Feeds

Linux update withholds security info on DMCA terror

Pulling a Felten

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Citing a controversial U.S. copyright law, a top Linux developer announced this week that Americans would not be given details about the security fixes in an update to the open source operating system, a first for a software development community that prides itself on transparency.

An update to version 2.2 of the Linux kernel, an older version of Linux that's still in wide use, was released Monday, conspicuously shorn of information about a number of security holes patched in the software.

In an email to a Linux developer's mailing list, U.K.-based Linux guru Alan Cox wrote that the self-censorship was necessary to avoid running afoul of the U.S. Digital Millennium Copyright Act (DMCA), a law that makes it a crime to create or distribute software "primarily designed" to circumvent a copy protection scheme.

Cox controls the 2.2 release, and is generally considered Linux's second-in-command after creator Linus Torvalds.

The DMCA has been under fire from computer programmers and electronic civil libertarians who argue that it is an unconstitutional impingement on speech, and interferes with consumers' traditional right to make personal copies of books, movies and music that they've purchased.

In July, the first criminal prosecution under the Act kicked-off with FBI agents arresting Dmitry Sklyarov, a Russian computer programmer who was visiting the U.S. to give a talk at a security conference. Sklyarov is the author of a computer program that cracks the copy protection scheme used by Adobe Systems' eBook software.

"With luck, the Sklyarov case will see that overturned on constitutional grounds," Cox wrote on the list. "Until then U.S. citizens will have to guess about security issues."

America Boycotted
But U.S. Linux developers and users suspect Cox of using them to carry a political message.

"My personal belief is that certain people are using this as an excuse to draw attention to the dangers inherent in the DMCA," says Birmingham system administrator Wayne Brown. "I'm sympathetic to their efforts, but not at all happy that people who need access to this information will be denied just to make a point... It seems to me to be contrary to the whole spirit of free software development."

"I still think this is an extremist view of the DMCA," wrote U.S. Linux developer Tom Sightler, in a post to the developer's list. "I don't see where it keeps you from posting information about security fixes to your own code."

Cox didn't respond to a reporter's inquiry, but on the mailing list, he wrote that the new closed policy was necessary because Linux's standard security features may be used for "rights management" of copyrighted work. He declined to elaborate further "on a list that reaches U.S. citizens."

The programmer plans to post Linux security information exclusively on a Web site that will block access from the U.S.

Despite Cox's fears, describing security holes or patches in Linux doesn't violate the DMCA, because the information isn't primarily designed for the purpose of circumvention, says attorney Jennifer Granick, director of the Stanford Law School's Law and Technology Clinic.

"He seems to be assuming that the DMCA prohibits discussion about any kind of security, and that's not what it does," says Granick. "The DMCA is bad, but it's not that bad."

"Part of the problem with the DMCA is it doesn't make intuitive sense to people who are practicing in this field, so even after reading the statute, people don't understand exactly what they are or aren't allowed to do," says Granick.

Copyright © 2001 SecurityFocus.com, all rights reserved.

Beginner's guide to SSL certificates

More from The Register

next story
ONE MILLION people already running Windows 10
A third of them are doing it in VMs, but early feedback focuses on frippery
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Sway: Microsoft's new Office app doesn't have an Undo function
Content aggregation, meet the workplace ... oh
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Do Moan! MONSTER 6-day EMAIL OUTAGE hits Domain Monster
Customers freaked out by frightful service
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
NetWare sales revive in China thanks to that man Snowden
If it ain't Microsoft, it's in fashion behind the Great Firewall
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.