Re: Criminalizing crypto criticism + 802.11b access
Like I said, I'm not defending the DMCA. I was merely correcting the fellow who didn't know the exemption (of sorts) existed.
-Declan
On Fri, Jul 27, 2001 at 09:18:38AM -0700, mmotyka@lsil.com wrote:
Declan,
It's pretty bad.
The exemption (2) only applies if the intent is to advance the state of the art in general or in the development of products. The means to negate the exemption look like they're deeply embedded in the code.
(2)(A) is certainly easy to meet - woohoo.
(2)(B) is not too bad unless someone decides that your intent goes beyond pure research
(3)(A) makes it easier to call the intent impure, especially if the dissemination is general rather than confined to the guild
(3)(B) is another thin end of the wedge to get a guild system up and running
(3)(C) is not too bad unless it is determined that partial disclosure might indicate a non-research intent
(4)(A) is redundant
(4)(B) looks like it can be used to severely restrict dissemination to anyone not closely associated with the researcher
All in all it's pretty shitty because it looks (to a non-lawyer) like it defines the exemptions in such a way as to make it easy to prosecute a person who decides to follow their curiosity and distributes widely. What the fuck is a "legitimate course of study?" Whatever congress and your local prosecutor say it is, right? The carpetbaggers are in control.
Rapid, broad, anonymous publishing is the only way to fight it.
Re: the Starbucks/MS Wallet access points - big surprise. Who here expected the ideal gateway for anonymity to be handed to us on a silver platter?
Wilde was right and life is looking very much like a Gibson novel.
Mike
On Thu, Jul 26, 2001 at 10:53:02PM -0400, David Jablon wrote:
With these great new laws, there is no longer any risk of being legally criticised for using even the most glaringly flawed cryptography -- just use it for Copy Protection, and TADA! Negative criticism magically disappears. Almost by definition.
Flaws can only be exposed by those who won't show their work, or from anonymous sources, who nobody will trust without confirmation [...] [...] We seem to be entering the twilight zone -- the end of an exciting, but brief era -- of public cryptography.
The DMCA may be bad, but it's not *that* bad. It contains a broad prohibition against circumvention ("No person shall circumvent a technological measure that effectively controls access") and then has a bunch of exceptions.
One of those -- and you can thank groups like ACM for this, if my legislative memory is correct -- explicitly permits encryption research. You can argue fairly persuasively that it's not broad enough, and certainly 2600 found in the DeCSS case that the judge wasn't convinced by their arguments, but at least it's a shield of sorts. See below.
-Declan
PS: Some background on Sklyarov case: http://www.politechbot.com/cgi-bin/politech.cgi?name=sklyarov
PPS: Note you only get the exemption if you make "a good faith effort to obtain authorization before the circumvention." Gotta love Congress, eh?
http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:
`(g) ENCRYPTION RESEARCH-
`(1) DEFINITIONS- For purposes of this subsection--
`(A) the term `encryption research' means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and
`(B) the term `encryption technology' means the scrambling and descrambling of information using mathematical formulas or algorithms.
`(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if--
`(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;
`(B) such act is necessary to conduct such encryption research;
`(C) the person made a good faith effort to obtain authorization before the circumvention; and
`(D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--
`(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;
`(B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and
`(C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided.
`(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to--
`(A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and
`(B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2).
Un-yikes yourself. Since the mail goes to a list I wasn't necessarily asking you to do the job - I'm interested enough that if tips filter in I'll check them out and package them nicely in an FAQ. That is assuming one does not already exist.
Mike
Declan McCullagh wrote:
Yikes, editors pay me a few dollars a word to research and write this kinda stuff. Why don't you ask for tips and compile them, if you're interested?
-Declan
At 10:15 AM 7/27/01 -0700, mmotyka@lsil.com wrote:
Declan,
What are today's options for anonymous publication? A good summary might be instructive.
