The Case For Full Disclosure In The Linux Changelog 234
titurel writes: "This article on SecurityFocus takes up some interesting thoughts about how Alan Cox's choice not to unveil securitychanges in the kernel changelog could affect other developers." And Jon Lasser is no security dummy -- Along with Jay Beale, he's one of the guys behind Bastille Linux, and the author of the excellent Think Unix.
This mean that Linux devs and Microsoft agree.. (Score:2)
The kernel is the one thing on my systems that I don't update all that regularly. Mostly because it tends to trash my systems out for whatever reason - so I can see where keeping the security changes out might obfuscate openings for people. But then again - if I know that someone can break into my system because I'm running 2.2.13 - I'm more likely to upgrade, fixing the problem.
-T
Re:This mean that Linux devs and Microsoft agree.. (Score:5, Insightful)
You really need to follow the news more closely, as does Jon Lasser.
Alan Cox did not release the changelogs for Linux kernel 2.20 in the United States for fear of prosecution under the DMCA.
Cox did release the changelogs internationally, and some of us mirror the censored logs on sites accessible inside the U.S. The reason for the censoring of the logs is that they specify particular applications that can be used to exploit the kernel bug, which could well be interpreted under the DMCA as giving directions to script kiddies.
Re:This mean that Linux devs and Microsoft agree.. (Score:1)
While at least some of the security changes made in the prerelease of the 2.2.20 Linux kernel have already been discussed elsewhere, Cox claims that describing these changes might be in violation of the same anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA) used to prosecute Russian programmer Dmitri Sklyarov, and cited by Professor Felten in his initial decision not to publish a paper describing weaknesses in SDMI.
i would say that the author is aware of the reasoning. if you read on you might see his side of the story.
Re:This mean that Linux devs and Microsoft agree.. (Score:3, Interesting)
Actually, I did read the article, and I stand by my complaint about Lasser. Of course, he's much closer to the truth than the /. poster I was replying to, but I still think he's overstating the case.
Cox did release the changelogs. He just didn't release them in the United States. Lasser doesn't mention that fact. Apparently, he's unaware of the world past the land of the DMCA.
Re:This mean that Linux devs and Microsoft agree.. (Score:2)
Re:This mean that Linux devs and Microsoft agree.. (Score:2)
If you track my posts, you'll discover that I'm a Canadian.
I'm willing to risk arrest if I visit the United States in order to pursue a claim that the DMCA is unconstitutional. I don't believe it is the law in the United States because it violates the Constitution, and I'm willing to risk arrest and imprisonment if I'm wrong.
I am also willing to allow whichever Americans that view my website to take the same risk as I am willing to.
That doesn't mean I think Alan Cox is wrong to do what he did... His situation is different from mine.
Re:This mean that Linux devs and Microsoft agree.. (Score:4, Informative)
Whether full disclosure is good or bad in general is a completely different question and not much related to the question whether it is legal or illegal in the U.S. now.
Alan won't release due to DMCA not security (Score:1)
that isn't a terribly considerate thing to do (Score:2, Informative)
Re:that isn't a terribly considerate thing to do (Score:1)
Not everyone updates their systems to the latest kernel as soon as it is released, so pointing out vulnerabilities in the ChangeLog along with the names of the 'cracker toolz' that exploit them increases the likelihood that systems running older kernels will be attacked.
This very same problem was seen on the Windows platform with the IIS vulnerabilities exploited by the Code Red worm and it's 'offspring'.
-Miki
When to disclose security vunlnerabilities: (Score:2)
However, you are right: The issue today is when and whether to document the exact nature of security issues.
Regarding software, I am a strong proponent of full disclosure. System and network security has several aspects, and the real security is found in how the network is designed, so that it can minimize security risks. Two networks running the same software and hardware may posess very different degrees of security due to their underlying infrastructure, etc. So disclosing the exact nature of a software vulnerability is not the same as giving instructions on how to break into a system.
However full disclosure does accomplish several things:
1: A reliable way to see which systems are vulnerable.
2: A clear understanding of what the log signatures of an attack would look like.
3: A clear understanding of how the exploit works so that administrators can make intelligent choices as to how to reduce or mitigate that risk.
The first one was covered in the article, but I see the second two as extrmely important as well.
Comment removed (Score:5, Funny)
Re:Shhhh, Keep this news a secret! (Score:2, Funny)
I will now disclothe for all the non-disclosure people in this room. Thank you.
For God's sake (Score:3, Insightful)
how many times does it have to be repeated: Disclose, Disclose, Disclose.
Full disclosure is essential to the success of any project, especially where security is involved. Heck, even Suits (ornery business types) understand this: in a corporation or LLC, lack of disclosure can lead to loss of limited personal liability.
This is unacceptable. I could understand a project admin not disclosing trivial changes that didn't go into a release of a product/system, but failing to disclose non-trivial changes that did go in is inexcusable.
We depend on the proper functioning of group development and understanding in Linux. From folks who just want to keep boxes on their home DSL/cable lines secure, to others (such as myself) who are involved in web hosting businesses, the need is real for disclosure.
This is very troubling. Surely I'm not getting the whole story here, at least I hope I'm not.
Re:For God's sake (Score:2)
In any case, pushing people towards breaking the DMCA is no solution at all.
Put up or shut up (Score:5, Insightful)
And did you write your representative in United States Congress yet? Did you submit an amica brief at Dmitry's preliminary hearing? Did you join the EFF [eff.org] to help battle the DMCA? Did you at least buy a Free Dmitry t-shirt [thinkgeek.com] so some of your purchase goes to stop the DMCA?
If you have, then I applaud your actions and encourage you to continue engaging in constructive solutions. If not, then put up or shut up. Far too many people are bitching about this problem and taking no substantive action.
It is unreasonable to expect Cox to behave differently. He's seen what happened to Dmitry. He knows what could happen if he were to disclose this information to Americans, then set foot in the United States. Cox did the right thing.
Re:Put up or shut up (Score:2)
And did you write your representative in United States Congress yet? Did you submit an amica brief at Dmitry's preliminary hearing? Did you join the EFF [eff.org] to help battle the DMCA? Did you at least buy a Free Dmitry t-shirt [thinkgeek.com] so some of your purchase goes to stop the DMCA?
The answer is Y-E-S to all but the second action. To be more precise, bought t-shirts for myself and a number of friends. Participated heavily in loads of debate on the subject. Donate routinely to the EFF (it's just a good idea anyhow).
I do not believe Cox is behaving reasonably. It would be an EXTREMELY tough twist of logic to apply the DMCA to this at all in a real-world situation. I despise the damned law as much as the rest of us on this topic, but I also know what the law says. Cox is essentially using Linux as his own personal soapbox to cry out against the DMCA, possibly partly in humour (since he knows the "true" changelogs will circulate around eventually anyhow).
Linux is not Cox's soapbox. I have to wonder how Linus feels about this. Nobody seems to be asking that particular question.
I acknowledge the fact that the DMCA could be twisted to prosecute someone on these grounds, but that's about as likely as a meteor hitting my girlfriend and getting her pregnant.
