The DMCA is endangering American security

By Angela Gunn | Published June 11, 2009, 6:41 PM

I've had the government's 60-day Cyberspace Policy Review sitting on my desk for many days now, dutifully highlighted and marked up with notes about how this bit could turn out interesting and that section looks a lot like what we've previously heard from DC about cybersecurity and that passage over there appears to have been lifted from the questionable financial-loss statistics one hears from the RIAA and BSA and MPAA and such. And I see one gigantic self-inflicted wound that I fear the current administration will ignore like the last two have -- ignored it since 1998, in fact.

The cybersecurity review says we need to improve academic and industry collaboration on cybersecurity and other technology issues. It also states we should "expand university curricula; and set the conditions to create a competent workforce for the digital age."

What the cybersecurity review should have said is, "We are raising a nation of timid technophobes who mistake using MyTwitFace for being a geek. Meanwhile, we have comprehensively, at every educational level, stripped away useful teaching tools and criminalized modes of research and inquiry in the name of copyright and liability laws, and sooner rather than later we are going to reap the whirlwind."

Or, putting it simply: We made ourselves stupid and now we must pay.

Since the rise of the Information Age, America has convinced itself that safety is a better choice than knowledge, and that anyone who doesn't make safety a priority over knowledge is Dangerous And Up To No Good. The 1998 Digital Millennium Copyright Act, which is entering its twelfth year of chilling security research, acts in direct opposition to the government's alleged goal of improving American cybersecurity by criminalizing the research and inquiry that make security products, and thus security, stronger.

And not only have we attained this vulnerable position step by step, special-interest groups such as liability lawyers and the entertainment industry -- not to mention the computer industry itself -- have paved the path for us, making us easily fleeced, easily frightened, and easily led.

We'll start with the little ones. I'm willing to bet that you, as a young geek, had a certain amount of curiosity about science. Did you own a chemistry set? Do you remember some of the chemicals that shipped in it, some of the reactions you could test? Enjoy your memories of, as Oliver Sacks put it in Uncle Tungsten, "stinks and bangs." As Steve Silberman has written about so effectively in Wired, legislators and law enforcement now send a loud-and-clear message that science is something best left to the professionals. As geekish youth will discover over and over, the claim that "someone could get hurt!" is the way that people who are unnerved by smart people make sure that no one actually gets smart.

Head for the schools -- the elementary schools, even. The entertainment industry hasn't been as successful as it would like in eliminating fair use for educational purposes. But it has managed to get its point of view into the classroom starting in third grade with Music Rules, which "informs students about the laws of copyright and the risks of online file-sharing." Parents are cautioned against the dangers of "songlifting" (the RIAA's preferred new term for downloading and/or ripping) and the program handouts conflate music downloading with exposure to online predators. The "someone could get hurt" motif continues, with the introduction of the "and you'll be a criminal if you try it" theme.

Speaking of online predators, move to the higher grades. We don't really like teenagers in America if they're not Miley Cyrus or the Jonas Brothers (so clean-cut, such radio-friendly unit shifters!), so despite multiple studies indicating that most teens know enough to ignore online weirdos and most teens are smart enough not to go a-sexting and most teens can deal with "cyberbullying," social networking and mobile phones are as reliably panic-inducing in the mainstream media as rock-and-roll and long hair were back in the day. Again, "someone could get hurt" (especially teenaged girls, whose interest in tech when they could be interested in makeup and clothes is already unseemly and suspicious); but teenagers being generally scary, we're equally convinced that they're out to get each other.

Meanwhile, we're at the age when the hacker gene expresses. Criminalizing young men (and women) who hack is old fare, documented as far back as Cap'n Crunch and Joe Engressia and a couple of Steves (Jobs and Wozniak), and where social pressures didn't push status-conscious kids away from exploring computers, legal pressures often did. Ask anyone who attended 2600 meetups back in the day -- even those meetups destined for nothing more subversive than a really bad movie -- what percentage of "attendees" were cops hoping to get lucky.

Onward to the world -- to college and adult lives. Those who still have the geek fever by now -- and US university enrollment rates in science and computer science curricula tell us it's not very many these days -- may hope to connect with worthwhile research projects and really dig into what makes systems tick. And here's where the DMCA works its wonders for security researchers (and I mean real security researchers, not hopeful political appointees putting together a 60-day job application) by chilling research and collaboration.

