Interesting People mailing list archives

Re: Advanced Workshop and Summer School on Architectures for Trustworthy Computing


From: David Farber <dave () farber net>
Date: Tue, 28 Apr 2009 09:48:06 -0400



Begin forwarded message:

From: "Seth Johnson" <seth.johnson () realmeasures dyndns org>
Date: April 28, 2009 8:40:35 AM EDT
To: "David Farber" <dave () farber net>, "ip" <ip () v2 listbox com>
Subject: Re: [IP] Advanced Workshop and Summer School on Architectures for Trustworthy Computing


Hi Dave -- perhaps IP-suitable :-) . . .


In light of this workshop, reflecting the progress of "virtualization"
technology which proceeds apace despite the failure in our policy
channels to distinguish private interest concerns from the concerns and
purposes of copyright policy; and in light of the upcoming DMCA
Exemptions Hearings by the US Copyright Office, I thought folks would
find the following submissions and testimony from the 2006 and 2003 DMCA
exemptions hearings of no small interest:


New Yorkers for Fair Use's 2006 Request for an Exemption (drafted by Jay
Sulzberger):
http://www.copyright.gov/1201/2006/reply/10sultzberger_NYFU.pdf

Jay's testimony at the hearing itself begins on page 36 here (the text
is pasted below as well):
http://www.copyright.gov/1201/2006/hearings/transcript-mar31.pdf

Jay's testimony at the 2003 hearing may also be found to be salient.
Here's a good transcript (also pasted below):
http://thread.gmane.org/gmane.org.dmca-activists/570/focus=572

It starts at the bottom of page 171 of the official transcript here:
http://www.copyright.gov/1201/2003/hearings/transcript-may2.pdf


Note that the discussion proceeds further both years, and you can track
that in the copyright.gov transcript links above.

This year's hearings are imminent:
http://www.copyright.gov/1201/hearings/2009/


Seth Johnson
Corresponding Secretary
New Yorkers for Fair Use

---

Request for an Exemption, 2006:

http://www.copyright.gov/1201/2006/reply/10sultzberger_NYFU.pdf


This is a comment on the class of works proposed by Edward W. Felten and
Deirdre K. Mulligan to be exempt from the prohibition on circumvention
of DRM under the DMCA.

Our comment is that the Felten-Mulligan class is drawn too narrowly. We
present an amended definition of the Felten-Mulligan class of works,
with brief arguments.

0. The class of works which should be exempt from the Anti-Circumvention
Clauses of the DMCA consists of all malicious software, including
viruses, worms, spywares, trojan horses, remote controllers, rootkits,
and more. The phrase "malicious software" designates programs which
cause harms to a computer and/or its owner, and which are placed on the
computer against the owner's wishes and without the owner's express
consent. Malicious software might be delivered with a computer or be
installed later. Some malicious software may be contained in, or make
use of, components installed as hardware.

1. Harms from not granting the exemption: Millions of home and business
computer owners have had to remove malicious software from their
computers. Many computer owners have had credit card numbers and bank
passwords appropriated and compromised. If the circumvention of
Technological Protective Measures preventing malicious software from
being detected, analyzed, or removed, were illegal, then the DMCA would
be used as a shield against computer owners' rights to maintain control
over their computers.

The numbers here are easy to estimate as being in the billions of
dollars per year losses caused by malicious software, and the number of
people adversely affected by malicious software as being in the millions.

2. Harms from granting the exemption: Some malicious software works are
under copyright. The malicious software author would lose an apparent
right of concealment, and thus, often, the practical ability to commit a
crime, or crimes, against the intended victim or victims. In some cases
the author, or other rightsholder, might be unable to make a living by
making and distributing malicious software, or software which is in part
malicious.

