One Article Review

Source Errata Security
Identifier 2087760
Publication date 2020-12-09 15:25:45 (viewed: 2020-12-09 21:06:08)
Title The deal with DMCA 1201 reform
Text There are two fights in Congress now against the DMCA, the "Digital Millennium Copyright Act". One is over Section 512 covering "takedowns" on the web. The other is over Section 1201 covering "reverse engineering", which weakens cybersecurity.

Even before digital computers, since the 1880s, an important principle of cybersecurity has been openness and transparency ("Kerckhoffs's Principle"). Only by making details public can security flaws be found, discussed, and fixed. This includes reverse-engineering to search for flaws.

Cybersecurity experts have long struggled against the ignorant who hold the naive belief that we should instead cover up information, so that evildoers cannot find and exploit flaws. Surely, they believe, giving just anybody access to critical details of our security weakens it. The ignorant have little faith in technology, that it can be made secure. They have more faith in government's ability to control information.

Technologists believe this information cover-up hinders well-meaning people and protects the incompetent from embarrassment. When you hide information about how something works, you prevent people on your own side from discovering and fixing flaws. It also means that you can't hold those responsible accountable for their security, since it's impossible to notice security flaws until after they've been exploited. At the same time, the information cover-up does not do much to stop evildoers. Technology can work, it can be perfected, but only if we can search for flaws.

It seems counterintuitive that revealing your encryption algorithms to your enemy is the best way to secure them, but history has proven time and again that this is indeed true. Encryption algorithms your enemy cannot see are insecure. The same is true of the rest of cybersecurity.

Today, I'm composing and posting this blogpost securely from a public WiFi hotspot because the technology is secure. It's secure because of two decades of security researchers finding flaws in WiFi, publishing them, and getting them fixed.

Yet in the year 1998, ignorance prevailed with the "Digital Millennium Copyright Act". Section 1201 makes reverse-engineering illegal. It attempts to secure copyright not through strong technological means, but by the heavy hand of government punishment.

The law was not completely ignorant. It includes an exception allowing what it calls "security testing" -- in theory. But that exception does not work in practice, imposing too many conditions on such research to be workable.

The U.S. Copyright Office has authority under the law to add its own exemptions every 3 years. It has repeatedly added exceptions for security research, but the process is unsatisfactory. It's a protracted political battle every 3 years to get the exception back on the list, and each time it can change slightly. These exemptions are still less than what we want. This causes a chilling effect on permissible research. It would be better if such exceptions were put directly into the law.

You can understand the nature of the debate by looking at those on each side.

Those lobbying for the exceptions are those trying to make technology more secure, such as Rapid7, Bugcrowd, Duo Security, Luta Security, and HackerOne. These organizations have no interest in violating copyright -- their only concern is cybersecurity, finding and fixing flaws.

The opposing side includes the copyright industry, as you'd expect, such as the "DVD" association, which doesn't want hackers breaking the DRM on DVDs.

However, much of the opposing side has nothing to do with copyright as such. This notably includes the three major voting machine suppliers in the United States: Dominion Voting, ES&S, and Hart InterCivic. Security professionals have been pointing out security flaws in their equipment for the past several years. These vendors are explicitly trying to cover up their security flaws by using the law to silence critics.

This goes back to the struggle mentioned at the top of this
Sent Yes
Tags Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.