Interesting People mailing list archives

IP: A bad and dangerous law


From: Dave Farber <farber () cis upenn edu>
Date: Sun, 30 Apr 2000 05:00:11 -0700



Date: Mon, 17 Apr 2000 13:30:26 -0500
From: Bruce Schneier <schneier () counterpane com>
Subject: UCITA, the Uniform Computer Information Transactions Act

  [From CRYPTO-GRAM, April 15, 2000, with permission]

Virginia Gov. James S. Gilmore III signed the UCITA, and it is now law in
Virginia.  The Maryland legislature overwhelmingly passed the bill, and it
is on its way to become law in that state.

I put this horrible piece of legislation in the Doghouse last month, but
it's worth revisiting one portion of the act that particularly affects
computer security.

As part of the UCITA, software manufacturers have the right to remotely
disable software if the users do not abide by the license agreement.  (If
they don't pay for the software, for example.)  As a computer-security
professional, I think this is insane.

What it means is that manufacturers can put a back door into their products.
By sending some kind of code over the Internet, they can remotely turn off
their products (or, presumably, certain features of their products).  The
naive conceit here is that only the manufacturer will ever know this disable
code, and that hackers will never figure the codes out and post them on the
Internet.

This is, of course, ridiculous.  Such tools will be written and will be
disseminated.

Once these tools are, it will be easy for malicious hackers to disable
people's computers, just for fun.  This kind of hacking will make Back
Orifice look mild.

Cryptography can protect against this kind of attack -- the codes could be
digitally signed by the manufacturer, and the software wouldn't contain the
signature key -- but in order for this to work the entire system has to be
implemented perfectly.  Given the industry's track record at implementing
cryptography, I don't have high hopes.  Putting a back door in software
products is just asking for trouble, no matter what kinds of controls you
try to put into place.

The UCITA is a bad law, and this is just the most egregious provision.  It's
wandering around the legislatures of most states.  I urge everyone to urge
everyone involved not to pass it.

Virginia:
<http://www.washingtonpost.com/wp-dyn/articles/A6866-2000Mar14.html>

Maryland:
<http://www.idg.net/idgns/2000/03/29/UCITAPassesMarylandHouse.shtml>

