Technology

Linux Update Withholds Security Details


Citing a controversial U.S. copyright law, a top Linux developer announced this week that Americans would not be given details about the security fixes in an update to the open source operating system, a first for a software development community that prides itself on transparency.

An update to version 2.2 of the Linux kernel, an older version of Linux that's still in wide use, was released Monday, conspicuously shorn of information about a number of security holes patched in the software.

In an email to a Linux developers' mailing list, U.K.-based Linux guru Alan Cox wrote that the self-censorship was necessary to avoid running afoul of the U.S. Digital Millennium Copyright Act (DMCA), a law that makes it a crime to create or distribute software "primarily designed" to circumvent a copy protection scheme.

Cox controls the 2.2 release, and is generally considered Linux's second-in-command after creator Linus Torvalds.

The DMCA has been under fire from computer programmers and electronic civil libertarians who argue that it is an unconstitutional impingement on speech, and interferes with consumers' traditional right to make personal copies of books, movies and music that they've purchased.

In July, the first criminal prosecution under the Act kicked off with FBI agents arresting Dmitry Sklyarov, a Russian computer programmer who was visiting the U.S. to give a talk at a security conference. Sklyarov is the author of a computer program that cracks the copy protection scheme used by Adobe Systems' eBook software.

"With luck, the Sklyarov case will see that overturned on constitutional grounds," Cox wrote on the list. "Until then U.S. citizens will have to guess about security issues."

AMERICA BOYCOTTED. But U.S. Linux developers and users suspect Cox of using them to carry a political message.

"My personal belief is that certain people are using this as an excuse to draw attention to the dangers inherent in the DMCA," says Birmingham system administrator Wayne Brown. "I'm sympathetic to their efforts, but not at all happy that people who need access to this information will be denied just to make a point... It seems to me to be contrary to the whole spirit of free software development."

"I still think this is an extremist view of the DMCA," wrote U.S. Linux developer Tom Sightler, in a post to the developers' list. "I don't see where it keeps you from posting information about security fixes to your own code."

Cox didn't respond to a reporter's inquiry, but on the mailing list, he wrote that the new closed policy was necessary because Linux's standard security features may be used for "rights management" of copyrighted work. He declined to elaborate further "on a list that reaches U.S. citizens."

The programmer plans to post Linux security information exclusively on a Web site that will block access from the U.S.

Despite Cox's fears, describing security holes or patches in Linux doesn't violate the DMCA, because the information isn't primarily designed for the purpose of circumvention, says attorney Jennifer Granick, director of the Stanford Law School's Law and Technology Clinic.

"He seems to be assuming that the DMCA prohibits discussion about any kind of security, and that's not what it does," says Granick. "The DMCA is bad, but it's not that bad."

"Part of the problem with the DMCA is it doesn't make intuitive sense to people who are practicing in this field, so even after reading the statute, people don't understand exactly what they are or aren't allowed to do," says Granick.

By Kevin Poulsen

