EFF looks to protect developers from legal threats

By Ed Oswald | Published August 6, 2008, 5:37 PM

The Electronic Frontier Foundation has launched the Coders' Rights Project at the annual Black Hat conference in Las Vegas, aiming to give protection to those developers who may be hindered in their research by threats of legal action.

Most of the group's work seems focused on protecting researchers' rights to reverse engineer software to see how it operates, as well as continuing to allow security researchers to publicize vulnerabilities in today's software.

The EFF claims that legal threats to those working in both areas are hindering legitimate security and encryption research. It blames companies' abuse of the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act for these threats.

Under the Coders' Rights Project, the EFF will continue working to limit the use of either law, and it will publish a best practices document on the project's Web site to guide developers in how to reduce their legal risks when working in either area.

"Those of us doing research on computer security and privacy need to be able to discuss and publish our work without fear of legal threats," EFF Board Member and security researcher Edward Felten said.

For example, under the reverse engineering FAQ, the group advises that disclosing information about non-disclosure agreements concerning contractual code is the most legally risky, as is bypassing measures that protect the code or copying it into another program.

In the vulnerability reporting FAQ, the EFF suggests that researchers not make reports detailed or include proof-of-concept code. It also reminds those working in the field that there are no "whistleblower" protections for those who discover flaws.

Officials hope that the Coders' Rights Project will eventually be able to narrow the definitions of what constitutes a computer crime, and limit the power of EULAs to allow for reverse engineering and a consumer's "right to tinker."

Comments

Just another step in the "we're too lazy and cheap to protect our own shoddy work so we want the taxpayers to foot the bill" process.

Whether it's a lazy cable or telephone company that uses unsecured J-boxes or a recording industry defending an obsolete business model or a software publisher releasing crap code the story is exactly the same.

These investor owned companies constantly try to push their own business expenses on to the taxpayers' backs. These firms won't lift a finger to protect their own products; they want us taxpayers to pay the FBI and local law enforcement to protect their own private property.

It's no different than an individual who is too lazy to lock his own doors demanding that a sheriff's deputy guard his home to prevent a burglary. Ridiculous!!!

Score: 0

"Most of the group's work seems focused on protecting researchers' rights to reverse engineer software to see how it operates, as well as continuing to allow security researchers to publicize vulnerabilities in today's software"

It's about time.

I recall several of the less enlightened (and intelligent) denizens here whining about how Media Player Classic was "illegal" because it reverse engineered the DVD playback codec. Americans need to remember that they are NOT the center of the universe and just because stupidity is practised in their country does not mean that others are also so inclined (or possessed of such lack of foresight).

The EFF will stand up for freedom of code development, the right to reverse engineer Draconian copy protection for fair use and other rights that The Corps would turn into "privileges" that they alone control (through a government and political system that they have oft displayed is in their back pocket, of course).

I do think they stopped too short though: there SHOULD be detailed reports AND proof of concept code and it should be made freely available to all. If it is truly reverse engineered, the copyright legality of the code cannot be called into question, although I'm sure The Suits will inevitably try.

The industry is hypocritical anyway: Suse does not include the MPEG2 decoder libraries in their distro but tells you where to get them - in Europe of course, away from American corporate-sponsored legal terrorism (downright amusing since Novell is an American company).

Exposing vulnerabilities is a valuable way to learn How To Plug And Prevent them, which the stupid dullards in Homeland Security would realize if they extracted their heads from their collective anal orifices. It's also a good way to keep The Corps honest and have them perform thorough due diligence.

It's also far more effective than the current "head in the sand, a$$ in the air" approach. Contrary to what the misguided (and paid for) lawmakers believe, the empty and utterly unenforceable gesture of refusing to allow it won't make it go away. That "strategy" is so reminiscent of Prohibition that it's impossible to suppress a chuckle.

I salute those Freedom Fighters of the Internet Age - truly intelligent readers everywhere will too.

Score: 0

Amen!

Score: 0

I agree. Never ceases to amaze me that such obvious things have to be pronounced out loud.

Score: 0
