Re: Fwd: [ISN] Juniper Networks Gags "ATM Jackpot" Researcher

[Rich Kulawiec <rsk () gsp org>]

On Mon, Jun 29, 2009 at 11:26:59PM -0700, Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Michael Lynn flashback...

On that note, this article, whose money quote is dead-on:

        "We made ourselves stupid and now we must pay."

---Rsk

> From: Richard Forno <rforno () infowarrior org>
> Date: Thu, 18 Jun 2009 20:25:00 -0400
> Subject: [Infowarrior] - DMCA endangering American security
>
> The DMCA is endangering American security
> Lockdown with Angela Gunn
>
> Why government cybersecurity's a joke as long as security research is  
> hamstrung.
>
> By Angela Gunn | Published June 11, 2009, 6:41 PM
>
> http://www.betanews.com/article/The-DMCA-is-endangering-American-security/1244758683
>
> I've had the the government's 60-day Cyberspace Policy Review sitting  
> on my desk for many days now, dutifully highlighted and marked up with  
> notes about how this bit could turn out interesting and that section  
> looks a lot like what we've previous heard from DC about cybersecurity  
> and that passage over there appears to have been lifted from the  
> questionable financial-loss statistics one hears from the RIAA and BSA  
> and MPAA and such. And I see one gigantic self-inflicted wound that I  
> fear the current administration will ignore like the last two have --  
> ignored it since 1998, in fact.
>
> Lockdown with Angela GunnThe cybersecurity review says we need to  
> improve academic and industry collaboration on cybersecurity and other  
> technology issues. It also states we should "expand university  
> curricula; and set the conditions to create a competent workforce for  
> the digital age."
>
> What the cybersecurity review should have said is, "We are raising a  
> nation of timid technophobes who mistake using MyTwitFace for being a  
> geek. Meanwhile, we have comprehensively, at every educational level,  
> stripped away useful teaching tools and criminalized modes of research  
> and inquiry in the name of copyright and liability laws, and sooner  
> rather than later we are going to reap the whirlwind."
>
> Or, putting it simply: We made ourselves stupid and now we must pay.
>
> Since the rise of the Information Age, America has convinced itself  
> that safety is a better choice than knowledge, and that anyone who  
> doesn't make safety a priority over knowledge is Dangerous And Up To  
> No Good. The 1998 Digital Millennium Copyright Act, which is entering  
> its twelfth year of chilling security research, acts in direct  
> opposition to the government's alleged goal of improving American  
> cybersecurity by criminalizing the research and inquiry that make  
> security products, and thus security, stronger.
>
> And not only have we attained this vulnerable position step by step,  
> special-interest groups such as liability lawyers and the  
> entertainment industry -- not to mention the computer industry itself  
> -- have paved the path for us, making us easily fleeced, easily  
> frightened, and easily led.
>
> We'll start with the little ones. I'm willing to bet that you, as a  
> young geek, had a certain amount of curiosity about science. Did you  
> own a chemistry set? Do you remember some of the chemicals that  
> shipped in it, some of the reactions you could test? Enjoy your  
> memories of, as Oliver Sacks put it in Uncle Tungsten, "stinks and  
> bangs." As Steve Silberman has written about so effectively in Wired,  
> legislators and law enforcement now send a loud-and-clear message that  
> science is something best left to the professionals. As geekish youth  
> will discover over and over, the claim that "someone could get hurt!"  
> is the way that people who are unnerved by smart people make sure that  
> no one actually gets smart.
>
> Head for the schools -- the elementary schools, even. The  
> entertainment industry hasn't been as successful as it would like in  
> eliminating fair use for educational purposes. But it has managed to  
> get its point of view into the classroom starting in third grade with  
> Music Rules, which "informs students about the laws of copyright and  
> the risks of online file-sharing." Parents are cautioned against the  
> dangers of "songlifting" (the RIAA's preferred new term for  
> downloading and/or ripping) and the program handouts conflate music  
> downloading with exposure to online predators. The "someone could get  
> hurt" motif continues, with the introduction of the "and you'll be a  
> criminal if you try it" theme.
>
> Speaking of online predators, move to the higher grades. We don't  
> really like teenagers in America if they're not Miley Cyrus or the  