I've put up, so I guess I won't be shutting up...
Re:For God's sake (Score:2, Insightful)
This means that "foreign hackers" have free access to the information and that US sysadmins do not have access to the information.
It's a stupid law that in this case puts American security at risk. Since we did it to ourselves, there is no reason to expect a brit to emperil himself to attempt to rescue us from our own stupidity.
I support Cox (Score:5, Insightful)
Careful - Europe is not that far behind... (Score:2, Interesting)
Re:I support Cox (Score:2)
The United States may have been the land of the free for YOU in the 1960s, but it sure as hell wasn't for everybody.
Just because you guys now have some stupid laws, does not mean everything is worse than it used to be.
The dangers of illegality (Score:4, Insightful)
A debatable point, as the US Constitution Article XVIII, ratified in 1919, forbade the "manufacture, sale, or transportation of intoxicating liquors". This article was repealed in 1933, after prohibition proved its total uselessness in preventing alcohol consumption, but there are similar laws today prohibiting the use of several recreational drugs. The main effect of such prohibition is creating a strong incentive for organized crime. The prohibition is no obstacle to former drug users becoming presidents of the USA, for instance.
As Robert Heinlein said: "I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; If I find them too obnoxious, I break them. I am free because I know that I alone am responsible for everything I do" (The Moon is a Harsh Mistress, 1966).
This doesn't mean that we should tolerate any such stupid laws as the DMCA or drug prohibition. Those laws have the very dangerous side effect of creating a large number of corrupt law enforcement officers. Corruption in law enforcement is, IMHO, a much greater danger to freedom.
Re:The dangers of illegality (Score:2, Interesting)
It just struck me that they had to pass a CONSTITUTIONAL AMENDMENT in order to make liquor illegal, but for all the illegal drugs today just a law was passed. Seems like a case of reinterpretation of what freedoms are protected under the constitution. I'll have to look into it by seeing when the drug laws were passed and such, but it's an interesting topic.
I'm starting to get very dissapointed in my US history as I learned in High School (I took mostly world history in college). They teach you about when the US got all these great freedoms but they don't teach you about when they were taken away again.
Re:The dangers of illegality (Score:2)
You are trying to learn about the history of the US from the US in the US. What makes you think the US will be objective in presenting it's own history within it's own borders knowing full well that vast majority of the people will never look further.
The best way to learn about any country is look outside of itself. Or to quote the butthole surfers "you never know just how you look in other peoples eyes."
Re:The dangers of illegality (Score:2)
Oh, that was easy. Cocaine was banned because of all the coked up niggers raping white women.
This was the honest-to-god media propagated justification for banning cocaine. Opium and heroin went because of all the Chinese doping up and raping white women.
If you find it hard to believe that Joe Voter bought these lurid "exposes", consider the media portrayal of the Taliban right now, and how quick we are to believe any story that gives us someone identifiably different to hate and fear, and how easily we pass laws on the back of that fear.
And how many of us, in this, ahem, more enlightened age, even bother to question that portrayal, or look for the other side of the story?
Re:The dangers of illegality (Score:2)
As written, the Constitution provides the Federal government with very little power, except in a number of well-defined areas. However, there have been many areas in which "interstate commerce" (which a single clause allows the Federal government to regulate) has been used as an excuse to allow in influence. Does your business sell anything to out-of-state customers, or buy supplies from the same? Guess what -- the Federal government can now regulate what you do and how!
It wasn't always like this, and there are those who'd put most governmental power back where it belongs -- with the states and the people. Take a close look at the Libertarian Party [lp.org] -- they're the strongest proponents of freedom I've seen yet.
And who exactly.... (Score:2, Interesting)
Alan has done some great work. But he really needs to step off of his soap box for a few minutes.
NO LAWSUIT NEEDED. DMCA = FEDERAL CRIME (Score:3, Informative)
Re:NO LAWSUIT NEEDED. DMCA = FEDERAL CRIME (Score:1)
This is completely false. It may indeed be a federal crime, but there is a lawsuit. The US Federal government is the ones that has to pursue the lawsuit.
Dinivin
Re:And who exactly.... (Score:5, Informative)
I believe the suggested exchange would go something like this:
Now, while you may be eager to spend several years in Jail, Mr. Cox is not.
Re:And who exactly.... (Score:4, Informative)
Dmitry was arrested by the FBI based on a "tip" they received from Adobe. Adobe withdrew their complaint, but that didn't stop the FBI. The FBI concluded that criminal law was being violated, and that Dmitry should be prosecuted.
If all it takes is one relatively credible tipster to cause the arrest of Cox for violating the DMCA, then Cox's actions seem perfectly reasonable. If he were to visit the United States, he'd like to go home when he's done.
DMCA? (Score:2, Interesting)
Re:DMCA? (Score:5, Informative)
So if you have a copyright protected file on your Linux server and only members of the animator group have permission to access it and then some guest or visitor has an account on that server and uses the information in the kernel changelog to get to that file, copy it and distribute it on the net, you have
a copyright violation case with the breaking of a content protection system covered under the DMCA.
And guess whose fault is was for publishing the
information in the changelog.
Next time Alan Cox comes to the US, he is arrested
and prosecuted under the DMCA.
As ridiculous as the example is, it is possible.
Hrm. (Score:3, Insightful)
File permissions are really more for privacy then they are for IP control. And remember, judges are supposed to go by the spirit of the law, not necessarily the letter. Just because you could theoretically rig something up to be a content control mechanism, doesn't mean that the courts would look on them as such.
And also, I don't believe that you can be convicted for circumventing your own technology, any more then you could be sued for violating the GPL on software you wrote (and own the copyright on).
There needs to be a plaintiff after all.
Re:Hrm. (Score:3, Interesting)
I'm not sure that's true, but even if it is I don't see how it makes a difference. The most likely scenario is a content creator uses his network drive while creating the content. Somebody else who has access to the machine hacks it and steals the content.
I'm not sure that's really true either, but by the time the case gets to the courts the poor programmer has already spent several months in jail. Think about this for a second. Why should a U.K. citizen risk getting embroiled in the American legal system? He doesn't live there, vote there, or have any particular interest in becoming a martyr like Dimitri. Would you get involved in human rights protests in China while on vacation there? I doubt it. You can sympathize, but in the end it's not your battle. It's the same with Alan.
Re:Hrm. (Score:2, Informative)
And nobody using Linux ever creates any valuable, original content? Gosh, an author writing his new bestselling novel on a multi-user Linux system may be surprised to hear that. So might the programmers of the "next big thing" who are also writing their new whiz-bang software on Linux systems and collaborating over the Internet.
Last weeks Reg news - Today! (Score:3)
No, Alan Cox is not pro non-disclosure. But it does seem to have been an unintended side affect of his swipe at the DMCA
Re:Last weeks Reg news - Today! (Score:1)
No, Alan Cox is not pro non-disclosure
wtf? want to include some more double negatives in there?
Unintended consequences not a Pandora's Box (Score:3)
The international nature of Linux development makes it a potential platform for protest and discontent, but at the same time, developers can and do seem to recognize the importance of their role in the endeavor. They should be excused for occasionally "acting out", imho.