The numbers here are harder to estimate, since we know of no successful
suit by a malicious software rightsholder against a person who has
discovered the malicious software and removed it, on the basis of
copyright infringement, or DMCA violation. Perhaps a thousand, or
perhaps ten thousand, malicious software authors/rightsholders might
lose their chance to sue their victims under the DMCA Anti-Circumvention
Clauses.

3. General argument for exemption: Decrypting lists of blocked sites in
filtering software presently enjoys an exemption to the
anti-circumvention provisions of the DMCA. Computer owners throughout
the world are today at great risk of infestation by malicious software.
If an exemption were not available for circumvention of malicious
software, the scale of harm that would ensue would be far greater than
for filtering software. Fewer computer owners are at risk of
missing/seeing some sites due to false positives and false negatives on
blocked sites lists. The danger from malicious software is in most cases
much higher.

The harms our exemption would defend against are not hypothetical:
Recently many computers have been infested by the Sony BMG rootkit, and
the rootkit has been used by other distributors of malicious software to
compromise home and business computers. The Sony BMG rootkit attempts to
conceal itself, is under copyright (though it likely also infringes
others' copyrights) and is itself malicious software, in that it is
installed without consent and damages the computer. Our exemption would
prevent Sony BMG from successfully claiming that the computer owner who
gains access to the rootkit has violated the Anti-Circumvention Clauses
of the DMCA.

For information on the Sony BMG rootkit see:
http://www.eff.org/IP/DRM/Sony-BMG

The Sony BMG rootkit is an example of a kind of DRM which Microsoft, in
cooperation with Intel, IBM, and various computer vendors, intend to
place in many home computers in the next few years. The Sony BMG rootkit
is weak in practice, in that an expert in Microsoft OSes, if hired to
find, analyze, and craft defenses against it, would almost surely
succeed pretty quickly. The system of DRM once called by Microsoft
"Palladium", and today called by Microsoft "NGSCB", would offer to
licensees of Microsoft the same cloaking capabilities as the Sony BMG
rootkit does today. But Palladium is much harder to crack open and
remove than the Sony BMG rootkit. And Palladium offers other services to
authors of malicious software beyond what the Sony BMG rootkit has made
available.

Here is a quote which shortly conveys part of the threat Palladium poses
to owners of home computers:

From
http://zgp.org/linux-elitists/20031211171507.GK3918 () cannabis html#20031211164911.V52507 @shaitan.lightconsulting.com

Re: [linux-elitists] Monday 15 Dec: first all-Open Source System-on-Chip
Jason Spence <jspence () lightconsulting com>
Thu, 11 Dec 2003 16:49:11 -0800

On Thu, Dec 11, 2003 at 01:23:33PM -0600, D. Joe Anderson wrote:

w00t! Here's a good start to the back-up plan if
TCPA/Longhorn/Palladium/"Fritz-chips"* get out of hand.

You know, the black hat community is drooling over the possibility of a
secure execution environment that would allow applications to run in a
secure area which cannot be attached to via debuggers and such.

-Jason
Last known location: 2.5 miles northwest of MOUNTAIN VIEW, CA

Under a government which imprisons any unjustly, the true place for a
just man is also a prison.

--Henry David Thoreau

End quote.

Our exemption would, in part, lift the burden of legal risk a computer
owner would face in the attempt to remove malicious software that lies
behind the cloak of Palladium.

For information about Palladium see
http://en.wikipedia.org/wiki/Trusted_computing
http://en.wikipedia.org/wiki/Talk:Next-Generation_Secure_Computing_Base

4. Our proposed exemption differs from some proposed exemptions in that
our exemption is not aimed at preserving decades old textbook examples
of fair use rights, such as the right to quote a work in argument, the
right of parody, etc. Rather, our exemption, if granted, would defend
important personal property, that is, the home computer. The exemption
would also defend privacy and free speech rights, because of the use of
home computers to communicate using the world's Net. The dangers our
exemption defends against cannot be classed as picayune inconveniences
nor as negligible impairments of rights. Our exemption would help defend
fundamental human rights.

