Status of Cryptography Research in implementation of the EUCD

Owen Lewis oml at sysrx.uk.com
Wed, 14 Aug 2002 22:09:03 +0100


> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Julian T J
> Midgley
> Sent: 14 August 2002 16:02
> To: ukcrypto@chiark.greenend.org.uk
> Subject: RE: Status of Cryptography Research in implementation of the
> EUCD
>
>
> Firstly, we are not talking about copyright infringement (an academic who
> discovers a weakness in an algorithm used for copy-protection doesn't
> necessarily infringe anyone's copyright).

I have said, many times now, the opposite of what you imply.
No harm from the discovery. Harm from the publication of the method.

To publish the means to effect a breach of copyright may be as harmful to
the holder of the copyright as any breach of the copyright. Furthermore, it
may be tantamount to aiding and abetting such breaches. Lastly, there is no
certainty at all that any marked public good is served thereby.

> Secondly, the important point is that an algorithm can have numerous uses,
> as I attempted to indicate in my early reply.  If the same algorithm is
> used both in SSL and in a copy-protection mechanism, a researcher who
> discovers a flaw benefits the public greatly by informing them that there
> is a flaw in algorithm Foo, and by publishing details of the flaw, enables
> someone to fix it (if he cannot fix it himself).  Inadvertently of course,
> he publishes information that may be useful to someone wishing to
> circumvent the copy-protection mechanism.

This is obfuscation of the basics. The basics are:

	-	If a researcher obtained his information unlawfully he stands to be
pursued on this ground alone.

	-	If we cause harm by our acts we are responsible for the harm we do
whether or not the harm is intended. Manslaughter, ISTR, is unlawful killing
without a formed intent. To paraphrase Larkin, parents f*ck up their
children even when well intentioned.

	-	If a researcher publishes a method to breach copyright the only good that
is likely served is that of thieves and there is a palpable risk of harm to
all the holders of copyright protected by that method as well as to the
owner of the method itself.


In the case of cryptographic routines in general the matter of what good,
overall, is served by publishing cracks is not at all well defined. People,
especially it might seem those who like to discuss cryptography, like also
to discuss it and other security matters too in black and white terms.
Security is rarely if ever black or white but almost always has some
indeterminate quantum state in between the extremes of total and complete
absence of security. IMO, total security is a theoretical and not a
practical state. Its indeterminacy of state is in part due to the nature of
the technologies employed but in the main part is due to simple human
frailties. This has been discussed here before and, indeed, Roger Needham is
giving a Royal Society lecture next month on much the same point.


> .... it's arguable that there is no need whatever to make an offence
> (civil or criminal) of the mere act of circumvention.  If the
> circumvention doesn't result in infringement and if information enabling
> circumvention isn't published then the rightsholder has no complaint
> whatever.

Yes and no. Yes, I agree the copyright holder has no real cause for
complaint that a hack is discovered and not published (he may even have
reason to be grateful). No, you are wrong to imply that there is no cause
for complaint where agreed terms of licence are either ignored or flagrantly
broken.

> If I purchase an engine from you, and take it apart to
> determine how it works, you cannot prosecute me for the act of doing so;

I can surely sue you successfully if you took it apart:

		-	without a licence from me to run the software.

		-	in breach of terms of a licence sold or otherwise provided you and that
expressly forbade you to disassemble etc. the executables and on which terms
you agreed to run the software.

That said, if you do so quietly and keep the matter to yourself, then no
harm is done and you may continue to sleep peacefully at night.

> why then should you be able to prosecute me for the mere act of
> circumvention, when no infringement results?


See the above. As I see it, you construct a showy house of cards that
conceals it has no foundations. If I am wrong in this, then, please,
dispense with the exemplar cards with their flashy colours and describe to
me the principles - the foundations - on which you build your house.

Owen