Politicians aren't made overnight.
Re:Unintended consequences not a Pandora's Box (Score:3, Insightful)
There is already a problem. It's called the DMCA. Alan Cox is neither responsible for the existence of the problem or the consequences of the said problem as he's not a US citizen and therefore gets no "say" in making laws there.
Re:Unintended consequences not a Pandora's Box (Score:2)
Perhaps Mr. Cox is simply speaking out for the little guy. That's ok, but my government is gonna need some time and support to work out the fine distinctions of hat colors now that the information age is upon them. Maybe there aren't just two, after all.
In fact, the more I think about this, the more I am sure that Mr. Cox thought very carefully about this before doing it. But Linux should transcend these concerns. And imho, should not be used as a political platform at this time.
Pandora's Box? (Score:2)
I think not! Pandora's Box [microsoft.com] is a Microsoft product! It would be really amusing if Cox opened it.
Of course, Pandora's Box really describes my thoughts of NT...
diff the code? (Score:4, Insightful)
I don't think we really need to know HOW the bad code could be exploited...the smart people should be able to figure that out for themselves by looking at the code. Why help the script kiddies. "Fixed some major security flaws" type message is good enough for me as a user.
-Pete
Re:diff the code? (Score:3, Informative)
There are problems with this line of reasoning, as I will attempt to describe.
Yes, we could all just diff the code, and we could even set up a secondary website(s) to discuss the impact of the changes we find. However, this is a very inefficient mode of operation when it comes to something as critical as security.
Your comment about "helping the script kiddies" is disturbing in that it sounds way too close to Microsoft's "plea to the security community". That's just no good; I want to see the full details of other peoples' reasoning on these things so I'll be better able to intelligently digest and evaluate the information myself. I'm not an outstanding C coder (although I do a lot of Perl and C), so I could easily miss important things.
The other trouble with this is that since this deals with open source software, the "user" has the immediate option of contributing in a meaningful way to the project. Unlike traditional "closed source" models, the average user (at least currently) of high security impact open source software is likely to have a few more than average clues on security topics.
If you make it harder for these people (read: us) to get at the requisite information, you're not only putting security at risk; you're also defeating a large part of the open source / free software philosophy. Nowhere in the GPL or any other similar license that I'm aware of does it say that changelogs are subject to geographic censorship. Now, IANAL, but I also don't think the DMCA really has anything to do with this, from my following of other threads here related to all that mess.
Just my thoughts, nothing more. Thank you.
Re:diff the code? (Score:5, Funny)
If you keep speaking like that, peterdaly, then diff might become a circumvention device under the DMCA and thus, will be banned in the United States.
If you want to keep various GNU Tools such as diff, cat, cp, and ghex, then you have to hide the fact that they are usefull for anything other than taking up space. Otherwise we risk them becoming circumvention devices under the DMCA.
Re:diff the code? (Score:3)
On the other hand, most people couldn't care less which has been changed in the kernel. When did kernel ChangeLogs show up? In 1999? Or in 2000? It was pretty late anyway, and I remember that Felix von Leitner was flamed for suggesting them a few years ago, so that you could follow changes to internal interfaces more easily. Of course, ChangeLogs are a nearly a must-have documentation tool, but Linux kernel development is possible without them. (In fact, Linux kernel development deliberately doesn't use a few tools many people consider essential for (operating system development).
Re:diff the code? (Score:3, Insightful)
Even if you can spot these easily, there is still a lot more work involved in going through diffs, than just being told what was fixed.
That Alan Cox coment was a protest! (Score:2, Interesting)
There is full disclosure. Just look the diff.
I can't understand how people can claim to understand free software development and then have these claims.
Hugs, Cyclops
Re:That Alan Cox coment was a protest! (Score:2)
I'm not a kernel hacker and I'm also not that much of a programmer. When a new version of the kernel comes out and I want to determine how it effects me I'm probably not going to step up and diff the source tree. If one thing had changed then I could probably figure out what had changed, but if 30 or 40 things had been fixed, diff's arent going to make alot of sense to someone who isn't familar with the code. Diffs are not going to make no sense to someone who doesn't program for a living.
so for a moron like me, who just wants to _use_ linux, changelogs are more useful (if not necessary).
Re:That Alan Cox coment was a protest! (Score:2)
The Patches are already a diff to the source tree, so that job is already done for you. I assume that you're running a vanilla kernel, of course.
Cox does not think disclosure is bad... (Score:5, Insightful)
The way to deal with the DMCA is not to pretend it does not exists, but to show how ridiculous it is, and that means obeying it and showing how it limits development. You cannot think about computer security without considering the legal aspects. Of course full disclosure would be better, but at what price?
Cox could *actually* go to jail in his next visist to the USA in case he did it. (Think not? Dimitry also didn't believe it could happen.) I am sure you can get the information of what was changed in the kernel by other means (linux-kernel?), but it is very important to be registered in the log that we are being limited by the DMCA. I don't know, perhaps in a nicer future someone will look back at these logs and ask why he didn't describe the problems, and then they will remember how the abuse of corporate power has changed law in a uncostitutional and limiting way.
We are not talking about boys playing in a BBS, we are talking about real men with real families, people important in our community, that could go to jail because of stupid laws in the lack of this responsability.
Re:Cox does not think disclosure is bad... (Score:2)
The way to deal with the DMCA is not to pretend it does not exists, but to show how ridiculous it is, and that means obeying it and showing how it limits development.
So, slightly tongue-in-cheek, is this what Gandhi or Thoreau would call civil obedience?
Re:I simply do not understand (Score:3, Interesting)
As the DMCA is a federal law, the complainant in that case would be the same as the complainant the next time someone gets busted by the DEA for importing cocaine. The US federal government. No need for a "real person" to file a complaint or anything like that.
Would they not have to demonstrate some kind of damage that resulted from the alleged misdeed?
That's not included in the DMCA, sorry. No need to actually prove that any damage was done.
Surely, he's just making a point, right?
Nope, he's genuinely concerned about going to jail. Mr. Cox has apparently checked with a lawyer (always a good idea when unsure of what the law really is) and has been advised as follows:
(a) It is unlikely but not out-of-the-question that he would be arrested and incarcerated in the US for publishing the changelogs.
(b)It is extremely unlikely (almost impossible) that he would actually be CONVICTED under the DMCA.
Having considered the matter, Mr. Cox takes the not unreasonable position that he would rather not take a chance of being arrested and tossed into jail until he eventually gets to trial. It's a small chance, sure, but the possibility does apparently exist.
I don't see how anyone can fault Mr. Cox for taking action to insure that he does not get tossed into jail in the USA the next time he visits there, He's checked with a lawyer and been advised that there is a risk; he chooses not to take that risk.
Re:I simply do not understand (Score:2)
No, he's just using his position of power to make a political point... and while there's nothing wrong with that, it's disingenuous to pretend otherwise.
(a) It is unlikely but not out-of-the-question that he would be arrested and incarcerated in the US for publishing the changelogs.
