On Wed, 1 Aug 2001, Rick Smith at Secure Computing wrote:
I had suggested that a large number of crypto researchers take the proactive (or rather, prophylactic) step of informing *all* vendors of copy protection that the researchers are interested in studying the encryption used in their products. The notion of this would be that such an act by a large group would reduce the risk of retribution against individuals who participated.
Trying to get a large group of any profession to do one thing is next to impossible. I can see what this is going to do to third party due diligence. Say you have a company that wants to use product X. But the lawyers set in and say "prove it is reasonably secure" as a CYA measure. There are many cases where you do not want to give the company advanced warning that you are doing this, otherwise they may try and skew the results. (Making "special" versions that don't work the same as the normal one. Taking out especially dangerous features.) BTW, this is *not* a hypothetical example. I worked on a project under contract to break a security method used by an e-commerce system. When the company found out what we discovered, they were very pissed off. If we had not had one of the bigger computer companies backing us up on the project, they would have probably sent lawyers after us. (At some point, the information will get out. The details of snake-oilness are pretty funny, in a sad sick way.) The security industry is going to be seriously burned by this. If I were to get a group of people together, it would be the security professionals. I would have them boycott the US Government and any of the supporters of the DMCA. Just refuse to do work for them and explain why. (Something like "If I do my job, you might decide to put me in jail on a whim".)
At 05:43 PM 7/31/2001, Alan Olsen wrote:
All they have to do is make a messy example out of one or two. (It also helps if you can get a prosecutor that is working on a promotion to help out.)
I Am Not A Lawyer, so someone more knowledgeable may correct me if I'm wrong, but...
There's nothing here for a prosecutor to do. There's nothing illegal about a bona fide crypto researcher informing a vendor of an intent to study their product, which is offered for sale to the public. In fact, the researcher is complying with the legal requirements.
I don't see any way the vendor could file an injunction or take other legal action simply because someone (especially one of a large number of people) announced an intent to study their product, again, as a bona fide crypto researcher, as stated in the law.
Rick.
alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
"All power is derived from the barrel of a gnu." - Mao Tse Stallman