Some more bits about UCITA...

----- Forwarded message from Bruce Schneier <[EMAIL PROTECTED]> -----

| Date: Mon, 17 Apr 2000 13:30:26 -0500
| To: [EMAIL PROTECTED]
| From: Bruce Schneier <[EMAIL PROTECTED]>
| Subject: CRYPTO-GRAM, April 15, 2000
|
| ** *** ***** ******* *********** *************
|
| The Uniform Computer Information Transactions Act (UCITA)
|
|
| Virginia Gov. James S. Gilmore III signed the UCITA, and it is now law in
| Virginia. The Maryland legislature overwhelmingly passed the bill, and it
| is on its way to become law in that state.
|
| I put this horrible piece of legislation in the Doghouse last month, but
| it's worth revisiting one portion of the act that particularly affects
| computer security.
|
| As part of the UCITA, software manufacturers have the right to remotely
| disable software if the users do not abide by the license agreement. (If
| they don't pay for the software, for example.) As a computer-security
| professional, I think this is insane.
|
| What it means is that manufacturers can put a back door into their
| products. By sending some kind of code over the Internet, they can
| remotely turn off their products (or, presumably, certain features of their
| products). The naive conceit here is that only the manufacturer will ever
| know this disable code, and that hackers will never figure the codes out
| and post them on the Internet.
|
| This is, of course, ridiculous. Such tools will be written and will be
| disseminated.
|
| Once these tools are, it will be easy for malicious hackers to disable
| people's computers, just for fun. This kind of hacking will make Back
| Orifice look mild.
|
| Cryptography can protect against this kind of attack -- the codes could be
| digitally signed by the manufacturer, and the software wouldn't contain the
| signature key -- but in order for this to work the entire system has to be
| implemented perfectly. Given the industry's track record at implementing
| cryptography, I don't have high hopes. Putting a back door in software
| products is just asking for trouble, no matter what kinds of controls you
| try to put into place.
|
| The UCITA is a bad law, and this is just the most egregious
| provision. It's wandering around the legislatures of most states. I urge
| everyone to urge everyone involved not to pass it.
|
| Virginia:
| <http://www.washingtonpost.com/wp-dyn/articles/A6866-2000Mar14.html>
|
| Maryland:
| <http://www.idg.net/idgns/2000/03/29/UCITAPassesMarylandHouse.shtml>
|
| ** *** ***** ******* *********** *************
|
| CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
| insights, and commentaries on computer security and cryptography.
|
| To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or send a
| blank message to <[EMAIL PROTECTED]>. To
| unsubscribe, visit <http://www.counterpane.com/unsubform.html>. Back
| issues are available on <http://www.counterpane.com>.
|
| Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
| find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as
| it is reprinted in its entirety.
|
| CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of
| Counterpane Internet Security Inc., the author of "Applied Cryptography,"
| and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served
| on the board of the International Association for Cryptologic Research,
| EPIC, and VTW. He is a frequent writer and lecturer on computer security
| and cryptography.
|
| Counterpane Internet Security, Inc. is a Managed Security Monitoring
| company dedicated to providing 24x7 expert-assisted network security.
|
| <http://www.counterpane.com>
|
| Copyright (c) 2000 by Counterpane Internet Security, Inc.

----- End forwarded message -----
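The signed-disable-code design Schneier sketches above, as an added illustration that is not part of the forwarded newsletter: the product ships only the manufacturer's public key, so a valid command cannot be minted from anything found in the software, and the "implemented perfectly" part shows up as the checks that bind each command to one device and one counter value so a captured command cannot be replayed. The wire format (16-byte device ID, 8-byte counter, Ed25519 signature) is a constructed assumption for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed wire format: 16-byte device ID || 8-byte counter || signature.
const bodyLen = 16 + 8
const msgLen = bodyLen + ed25519.SignatureSize

// Device holds only the manufacturer's PUBLIC key; no signing key is shipped.
type Device struct {
	ID          [16]byte
	VendorPub   ed25519.PublicKey
	LastCounter uint64
	Disabled    bool
}

var ErrRejected = errors.New("disable command rejected")

// Handle disables the device only if the signature verifies under the vendor
// key, the command names this device, and the counter is strictly fresh.
func (d *Device) Handle(cmd []byte) error {
	if len(cmd) != msgLen {
		return ErrRejected
	}
	body, sig := cmd[:bodyLen], cmd[bodyLen:]
	if !ed25519.Verify(d.VendorPub, body, sig) {
		return ErrRejected // forged or tampered
	}
	if !bytes.Equal(body[:16], d.ID[:]) {
		return ErrRejected // signed for a different device
	}
	if ctr := binary.BigEndian.Uint64(body[16:bodyLen]); ctr > d.LastCounter {
		d.LastCounter, d.Disabled = ctr, true
		return nil
	}
	return ErrRejected // replayed command
}

// SignDisable is the manufacturer-side step; only here does the private key exist.
func SignDisable(priv ed25519.PrivateKey, id [16]byte, ctr uint64) []byte {
	body := make([]byte, bodyLen)
	copy(body, id[:])
	binary.BigEndian.PutUint64(body[16:], ctr)
	return append(body, ed25519.Sign(priv, body)...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{ID: [16]byte{1}, VendorPub: pub}
	cmd := SignDisable(priv, dev.ID, 1)
	fmt.Println(dev.Handle(cmd), dev.Disabled) // <nil> true
	fmt.Println(dev.Handle(cmd))               // replay: disable command rejected
}
```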