It is unlikely, but not out of the question that Alan will be struck by a meteorite. Perhaps he should be taking some precautions against that too?
Re:I simply do not understand (Score:2)
You can't have it back. It costs too much and you can't afford it.
Oh Enough of this already... (Score:5, Informative)
If you really want to see it, click here:
kernel-2.2.20.log [homeip.net]
kernel-2.2.20pre11.log [homeip.net]
I'm sure Alan knows that people will do this, he'd probably rather stay away from it and make the moral point to US law. Ironic since in an earlier post in another topic the US-posters were praising their First Amendment.
Re:Oh Enough of this already... (Score:2)
OK, I give. What's the bit that's worrying Alan? Nothing (immediately) leapt out, poked me in the eye, and said "This is information that enables someone to bypass the technical protection on a copyrighted work."
I have an idea.... (Score:1)
How is a changlog a circumvention dev ? (Score:3, Interesting)
Right... (Score:2, Insightful)
Although commercial tools are available that scan for vulnerabilities, the lag time between development of the exploit and the next periodic update to security scanning packages is too long for many enterprises.
Not to mention that the commercial tools usually cost $$$, and have their own problems and shortcomings; the alternative being to download the exploit from bugtraq and try it yourself against your machines.
From my experience - I work as a unix sysadmin for a small-to-medium software company - waiting for vendor updates (any vendor, from Sun to M$) is akin to giving up... blocking the traffic in the firewall is to survive. You have to know what to block, obviously.
So, IMHO there is nothing like first-hand experiencing the exploits. I know the script-kiddies say the same thing.
Amazing...simply....Amazing! (Score:4, Insightful)
Second, why is everyone here so upset? Oh, hang on. This affects, um who was it? Oh thats right, the Americans. We really shouldn't upset them should we? Most of the comments that I have seen modded up so far basically say one of the following things:
Well, sadly:
Hands up all of the americans who have written their senator, state and federal. Hands up to all of those who have given financial, or other, support to movements who are trying to repeal the DMCA. Hands up all those who would just rather whinge when that law inconveniences them. Hmm. Thought so, on that last question the number of hands went up by 10.
If you are really so cut up about it, figure out what has changed (it isn't really that hard, it has been talked about in the previous article) and post it yourself. Then to prove to Alan what a fool he is, walk down to the DA's office and get a written statement saying that they will not prosecute you for releasing that information. Make entirely clear to them that you have released information that could help people circumvent rights management, and get the DA to sign saying that they would not prosecute you for releasing this information.
Personally, I don't think that this will happen, since most people would rather make Alan the bad guy over taking any personal risk. I dare you to prove me wrong.
True. This place... (Score:1)
I mean, on the one hand you've got a bunch of people crying that this assists firms like Microsoft. On the other, you've got users who copy verbatim writings they've already posted at other weblogs.
I'm beginning to think even reading comments (1 or below) at Slashdot is a waste of time. What do you think?
A better excuse for non-full disclosure (Score:5, Funny)
Maybe we would all do better following Linus's methods. Let's say you need to turn in an Essay on Lord Of The Flys, it's simple:
As you can see, this eases your everyday life. It gets rid of the unintended problems that spring from caring about anything but the task at hand.
--Josh
Is this RedHat's fault? (Score:1)
What I don't understand about the DMCA... (Score:3, Insightful)
Is Ford or Firestone sueing the group that discovered the flaw when you put an Explorer on Firestone tires?
Are lockmakers sueing those that pick locks?
Why do software companies think they're so "special" in that regard?
Isn't there a consumers' association in the US?
If there is, I don't know how they act, but in many countries this sort of association tries to keep regular companies on their toes by regularly testing their products and giving them a thumbs-up or thumbs-down verdict. Also if consumers are having problems with a company due to a breach of contract or bad sale or whatever, the association has a bunch of lawyers on their payroll who are willing to sue.
Wouldn't it just be a great idea if encryption-breakers could team up with that kind of organisation? I mean, it is of course in the consumer's interest that this sort of work goes on.
Well.. (Score:2)
It's also not about flaws in tires, or bugs in software.
It's about technological systems that protect copyrighted works.
ChangeLog Might Not Be Appropriate... (Score:2)
Why should Cox risk jailtime ? (Score:5, Insightful)
We all know that that is illegal in the USA, thanks to the DMCA, and in a little over one year, will also be illegal in most of Europe, thanks to the EUCD - European Union Copyright Directive.
My question is: Why should he take the risk ? Until know, Sklyarov is still in jail, Felten hasn't got the courts permission to present his article and I still can't get a DVD player with any GNU/Linux distribution. Isn't this enough to make one think twice before entering the security field ?
M.I.B's (Score:2, Funny)
The M.I.B's (Microsofties In Black)would be proud.
Just claim "you don't need to know".
And the 'Little Flashie Thingies' don't hurt either.
Alan Cox yet again (Score:1, Flamebait)
Mr. Cox, do you adhere to all the rules of the U.S. as a british citizen? I suppose you keep a library of U.S. lawbooks at your house so you won't violate any of our laws while in your home country.
The DMCA is a U.S. law. Dmitri Skylarov was arrested while breaking the DMCA on U.S. soil. Even if AC broke the DMCA in England and then came here, he'd have to break the DMCA here in order to get arrested.
The federal goverment does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention. This is simply ridiculous. You can't be put in jail for publishing changelogs to your own code.
Oh my god...last week I tried to hack my own linux box! I'm a fugitive from justice!
Personally, I vote Alan Cox finds him a nice little therapist somewhere in merry old England and tries to get some help.
Re:Alan Cox yet again (Score:2)
This is most definitely not the point. Alan Cox is making a protest against the DMCA. He's chosen a public forum, but not big enough to actually inconvenience a lot of people too much (witness mirrors).
Dmitri Skylarov was arrested while breaking the DMCA on U.S. soil. Even if AC broke the DMCA in England and then came here, he'd have to break the DMCA here in order to get arrested.
Nope! He did it in Russia, came over to a convention to promote the product, got arrested by Adobe^H^H^H^H^Hthe FBI there.
Alan Cox - defender of freedom in America (Score:5, Informative)
Not a law student, I take it. If Alan makes information available across the Internet to Americans, that violates a US law, Alan has violated US law and can be arrested when he enters the country. To take a less ephemeral example, imagine if a Colombian mails you a package of cocaine and puts his name and return address on the package. You don't think he could be arrested on entry to the US? By your logic, Osama bin Laden could not be arrested if he flew into JFK tomorrow, because he has never personally committed a crime on US soil.
The federal goverment does not actively seek out violators of the DMCA without a "victim" bringing the violation to their attention.
Do you think Sklyarov knew that his "victims" had filed a complaint against him, before he was arrested? How is Alan going to know when it is or isn't safe to travel to the US? Tivo might decide to bring a complaint because Alan has enabled people to more easily crack their boxes, for example. Linux has far wider scope, and many more applications, than anything Sklyarov ever did.
