Interesting People mailing list archives
IP: A bad and dangerous law
From: Dave Farber <farber () cis upenn edu>
Date: Sun, 30 Apr 2000 05:00:11 -0700
Date: Mon, 17 Apr 2000 13:30:26 -0500
From: Bruce Schneier <schneier () counterpane com>
Subject: UCITA, the Uniform Computer Information Transactions Act

[From CRYPTO-GRAM, April 15, 2000, with permission]

Virginia Gov. James S. Gilmore III signed the UCITA, and it is now law in Virginia. The Maryland legislature overwhelmingly passed the bill, and it is on its way to become law in that state. I put this horrible piece of legislation in the Doghouse last month, but it's worth revisiting one portion of the act that particularly affects computer security.

As part of the UCITA, software manufacturers have the right to remotely disable software if the users do not abide by the license agreement. (If they don't pay for the software, for example.) As a computer-security professional, I think this is insane.

What it means is that manufacturers can put a back door into their products. By sending some kind of code over the Internet, they can remotely turn off their products (or, presumably, certain features of their products). The naive conceit here is that only the manufacturer will ever know this disable code, and that hackers will never figure the codes out and post them on the Internet. This is, of course, ridiculous. Such tools will be written and will be disseminated. Once these tools are, it will be easy for malicious hackers to disable people's computers, just for fun. This kind of hacking will make Back Orifice look mild.

Cryptography can protect against this kind of attack -- the codes could be digitally signed by the manufacturer, and the software wouldn't contain the signature key -- but in order for this to work the entire system has to be implemented perfectly. Given the industry's track record at implementing cryptography, I don't have high hopes. Putting a back door in software products is just asking for trouble, no matter what kinds of controls you try to put into place.

The UCITA is a bad law, and this is just the most egregious provision. It's wandering around the legislatures of most states. I urge everyone to urge everyone involved not to pass it.

Virginia: <http://www.washingtonpost.com/wp-dyn/articles/A6866-2000Mar14.html>
Maryland: <http://www.idg.net/idgns/2000/03/29/UCITAPassesMarylandHouse.shtml>
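
The signed-code scheme mentioned in the message above, as an added example that is not part of the original message or of any vendor's product: the client holds only an Ed25519 public key, and a command is accepted only if the signature verifies, it names this installation, and its counter is fresh. Leaving out any one of the three checks reopens the hole, which is the "implemented perfectly" problem in miniature. The `Command` and `Verifier` types, the payload layout and the licence IDs are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

type Command struct { // constructed format for this example, not a real vendor protocol
	LicenseID, Action string // target installation and requested action
	Counter           uint64 // must strictly increase, so a captured command cannot be replayed
	Sig               []byte
}

func (c Command) payload() []byte { // signed bytes; the length prefix keeps fields unambiguous
	return []byte(fmt.Sprintf("%d|%d:%s|%s", c.Counter, len(c.LicenseID), c.LicenseID, c.Action))
}

// Verifier is all that ships in the product: the public key, never the signing key.
type Verifier struct {
	Pub       ed25519.PublicKey
	LicenseID string
	Last      uint64 // highest counter accepted so far
}

func (v *Verifier) Accept(c Command) error {
	switch {
	case len(v.Pub) != ed25519.PublicKeySize || !ed25519.Verify(v.Pub, c.payload(), c.Sig):
		return errors.New("bad signature")
	case c.LicenseID != v.LicenseID:
		return errors.New("wrong target")
	case c.Counter <= v.Last:
		return errors.New("replay")
	}
	v.Last = c.Counter
	return nil
}

func Demo() (fresh, replay, retarget, tamper error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	sign := func(c Command) Command { c.Sig = ed25519.Sign(priv, c.payload()); return c }
	v := &Verifier{Pub: pub, LicenseID: "LIC-0001"} // constructed licence IDs
	cmd := sign(Command{LicenseID: "LIC-0001", Counter: 1, Action: "disable"})
	fresh, replay = v.Accept(cmd), v.Accept(cmd) // second call replays the same bytes
	retarget = v.Accept(sign(Command{LicenseID: "LIC-0002", Counter: 2, Action: "disable"}))
	cmd.Counter = 3 // counter bumped without access to the signing key
	return fresh, replay, retarget, v.Accept(cmd)
}

func main() { fmt.Println(Demo()) }
```

The counter in `Verifier.Last` has to survive restarts and reinstalls, otherwise an old signed command becomes valid again.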