Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

Responsible crypto?

By iGrrrl in MLP
Tue Jul 10, 2001 at 04:42:09 PM EST
Tags: Security (all tags)

There's a quiet little story on cryptonomicon.net with the curious title of Socially Responsible Crypto. It asks the question:

There are several sites out there on the net that are offering DVD Decryptors, DiVX crackers, password file hackers, etc. Is this ethical?
I think the question is valid. It comes from the thought that if corporations primarily see (and can point to) hackers "using their powers for evil" then they have more leverage for getting laws like the DMCA passed.

The scope of this problem is bigger than just the hassle of not being able to play your DVDs on any machine in any part of the world. From the article:
The standard party line amongst crypto-anarchists is that corporate interest is incapable of restricting access to intellectual property by technical means, so they're forcing a reinterpretation of intellectual property laws to make academic research illegal (or at least an action with civil liability.)
[emphasis mine] All this makes me wonder about the notion of self-policing in order not to spook corporations. The argument over whether there is or isn't "hacker culture" feeds into the question of whether one can have a social responsibility to hacker culture or culture at large. Do "white hat" hackers have an obligation to keep quiet about what they can do or at least apply it within the law? Or is self-policing as bad as legal restrictions?


Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure


"Information wants to be free!"
o No, some of it is protected intellectual property. 25%
o I have the DeCSS T-shirt. 19%
o I patent all my algorithms. 0%
o Your information may be free, but I use PGP. 26%
o I bought all the security books Inoshiro listed, but never read them. 5%
o Some of the above. 12%
o None of the above. 10%

Votes: 56
Results | Other Polls

Related Links
o cryptonomi con.net
o Socially Responsible Crypto
o Also by iGrrrl

Display: Sort:
Responsible crypto? | 9 comments (6 topical, 3 editorial, 0 hidden)
False dichotomy (4.33 / 3) (#3)
by DesiredUsername on Tue Jul 10, 2001 at 02:35:06 PM EST

"Do "white hat" hackers have an obligation to keep quiet about what they can do or at least apply it within the law? Or is self-policing as bad as legal restrictions?"

The assumption being that we need to avoid "spooking" corporations. I disagree with the assumption. These companies are sticking their heads in the sand. They already know that "copy protection" doesn't work--that's why they purchased DMCA and friends. But what makes them think a piece of paper in Washington, DC (a law) is any more effective than a piece of paper in Redmond, WA (a EULA)? It isn't. And therefore the legal method is doomed to fail as well. Companies that are "spooked" into recognizing this fact will be a lot better off--and we'll be better of sharing a marketplace with them.

In any case, self-policing won't work. To a black hat, "self"-policing is identical to other-policing--which isn't working now.

Play 囲碁
One example (4.80 / 5) (#5)
by ucblockhead on Tue Jul 10, 2001 at 02:54:45 PM EST

I've used a password cracking program. Am I a cracker, a vandal, bent on causing chaos and disruption? No, I merely wanted to run it against my own password file to ensure the passwords chosen were secure.

One wasn't.

I did this on the recommendation of a book on security, and I'm damn glad I did. If this one "cracking" tool was not available, at least one system in the world would be less secure.
This is k5. We're all tools - duxup

Same for me and more so (5.00 / 1) (#8)
by ZorbaTHut on Wed Jul 11, 2001 at 04:22:41 AM EST

I remember a few years ago at my high school, we had an admin who didn't have the faintest clue what he was doing. At one point I was puttering around on the Linux box and decided to see if I could get root. Snagged the password file and ran a password cracker. Fifteen accounts in as many seconds - more than two thirds of them with the name of the school! They had been created by the admin with a default password and just left there. And the root password was cheese.

I tried to tell the school how insecure the box was . . . no luck. So I hacked in and maintained it, including tightening up security (disabling all those accounts, since nobody had ever used any of them) and eventually backing off a hacker who got in I-have-no-idea-how. Probably wasn't too secure at that point, but I'll never know how the hacker got in since the admin spontaneously decided to reformat the box :P (yes, linux.) (and he never knew about the hacker, so it wasn't because of that.) He never got it talking to the network again, so we lost our linux box, but . . . maybe we got an extra few months of use out of it?

Anyway. Yeah. Since then, I tend to run occasional password cracks on any box I admin, just to see if anyone has insecure passwords, and every once in a while I get one and promptly inform the user. I've never gotten around to automating it, but I will someday.

My point is that this utility will be available even if it's not publicly available - some hacker would have coded it and put it in whatever distribution channels hackers have. So . . . yeah.

[ Parent ]
Security issues (3.00 / 1) (#6)
by Orion Blastar on Tue Jul 10, 2001 at 03:24:15 PM EST

anytime someone comes up with a copy protection method the pirates/crackers will find a way around it. I have found that a lot of Russian or Chiense web sites have ways around copy protection and devices that are prohibited for sale in the US. I recall at one time, they had video game console backup units to copy SNES, Genesis, etc games to Floppy disk or Zip disks. Then mod chips for Playtstation (1 and 2), Dreamcast, etc systems to play copied CD/DVD disks.

I suspect that someone will come up with a way to generate codes for the Office XP and Windows XP registration? Or a way to get around the DVD and MP3 protections? People want their MP3s for free, their DVD copies as well.

