On Mon, Jun 29, 2009 at 11:26:59PM -0700, Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Michael Lynn flashback...

On that note, this article, whose money quote is dead-on:

        "We made ourselves stupid and now we must pay."

---Rsk

> From: Richard Forno <[email protected]>
> Date: Thu, 18 Jun 2009 20:25:00 -0400
> Subject: [Infowarrior] - DMCA endangering American security
> 
> The DMCA is endangering American security
> Lockdown with Angela Gunn
> 
> Why government cybersecurity's a joke as long as security research is  
> hamstrung.
> 
> By Angela Gunn | Published June 11, 2009, 6:41 PM
> 
> http://www.betanews.com/article/The-DMCA-is-endangering-American-security/1244758683
> 
> I've had the government's 60-day Cyberspace Policy Review sitting  
> on my desk for many days now, dutifully highlighted and marked up with  
> notes about how this bit could turn out interesting and that section  
> looks a lot like what we've previously heard from DC about cybersecurity  
> and that passage over there appears to have been lifted from the  
> questionable financial-loss statistics one hears from the RIAA and BSA  
> and MPAA and such. And I see one gigantic self-inflicted wound that I  
> fear the current administration will ignore like the last two have --  
> ignored it since 1998, in fact.
> 
> The cybersecurity review says we need to  
> improve academic and industry collaboration on cybersecurity and other  
> technology issues. It also states we should "expand university  
> curricula; and set the conditions to create a competent workforce for  
> the digital age."
> 
> What the cybersecurity review should have said is, "We are raising a  
> nation of timid technophobes who mistake using MyTwitFace for being a  
> geek. Meanwhile, we have comprehensively, at every educational level,  
> stripped away useful teaching tools and criminalized modes of research  
> and inquiry in the name of copyright and liability laws, and sooner  
> rather than later we are going to reap the whirlwind."
> 
> Or, putting it simply: We made ourselves stupid and now we must pay.
> 
> Since the rise of the Information Age, America has convinced itself  
> that safety is a better choice than knowledge, and that anyone who  
> doesn't make safety a priority over knowledge is Dangerous And Up To  
> No Good. The 1998 Digital Millennium Copyright Act, which is entering  
> its twelfth year of chilling security research, acts in direct  
> opposition to the government's alleged goal of improving American  
> cybersecurity by criminalizing the research and inquiry that make  
> security products, and thus security, stronger.
> 
> And not only have we attained this vulnerable position step by step,  
> special-interest groups such as liability lawyers and the  
> entertainment industry -- not to mention the computer industry itself  
> -- have paved the path for us, making us easily fleeced, easily  
> frightened, and easily led.
> 
> We'll start with the little ones. I'm willing to bet that you, as a  
> young geek, had a certain amount of curiosity about science. Did you  
> own a chemistry set? Do you remember some of the chemicals that  
> shipped in it, some of the reactions you could test? Enjoy your  
> memories of, as Oliver Sacks put it in Uncle Tungsten, "stinks and  
> bangs." As Steve Silberman has written about so effectively in Wired,  
> legislators and law enforcement now send a loud-and-clear message that  
> science is something best left to the professionals. As geekish youth  
> will discover over and over, the claim that "someone could get hurt!"  
> is the way that people who are unnerved by smart people make sure that  
> no one actually gets smart.
> 
> Head for the schools -- the elementary schools, even. The  
> entertainment industry hasn't been as successful as it would like in  
> eliminating fair use for educational purposes. But it has managed to  
> get its point of view into the classroom starting in third grade with  
> Music Rules, which "informs students about the laws of copyright and  
> the risks of online file-sharing." Parents are cautioned against the  
> dangers of "songlifting" (the RIAA's preferred new term for  
> downloading and/or ripping) and the program handouts conflate music  
> downloading with exposure to online predators. The "someone could get  
> hurt" motif continues, with the introduction of the "and you'll be a  
> criminal if you try it" theme.
> 
> Speaking of online predators, move to the higher grades. We don't  
> really like teenagers in America if they're not Miley Cyrus or the  
> Jonas Brothers (so clean-cut, such radio-friendly unit shifters!), so  