Regards, Mike
If you say "Declan, what is the answer to this question?" it is reasonable to conclude you're asking me. I'm happy to participate in debate, but if you want me to perform research, evaluate performance, and compile results, that's closer to real work. TANSTAAFL.
-Declan
At 10:31 AM 7/27/01 -0700, mmotyka@lsil.com wrote:
Un-yikes yourself. Since the mail goes to a list I wasn't necessarily asking you to do the job - I'm interested enough that if tips filter in I'll check them out and package them nicely in an FAQ. That is assuming one does not already exist.
On Fri, 27 Jul 2001 mmotyka@lsil.com wrote:
What are today's options for anonymous publication? A good summary might be instructive.
Is there anything new on the horizon, apart from the canonical two?
http://freenet.sourceforge.net/
http://www.mojonation.net/
freenet.
Unless I'm mistaken a node keeps a reference (even if only temporarily) to the originating node when data is added. So if I publish sooper-infringer.tar.gz and the neighboring node that gets it is a narc I'm screwed. Identify your dissidents and put in informants as neighbors. Admittedly I didn't read everything yet. What did I miss?
Mike
Eugene Leitl wrote:
On Fri, 27 Jul 2001 mmotyka@lsil.com wrote:
What are today's options for anonymous publication? A good summary might be instructive.
Is there anything new on the horizon, apart from the canonical two?
I'm really not completely clued-in to all of the publishing options but my gut instinct says that the more rapid and widespread the dispersal the better. The originator of proscribed information needs to be anonymous but it seems that if the recipients are many and diverse then the level of guilt associated with reception can be ameliorated.
A mixmaster chain firing the info off into a whole shitload of lists looks like a pretty good way to ensure that information is not made extinct.
If a DeCSS source+bin zip had been anonymously mailed to 40 million people the terrain for the legal fight might have been different. I think JQPublic hasn't yet grasped the absurdity of "illegal information" and might react unpredictably if told that possessing or forwarding certain e-mails was a crime. Non-techie people I've spoken with about the state of affairs flat out didn't believe me.
Eugene Leitl wrote:
On Fri, 27 Jul 2001 mmotyka@lsil.com wrote:
Unless I'm mistaken a node keeps a reference (even if only temporarily) to the originating node when data is added. So if I publish sooper-infringer.tar.gz and the neighboring node that gets it is a narc I'm screwed. Identify your dissidents and put in informants as
Aye, that's the rub. Even if you're acting as a relay, even if you're just serving out a sliver of the content, even if it's sitting there encrypted on your hard drive, even if it's ephemeral -- if you serve a packet (while not spoofing your IP), and legislation makes that prosecutable, yer goose is cooked ("Your Honour, he's a part of a global terrorist network!").
I'm not sure how you can prevent that, apart from the spoofing or legislation changing business. Oh, and only making links into legal compartments guaranteeing maximum persecution friction. So, if your traffic is unfilterable (it looks like a SSL session), and it comes from Cuba, the guilty party seems to be more or less immune.
neighbors. Admittedly I didn't read everything yet. What did I miss?
On Mon, Jul 30, 2001 at 10:42:01AM -0700, mmotyka@lsil.com wrote:
If a DeCSS source+bin zip had been anonymously mailed to 40 million people the terrain for the legal fight might have been different. I
That's pretty much what happened. Your hypothetical wouldn't have changed the legal fight.
-Declan
At 12:30 PM -0400 7/27/01, Declan McCullagh wrote:
Like I said, I'm not defending the DMCA. I was merely correcting the fellow who didn't know the exemption (of sorts) existed.
Not being an expert on the DMCA, I'm still trying to square the notion of an "exemption for research" (my words, summarizing my understanding of the various clauses) and the fear of the Felten gang that presenting their _research_ paper on the weaknesses in the new Secure Digital Music Initiative (SDMI) scheme could expose them to prosecution.