New Yorkers for Fair Use
http://www.nyfairuse.org
Jay Sulzberger
jays () panix com
US Mail Address:
New Yorkers for Fair Use
622A President Street
Brooklyn, NY 11215

---

2006 Opening Testimony:


MR. SULZBERGER: My name is Jay Sulzberger, and I’m a working member of
New Yorkers for Fair Use. I’d like to address Matthew Schruers’ last
statement and expand on it. I think lawyers are terribly important here
and, of course, the part of the law that is terribly important in these
considerations is not copyright law. It’s the law of private property.
It’s the law of privacy. Those are the parts of the law.

Now, Matthew also mentioned that should we be handing the entire
computer and communications infrastructure of the United States and the
world over to copyright holders in cooperation with hardware
manufacturers and Microsoft? And the answer is of course not. But we
have to first be clear on this. This is so obvious when stated in those
terms that I believe there’s not a single person in this -- just a
moment. Is there anybody here who is disabled from understanding the
concept of private property? If anybody is not clear on it, and I know
lawyers will raise all sorts of objections because there’s a too simple
notion of a perfect freehold, a perfect ownership of a chattel. But
look. Your computer and your house, your relationship and ownership to
it, if you’ve bought it and are legally running it and you’re not
violating, you’re not committing copyright infringement by publishing
for profit other people’s works for which you don’t have a license,
copyright holders should not be inside your computer, and they shouldn’t
have pieces of code that you can’t look at to get control of your computer.

And I had a sentence in my comment up on Professor Felten’s proposal for
an exemption, and, of course, people would think, "Oh, he’s being witty."

I’m not being witty. Who are the copyright holders? For whom do you have
to give authorization under the Section -- I’ll have to check it -- J, I
think, of the 1201(j) of the DMCA, you have to get authorization from
people who’ve written a piece of malware that’s gotten on your machine
without your express consent that’s damaging your machine. I think
there’s no member of the panel and I think there’s no member of the
people up on the dais who can possibly defend the concept that United
States copyright law is going to require me to go and get permission
from somebody who’s invaded my machine, done damage to my machine, cost
me hours of effort, and, if I’m a business, perhaps cost me thousands
and thousands of dollars. These are the issues.

Now, why are we unclear on this? It’s because we don’t know what a
computer is. Copyright has already been misused to allow Microsoft and
Apple to place stuff in our machine when we go to the store we’re not
allowed to look at. It’s my right to look at every darn piece of code.
It’s my right to publish what the code does. It’s my right to decompile.

You might find me agreeing it’s not my right to sell an improved version
of their operating systems without getting a copyright license for it,
but that’s quite a separate issue. The issue here is private ownership
and wiretapping. And this is ridiculous that the DMCA should be
misinterpreted so as to actually defend people who write malware. We
have heard testimony from people who have tried to get the people who
wrote the malware to do something about it, and their response was
nothing or, "We promise not to sue you," or, "Maybe we’ll sue you." This
isn’t okay.

Every lawyer here has taken a course or one or two or more on the law of
private property. And, my gosh, copyright law can never say that I lose
my right of ownership of a computer because some copyright holder
appeals to the DMCA after they’ve written a trojan, a virus, whatever it
is they’ve written, something that goes into my machine, a rootkit.

Now, I was going to explain more, but I think I’ve come to the end of my
time. I see these introductory comments are short. And what I wanted to
do was explain how Sony BMG rootkit is negligible in its damage compared
to what the DMCA anticircumvention clauses are enabling in the near
future. They’re enabling Microsoft, as announced, it announced in 2002
that it was going to install and license a rootkit to anybody who paid
the money. The system, the OS, and the hardware together, let’s briefly
call them Palladium -- they’ve changed the name, I think I made the same
joke three years ago, into mom’s apple pie and the anti-terrorist
loveable operating system with lots of bright, shiny colors. I’ve
forgotten if that’s their latest name for it.

