:39pm

Re: Think Like The Pirate Party
All 'hacking' is research. The term 'security research' refers to friendly hacking - folks looking to find flaws and fix them. 'Hacking' is generally used to refer to unfriendly research - folks looking to find flaws and fix them. The DMCA does not differentiate. There are perfectly valid reasons to test security - so that you know it really works and so you can improve it if it does not.
[ link to this | view in thread ]
Sarah Black, 18 Jun 2009 @ 3:57pm

Re: "security research"
Security Research? If it wasnt for independently contracted companies such as, Gotham Digital Science and there dedication to Security Research, many companies wouldn't even know the security flaws in their products. http://www.gdssecurity.com/g/a.php

I read what Mike wrote and I wholeheartedly agree with what he is so obviously pointing out. I am also quite shocked with the trolling to call "Security Researchers" as "a polite term for hacking and helping other people get stuff for free"... it is in fact a term used to PREVENT malicious persons from obtaining secure goods - while learning about and assessing the security of a product, thus the term, "Security Research".
[ link to this | view in thread ]
Rekrul, 18 Jun 2009 @ 4:22pm

Re:
So, you don't want the flaws in electronic voting machines to be analyzed and corrected? You don't want to know if your bank has a major security flaw that could allow people to easily steal money from your account? You don't want people testing the software you use to keep your computer safe from viruses, to see if it actually does what it says it will?
[ link to this | view in thread ]
Anonymous Coward, 18 Jun 2009 @ 4:22pm

Re: Re: Think Like The Pirate Party
Oops, thats "'Hacking' is generally used to refer to unfriendly research - folks looking to find flaws and abuse them."
[ link to this | view in thread ]
Paul`, 18 Jun 2009 @ 4:26pm

Re:
You, sir, are an idiot.
[ link to this | view in thread ]
Anonymous Coward, 18 Jun 2009 @ 4:28pm

The only thing the DCMA did was to kill innovation in the US. When it is illegal to examine the security of software or device then the company will never be forced to correct the flaw. It is much cheaper to threaten you with jail time.
[ link to this | view in thread ]
Jake S. (profile), 18 Jun 2009 @ 4:29pm

Define Hacking?
Any computer technician or technically savvy person has hacked in his lifetime. Any code that I may have, I WANT others to tell me the flaws and help me fix it. Not because I like to be wrong, but to make it better. DMCA takedowns are being abused to allow people who don't like what another is doing to throw it into the court system. STUPID. I have hacked...LEGALLY...just in order to get a windows machine running correctly requires a bit of manipulation and hacking. The point here is that people are being stupid and misusing the DMCA takedown proccess and how that has caused fear in people from actually HELPING others. Hello World! Wake up and work together!
[ link to this | view in thread ]
Anonymous Coward, 18 Jun 2009 @ 4:34pm

Re:
It is illegal when the methods used to "examine" the software involve decoding the files to get to the base coding of the product. Reverse compiling to figure out how the product works isn't security testing, it's just hacking, plain and simple.

Just as important - if these people do such a good job, they should offer their services to companies to check their security and get a waiver to allow them to do the work. Just randomly "checking" someone and then announcing a "flaw" isn't exactly white hat work.

I am sure someone will come up with a convoluted way to say that 0 day exploits are somehow good. RIGHT.
[ link to this | view in thread ]
bigpicture, 18 Jun 2009 @ 5:06pm

Re: Re: Troll?
He probably still has the Sony root kit on his PC, and wonders why it is so slow.
[ link to this | view in thread ]
Anonymous Coward, 18 Jun 2009 @ 5:19pm

Re: Re:
Reverse compiling to figure out how the product works isn't security testing, it's just hacking, plain and simple.

Wrong. Also, its not a easy as it sounds to reverse compile. Why would a researcher limit the tools at his disposal?

and get a waiver to allow them to do the work

What waiver? From whom? It would be great if there was such a thing, that would be much better than the current DMCA rules that make every kind of security research a crime.

Get a clue.
[ link to this | view in thread ]
Anonymous Coward, 18 Jun 2009 @ 5:47pm

Re: Re: Re:
Wake up!

It isn't easy to reverse compile, but it is possible - and one of many tools available. But if you hack the encoding, you have broken the copyright law, and that ends that.

"What waiver? From whom? It would be great if there was such a thing, that would be much better than the current DMCA rules that make every kind of security research a crime."

If they were working on a company's project, in the clear, announced, and known to be working on it, I am sure the company would issue them a waiver (after all, the employees of the firm aren't hacking, are they?). heck, they could probably doa better job if they actually had access to the full source code, no?

