$title='Calendar'; include('includes.php'); ?>
From the EFF's website:
Cindy Cohn is the Legal Director for the Electronic Frontier Foundation as well as its General Counsel. She is responsible for overseeing the EFF's overall legal strategy and supervising EFF's 9 staff attorneys. EFF continues to be actively involved wherever freedom and civil liberties are at stake online. Issues that Ms. Cohn handles directly include:
- Hepting v. AT&T/In re: NSA Telecommunications Companies
- Electronic Voting
- John Doe cases
- Misuse of Copyright Infringement notices (DMCA 512(f))
- Online Activism
- Sony BMG DRM case
- Spam
Today's class will be on the topic of the publication of vulnerability data and restrictions thereof. Virtually all computer programs have bugs, and many of these bugs can be exploited by an attacker to change the program's behavior. Fortunately most of these vulnerabilities are unknown. As long as they remain unknown they can't be exploited.
For more than 20 years the computer security researchers and vendors have struggled with the question of how vulnerabilities should be publicized. Vendors would like the vulnerabilities to be quietly reported to the vendor so that they can be fixed and have the fixes distributed in a predictable manner---ideally with the next release of the software. After all, telling people that the vulnerability exists gives attackers a clue about finding it. Once the word is out a race is on between the attackers, who look for exploits, and manufacturers and users, who must fix all of the vulnerable systems. (Of course, news about vulnerabilities is also embarrassing for software vendors and can cause a loss of sales.)
The Digital Millennium Copyright Act criminalized the distribution of certain kinds of vulnerability information---information that could be used to circumvent technical measures used to protect copyright management systems. One of the first tests of the provision of this law was in July 2001, when a Russian computer programmer named Dmitry Sklyarov discovered a flaw in the copyright control system of the Adobe eBook Reader. He came to the United States to make a presentation about what he had found, and he was arrested.
Cohn's slides are available in PowerPoint and Acrobat formats.
Articles about the Sklyarnov case:
One of the things that you will notice in Chapter 4 is that, despite the increasing widespread availability of cryptography, collection organizations operating within the National Security Agency and the Central Intelligence Agency do not seem (in the authors' opinion) to have been tremendously frustrated in their missions. In part this is because not much of the world's communications are actually encrypted. In part this is because traffic analysis can be just as valuable---and sometimes even more valuable---than being able to understand the content of a communication itself. And sometimes, the authors state, it is beause the cryptography used can be broken or subverted by the nation's collection organizations.
Please prepare a 1-page brief on the case of US Government v. Dmitry Sklyarov and ElcomSoft using the IRAC method.
For information about the IRAC method, please see the wikipedia entry and this explaination from Professor Bruce Zucker at California State University.
I have prepared a 1-page annotated brief about Gary Kremen's sex.com appeal against NSI. You can find it here: [doc] [pdf].
NOTE: NPS Students may submit until Friday PM
footer(); ?>