Ask Ed Felten about his research on flaws in e-voting machines.

Ask Seth Finkelstein about his research on censorware.

Ask J. Alex Halderman about the Sony-BMG rootkit. For that matter, ask the researchers who'd previously requested an exemption to the DMCA to examine that rootkit, a request denied by the Copyright Office. (I find, by the way, no evidence in the Cybersecurity Policy Review that Melissa Hathaway or any of her minions spoke to the Copyright Office to ask who the hell they think they are to make security decisions. I wish somebody would.)

Ask Dmitry Sklyarov about that five-month detention, and getting arrested at DEFCON.

Ask Luigi Auriemma about informing GameSpy of vulnerabilities and getting no answer but a DMCA cease-and-desist. (Apparently GameSpy's lawyers were as excellent as their coders, since Mr. Auriemma lives in Italy and had no intention of coming to the US to be prosecuted, but oh well.)

Ask Eric Corley about simply attempting to publish the DeCSS software code -- in a printed magazine -- in 2600.

Ask former cybersecurity chief Richard Clarke how much traction he got after he told a Boston newspaper that the DMCA needed rethinking, because "I think a lot of people didn't realize that it would have this potential chilling effect on vulnerability research." (Hint: He was out of government in 2003.)

Want to dig into a software program the way we used to dig into a car engine or an unexplored continent? For shame; you're obviously attempting to steal something. In the wake of 9/11, copyright holders and the law-enforcement folk who do their work have managed to turn the "steal something" gripe into "ZOMG TERRORISTS!," but otherwise, we're in the second decade of intellectual curiosity being a pre-crime condition. Meanwhile... need I say more than "China" and "India?"

The new administration doesn't need to plead for better cybersecurity education for the masses; in fact, considering what's passing for "education" on that front these days I'd prefer that education stuck with the basics -- reading, writing, arithmetic, and blowing stuff up with chemistry sets that actually teach something besides "lawyers want to ruin your fun." It needs to put muscle behind the idea of "expanding academic curricula," re-establishing the importance of the freedom to conduct research and to communicate the results without fear of hearing from lawyers for a company that simply doesn't want anyone to know they're shipping vulnerable products. The DMCA is deeply dishonest legislation, and -- as it continues to undermine security research -- deeply dangerous to our future.

Comments


"STOP THE PRESSES!".

you have a desk?

Score: 0


OMG "WILL SOME ONE THINK OF THE CHILDREN"

Score: 0


As someone who dabbles in security research, I have found the DMCA to be a hindrance. Several years ago I was doing asset security research for a virtual world. I discovered that it had no asset security; you could download anything you wanted. I approached the company with my findings and they said they knew about the problem... and that they weren't going to do anything about it. The software was Closed Source and commercial. While the DMCA never came up in our discussions, the DMCA still scared me enough that I didn't publish my findings. You mess with a company's bottom line and they are liable to do anything.

Maybe if I had published, it would have convinced them to address some of the problems I found. But regardless, now that those problems have been exploited on a large scale they have had to fix them.

Score: 1


Or, to put it much more simplistically...

TO ALL THE KIDS WHO WERE BORN IN THE 1930's 40's, 50's, 60's and 70's

First, we survived being born to mothers who smoked and/or drank while they carried us.

They took aspirin, ate blue cheese dressing, tuna from a can, and didn't get tested for diabetes.

Then after that trauma, our baby cribs were covered with bright colored lead-based paints.

We had no childproof lids on medicine bottles, doors or cabinets and when we rode our bikes, we had no helmets, not to mention the risks we took hitchhiking.

As children, we would ride in cars with no seat belts or air bags.

Riding in the back of a pick up on a warm day was always a special treat.

We drank water from the garden hose and NOT from a bottle.

We shared one soft drink with four friends, from one bottle and NO ONE actually died from this.

We ate cupcakes, white bread and real butter and drank soda pop with sugar in it, but we weren't overweight because...... WE WERE ALWAYS OUTSIDE PLAYING!!

We would leave home in the morning and play all day, as long as we were back when the streetlights came on.

No one was able to reach us all day... And we were O.K.