This business of having draconian laws which are enforced at the authorities discretion is very dangerous. It restricts freedom in all sorts of ways, and often results in people restricting their own freedoms, and those of others - as Alan has done - in order to "play it safe". Laws like this take away basic freedoms in an insidious, indirect way that would never be possible if done directly.
If you're saying that you support the DMCA as written, then I suppose we have a total different argument which we haven't even begun to address. But if you don't support the DMCA, you should respect Alan Cox's right to respond to it.
Alan Cox is doing more for freedom in America than you have ever done. Think about that the next time you criticize.
legal nonsense (Score:2)
The "nonsense" here is the DMCA. Alan's is actually quite a rational response. If he ever finds himself accused under the DMCA, he can point to the fact that once apprised of his legal situation, he took proactive steps to change it. This would certainly mitigate if not eliminate any liability or guilt he has under the law.
Perhaps I should suggest to the FBI that Alan is a known multiple violator of the DMCA and they should extradite him?
If your copyrights were being violated in some way that had to do with previous Linux changelogs, you might be able to do just that, although it might depend on the details of the extradition treaties. What's your point?
Anyone see how Alan's soapboxism is silly now?
No. As you say, you're not as well known as Alan - and not being well-known, you're not exposed to the legal risks, due to greater scrutiny, to which higher-profile people are often subject. I'm sure Sklyarov is really glad to hear that you don't think the DMCA is anything to worry about.
Re:Alan Cox - defender of freedom in America (Score:2)
Believe it or not, I didn't actually mean that as any kind of insult, just a reflection of the fact that having a more public presence, Cox is more likely to have an impact than you, unless you are actually active in politics in some way, beyond simply voting and writing your congressperson.
By doing what he's doing, Alan Cox is preaching to the choir and alienating americans.
You're only alienated if you choose to be alienated. While you may not have voted for the DMCA, nevertheless your elected representatives did. There's a problem there, which may stem from issues like campaign finance that allow corporations to purchase legislation, and from politicians and their staffs being undereducated on information technology and its social implications. Whatever the reasons, the end result is a problem, and I think it only helps the cause if people outside the US make it clear that they perceive a problem.
Yet, he is "punishing" us because of his ego. He thinks he is important enough that he'll make a difference.
Actually, as some other people have pointed out, his position may be much more pragmatic than political - he doesn't want to expose himself to unnecessary risks. Either way, though, I think you underestimate the value of apparently "token" actions like those Alan has taken. It all adds up. Symbolic gestures are often the things that get people thinking about something, and they propagate through society in unexpected and unpredictable ways. If everyone simply sits back and accepts the situation, you can be sure that nothing will ever change. Alan has made it clear that he perceives a problem, and that's important.
If we're not making a difference here, he won't make a difference concealing details about something most, if not all, congressmen have never even heard of.
But he can now be pointed to as an example of how the DMCA is affecting the willingness of the international community to collaborate on technological projects with the U.S. There are similarities to the Felten case. This hasn't happened yet, but he's just one more piece of evidence in the case against the DMCA. He alone is certainly unlikely to change anything, but again, change has to start somewhere.
Taking action in the certain expectation of criticism like yours is part of what makes what Alan's actions admirable. He's doing what he thinks is right and necessary. You're choosing to interpret that as some kind of personal insult, but I think you're wrong to see it that way. Alan, whether wrong or right, is at least taking a stand and a position that has a chance to have an effect.
I, for one, am just glad that he's not going to maintain the 2.4 kernel.
I don't really understand the connection - this just seems petty to me. You can get hold of the changelogs if you want them, just not from Alan, so that's not really an issue. You object to anyone outside the US pointing to the stupidity of a US law? Why? He's on your side, whether you realize it or not. Don't be so sensitive - the US can withstand a bit of bashing, especially when it deserves it, and it doesn't have to be a reflection on you personally.
Publishing source violates DMCA (Score:3, Interesting)
Everything a person needs to know to circumvent access controls is in the operating system source code. Therefore, publishing source code to an OS is a violation of the DMCA.
AC interview on Newsforge, linked on Linuxtoday (Score:4, Informative)
Point being, a couple of days ago there was an article linked there to Newsforge with an interview with Alan Cox about his views on the DMCA and these changelogs [newsforge.com].
For the lazy, the essential point is that AC has gotten legal advice that he very well could be charged in the US for posting the vulnerabilities based on an interpretation of the DMCA, but that no "sane" US court would convict him. However, he does not want to spend 6 months in the US to go through the process.
So, basically, he's making a political point about stupid laws. He's welcome to if that what he wants. As others have said, it's not like most people interested in kernel changes can't use diff.
Glenn
join the eff (Score:2)
DCMA implies CLOSED SOURCE (Score:3, Insightful)
If the kernel change logs can be used to provide information to hackers that would result in criminal liability, does not the entire kernel source provide the same information?
Doesn't that imply that the entire Linux Kernel Source should be closed and only Binaries provided?
If Alan Cox is allowed to use Linux as his own political soapbox, then Linux itself is history. Where the hell is Linus?
Re: DCMA implies CLOSED SOURCE (Score:2)
Linus is in the USA, and so will have to be very, very careful what he says and does for the forseeable future.
You want to bet that Microsoft wouldn't pull an Adobe and have their Enforcement Division (aka the US legislature) lock up Linus if they thought the benefits would outweigh the costs? It's unthinkable, you say? Why is it unthinkable? All Microsoft would have to do would be to fulfill their patriotic duty to report an un-American protection control bypass in the Linux kernel, then Uncle Sam will do the dirty work for them.
What's the cost to Microsoft of doing that? Bad publicity for them, and good publicity for Linux. What's the benefit? Tie up Linus in court action for years. Have his passport removed. Restrict his ability to travel. As best, have him jailed on remand. The damage that would do to the Linux kernel would be real and immediate. GNU/Linux needs to take desktops from Microsoft now, before .NET gains mindshare, and any kernel splits, delays or even more FUD would give .NET a free run.
Do you really think there isn't a cadre of Microsoft execs and lawyers discussing this right now? Not in terms of right and wrong, just in terms of damage and payoff.
Alan's taking the easy way out (Score:3, Flamebait)
If Alan Cox really wants to make a point, he should put his money where his mouth is and LET himself be open to a suit under the DMCA. His current approach, hiding the changelogs, does nothing to stop the DMCA, and by submitting to it he's giving its backers exactly what they want.
Laws don't get changed if nobody has the guts to challenge them. If Alan wants to get his point across, he should let himself be sued (not that it would actually happen, because I doubt any company really gives a damn what he puts in his changelog). Then he, like Felten and Sklyarov, has a great case to challenge the law with.
Instead, this "spectacle" seems to be Alan submitting to the DMCA, then trying to attract as much attention as possible to his crying about it. I have no pity for this, and I hope the rest of his audience feels the same.
Re:Alan's taking the easy way out (Score:3, Insightful)
Alan is taking a different approach. He's not trying to show the world that breaking the law will get you in trouble. He's trying to show the world that people who obey the law are the ones being hampered. Instead of violating the law (knowingly or not) and then crying foul when he gets charged, he's making the point that complying with the DMCA interferes with legitimate business. It's a subtle difference, but IMO it's a better precedent. I think people will be more apt to see the DMCA as a bad law once they understand that it's the law-abiding citizens who are being effectively punished.