Look. They’ve got something called the curtain. When you pay Microsoft a
certain amount of money in the future, they claim they will let you
write programs that are hidden behind the curtain. You can never look at
them. The Sony BMG rootkit is a joke today. It’s based on the Microsoft
operating system. You can get around it in a few weeks, if you’re really
competent and have hotshot students or if you’re a professional and know
what you’re doing and know about Microsoft operating system. You can get
right around it, and, of course, it always has the joke get-around that
I think if you press the shift key while the thing is loading there’s
certain circumstances it doesn’t get installed.

Look. That’s nothing. You should hardly be concerned about it, except we
know that people who write viruses and trojans that damage your machines
will appeal to the anticircumvention clauses in the DMCA. It’s a joke
how little damage it’s caused compared to what’s coming down the pike
real soon unless you act.

I know it seems ridiculous. You’re specialists in copyright. You’re
specialists in learning, publication, making sure authors get paid, what
are the rights here, what are the rights there. It’s because the country
has gone crazy and because people don’t know what ownership of computers
means that we have this thing.

I think I’ve come to the end of my opening statement. I’m sorry to rant
so hard, but I know that you’re prepared for it.

---

2003 Opening Testimony:


I'm Jay Sulzberger, and I'm here to represent New Yorkers for Fair Use.

Well, I was a little bit puzzled as to what to say on this panel,
because seemingly this particular panel is about very specific harms of
a very specific part of a big, complex law.

But as a matter of fact, I've been provided by the first three panelists
with a parade of horribles.  Mr. Montoro seems to have an 86 page parade
of horribles, and of course CERT has an extraordinary parade of
horribles -- things that one would not have thought could happen in
America, things that one would have expected in the old Russian
Communist empire.  And of course, Mr. Band has just brought up the
problem of the looting, spontaneous or planned, of ancient libraries of
Earth's heritage [as had been reported in Iraq -- Seth].

I will just try to make what I thought was a difficult argument: We
should not be discussing particular exemptions of particular clauses of
the DMCA.  But I think that with the three panelists before me, the
pattern is clear: There's no excuse for any anticircumvention law in the
United States of America.  Because in each and every case, it is not
that we have a parade of particular offenses against good sense,
offenses against our freedom, attacks on free markets, attacks on
scientific research, attacks on artists' rights, attacks on our right to
free speech, and most important, a fundamental, general and effective
attack upon our present right of private ownership of computers.

Computers today are printing presses -- and it's shocking!  I have
certain conservative tendencies; I am also sympathetic to the
socialists.  But the idea that everybody who's a member of the middle
classes can pick up a computer for 300 bucks, and pay their 20 bucks a
month and get Internet access, and set up a web page -- it's shocking!
Democracy is one thing, but mob rule is another.  But yet, there's
nothing that America can do about this.  I hope there isn't.

But it looks as though there is.  The DMCA anticircumvention clauses, in
combination with the loose association, the alliance of cartels,
oligopolies and monopolies which I term the englobulators, is in process
of placing spy machinery and remote control machinery at this very
moment, into every single Intel motherboard that's going to be sold in
the next year.  When Microsoft completes the software part of its system
of DRM called Palladium, this will end, completely, your right of
ownership, your right of private use of your Palladiated computer.

Now, the question arises:  This can't be true, what I'm saying.  I'm a
nut, I'm an extremist, I'm strident.  Yes.  (Laughter)  But I'm not
nearly as much of a nut, I'm not nearly as much of an extremist, and I'm
not nearly as crazy, vicious and strident, as the englobulators.

The question arises as: Why hasn't the press picked up on the fact that
I'm the less extreme of the extremists?  I believe in the Constitution
-- even though I didn't sign it; that's my anarchist side.  I think
there's something to the first ten Amendments.  And I think we should
take the Fourth Amendment very seriously.  I think also the Fifth has
something to say about takings.