We would spend hours building our go-carts out of scraps and then ride down the hill, only to find out we forgot the brakes. After running into the bushes a few times, we learned to solve the problem.

We did not have Playstations, Nintendo's, X-boxes, no video games at all, no 99 channels on cable, no video tape movies, no surround-sound, no cell phones, no answering machines, no voicemail, no personal computers, no Internet or Internet chat rooms..........WE HAD FRIENDS and we went outside and found them!

We fell out of trees, got cut, broke bones and teeth and there were no lawsuits from these accidents.

We ate worms and mud pies made from dirt, and the worms did not live in us forever.

We were given BB guns for our 10th birthdays,

We made up games with sticks and tennis balls and although we were told it would happen, we did not put out very many eyes.

We rode bikes or walked to a friend's house and knocked on the door or rang the bell, or just yelled for them to come out and play.

Little League had tryouts and not everyone made the team. Those who didn't had to learn to deal with disappointment. Imagine that!!

The idea of a parent bailing us out if we broke the law was unheard of. They actually sided with the law!

This generation has produced some of the best risk-takers, problem solvers and inventors ever!

Score: 1


PS, most of that applied to those of us born in the 80s too. :)

Score: 0


Bravo Straspey... you brought a tear to my eye! How in the world did we manage to survive? Big Brother isn't watching over us at all... he's watching over his profit margins. The new motto of corporate America is "Why innovate when you can litigate?" It's very sad.

Score: 0


Very good article, Ms. Gunn, and to Capt. Turner, I wish you the best and I am sorry to see you leave because you sound like the type of person we need now.

Score: 0


@Angela Gunn: Bloody great article. "We are raising a nation of timid technophobes who mistake using MyTwitFace for being a geek" is a great line.

Score: 4


Well said but sadly the more things change the more they stay the same.
There are times when I can't speak out when I see that most people fail to understand how all of this interlaces together and makes the job of defending this country against a 1st wave of attack which would be cyber much more difficult.
Will there be change? Probably not but then you do the best you can with a half-empty toolbox.

Every day, there are countless attacks on both the private and public sector and most go unreported but when you try to step up and address these issues you run into the brick wall of Washington. That is also why many do not accept promotions to advance their careers because we feel more is accomplished working on the edges than in the belly of the beast.
And, of course, when the attack does come, we get blamed as the cowards in Washington through 3 administrations just don't get it.
Needless to say I am retiring.
One final comment that may surprise people but every example Mz. Gunn gives is a valid example of how hamstrung our R&D is by not only the DMCA but also how it has been used both publicly as in the cases Mz. Gunn cites and not so public ones. Both Dmitry and Eric if they had been treated with respect for the knowledge they had might have been able to help in the issues of Cybersecurity. Those that attend the DEFCON conventions do not really pose a risk to our national security unless we treat them as outcasts instead of celebrating their knowledge. Treat people under the guise of the DMCA as outcasts and you are setting in motion people who may someday pose a risk. I have attended DEFCON conventions in part to keep up with what is going on but also to see if there is anyone that might be worth recruiting. The problem is how these individuals are treated. Probably the most damaging, from a cyber-security standpoint was the Sony-BMG rootkit which, over time has morphed into a very dangerous and stealthy delivery system. Many of us felt that the two companies warranted investigation but other agencies saw it differently and now we are faced with the result of those decisions.
Capt. Stuart Turner

Score: 2


(_________) don't kill people...

Score: 0


I've been a security researcher both black and white and was against the DMCA before it was signed. It prevents whitehat activities but not blackhat ones. There is where the irony comes in. If you ban security research then only criminals will do security research.

Score: 3


DMCA is a product of Corporate greed and massive government lobbying for the benefit of very rich people.

Score: 3


I've disliked the DMCA since before it was signed into law, never considered the security angle before.

Nice article.

Score: 2


So nice to read an article here on BN that contains good information in a well put together article. The governments' and companies' haphazard approach to security (and that is any government, most companies) has put all of us at risk.
It's too bad we don't have lawyers that are also Tech geeks. "Idiocracy" is the future. OW! My Balls! is the future of television.
We all need to act to change this mindset in Congress. Perhaps a big IT group with a few lobbyists is the right answer. If you can't beat them, join them.

Score: 0