To quote a poster from the original thread on this issue, the DMCA is the only law so stupid that it must be fought through civil obedience!
Shaun
Re:Alan's taking the easy way out (Score:2)
He's not showing the world anything; he's only telling those of us who follow Linux and Slashdot. He's simply "preaching to the choir."
Furthermore, even if this was publicised, it would hardly seem like the case of a poor academic being wronged by and unjust law -- and that's because it isn't. It's a British hacker with no legal expertise stretching this American law so that he can cry out that he was wronged.
You and I and whoever else is reading this know that what he's saying might not be that much of a stretch, and that there is a slight chance this could get him in trouble. But he won't be earning any sympathy from anyone other than us unless that actually happens, and I think it's very unlikely that anyone would ever try to apply the DMCA against him in that manner anyway.
(There goes my karma. Kill the messenger =)
Re:Alan's taking the easy way out (Score:2)
Furthermore, even if this was publicised, it would hardly seem like the case of a poor academic being wronged by and unjust law -- and that's because it isn't. It's a British hacker with no legal expertise stretching this American law so that he can cry out that he was wronged.
You and I and whoever else is reading this know that what he's saying might not be that much of a stretch, and that there is a slight chance this could get him in trouble. But he won't be earning any sympathy from anyone other than us unless that actually happens, and I think it's very unlikely that anyone would ever try to apply the DMCA against him in that manner anyway.
(There goes my karma. Kill the messenger =)
Re:Alan's taking the easy way out (Score:2)
The DMCA is affecting those who are using Linux except Alan Cox and other non-US developers. Its the Americans who should be complaining about how this has affected them.
The US has this habit of charging foreigners with breaking these new laws and getting them extradited or tricking them into coming onto american soil when necessary.
Re:Alan's taking the easy way out (Score:2)
I see. So I should really regard the Changelog as a joke and diff the sources for myself, should I? *bzzzt*, I have real live servers to maintain. If I don't get to know what I'm upgrading and for why, I won't use linux on them at all.
Alan, if you're reading, remember that you're in the UK, not the US, and don't pander to their damn silly DMCA "law" either as a joke or semi-seriously (I know kernel.org is in the US...) again.
Re:Alan's taking the easy way out (Score:2)
I live in Canada and have sent in my pleas for us to not have a rehashed DMCA introduced here already.
Re:Alan's taking the easy way out (Score:2, Interesting)
Full Changelog (Score:2, Informative)
2.2.20 final
o Final fixes for the computone driver (Michael Warfield)
2.2.20pre12
o Update davicom driver to fix oopses (Sten Wang)
o Updated PC300 driver - fix SCA-II DMA bugs
(Daniela P. R. Magri Squassoni)
o Make syn cookies per socket (Andi Kleen)
o Computone driver fixes for fast PC's (Michael Warfield)
| Follow on devfs patches didnt apply so dropped
o DAC960 update (Leonard Zubkoff)
2.2.20pre11
o Security fixes
- Quota buffer overrun , possibly locally (Solar Designer)
exploitable
- Ptrace race - local root exploit (Rafal Wojtczuk,
- Symlink local denial of service attack Solar Designer,
fix Linus Torvalds)
- Sparc exec fixups (Solar Designer)
o Sparc updates (Dave Miller)
o Add escaped usb hot plug config item (Ryan Maple)
o Fix eepro10 driver problems (Aris)
o Make request_module return match 2.4 (David Woodhouse)
o Update SiS900 driver (Hui-Fen Hsu)
o Update ver_linux to match 2.4 (Steven Cole)
o Final isdn fixups for 2.2 (Kai Germaschewski)
o scsi tape fixes from 2.4 (Kai Mäkisara)
o Update credits entry (Henrik Storner)
o Fix scc driver hang case (Jeroen)
o Update credits entry (Dave Jones)
o Update FAT documentation (Hirokazu Nomoto)
o Small net tweaks (Dave Miller)
o Fix cs89xx abuse of skb->len (Kapr Johnik)
2.2.20pre10
o Update the gdth driver (Achim Leubner)
o Fix prelink elf loading in 2.2 (Jakub Jelinek)
o 2.2 lockd fixes when talking to HP/UX (Trond Myklebust)
o 3ware driver update (Adam Radford)
o hysdn driver update (Kai Germaschewski)
o Backport via rhine fixes (Dennis Bjorklund)
o NFS client fixes (Trond Myklebust, Ion Badulescu,
Jim Castleberry, Crag I Hagan.
Adrian Drzewiecki)
o Blacklist TEAC PD-1 to single lun (Wojtek Pilorz)
o Fix null request_mode return (David Woodhouse)
o Update credits entry (Fernando Fuganti)
o Fix sparc build with newer binutils (Andreas Jaeger)
o Starfire update (Ion Badulescu)
o Remove dead USB files (Greg Kroah-Hartmann)
o Fix isdn mppp crash case (Kai Germaschewski)
o Fix eicon driver (Kai Germaschewski)
o More pci idents (Andreas Tobler)
o Typo fix (Eli Carter)
o Remove ^M's from some data files (Greg Kroah-Hartmann)
o 64bit cleanups for isdn (Kai Germaschewski)
o Update isdn certificates (Kai Germaschewski)
o Mac update for sysrq (Ben Herrenschmidt)
2.2.20pre9
o Document ip_always_defrag in proc.txt (Brett Eldrige)
o Update S/390 asm for newer gcc (Ulrich Weigand
o Update S/390 documentation Carsten Otte
o Update s390 dump too and co)
o Update s/390 dasd to match 2.4
o Backport s/390 tape driver from 2.4
o FDDI bits for s/390
o Updates for newer pmac laptops (Tom Rini)
o AMD760MP support (Johannes Erdfelt)
o Fix PPC oops on media change (Tom Rini)
o Fix some weird but valid input combinations (Tom Rini)
on PPC
o Add additional checks to irc dcc masquerade (Juanjo Ciarlante,
Michal Zalewski)
o Update 2.2 ISDN maintainer (Kai Germaschewski)
o Fix 3c505 with > 16Mb of RAM (Paul)
o Bring USB into sync with 2.4.7 (Greg Kroah-Hartmann)
2.2.20pre8
o Merge DRM fixes from 2.4.7 tree (me)
o Merge sbpcd fixes from 2.4.7 tree
o Merge moxa buffer length check
o Merge bttv clip length check
o Merge aha2920 shared irq from 2.4.7 tree
o Merge MTWEOF fix from 2.4.6 tree
o Merge serverworks AGP from 2.4.6 tree
o Merge sbc60xxx watchdog fixes from 2.4.6
o Merge lapbether fixes from 2.4.6
o Merge bpqether fixes from 2.4.6
o Merge scc fixes from 2.4.6
o Merge lmc memory leak fixes from 2.4.6
o Merge sm_wss fixes from 2.4.6
o Resync AGP support with 2.4.6
o Merge epca fixes from 2.4.5
o Merge riscom8 fixes from 2.4.5
o Merge softdog fixes from 2.4.5
o Merge specialix fixes from 2.4.5
o Merge wdt/wdt_pci fixes from 2.4.5
o ISDN cisco hdlc fixes (Kai Germaschewski)
o ISDN timer fixes (Kai Germaschewski)
o isdn minor control change backport (Kai Germaschewski)
o Backport ELCR MP 1.1 config/PCI routing stuff (John William)
o Backport isdn ppp fixes from 2.4 (Kai Germaschewski)
o Backport isdn_tty fixes from 2.4 (Kai Germaschewski)