Why doesn't the press get it?  It's a very simple reason -- I'm talking
about rights and powers.  I'm talking about fundamental rights of
ownership, fundamental rights of free speech, fundamental rights of free
association using our Internet and our computers.  Why doesn't the press
get it?  Because in practice today, most people run a damaged,
malfunctioning and obsolete operating system, usually called Microsoft
Windows -- there's several versions.

Copyright law has already been, I think, dreadfully misapplied for the
last twenty years, to prevent people from gaining control of their own
property in their own homes.  This is important property.  We know that
Microsoft -- and as a matter of fact all other vendors and makers of
source-secret operating systems -- it's almost impossible not to give in
to the temptation to spy somewhat on your users, particularly if they're
connected to the Internet.  Sun has done it; other companies have done
it.  It's mainly Microsoft because it was only interested in the
Internet after 1990, although some of us have used the Net since 1970.
Now most people have a computer.  It is their means of personal
communication; it's also their means of authorship, and their means of
publication.

Now, let me deal with the accusation of copyright infringement.  Yeah,
sure -- there's going to be a heck of a lot more very serious copyright
-- of the most dreadful sort -- because there are computers on the
Internet, and I don't give a good gosh-darn about it.  The invention of
writing was dreadful to the ancient and honorable profession of the
singing poet.  The invention of the printing press did terrible things
to the Catholic Church's position in Europe, particularly once the Bible
was translated and then printed.

Things change.  And the cries of a small, unimportant industry -- I mean
the whole of the "content providers" side -- who of course refuse to
admit there are any more content providers -- I really enjoy my own
stuff much more than anything Disney has made since 1935.  I stand equal
to them, by the way.  New Yorkers for Fair Use, one of our favorite
tropes is: "Nonsense! We're not consumers; we're owners and we're makers."

Okay.  Let me try and outline what anticircumvention laws do, and what
they're about.  This is one of our standard pieces of propaganda; we've
been handing it out since last summer (Shows flyer).

"We are the Stakeholders" -- why do we say we're the stakeholders?  This
is an old joke, everybody knows it, I'm sure I'm not the first person to
say this.  In Washington parlance they say, what is a stakeholder?  It's
some organized group that can afford a full-time lobbyist, that's all.

The bizarre spectacle of seeing small private interests -- when I say
small, I mean small: the cotton subsidies last year in the United States
were about, I think, 40% of the gross of Hollywood.  You don't see huge
articles about particular wrongs and a huge struggle on the basic
principles over how much of a subsidy they should get.

Okay.  I'm not sure I'm actually going to read this whole thing, but --
"Freedom One: You may buy a copy of a movie recorded on DVD, you may
watch this movie whenever you please, you may make copies of this movie,
some of which may be exact copies, others of which may be variant
copies."  We all know that the legal underpinnings of DRM is
anticircumvention.  In the future, you won't be able to do that.

Now, this is an assault on private ownership of computers.  This is
absurd.  There's no need to say it, you all know this: Ernest Miller and
Joan Feigenbaum, both at Yale, suggested that this is just a mistake,
it's going to be corrected.  Copyright law shouldn't say anything about
private copies.  In the first place, technically it's going to be very
hard.  You're going to have an endless line of the most difficult,
subtle things.  For example, something on a news spool.  Is that a copy
or is it something in transmission?

The natural point which will defend us against the dreadful assault on
private property which is all the anticircumvention clauses of the DMCA,
is to draw a natural line.  Inside your house, you've got a copy of
something, if you've lawfully obtained it -- Oh, by the way, we're not
copyright extremists.  I myself am a big supporter of the GPL, which is
a somewhat strict copyright license, and I consider it actually one of
the main foundations of the defense of free software.

If you don't draw the line, if you seek for exemptions, you'll have to
make hundreds of exemptions -- and even if you enforce them -- and you
could enforce them -- the principle would remain: you don't have control
over your machine.  You'd have to get lobbyists, or a grassroots
organization to come to Washington, appear before you every three years,
and beg, on bended knee, for particular exemptions.

