This story appeared on Network World Fusion at
http://www.nwfusion.com/columnists/2001/0910bradner.html

'Net Insider: Legally mandated stupidity

By Scott Bradner
Network World, 09/10/01

A couple of weeks ago in this publication, Winn Schwartau pointed out the
stupidity of companies trying to invent their own encryption technologies in a
column headlined "To hell with proprietary encryption algorithms".
This is a good column, but he only covered part of the stupidity - the stupidity
he did not cover is legally mandated.

President Clinton signed the Digital Millennium Copyright Act (DMCA) into law
Oct. 28, 1998 (a copy is available here). The law prohibits "any technology, product,
service, device, component, or part thereof, that . . . is primarily designed
or produced for the purpose of circumventing protection afforded by a
technological measure that effectively protects a right of a copyright
owner."

By outlawing tools for circumventing protection, it is also outlawing tools
researchers use to test security systems. The only way to
know if an encryption system works is to try to break it. But having software
that could be used to do this is outlawed by the DMCA.

So if someone stumbles on a hole in some security system that could conceivably be used to
protect some copyrighted material - that covers just about all security systems
- that person cannot report the problem without opening himself or herself up
for prosecution for possession of the tools used to find the hole.

In effect, this law says that when a company or organization goes against Winn's
good advice and hires self-proclaimed crypto-experts to create a proprietary
protection scheme and that scheme turns out to be as effective a barrier as wet
tissue paper, no one can tell them about the vulnerability without risk of
arrest. This law mandates ignorance. This makes about as much sense as
outlawing reporting on deaths that occur during drug trials. In effect, the law
mandates crappy security.

And we have recently seen that a lot of security is not as good as inventors
originally thought. The list is getting longer by
the day: DVDs, 802.11 Wired Equivalent Privacy, most watermark schemes, Adobe
e-books and, as recently reported, maybe even Microsoft's e-books. Who knows
what other systems have been broken but not reported on because of the threat
of the DMCA?

Security is hard. It is very hard for a developer to find all the holes in a
design or implementation (just ask Microsoft!). Making it
illegal for people to report vulnerabilities does not add to security. (If that
sounds like a reach from the DMCA, see this.)

If you implement security-related software, the DMCA mandates that you stay in the dark if
someone manages to break your security, on purpose or by accident. It mandates
that no one but the bad guys know about vulnerabilities. It mandates that U.S.
companies create and use poor security on the Internet in the face of concerted
attacks from many parts of the world. This is breathtakingly stupid.

It may also be an unconstitutional abridgement of free speech - time and the
courts will tell. Meanwhile, rest well, knowing that the U.S. government is
protecting the ability of the bad guys to exploit holes in crappy software.

Disclaimer: Harvard is not associated with anything crappy, so the above must
be my own opinion.

All contents copyright 1995-2002 Network World, Inc.
http://www.nwfusion.com