[KLUG Advocacy] Michigan's latest legislative messup

advocacy@kalamazoolinux.org advocacy@kalamazoolinux.org
Tue, 29 Apr 2003 14:37:38 -0400


The article distributed is largely FUD, ballyhoo and hype, IMO. 

I am not only in the process of getting legal advice to the contrary,
but am also involved in setting up a session with one or more legislators
in order to either clarify the meaning of the law as it is now on the books,
or start a movement to amend the law to the extent needed.

It is fairly clear, I am being advised, that the law now on the books only
criminalizes the items stated if they are used in connection with other acts
already considered criminal. Apparently there is NO INTENTION and NO WORDING
that supports the a priori criminalization of these technologies.

							Regards,
							---> RGB <---


Mike Williams <knightperson@zuzax.com> posted:
>This is part of an email I get weekly, and this one is worth passing on 
>to anyone remotely related to technology or politics.  A law this 
>broadly written should never have made it on the books to be abused, but 
>it has.  Time to write a letter to your Congressman or a check to the 
>Electronic Frontier Foundation.  Sorry about the length, but I trimmed 
>it as much as I could.
>
>---------
>
>April 28, 2003
>Security Watch
>http://mcpmag.com/security/
>http://ENTmag.com
>
>
>**I'm a Criminal -- and You Probably Are, Too
>By Roberta Bragg
>
>I am a criminal. I've broken the law in seven states. By the time you
>read this I may have added a state or two to my list.
>
>I'm not currently afraid that the police are going to break down my
>door and drag me off to the hoosegow, but I'm certainly chilled by the
>recognition that they could.
>
>I didn't set out to break the law; nothing is farther from my
>intentions, my personal moral and ethical beliefs, my background and my
>lifelong work. I'm not a serial murderer. I'm not running a methlab in
>my basement. I haven't gone on a cross-country rampage robbing banks,
>knocking over gas stations or stealing cars. Nevertheless, I've crossed
>the line.
>
>If my next column is written from some county jail or state
>penitentiary, I'll be in good company. Most of you will be there, too,
>since you're breaking these laws as well.
>
>I'm talking about the so-called "Super DMCA" bills and their cousins,
>passed by Delaware, Illinois, Maryland, Michigan, Pennsylvania,
>Wyoming, and Virginia. They're currently under consideration in
>Arkansas, Colorado, Florida, Georgia, Massachusetts, Oregon, South
>Carolina, Tennessee, and Texas. Even if you don't live in these states,
>your actions may be considered to have entered their jurisdiction. What
>are state borders to the Internet?
>
>This law specifically outlaws software capable of concealing the
>existence or source of any electronic communication. In essence, you
>and I are now criminals because we apply sound information security
>practices such as:
>
>  - Using a firewall or NAT box to hide the original IP address of the
>computer from which we're working
>  - Encrypting a session between our computer and another computer in a
>manner which disguises the source address
>  - Using a VPN to tunnel to a corporate office
>  - Deploying a honey pot or honey net
>  - Using an anonymizer when browsing the Internet
>  - Purchasing products which can hide IP addresses. This, of course,
>includes Windows products
>  - Sharing information on IT security practices with others
>
>Heck, I'm probably breaking the law every time I communicate to you
>about how to do any of these things. Cast in the light of this law I'm
>probably an arch-criminal since I write and teach how to do these
>things and often describe and review specific products which do so.
>(Think my fears are ungrounded? A Michigan Ph.D. candidate is so
>concerned he's removed his research from access by U.S. citizens: see
>www.securityfocus.com/news/3912 for details. How many others will now
>refuse to share with us the fruits of their security research?)
>
>I'm sure to some of you this may still seem to be quite far-fetched.
>After all, the laws were designed to keep folks from stealing cable TV
>and broadband Internet signals, and that quite obviously isn't our
>intent. Perhaps it's paranoid of me to think that anyone would use the
>law to attack legitimate security researchers, companies protecting
>their information or home users who add a firewall to their desktop
>computer. But the law doesn't have any language about intent. To be
>fair, a revised version of the law is circulating that includes an
>intent to defraud as a provision. The revision, however, doesn't define
>how that will be determined. In addition, this version of the law isn't
>the one now under consideration, or that has been passed.
>
>In addition to hindering your information security efforts, and placing
>you at risk of arrest, prosecution and imprisonment, the Electronic
>Frontier Foundation lists the following problems with the bills:
>
>  - Things not expressly permitted are forbidden: You can't add a
>wireless access point to your DSL connection at home without the
>permission of your ISP. Think they'll let you?
>  - Threat to anonymity: As mentioned, it outlaws NAT, firewalls,
>encryption and VPNs
>  - Threat to competition and innovation: Who would produce new security
>devices in the United States? This market will go elsewhere
>  - Transfers law from public to private hands: The bills are sponsored
>by cable providers and the like and encouraged by their friends at the
>Motion Picture Association of America (MPAA). The bills add the
>potential of civil liability, meaning these companies could also sue us
>  - ISVs seen to be in violation can be forced to downgrade their
>products, removing the offending capability. Don't look now, but
>Microsoft's end-user license agreement states they can access your
>machines for the purpose of providing software updates
>  - The service provider can sue you; if they win, they can make you pay
>their attorney fees. But if you win, you can't collect your attorney
>fees from them.
>  - Preliminary injunctions (cease and desist) are allowed without
>providing proof of damage, harm or inadequate remedy -- the normal
>requirement. In short, once accused, the courts can order you to stop
>doing what you're doing. Yes, they could shut me up and I probably
>couldn't tell you about it.
>  - You may have to pay damages of $1,500 to $10,000 for each illegal
>device, even if there's no proof any harm has occurred. Well, let's
>see; if my next column explains how to configure NAT for a specific
>device, and it gets delivered to all of you -- guess I could be fined
>roughly a half-million dollars
>  - Chilling effect on research. Need I say more?
>
>The law as it stands is bad, and we all need to speak up. Find out the
>status of the law in your state and the states in which you might be
>accused of breaking it. Visit the sites listed below to become informed
>and find specific courses of action you might take. At least write your
>legislators and start a dialog with them about the meaning of this
>bill. Circulate information about impending legislative votes on bills
>in consideration; imagine the impact if we all e-mailed these legislators
>on the eve of their decision. Start educating everyone about how
>information security works and why hiding the source of a communication
>protects everyone. And above all, *do not* stop implementing and using
>sound security practices. If that makes us all criminals, then so be
>it; they can't arrest us all.
>
>  - Status of current and impending legislation, interpretation of the
>law: Http://www.freedom-to-tinker.com/doc/2003/mpaa_3apr.rtf
>
>  - Status of state laws: Http://www.freedom-to-tinker.com/superdmca.html
>
>  - Electronic Frontier Foundation discussion and links:
>Http://www.eff.org/IP/DMCA/states/200304_sdmca_eff_analysis.php
>
>  - Information on hearings: Http://www.digitalspeech.org/
>
>-- Roberta Bragg, MCSE, CISSP and contributing editor for MCP Magazine,
>runs her company, Have Computer Will Travel Inc., out of a notebook
>carrying case. She's a frequent speaker and trainer for MCP Magazine's
>TechMentor conference and seminar series. She's an independent
>consultant specializing in security, operating systems and databases.
>Her newest book is the CISSP Training Guide (Que Publishing). You can
>reach her at roberta.bragg@mcpmag.com.
>
>