You don't have to do that.  You are allowed to turn to Congress and say,
we've seen the parade of horribles.  And not just one parade.  All of
the people here, arguing for exemptions -- the principle is the same:
These people can't reach into your house and tell you what to do!  It's
absurd!

I'm going to try to avoid discussing the other side of the bundle of
rights that these people want to take away from us: the right to free
publication, the right to free dissemination -- which are of course
restricted by copyright, which I support strongly.  I don't think it
right that I should be allowed to go down and steal a movie without
paying for it and set up a movie house and charge admission for it.

I'm sorry, I lost my track in one of my sentences -- You know, the Xerox
machine -- it's always the same structure, we all know this here: the
people who have the old methods for publication think their methods have
to go on forever; always the words "business model" are used.  Well, you
know, we're not worried about their business models.  We're worried
about our computers and our rights.

And I believe it is within your commission to turn and then say, "We've
had it."  What are we going to do, have to have these hearings every six
months?  We're going to have to have ten of you up there, and a hundred
of us here, explaining the absolute terrible things that
anticircumvention laws in the United States do to markets, do to freedom
of speech, do to development of better computers, etc., etc., etc.

I think you can turn and say, "We've heard enough.  We suggest that
Congress reconsider the entire bundle of anticircumvention clauses of
the DMCA."

And if I'm asked a specific question, I will be happy to try and connect
by at most three half steps, any particular anticircumvention measure to
truly horrible and very large scale things.

Thank you.


-----Original Message-----
From: David Farber <dave () farber net>
To: "ip" <ip () v2 listbox com>
Date: Tue, 28 Apr 2009 04:33:02 -0400
Subject: [IP] Advanced Workshop and Summer School on Architectures for
Trustworthy Computing


TIW 2009: TRUSTED INFRASTRUCTURE WORKSHOP: ADVANCED SUMMER SCHOOL ON
ARCHITECTURES FOR TRUSTWORTHY COMPUTING
JUNE 8-12, 2009, Carnegie Mellon University, Pittsburgh, PA, USA

When IT infrastructure technologies fail to keep pace with emerging
threats, we can no longer trust them to sustain the applications we
depend on in both business and society at large.

Ranging from Trusted Computing, to machine virtualization, new
hardware architectures, and new network security architectures,
trusted infrastructure technologies attempt to place security into
the very design of commercial off-the-shelf technologies.

The TIW is an open innovation event modelled as a highly interactive
summer school, consisting of lectures, workshops, and other lab
sessions. It is aimed at bringing together researchers in the field
of IT security with an interest in systems and infrastructure security,
as well as younger Master's or PhD students who are new to the
field. Funding is available to support student attendance.

AGENDA HIGHLIGHTS

- 4 keynote lectures
- 7 technology lectures: Trusted computing architecture, TPM module,
 attestation, SW-based attestation, virtualization security, network
 security, and trusted storage.
- 4 research workshops: HW security, attestation in practice, OS
 security, verification and formal methods.
- 3 hands-on labs: TPM, trusted virtualization, trusted network
 connect.

Several social events and networking with other researchers are
planned.

For more details on the workshop and how to register, please visit
http://www.cylab.cmu.edu/TIW

TIW SPONSORS

- Carnegie Mellon CyLab
- Fujitsu
- HP Labs
- IBM
- NSA
- NSF
- Seagate

CONTACTS

Workshop details: Michael Willett <michael.willett () seagate com>
Registration details: Tina Yankovich <tinay () andrew cmu edu>

SPEAKERS

Leaders from academia, industry, and government are delivering the
lectures, labs, and workshops.

VENUE

CyLab, Carnegie Mellon University
CIC Building
4720 Forbes Avenue
Pittsburgh, PA 15213



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com