The problem is most of these security guys are just hackers hoping to find a flaw to get their names in lights. very, very few of them are professional, and they still fail to get permission before working. Like I said, if you are working for the company, you aren't violating anything.
[ link to this | view in thread ]
CleverName, 18 Jun 2009 @ 6:18pm

Re:
security research is a "polite term for hacking"

I suppose, to a certain extent. For example, it did take a bit of hacking to remove the Sony rootkit installed by a legit CD purchased with real money and no indication of the included payload.

"intention of DMCA is EXACTLY that, to stop people from hacking."

I do not agree. I was under the impression that it was about providing additional protections to the holders of copyright.
[ link to this | view in thread ]
Felix Pleşoianu, 18 Jun 2009 @ 10:57pm

This post gave me an idea. Why is it that all those famed Russian/Chinese/Romanian crackers seem to focus on U.S. targets? Perhaps because the rest of the world has figured out that security by obscurity doesn't work, period, and without the DMCA to forbid penetration testing they actually, you know, test the security of their systems? Which, in turn, allows them to fix many flaws before a cracker finds a way in?
[ link to this | view in thread ]
Seth Finkelstein, 18 Jun 2009 @ 11:45pm

DMCA testimony
Thanks for the mention. One small correction - it's "Seth FinkELstein". People - especially the critics here - might like to read the transcript of my 2003 DMCA testimony. It's even entertaining, I think.
[ link to this | view in thread ]
BobinBaltimore (profile), 19 Jun 2009 @ 5:44am

Re:
More likely it's because the US (or companies somehow HQ'd or with substantial presence in the US) produce a substantial majority of the software and content that bad guys want to get or hack. And, umm, also....there are those pesky remainders of the Cold War that still kinda make the US a target for a lot of former or current "unfriendly" countries. I think those are the simplest explanations, which are usually the most likely ones to be true.
[ link to this | view in thread ]
Travis, 19 Jun 2009 @ 8:46am

Re: Re: Re: Re:
"If they were working on a company's project"

This is the problem. Other people and companies who PURCHASE the product cannot verify that the product is truly secure. They are dependant on the honesty of the company that makes the product and the "third party" security analysts paid for by the manufacturer.
[ link to this | view in thread ]
teknosapien, 19 Jun 2009 @ 2:59pm

Re: Wrong on so many counts
Face it there are a bunch of people who don't care about laws that do this for the sole purpose of exploiting the problems and taking your money/vote/whatever
its the people that research the problems with security that save us from really bad things from happening. the fact that they publish the findings should speak volumes of their intent. the big issue here is that these people did somethings that went against a large company who's product was not as secure as they claimed to be. We havent seen this type of backlash from the DNS systems issues that brought about DNSSec protocols implementation. we've only seen this backlash from companies who's supposed products are SUPPOSED to be secure.

Time to start thinking on your own and stop shouting the party line
[ link to this | view in thread ]
Anonymous Coward, 19 Jun 2009 @ 7:53pm

Re: Re: Re: Re: Re:
Again - the company contacts that security software maker, and asks specific permission to have their contractor check the system, including any sort of hack / decrypting / whatever. If they say no, move to another vendor.

How hard is that to do?
[ link to this | view in thread ]
Mike Masnick (profile), 22 Jun 2009 @ 12:57am

Re: Re: Re: Re: Re: Re:
Again - the company contacts that security software maker, and asks specific permission to have their contractor check the system, including any sort of hack / decrypting / whatever. If they say no, move to another vendor.

How hard is that to do?

Wait, why should they need permission? You do realize that the *bad* hackers out there don't ask for permission. A big part of the point of security research is to highlight the problems with software that the creators of that software want hidden. So they're unlikely to give permission -- but that puts everyone at risk by not knowing the problems with the software.
[ link to this | view in thread ]
Anonymous Coward, 22 Jun 2009 @ 12:36pm

Re: Re: Re: Re: Re: Re:
Wow, this is just, wow...

You don't think that companies do this already? Most software makers already have extensive bugtests going through the entire development process.

The fact that you think that this method would actually create foolproof security is laughable. A million people throwing every inconceivable situation at your software will always, always be more effective at catching flaws than a limited test scope performed by a handful of employees.
[ link to this | view in thread ]
Mike, 18 Nov 2009 @ 6:24am

I think we all know that without hackers and the bad people who write bad code, there would be no antivirus industry. It's common sense, still, to hear it spoken about by figureheads in the security software field leaves an odd taste in my mouth.
[ link to this | view in thread ]