Felten wasn't building commercial devices for sale, he wasn't marketing a product to enable bypassing the SDMI...he and his group were doing standard cryptographic analysis of an algorithm...the bread and butter of determining the strengths of ciphers and security methods.
I think the threatened suit under the terms of the DMCA goes to the point the original poster made: that the way to stop cryptanalysis of a cipher ("Digital Snake Oil Bass-O-Mattic Encryptator 1.0"), or at least the publication of any results, is to do what was done to Felten.
I just don't see how if a Princeton professor is not exempted from the DMCA that a guy in a lab in Sunnyvale would be. And so the chilling effect on research is in fact accomplished.
The courts will no doubt have their say, but right now the DMCA sure looks to be a ban on publication of research.
--Tim May
--
Timothy C. May tcmay@got.net Corralitos, California
Political: Co-founder Cypherpunks/crypto anarchy/Cyphernomicon
Technical: physics/soft errors/Smalltalk/Squeak/agents/games/Go
Personal: b.1951/UCSB/Intel '74-'86/retired/investor/motorcycles/guns
On Fri, Jul 27, 2001 at 10:25:42AM -0700, Tim May wrote:
The courts will no doubt have their say, but right now the DMCA sure looks to be a ban on publication of research.
Yeah. Felten could have gone forward and almost certainly not been sued, but his co-authors were far more skittish.
The DMCA includes another exemption for reverse engineering, but let's go back to the research one, which really does seem to limit publication:
`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--
`(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;
-Declan
I've been rereading this a bunch of times trying to figure out what, if anything, it's supposed to mean. I've come up with two slightly different interpretations:
1) If you release your results at a university-sponsored conference you're an exempt researcher, but if you release identical results at Defcon you're a criminal.
2) Anyone with the financial resources or legal background to get this law overturned on Constitutional grounds is not to be prosecuted in the first place.
I think 2 is actually the more accurate reading.
George
`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--
`(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;
My reading of these paragraphs is that basically, you don't start out by releasing a program that script kiddies can download and use to break stuff.
You can present your paper at defcon, as long as there's not an executable.
You can create an executable, with source code, package it up and send it to the copyright owner with a note that says "your protection is broken: here's the proof."
You can shout at the top of your lungs that their crypto is broken, on all kinds of forums.
You can engage in your right to fair use using your own executable, ie, taking a five-second clip and using it in an original work where it's seen in the background as your protagonists stroll by arguing about the new sushi restaurant.
But what it looks like is, you cannot publish that executable, nor make it possible for anybody else to engage in their right to fair use.
Something may appear in an anonymous channel, and if it's not traceable to you -- or downloadable from your website, etc -- then they may sue you for having done the research that made it possible, but they will lose.
Of course, there is life outside the USA, and I'm sure some kid in Italy or Finland or Russia will cheerfully read your paper and implement the thing you describe and release it. But that kid better not visit the USA anytime real soon unless that kid publishes anonymously.
I think a lot of the flaws with the DMCA could be fixed by allowing an exemption for a "notice period" -- one year after you notify them that their crypto is broken, they've had enough time to fix it -- and if they haven't fixed it, they deserve what they get.
Bear
At 02:16 PM 7/27/01 -0700, Ray Dillinger wrote:
You can present your paper at defcon, as long as there's not an executable.
No executable, but source. Source code is how some people communicate. Building an executable is another (intentional) behavior. Using that executable is another. Using that executable for *unlicensed* copying is a crime. Nothing else is.
You can create an executable, with source code, package it up and send it to the copyright owner with a note that says "your protection is broken: here's the proof."
How about dropping them a note to send an engineer to DefCon?
You can shout at the top of your lungs that their crypto is broken, on all kinds of forums.
Might be libel if not true.
On Fri, 27 Jul 2001, David Honig wrote:
You can create an executable, with source code, package it up and send it to the copyright owner with a note that says "your protection is broken: here's the proof."
How about dropping them a note to send an engineer to DefCon?