o eicon cleanups (Armin Schindler)
| Armin can you double check the clashes were ok
o Fix an ntfs oops (Anton Altaparmakov)
o Fix arp null neighbour buglet (Dave Miller)
o Update sparc version strings, pci fixups (Dave Miller)
o Define CONFIG_X86 in 2.2 as well as 2.4 (Herbert Xu)
o Configure.help cleanups (Steven Cole)
o Add MODE_SELECT_10 to qlogic fc table (Jeff Andre)
o Remove dead oldproc variable (Dave Miller)
o Update starfire driver for 2.2 (Ion Badulescu)
o 8139too driver update (Jens David)
o Assorted race fixes for binfmt loaders (Al Viro)
o Update Alpha support for older boxes (Jay Estabrook)
o ISDN bsdcomp/ppp compression fixes (Kai Germaschewski)
2.2.20pre7
o Merge rose buffer management fixes (Jean-Paul Roubelat)
o Configure.help updates (Steven Cole)
o Add Steven Cole to credits (Steven Cole)
o Update kbuild list info (Michael Chastain)
o Fix slab.c doc typo (Piotr Kasprzyk)
o Lengthen parport probe timeout (Jean-Luc Coulon)
o Fix vm86 cleanup (Stas Sergeev)
o Fix 8139too build bug (Jürgen Zimmermann)
o Fix slow 8139too performance (Oleg Makarenko)
o Sparc64 exec fixes (Solar Designer)
2.2.20pre6
o Merge all the pending ISDN updates (Kai Germaschewski)
| These are sizable changes and want a good testing
o Fix sg deadlock bug as per 2.4 (Douglas Gilbert)
o Count socket/pipe in quota inode use (Paul Menage)
o Fix some missing configuration help texts (Steven Cole)
o Fix Rik van Riel's credits entry (Rik van Riel)
o Mark xtime as volatile in extern definition (various people)
o Fix open error return checks (Andries Brouwer)
2.2.20pre5
o Fix a patch generation error, replaces 2.2.20pre4 which is
wrong on ad1848
2.2.20pre4
o Fix small corruption bug in 82596 (Andries Brouwer)
o Fix usb printer probing (Pete Zaitcev)
o Fix swapon/procfs race (Paul Menage)
o Handle ide dma bug in the CS5530 (Mark Lord)
o Backport 2.4 ipv6 neighbour discovery changes (Dave Miller)
o FIx sock_wmalloc error handling (Dave Miller)
o Enter quickack mode for out of window TCP data (Andi Kleen)
o Fix Established v SYN-ACK TCP state error (Alexey Kuznetsov)
o Sparc updates, ptrace changes etc (Dave Miller)
o Fix wrong printk in vdolive masq (Keitaro Yosimura)
o Fix core dump handling bugs in 2.2 (Al Viro)
o Update hdlc and synclink drivers (Paul Fulghum)
o Update netlink help texts (Magnus Damm)
o Fix rtl8139 keeping files open (Andrew Morton)
o Further sk98 driver updates. fix wrong license (Mirko Lindner)
text in files
o Jonathan Woithe has moved (Jonathan Woithe)
o Update cpqarray driver (Charles White)
o Update cciss driver (Charles White)
o Don't delete directories on an fs that reports (Ingo Oeser)
then 0 size when doing distclean
o Add support for the 2.4 boot extensions to 2.2 (H Peter Anvin)
o Fix nfs cache locking corruption on SMP (Craig Hagan)
o Add missing check to cdrom readaudio ioctl (Jani Jaakkola)
o Fix refclock build with newer gcc (Jari Ruusu)
o koi8-r fixes (Andy Rysin)
o Spelling fixes for documentation (Andries Brouwer)
2.2.20pre3
o FPU/ptrace corruption fixes (Victor Zandy)
o Resync belkin usb serial with 2.4 (Greg Kroah-Hartmann)
o Resync digiport usb serial with 2.4 (Greg Kroah-Hartmann)
o Rsync empeg usb serial with 2.4 (Greg Kroah-Hartmann)
o Resync ftdi_sio against 2.4 (Greg Kroah-Hartmann)
o Bring keyscan usb back into line with 2.4 (Greg Kroah-Hartmann)
o Resync keyspan_pda usb with 2.4 (Greg Kroah-Hartmann)
o Resync omninet usb with 2.4.5 (Greg Kroah-Hartmann)
o Resync usb-serial driver with 2.4.5 (Greg Kroah-Hartmann)
o Resync visor usb driver with 2.4.5 (Greg Kroah-Hartmann)
o Rsync whiteheat driver with 2.4.5 (Greg Kroah-Hartmann)
o Add edgeport USB serial (Greg Kroah-Hartmann)
o Add mct_u232 USB serial (Greg Kroah-Hartmann)
o Update usb storage device list (Stas Bekman, Kaz Sasayma)
o Bring usb acm driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring bluetooth driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring dabusb driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring usb dc2xx driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring mdc800 usb driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring rio driver into line with 2.4.5 (Greg Kroah-Hartmann)
o Bring USB scanner drivers into line with 2.4.5 (Greg Kroah-Hartmann)
o Update ov511 driver to match 2.4.5 (Greg Kroah-Hartmann)
o Update PCIIOC ioctls (esp for sparc) (Dave Miller)
o General sparc bugfixes (Dave Miller)
o Fix possible oops in fbmem ioctls (Dave Miller)
o Fix reboot/halt bug on "Alcor" Alpha boxes (Tom Vier)
o Update osst driver (Willem Riede)
o Fix syncppp negotiation bug (Bob Dunlop)
o SMBfs bug fixes from 2.4 series (Urban Widmark)
o 3ware IDE raid driver updates (Adam Radford)
o Fix incorrect use of bitops on non long types (Dave Miller)
o Fix reboot/halt bug on 'Miata' Alpha boxes (Tom Vier)
o Update Tim Waugh's contact info (Tim Waugh)
o Add TIOCGSERIAL to sun serial on PCI sparc32 (Lars Kellogg-Stedman)
o ov511 check user data more carefully (Marc McClelland)
o Fix netif_wake_queue compatibility macro (Andi Kleen)
2.2.20pre2
o Fix ip_decrease_ttl as per 2.4 (Dave Miller)
o Fix tcp retransmit state bug (Alexey Kuznetsov)
o Fix a few obscure sparc tree bugs (Dave Miller)
o Fix fb
o Fix complie with CONFIG_INTEL_RNG=y (Andrzej Krzysztofowicz)
o Fix rio driver when HZ!=100 (Andrzej Krzysztofowicz)
o Stop 3c509 grabbing other EISA boards (Andrzej Krzysztofowicz)
o Remove surplus defines for root= names (Andrzej Krzysztofowicz)
o Revert pre1 APIC change
2.2.20pre1
o Fix SMP deadlock in NFS (Trond Myklebust)
o Fix missing printk in bluesmoke handler (me)
o Fix sparc64 nfs (Dave Miller)
o Update io_apic code to avoid breaking dual (Johannes Erdfelt)
Athlon 760MP
o Fix includes bugs in toshiba driver (Justin Keene,
Greg Kroah-Hartmann)
o Fix wanpipe cross compile (Phil Blundell)
o AGPGART copy_from_user fix (Dawson Engler)
o Fix alpha resource setup error (Allan Frank)
o Eicon driver updates (Armind Schindler)
o PC300 driver update (Daniela Squassoni)
o Show lock owner on flocks (Jim Mintha)
o Update cciss driver to 1.0.3 (Charles White)
o Backport cciss/cpqarray security fixes (me)
o Update i810 random number generator (Jeff Garzik)
o Update sk98 driver (Mirko Lindner)
o Update sis900 ethernet driver (Hui-Fen Hsu)
o Fix checklist glitch in make menuconfig (Moritz Schulte)
o Update synclink driver (Paul Fulghum)
o Update advansys scsi driver (Bob Frey)
o Ver_linux fixes for 2.2 (Steven Cole)
o Bring 2.2 back into line with the master ISDN (Kai Germaschewski)
o Whiteheat usb driver update (Greg Kroah-Hartmann)
o Fix via_rhine byte counters (Adam Lackorzynski)
o Fix modem control on rio serial (Rogier Wolff)
o Add more Iomega Zip to the usb storage list (Wim Coekaerts)
o Add ZF Micro watchdog (Fernando Fuganti)
Think Unix (Score:2)
Danny.