You can stop a few web sites, but can you stop them all from using that DVD player open source code?

Hackers, be they White or Black Hat, will still get into that sort of stuff. Privacy and Security will always be issues for them to look into.
*** Anonymized by intolerant editors at K5 and also IWETHEY who are biased against the mentally ill ***

DMCA (4.50 / 2) (#7)
by sigwinch on Tue Jul 10, 2001 at 05:11:00 PM EST

It comes from the thought that if corporations primarily see (and can point to) hackers "using their powers for evil" then they have more leverage for getting laws like the DMCA passed.
I gave the DMCA a close reading and it does not do what the large content corps want you to believe it does. They say the DMCA gives the first user of a cipher monopoly rights to it. On the basis of this theory, they have been trying to enforce their perceived monopoly over CSS.

However, the DMCA does not grant such a monopoly. Here's how the DMCA works:

  1. Copyright holder creates movie. (Note the use of the correct term 'copyright holder', and not the incorrect term 'owner'.)
  2. Holder encodes work with CSS.
  3. Holder sells work.
  4. Infringer sells Screw The MPAA Home Piracy Machine for converting DVDs to video CDs.
  5. Home Piracy Machine has no significant lawful purpose. (DMCA: "no legitimate commercially-significant purpose".)
  6. Home Piracy Machine is an instrumentality for acting contrary to the lawful prerogatives of the Holder under copyright law. (DMCA: "without the authority of the copyright holder".)
  7. Holder enjoins sales of Home Piracy Machine for the previous two items.

(Caveat: it's been a while since I read the DMCA, but I think the above is fairly correct.)

That's the DMCA anti-circumvention measures in a nutshell. Notice that the criteria are "without the authority of the copyright holder" and "no legitimate commercially-significant purpose". In no way can this conceivably be construed as given a monopoly upon a cipher. The anti-circumvention measures do nothing more than explicitly criminalize a particular type of copyright infringement.

So how do you fight this? Here's my proposal:

  1. EFF hires John Waters to produce a seedy low-budget hacker documentary at DefCon. (Working title: "Sex, Lies, and Magnetic Tape".)
  2. EFF encodes movie in CSS.
  3. EFF sells DVDs of encoded movie.
  4. Intensive promotion of Sex, Lies, and Magnetic Tape creates commercially-significant market for it.
  5. EFF sells copies of DVD software. (Make it Linux-only software for the Slashdot coverage.)
  6. MPAA sues EFF for DVD software.
  7. MPAA claims general principle: anyone who uses a enciphering algorithm to protect copyrighted works can control the use of the deciphering algorithm.
  8. MPAA claims specific principle: MPAA uses CSS encoder, therefore MPAA can prohibit EFF from using CSS decoder.
  9. EFF files a counterclaim in the same case: EFF is using CSS, therefore they have the right to prohibit anyone EFF doesn't like from distributing CSS decoders.
  10. EFF files for injunction against MPAA-promoted CSS decoders.
  11. MPAA tries to redefine position.
  12. EFF asks for and is granted estoppel, forcing MPAA to stick to the general priciple that encipherers can enjoin unapproved decipherers. The court will not let you make contradictory statements. If you claim a general principle as a fact of law, then it is a fact for the whole case.
  13. EFF is enjoined from CSS decoding.
  14. MPAA is enjoined from CSS decoding.
  15. MPAA pays congresscritters to "clarify" DMCA.
    • Clarification is onerous and eventual backlash destroys this stupidity forever.
    • Clarification is less onerous.
    Either way, the DMCA is eliminated.

I don't want the world, I just want your half.

"a particular type of copyright infringement& (none / 0) (#9)
by evin on Wed Jul 11, 2001 at 04:11:56 PM EST

It does not criminalize a particular type of copyright infringement.
6. Home Piracy Machine is an instrumentality for acting contrary to the lawful prerogatives of the Holder under copyright law. (DMCA: "without the authority of the copyright holder".)

Almost. The DMCA also prohibits uses which don't violate copyright law. Even if DeCSS had no effect on the ability of people to copy works, it would still be illegal under the DMCA. So it isn't limited to the "lawful prerogatives of the Holder under copyright law." It's whatever the heck the Holder wishes about any use of her work, be it fair use or not.

If the DMCA only prevented devices which aid in copyright violations, it would be largely redundant, as we already have the concept of contributory copyright infringement. DeCSS is indeed contributing to copyright infringement, but the MPAA does not need to show it (they also don't have to show that distributors of it intend/benefit from/etc copyright violations). Kaplan made it clear that the defendants were not being sued under Copyright, as that's crucial to his reading of the DMCA.

But I agree completely with the rest of your comment, and have been thinking since day one that someone should make a movie (dialog including a spoken version of efdtt.c of course) encrypted in CSS in order to provide "significant" other uses for it. Unfortunately, I suspect that this would be seen for what it is: an attempt to get around the law, and not looked upon favorably... It would, however, further demonstrate the ridiculousness of the DMCA.

[ Parent ]

Responsible crypto? | 9 comments (6 topical, 3 editorial, 0 hidden)
Display: Sort:


All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!