Not a problem -- as long as what you're making available to the public at DefCon is not a program that script kiddies can download and use to break stuff.
You can shout at the top of your lungs that their crypto is broken, on all kinds of forums.
Might be libel if not true.
Oh, yeah, feature them suing you for libel, and then watching aghast as you enter "exhibit A" -- the source code -- into the trial and the public record. If it successfully decrypts their stuff, it proves that what you said is true. It also goes all over the internet within about twenty minutes.
Bear in mind that these people are not dealing from a position of strength, as long as their crypto is actually broken.
The only evidence you need is precisely the evidence they don't want on the public record. And if it's produced for the first time in your own defense, in a court of law, I don't think they can press criminal charges on you for producing it.
Bear
At 07:08 AM 7/28/01 -0700, Ray Dillinger wrote:
On Fri, 27 Jul 2001, David Honig wrote:
You can create an executable, with source code, package it up and send it to the copyright owner with a note that says "your protection is broken: here's the proof."
How about dropping them a note to send an engineer to DefCon?
Not a problem -- as long as what you're making available to the public at DefCon is not a program that script kiddies can download and use to break stuff.
What's a 'program' in the above sentence? Is source a program? Source without the main() and #includes? Source with an intentionally missing ';'? Precise english description of an algorithm? Math? What exactly are the limits of a 'script kiddie'?
You can shout at the top of your lungs that their crypto is broken, on all kinds of forums.
Might be libel if not true.
Oh, yeah, feature them suing you for libel, and then watching aghast as you enter "exhibit A" -- the source code -- into the trial and the public record. If it successfully decrypts their stuff, it proves that what you said is true. It also goes all over the internet within about twenty minutes.
So they get Mr. Judge to seal the docs.
Bear in mind that these people are not dealing from a position of strength, as long as their crypto is actually broken.
Tell that to Dmitri. :-<
On Sat, 28 Jul 2001, David Honig wrote:
Not a problem -- as long as what you're making available to the public at DefCon is not a program that script kiddies can download and use to break stuff.
What's a 'program' in the above sentence? Is source a program? Source without the main() and #includes? Source with an intentionally missing ';'? Precise english description of an algorithm? Math? What exactly are the limits of a 'script kiddie'?
Oh, please, let's not get into specious crap. I'm totally familiar with the concept that "source code" is considered by some to be a gray area.
To me, the distinction is relatively clear. Source code is what enables someone to do X whether or not they understand X. You don't have to understand the weaknesses in a cryptosystem to correct a few syntax errors, figure out what standard libraries to include, or do a conversion between different forms of the source with a perl script. I mean, the code could *help* you understand it, if you were inclined to read it for content -- but if you can get it working without understanding what it does, it probably violates the law.
Communication, on the other hand, is what enables someone to *understand* X. And yes, a lot of people, myself included, can and do use source code to communicate ideas. Does it piss me off that this mode of communication is made unavailable by this law? Yes. Am I stupid enough to not figure out what the law means? No.
Bear in mind that these people are not dealing from a position of strength, as long as their crypto is actually broken.
Tell that to Dmitri. :-<
Dmitri released an executable *before* he had the excuse of being required to produce it as evidence. Plus he's a foreign national on US soil, whose government is willing to be anally raped with a two-by-four if they think it will get them more US financial aid. They have evidently left him twisting in the wind. That is not a position of strength.
Bear
At 9:09 AM -0700 7/30/01, Ray Dillinger wrote:
On Sat, 28 Jul 2001, David Honig wrote:
Not a problem -- as long as what you're making available to the public at DefCon is not a program that script kiddies can download and use to break stuff.
What's a 'program' in the above sentence? Is source a program? Source without the main() and #includes? Source with an intentionally missing ';'? Precise english description of an algorithm? Math? What exactly are the limits of a 'script kiddie'?
Oh, please, let's not get into specious crap. I'm totally familiar with the concept that "source code" is considered by some to be a gray area.
