[free-sklyarov] Linux update withholds security info on DMCA terror

[Vladimir Katalov]

http://www.theregister.co.uk/content/4/22536.html
http://www.securityfocus.com/news/274

Citing a controversial U.S. copyright law, a top Linux developer
announced this week that Americans would not be given details about
the security fixes in an update to the open source operating system, a
first for a software development community that prides itself on
transparency.

An update to version 2.2 of the Linux kernel, an older version of
Linux that's still in wide use, was released Monday, conspicuously
shorn of information about a number of security holes patched in the
software.

In an email to a Linux developer's mailing list, U.K.-based Linux guru
Alan Cox wrote that the self-censorship was necessary to avoid running
afoul of the U.S. Digital Millennium Copyright Act (DMCA), a law that
makes it a crime to create or distribute software "primarily designed"
to circumvent a copy protection scheme.

Cox controls the 2.2 release, and is generally considered Linux's
second-in-command after creator Linus Torvalds.

The DMCA has been under fire from computer programmers and electronic
civil libertarians who argue that it is an unconstitutional
impingement on speech, and interferes with consumers' traditional
right to make personal copies of books, movies and music that they've
purchased.

In July, the first criminal prosecution under the Act kicked-off with
FBI agents arresting Dmitry Sklyarov, a Russian computer programmer
who was visiting the U.S. to give a talk at a security conference.
Sklyarov is the author of a computer program that cracks the copy
protection scheme used by Adobe Systems' eBook software.

"With luck, the Sklyarov case will see that overturned on constitutional grounds," Cox wrote on the list. "Until then U.S. citizens will have to guess about security issues." 

America Boycotted 
But U.S. Linux developers and users suspect Cox of using them to carry
a political message.

"My personal belief is that certain people are using this as an excuse
to draw attention to the dangers inherent in the DMCA," says
Birmingham system administrator Wayne Brown. "I'm sympathetic to their
efforts, but not at all happy that people who need access to this
information will be denied just to make a point... It seems to me to
be contrary to the whole spirit of free software development."

"I still think this is an extremist view of the DMCA," wrote U.S.
Linux developer Tom Sightler, in a post to the developer's list. "I
don't see where it keeps you from posting information about security
fixes to your own code."

Cox didn't respond to a reporter's inquiry, but on the mailing list,
he wrote that the new closed policy was necessary because Linux's
standard security features may be used for "rights management" of
copyrighted work. He declined to elaborate further "on a list that
reaches U.S. citizens."

The programmer plans to post Linux security information exclusively on
a Web site that will block access from the U.S.

Despite Cox's fears, describing security holes or patches in Linux
doesn't violate the DMCA, because the information isn't primarily
designed for the purpose of circumvention, says attorney Jennifer
Granick, director of the Stanford Law School's Law and Technology
Clinic.

"He seems to be assuming that the DMCA prohibits discussion about any
kind of security, and that's not what it does," says Granick. "The
DMCA is bad, but it's not that bad."

"Part of the problem with the DMCA is it doesn't make intuitive sense
to people who are practicing in this field, so even after reading the
statute, people don't understand exactly what they are or aren't
allowed to do," says Granick.