> Jonas Brothers (so clean-cut, such radio-friendly unit shifters!), so  
> despite multiple studies indicating that most teens know enough to  
> ignore online weirdos and most teens are smart enough not to go a- 
> sexting and most teens can deal with "cyberbullying," social  
> networking and mobile phones are as reliably panic-inducing in the  
> mainstream media as rock-and-roll and long hair were back in the day.  
> Again, "someone could get hurt" (especially teenaged girls, whose  
> interest in tech when they could be interested in makeup and clothes  
> is already unseemly and suspicious); but teenagers being generally  
> scary, we're equally convinced that they're out to get each other.
>
> Meanwhile, we're at the age when the hacker gene expresses.  
> Criminalizing young men (and women) who hack is old fare, documented  
> as far back as Cap'n Crunch and Joe Engressia and a couple of Steves  
> (Jobs and Wozniak), and where social pressures didn't push status- 
> conscious kids away from exploring computers, legal pressures often  
> did. Ask anyone who attended 2600 meetups back in the day -- even  
> those meetups destined for nothing more subversive than a really bad  
> movie -- what percentage of "attendees" were cops hoping to get lucky.
>
> Onward to the world -- to college and adult lives. Those who still  
> have the geek fever by now -- and US university enrollment rates in  
> science and computer science curricula tell us it's not very many  
> these days -- may hope to connect with worthwhile research projects  
> and really dig into what makes systems tick. And here's where the DMCA  
> works its wonders for security researchers (and I mean real security  
> researchers, not hopeful political appointees putting together a 60- 
> day job application) by chilling research and collaboration.
>
> Ask Ed Felten about his research on flaws in e-voting machines.
>
> Ask Seth Finkelstein about his research on censorware.
>
> Ask J. Alex Haldeman about the Sony-BMG rootkit. For that matter, ask  
> the researchers who'd previously requested an exemption to the DMCA to  
> examine that rootkit, a request denied by the Copyright Office. (I  
> find, by the way, no evidence in the Cybersecurity Policy Review that  
> Melissa Hathaway or any of her minions spoke to the Copyright Office  
> to ask who the hell they think they are to make security decisions. I  
> wish somebody would.)
>
> Ask Dmitry Sklyarov about that five-month detention, and getting  
> arrested at DEFCON.
>
> Ask Luigi Auriemma about informing GameSpy of vulnerabilities and  
> getting no answer but a DMCA cease-and-desist. (Apparently GameSpy's  
> lawyers were as excellent as their coders, since Mr. Auriemma lives in  
> Italy and had no intention of coming to the US to be prosecuted, but  
> oh well.)
>
> Ask Eric Corley about simply attempting to publish the DeCSS software  
> code -- in a printed magazine -- in 2600.
>
> Ask former cybersecurity chief Richard Clarke how much traction he got  
> after he told a Boston newspaper that the DMCA needed rethinking,  
> because "I think a lot of people didn't realize that it would have  
> this potential chilling effect on vulnerability research." (Hint: He  
> was out of government in 2003.) Want to dig into a software program  
> the way we used to dig into a car engine or an unexplored continent?  
> For shame; you're obviously attempting to steal something. In the wake  
> of 9/11 copyright holders and the law-enforcement folk who do their  
> work have managed to turn the "steal something" gripe into "ZOMG  
> TERRORISTS!," but otherwise, we're in the second decade of  
> intellectual curiosity being a pre-crime condition. Meanwhile... need  
> I say more than "China" and "India?"
>
> The new administration doesn't need to plead for better cybersecurity  
> education for the masses; in fact, considering what's passing for  
> "education" on that front these days I'd prefer that education stuck  
> with the basics -- reading, writing, arithmetic, and blowing stuff up  
> with chemistry sets that actually teach something besides "lawyers  
> want to ruin your fun." It needs to put muscle behind the idea of  
> "expanding academic curricula," re-establishing the importance of the  
> freedom to conduct research and to communicate the results without  
> fear of hearing from lawyers for a company that simply doesn't want  
> anyone to know they're shipping vulnerable products. The DMCA is  
> deeply dishonest legislation, and -- as it continues to undermine  
> security research -- deeply dangerous to our future.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.