To me, the distinction is relatively clear. Source code is what enables someone to do X whether or not they understand X. You don't have to understand the weaknesses in a cryptosystem to correct a few syntax errors, figure out what standard libraries to include, or do a conversion between different forms of the source with a perl script. I mean, the code could *help* you understand it, if you were inclined to read it for content -- but if you can get it working without understanding what it does, it probably violates the law.
Translate this semantic debate into "bomb-making instructions." There are various forms of the recipes for making a bomb, ranging from a very high-level description to a highly-detailed recipe that nearly any moron could follow. At which point is the description illegal under the Feinstein type of proposal?
And where does Felten fit into this spectrum? Felten and his co-workers say they were threatened with a DMCA suit (civil, I presume) if they went ahead and presented their research. (The recording industry claims they had no plans to sue...) The language of the DMCA, which several people have been debating here for the past week or so, certainly suggests that Felten and Co. could have been sued, even prosecuted criminally, under the DMCA. This is my reading.
To get back to the "high level" (source code) vs. "low level" (executable) point, there is no meaningful difference between the two. Just a mapping, via either "knowledge" or a "compiler." If detailed bomb-making instructions are banned, then the law will have to "back up" into more general instructions and then back further.
The critical point is that Congress is now in the business of criminalizing mere speech. mere research. Whether one quibbles about whether hackers "understand" the instructions on how to bypass crypto protections, or whether bombz d00dz "understand" the chemistry and physics of their bombs, the new outlawing of crypto instructions and bomb-making instructions is the issue.
--Tim May
--
Timothy C. May tcmay@got.net Corralitos, California
Political: Co-founder Cypherpunks/crypto anarchy/Cyphernomicon
Technical: physics/soft errors/Smalltalk/Squeak/agents/games/Go
Personal: b.1951/UCSB/Intel '74-'86/retired/investor/motorcycles/guns
On Tue, 31 Jul 2001, Tim May wrote:
The critical point is that Congress is now in the business of criminalizing mere speech. mere research. Whether one quibbles about whether hackers "understand" the instructions on how to bypass crypto protections, or whether bombz d00dz "understand" the chemistry and physics of their bombs, the new outlawing of crypto instructions and bomb-making instructions is the issue.
You are absolutely correct. From a human-rights point of view, that is exactly the problem. There are now thought-crimes.
However, just because the law happens to be wrong, does not mean that specious crap can prevent a conviction on it in court. It says that "circumvention devices" are illegal, and the opinion of the court is that code -- source *or* executable -- is a "device". At the same time, it says that other information, which promotes *understanding*, but which is not a "device", is legal. At least for now.
You can argue about gray areas and fine points all you want in this forum, but if your butt lands in court it will be dismissed as specious crap.
Bear
At 10:25 AM 7/27/2001 -0700, Tim May wrote:
I think the threatened suit under the terms of the DMCA goes to the point the original poster made: that the way to stop cryptanalysis of a cipher ("Digital Snake Oil Bass-O-Mattic Encryptator 1.0"), or at least the publication of any results, is to do what was done to Felten.
To further illustrate this effect, a brief summary of the background for the Felten suit might be of interest:
1. RIAA/SDMI invite people to break their new copy protection
2. Copy protection breaks are identified in peer-reviewed academic paper
3. Attorney who is Sr VP at RIAA and Secretary of SDMI threatens suit against researchers after seeing pre-press copy of paper
4. Paper is withdrawn from conference, not published
5. Researchers sue for declaratory relief that they *can* publish
6. RIAA/SDMI says they weren't going to sue, tries to dismiss researchers' suit due to lack of controversy for court to adjudicate
--
Greg Broiles gbroiles@well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids
participants (8)
- David Honig
- Declan McCullagh
- Eugene Leitl
- georgemw@speakeasy.net
- Greg Broiles
- mmotyka@lsil.com
- Ray Dillinger
- Tim May