Vulnerability Development mailing list archives

RE: Comment on DMCA, Security, and Vuln Reporting


From: "Burton M. Strauss III" <bstrauss3 () attbi com>
Date: Fri, 2 Aug 2002 17:02:51 -0500

Maybe and maybe not.

Firstly, I'm not a lawyer... but...

Truth: The DMCA is - albeit not fully tested in the courts - the law of the
land (USA) until such time as the courts speak.  Plus, if it's like most
laws, it will be subject to a series of decisions as the courts struggle to
find a balance between two opposing positions.  Meaning?  It may not be
clear for years - if ever...

European?  Don't be so smug until you read the EU directive on copyrights...
http://www.eurorights.org/eudmca/ - at least as an American I can fight it
in court, call and yell at my CongressCritter, etc.

Second, despite what you all wish, the 1st Amendment (to the US
Constitution) is not absolute.

"Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of speech,
or of the press; or the right of the people peaceably to assemble, and to
petition the Government for a redress of grievances."

A great discussion is at
http://caselaw.lp.findlaw.com/data/constitution/amendment01/

Remember, this is "Congress shall" - it says NOTHING about and provides NO
LIMITS for private limits on speech.  And, even with the explicit wording of
the 1st amendment, there have long been recognized exceptions.  From Whitney
v. California, 274 U.S. 357, 375 -76 (1927) (Justice Brandeis concurring):

"But, although the rights of free speech and assembly are fundamental, they
are not in their nature absolute. Their exercise is subject to restriction,
if the particular restriction proposed is required in order to protect the
State from destruction or from serious injury, political, economic or
moral."

This leads to accepted limits where "free speech" is:

- Against public policy, e.g. obscene material, child por*******y (as
differentiated from regular old por*******y), etc.
- Libel and Slander
- etc.


People frequently forget that there is a whole category of speech, "Commercial
speech" which is entitled to much weaker protection.  Discussed at
http://caselaw.lp.findlaw.com/data/constitution/amendment01/17.html

"Commercial Speech.--In recent years, the Court's treatment of 'commercial
speech' has undergone a transformation, from total nonprotection under the
First Amendment to qualified protection."
<snip />
"While commercial speech is entitled to First Amendment protection, the
Court has clearly held that it is not wholly undifferentiable from other
forms of expression; it has remarked on the commonsense differences between
speech that does no more than propose a commercial transaction and other
varieties."

Don't think this is relevant... what about "Our XYZ OS is the most secure OS
in the Solar System"?  Or "One remote hole in the default install, in nearly
6 years!"?  Trade claims and such may well make it commercial??


Another restriction?  You can - as part of a valid contract - give up your
1st Amendment rights, for example by accepting employment with the
government you may give up the right to say certain things.  Or the famous
EULAs which prohibit publication of disparaging comments about the
software...



Let's face it - the only thing you can do is to vote with your feet and
dollars (euros, pesos, whatever).  Don't like the restrictions in the EULA -
don't use the software.  Don't like a vendor's policy on "full disclosure" -
find another vendor.


-----Burton



-----Original Message-----
From: Stephen Samuel [mailto:samuel () bcgreen com]
Sent: Friday, August 02, 2002 12:58 PM
To: Richard Forno
Cc: bugtraq () securityfocus com; vuln-dev () securityfocus com;
johnmacsgroup () yahoogroups com
Subject: Re: Comment on DMCA, Security, and Vuln Reporting


If something like this HP attack on security research actually flies
in court, then I think there is a very good chance that it can be killed
on the basis of the first amendment.

To play with the analogy used in one Supreme Court decision on the first
amendment:

    This law makes it illegal to stand up and yell "fire" in a crowded
    theatre -- but only if there really is a fire.

Richard Forno wrote:
Given the recent news about HP using DMCA to shutter a Bugtraq disclosure of
Tru64 vulnerability, I felt it appropriate to chime in. I hope you find my
comments of value and worthy of relaying onto the list.
.....
The way we're going, thanks to HP's legal geniuses, we may as well call
NIST, NSA, SANS, and IETF to rewrite a new 'industry standard' definition
for 'computer security' that places the vendor's profit and public image
above the confidentiality, integrity, and availability of end-user data and
systems. For all intents and purposes, Congress has already done that with
DMCA and Berman's proposed "Hollywood Hacking" Bill -- they just forgot to
inform (or seek counsel from) those of us working in the real information
security community.

Bleeping idiots. Congress and Corporate America. When it comes to technology
policy, neither has the first clue. No wonder we're in the state we're in.


--
Stephen Samuel +1(604)876-0426                samuel () bcgreen com
                   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.