open source intrinsically at risk (Score:2)
And open source is at a grave disadvantage here: when Microsoft violates the GPL, nobody will know about it because it is hidden in gigabytes of messy binaries. But when Apache or the Linux kernel steps on someone's toes, everybody knows about it right away because the source code is open and widely read.
I don't have a solution for this problem other than that we need to become more active politically: open source software should not be at this disadvantage. But until the laws are fixed, decisions like Cox's, will be both rational and increasingly common. Stopgap technological measures, such as anonymous posting of such information, may help in the meanwhile, but they are far from perfect, both because they don't actually remove the legal liability and because they make development unnecessarily cumbersome.
Idaho Letter (Score:3, Insightful)
Feel free to cut and paste and modify.
Jon Lasser may be smart, but... (Score:2)
...today he seems to be off-balance, and doesn't seem to understand all of the issues about which he speaks. Apparently he has failed to note a couple of key facts:
Alan Cox hasn't censored himself. If Jon Lasser would fly to England or cross the border into either Mexico or Canada, he could find an Internet café somewhere where he could study the changelogs at his leisure.
It's his country that's done the censorship.
The DMCA has already made the full disclosure way he and everyone else who has the smallest clue about computer and information security knows to be effective illegal in the United States.
If he wants to bitch about it, let him either write to his congressman to get the law repealed, or emigrate to some other country that doesn't have a DMCA-like law.
Cox has reason to be worried... (Score:2)
What does this have to do with Alan Cox? Everything...
The powers that be in the information sector know that the loss of IP rights would completely destroy the information economy and, as such, the US economy. They cannot let go of these laws. They need them to ensure the survivability of the US economy into the next century. This is why the DMCA will be defended at every turn. This is why any act of "civil disobediece' will be punished. And if it is a foreign citizen that needs to be punished (like Dimitri or Alan) so much the better. The only people who will be crying to defend these "evil hackers" would be a bunch of ineffective nerds who can't even figure out they need to support the mainstream political parties to get their voices heard and who go away after a news article disappears from Slashdot's front page.
So, no. I don't think that Alan is being paranoid or just making a point. What I think is that the Slashdot audience really doesn't understand the extent to which the US economy is supported by IP law and the extent to which our government will go to see those laws protected and extended.
So go ahead. The changelogs are out there. Go ahead and host them yourselves. That is if you're not afraid to. Oh? Got to stay in and watch that Seinfeld rerun, huh? Thought so...
Re:You are making it too complicated (Score:2)
What work of yours has been affected by the DMCA and what did you do about it?
Nitpicks (Score:2, Interesting)
The inabilty to laugh at something amusing? (Score:1)
Re:And who didn't see this coming? (Score:3, Informative)
People keep repeating this, where does it come from? The DMCA is not specifically about encryption. It is about technological measures that effectively control access to copyrighted works. Based on court cases so far we can safely say that encryption appears to count as one such technological measure, but that doesn't suddenly mean that it's the only measure. If it was meant to apply specifically to encryption then I think the language used would be very different.
Linux is technological, even if you don't like the particular techonology. Linux is used to control access to copyrighted works, including text files, programs, music, graphics, whatever. It isn't difficult to conclude that the security measures in Linux are technological measures that effectively control access to copyrighted works.
That doesn't mean I'm convinced that posting this particular information would be contrary to the DMCA, I'm really not sure, but that has nothing to do with whether or not encryption is involved, which is a complete red herring.
Err... no. (Score:3, Insightful)
It covers COPYRIGHT PROTECTION MECHANISMS. You just assume those must be encrypted.
ie: Let's say a new CD format came out that just used a couple of bits to determine if a work is permitted to be copied (and requires a new player to play, etc). Someone who reveals a way to 'ignore' those bits, ie: by hotwiring the device is also violating the DMCA.
The linux kernel could very well have someone's copyrighted work on it, and giving someone the ability to obtain root access without authorization in order to copy that work could be constituted as a violation of the act. Yes, it's a stretch.. but not completely out to lunch. That's how broad the language of the DMCA is.
As for the 'sheer stupidity' of a British Citizen doing this... what about that Russian Citizen who was arrested for this very law?
If Alan wants to ever visit the US, say, to go to a conference, or the Superbowl, or whatever... he'll have to make sure he stears clear of US law, no?
Alan isn't a proponent of security through obscurity. He's a proponent of not getting arrested upon entering the United States.
Re:Put away your straw man (Score:2)
If you think the US hasn't prosecuted people for things that happen outside the US, you better go back to your little bubble.
"The code was made available to Americans on the internet, therefore, he violated US law on US soil"
Re:Wasn't it a joke/political comment? (Score:2, Informative)
Mr. Cox has consulted a lawyer (always a good idea when you are unsure of how a law might affect your activities) and has been advised that there is a greater-than-zero chance that he might be open to arrest and imprisonment if he travels to the US after publishing an "uncensored" changelog. Mr. Cox therefore chooses to avoid that greater-than-zero chance and protect his ability to travel to the US as he wishes to.
It's not a joke. It's sounds silly, but it's not a joke. Unfortunate indeed, but no joke.