> despite multiple studies indicating that most teens know enough to  
> ignore online weirdos and most teens are smart enough not to go a- 
> sexting and most teens can deal with "cyberbullying," social  
> networking and mobile phones are as reliably panic-inducing in the  
> mainstream media as rock-and-roll and long hair were back in the day.  
> Again, "someone could get hurt" (especially teenaged girls, whose  
> interest in tech when they could be interested in makeup and clothes  
> is already unseemly and suspicious); but teenagers being generally  
> scary, we're equally convinced that they're out to get each other.
> 
> Meanwhile, we're at the age when the hacker gene expresses.  
> Criminalizing young men (and women) who hack is old fare, documented  
> as far back as Cap'n Crunch and Joe Engressia and a couple of Steves  
> (Jobs and Wozniak), and where social pressures didn't push status- 
> conscious kids away from exploring computers, legal pressures often  
> did. Ask anyone who attended 2600 meetups back in the day -- even  
> those meetups destined for nothing more subversive than a really bad  
> movie -- what percentage of "attendees" were cops hoping to get lucky.
> 
> Onward to the world -- to college and adult lives. Those who still  
> have the geek fever by now -- and US university enrollment rates in  
> science and computer science curricula tell us it's not very many  
> these days -- may hope to connect with worthwhile research projects  
> and really dig into what makes systems tick. And here's where the DMCA  
> works its wonders for security researchers (and I mean real security  
> researchers, not hopeful political appointees putting together a 60- 
> day job application) by chilling research and collaboration.
> 
> Ask Ed Felten about his research on flaws in e-voting machines.
> 
> Ask Seth Finkelstein about his research on censorware.
> 
> Ask J. Alex Halderman about the Sony-BMG rootkit. For that matter, ask  
> the researchers who'd previously requested an exemption to the DMCA to  
> examine that rootkit, a request denied by the Copyright Office. (I  
> find, by the way, no evidence in the Cybersecurity Policy Review that  
> Melissa Hathaway or any of her minions spoke to the Copyright Office  
> to ask who the hell they think they are to make security decisions. I  
> wish somebody would.)
> 
> Ask Dmitry Sklyarov about that five-month detention, and getting  
> arrested at DEFCON.
> 
> Ask Luigi Auriemma about informing GameSpy of vulnerabilities and  
> getting no answer but a DMCA cease-and-desist. (Apparently GameSpy's  
> lawyers were as excellent as their coders, since Mr. Auriemma lives in  
> Italy and had no intention of coming to the US to be prosecuted, but  
> oh well.)
> 
> Ask Eric Corley about simply attempting to publish the DeCSS software  
> code -- in a printed magazine -- in 2600.
> 
> Ask former cybersecurity chief Richard Clarke how much traction he got  
> after he told a Boston newspaper that the DMCA needed rethinking,  
> because "I think a lot of people didn't realize that it would have  
> this potential chilling effect on vulnerability research." (Hint: He  
> was out of government in 2003.) Want to dig into a software program  
> the way we used to dig into a car engine or an unexplored continent?  
> For shame; you're obviously attempting to steal something. In the wake  
> of 9/11 copyright holders and the law-enforcement folk who do their  
> work have managed to turn the "steal something" gripe into "ZOMG  
> TERRORISTS!," but otherwise, we're in the second decade of  
> intellectual curiosity being a pre-crime condition. Meanwhile... need  
> I say more than "China" and "India?"
> 
> The new administration doesn't need to plead for better cybersecurity  
> education for the masses; in fact, considering what's passing for  
> "education" on that front these days I'd prefer that education stuck  
> with the basics -- reading, writing, arithmetic, and blowing stuff up  
> with chemistry sets that actually teach something besides "lawyers  
> want to ruin your fun." It needs to put muscle behind the idea of  
> "expanding academic curricula," re-establishing the importance of the  
> freedom to conduct research and to communicate the results without  
> fear of hearing from lawyers for a company that simply doesn't want  
> anyone to know they're shipping vulnerable products. The DMCA is  
> deeply dishonest legislation, and -- as it continues to undermine  
> security research -- deeply dangerous to our future.
> 
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.