[Infowarrior] - DMCA endangering American security
Richard Forno
rforno at infowarrior.org
Fri Jun 19 00:25:00 UTC 2009
The DMCA is endangering American security
Lockdown with Angela Gunn
Why government cybersecurity's a joke as long as security research is
hamstrung.
By Angela Gunn | Published June 11, 2009, 6:41 PM
http://www.betanews.com/article/The-DMCA-is-endangering-American-security/1244758683
I've had the government's 60-day Cyberspace Policy Review sitting
on my desk for many days now, dutifully highlighted and marked up with
notes about how this bit could turn out interesting and that section
looks a lot like what we've previously heard from DC about cybersecurity
and that passage over there appears to have been lifted from the
questionable financial-loss statistics one hears from the RIAA and BSA
and MPAA and such. And I see one gigantic self-inflicted wound that I
fear the current administration will ignore like the last two have --
ignored it since 1998, in fact.
The cybersecurity review says we need to
improve academic and industry collaboration on cybersecurity and other
technology issues. It also states we should "expand university
curricula; and set the conditions to create a competent workforce for
the digital age."
What the cybersecurity review should have said is, "We are raising a
nation of timid technophobes who mistake using MyTwitFace for being a
geek. Meanwhile, we have comprehensively, at every educational level,
stripped away useful teaching tools and criminalized modes of research
and inquiry in the name of copyright and liability laws, and sooner
rather than later we are going to reap the whirlwind."
Or, putting it simply: We made ourselves stupid and now we must pay.
Since the rise of the Information Age, America has convinced itself
that safety is a better choice than knowledge, and that anyone who
doesn't make safety a priority over knowledge is Dangerous And Up To
No Good. The 1998 Digital Millennium Copyright Act, which is entering
its twelfth year of chilling security research, acts in direct
opposition to the government's alleged goal of improving American
cybersecurity by criminalizing the research and inquiry that make
security products, and thus security, stronger.
And not only have we attained this vulnerable position step by step,
special-interest groups such as liability lawyers and the
entertainment industry -- not to mention the computer industry itself
-- have paved the path for us, making us easily fleeced, easily
frightened, and easily led.
We'll start with the little ones. I'm willing to bet that you, as a
young geek, had a certain amount of curiosity about science. Did you
own a chemistry set? Do you remember some of the chemicals that
shipped in it, some of the reactions you could test? Enjoy your
memories of, as Oliver Sacks put it in Uncle Tungsten, "stinks and
bangs." As Steve Silberman has written about so effectively in Wired,
legislators and law enforcement now send a loud-and-clear message that
science is something best left to the professionals. As geekish youth
will discover over and over, the claim that "someone could get hurt!"
is the way that people who are unnerved by smart people make sure that
no one actually gets smart.
Head for the schools -- the elementary schools, even. The
entertainment industry hasn't been as successful as it would like in
eliminating fair use for educational purposes. But it has managed to
get its point of view into the classroom starting in third grade with
Music Rules, which "informs students about the laws of copyright and
the risks of online file-sharing." Parents are cautioned against the
dangers of "songlifting" (the RIAA's preferred new term for
downloading and/or ripping) and the program handouts conflate music
downloading with exposure to online predators. The "someone could get
hurt" motif continues, with the introduction of the "and you'll be a
criminal if you try it" theme.
Speaking of online predators, move to the higher grades. We don't
really like teenagers in America if they're not Miley Cyrus or the
Jonas Brothers (so clean-cut, such radio-friendly unit shifters!), so
despite multiple studies indicating that most teens know enough to
ignore online weirdos and most teens are smart enough not to go
a-sexting and most teens can deal with "cyberbullying," social
networking and mobile phones are as reliably panic-inducing in the
mainstream media as rock-and-roll and long hair were back in the day.
Again, "someone could get hurt" (especially teenaged girls, whose
interest in tech when they could be interested in makeup and clothes
is already unseemly and suspicious); but teenagers being generally
scary, we're equally convinced that they're out to get each other.
Meanwhile, we're at the age when the hacker gene expresses.
Criminalizing young men (and women) who hack is old fare, documented
as far back as Cap'n Crunch and Joe Engressia and a couple of Steves
(Jobs and Wozniak), and where social pressures didn't push
status-conscious kids away from exploring computers, legal pressures often
did. Ask anyone who attended 2600 meetups back in the day -- even
those meetups destined for nothing more subversive than a really bad
movie -- what percentage of "attendees" were cops hoping to get lucky.
Onward to the world -- to college and adult lives. Those who still
have the geek fever by now -- and US university enrollment rates in
science and computer science curricula tell us it's not very many
these days -- may hope to connect with worthwhile research projects
and really dig into what makes systems tick. And here's where the DMCA
works its wonders for security researchers (and I mean real security
researchers, not hopeful political appointees putting together a
60-day job application) by chilling research and collaboration.
Ask Ed Felten about his research on flaws in e-voting machines.
Ask Seth Finkelstein about his research on censorware.
Ask J. Alex Halderman about the Sony-BMG rootkit. For that matter, ask
the researchers who'd previously requested an exemption to the DMCA to
examine that rootkit, a request denied by the Copyright Office. (I
find, by the way, no evidence in the Cybersecurity Policy Review that
Melissa Hathaway or any of her minions spoke to the Copyright Office
to ask who the hell they think they are to make security decisions. I
wish somebody would.)
Ask Dmitry Sklyarov about that five-month detention, and getting
arrested at DEFCON.
Ask Luigi Auriemma about informing GameSpy of vulnerabilities and
getting no answer but a DMCA cease-and-desist. (Apparently GameSpy's
lawyers were as excellent as their coders, since Mr. Auriemma lives in
Italy and had no intention of coming to the US to be prosecuted, but
oh well.)
Ask Eric Corley about simply attempting to publish the DeCSS software
code -- in a printed magazine -- in 2600.
Ask former cybersecurity chief Richard Clarke how much traction he got
after he told a Boston newspaper that the DMCA needed rethinking,
because "I think a lot of people didn't realize that it would have
this potential chilling effect on vulnerability research." (Hint: He
was out of government in 2003.)
Want to dig into a software program
the way we used to dig into a car engine or an unexplored continent?
For shame; you're obviously attempting to steal something. In the wake
of 9/11 copyright holders and the law-enforcement folk who do their
work have managed to turn the "steal something" gripe into "ZOMG
TERRORISTS!," but otherwise, we're in the second decade of
intellectual curiosity being a pre-crime condition. Meanwhile... need
I say more than "China" and "India?"
The new administration doesn't need to plead for better cybersecurity
education for the masses; in fact, considering what's passing for
"education" on that front these days I'd prefer that education stuck
with the basics -- reading, writing, arithmetic, and blowing stuff up
with chemistry sets that actually teach something besides "lawyers
want to ruin your fun." It needs to put muscle behind the idea of
"expanding academic curricula," re-establishing the importance of the
freedom to conduct research and to communicate the results without
fear of hearing from lawyers for a company that simply doesn't want
anyone to know they're shipping vulnerable products. The DMCA is
deeply dishonest legislation, and -- as it continues to undermine
security research -- deeply dangerous to our future.