Information Security News mailing list archives

Silence of a code cracker


From: InfoSec News <isn () c4i org>
Date: Fri, 17 Aug 2001 03:34:44 -0500 (CDT)

http://www.boston.com/dailyglobe2/228/business/Silence_of_a_code_cracker+.shtml

By Hiawatha Bray 
8/16/2001

Princeton computer science professor Ed Felten spilled the beans last
night, revealing his method for breaking into supposedly unbreakable
digital music recordings. And the good news is, Felten didn't even
have to post bail.

I told you about Felten a few months ago. He fell afoul of one of the
nation's weirdest laws, the Digital Millennium Copyright Act. Under
the DMCA, it's a crime to figure out ways to defeat digital encryption
technologies used to block unauthorized access to computer software,
digital music, and movies. Mind you, it's not about actually making
pirate copies - that was illegal before the DMCA was enacted in 1998.
No, the new law makes it illegal to simply tell the world how such
pirate copies can be made.

The music recording industry told Felten that he could be prosecuted
for announcing his discovery at a scientific conference. The music
folks later backed down - Felten is a scientist and the law makes an
exception for scholarly researchers - but that hasn't stopped Felten
from suing to challenge the constitutionality of the DMCA. He and his
supporters argue the DMCA is so vague that even a university research
report could be interpreted as a violation of the law.

In any case, Felten's newfound right to publish didn't cut any ice in
the case of Dmitry Sklyarov. He works for Elcomsoft, a Moscow firm
that makes software to defeat the encryption of electronic books.
Elcomsoft's product is perfectly legal in Russia, and nearly
everywhere else on earth. But when Sklyarov came to Las Vegas to talk
about it in July, the FBI slapped on the handcuffs. After two weeks in
jail, a federal judge finally let Sklyarov post bail last week, but
the FBI is holding his passport, in effect exiling Sklyarov from his
homeland, his wife, and his two young children.

It's the sort of thing to make you think twice about hacking code.
It's certainly had that effect on Niels Ferguson of Amsterdam. He
thinks he's figured out a major weakness in software created by Intel
Corp. to prevent the pirating of digital video recordings. But
Ferguson has decided to shut up about it.

Actually, Ferguson shared his discovery with fellow geeks at a Dutch
hackers' convention last weekend. And he's contacted Intel's crypto
experts, who have expressed interest in his discovery. But Ferguson
has refused to publish the details of his theory, or even to send an
e-mail to Intel headquarters, because Intel is based in the United
States.

Mind you, Ferguson is quite partial to our country; he used to work
for Counterpane Internet Security Inc., a computer security firm in
California. He still pays a visit from time to time; in fact, he'll be
flying in next Saturday. And because Ferguson hasn't published his
research materials, he won't have to worry about the FBI cuffing him
at the airport.

"I'm scared to publish my research and then go to the United
States," he says. "Felten was threatened. Dmitry was arrested." And
Ferguson, 35, and self-employed as a crypto consultant, can't afford
the legal bills. Silence is safer.

Silencing people is exactly what the DMCA is meant to do, says Bruce
Schneier, president of Counterpane and Ferguson's former boss. "The
idea here is to spread the maximum amount of fear and doubt," he
says.

Schneier believes most digital security products can be broken.
Indeed, if the stuff worked, there'd be no need for the DMCA. Schneier
thinks companies want to keep making and using unreliable security
software, while pretending everything's fine. "We're in a situation
where companies are producing bad security, and making it illegal for
you to check," he says.

Intel spokesman Chuck Mulloy doubts Ferguson has really found a
practical hack. "This code was developed to prevent casual copying,"
he said. "Our view is it still does what it's meant to do."

He says Intel is interested in getting a peek at Ferguson's work. But
he concedes that publication of the research might make Ferguson a
wanted man in the United States. "We really can't help him there,"
says Mulloy. "We don't have the authority to indemnify him or anybody
else from a federal law."

Indeed, this is a job for the courts or, better yet, for Congress.
Digital media producers and software companies have a legitimate
interest in protecting their intellectual property. But free speech is
the most valuable intellectual property of all.

Hiawatha Bray can be reached by e-mail at bray () globe com.



-
ISN is currently hosted by Attrition.org
