Managing Network Security


by Fred Cohen

Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

What's the DMCA?

The "Digital Millennium Copyright Act" (DMCA) is a US law that has global impact on anyone who is reachable by the United States government and who is involved in legal issues in information protection - which is to say - almost every person who uses, owns, or is responsible for a computer.

The DMCA basically makes it illegal to manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof that:

Effective, in this case, means that it would work " the ordinary course of its operation..." and does not mean it is hard to bypass. A one letter password, a license key, or an access control setting on the computer would be considered effective, as would protection by Rot13 or similar techniques.

Works protected under this title include all copyrighted works. It turns out that anything that is put into tangible form is considered to be a copyrighted work at its inception unless it is explicitly put into the public domain or is not copyright by law (for example US government documents are not copyright as a matter of US law).

What does this have to do with me?

The DMCA has recently come to the fore with the arrest of Dmitry Sklyarov, a Russian researcher who was in the United States at the DefCon conference in Las Vegas. He was arrested for releasing a program to the Internet that provided the means to defeat a copy protection scheme for a digital video disk system so that the owner of the disk could view it on a Linux platform.

A few months earlier, Edward W. Felten and his research team at Princeton University were stopped from publishing a cryptanalysis paper on how to defeat a copy protection scheme. The SDMI Foundation had made a public offer to have anyone who was able break their cryptographic copy protection scheme. The offer was stated so as to give a reward for breaking the scheme, but required that in order to get the award, you had to keep the method confidential and provide details to the Foundation. Ed Felton's team decided to publish and forgo the award, so the Recording Industry Association of America, the SDMI Foundation, and the Verance Corporation threatened to bring a lawsuit for violation of the DMCA if the publication went forward. The refereed conference paper was not published.

In my case, I used to sell products to help find criminals and otherwise perform forensic analysis of digital systems and networks. All of the techniques I use and the software I used to sell had the purpose of making exact copies of disks and network traffic and analyzing it to reveal the content despite attempts by the criminal (who owns copyright of the material by virtue of having put it in tangible form) to prevent access. These products were withdrawn from the market recently because I believe that they have become illegal to distribute, sell, manufacture, etc. The most affected customer groups are, of course, law enforcement and corporations who used to buy these products to help them enforce the laws and find corporate criminals. At least in my case, the DMCA has only hurt those who are trying to enforce the laws. No criminal in their right mind would buy my software because it has no reasonable criminal use. It is decidedly not helpful in breaking into systems, at least not as compared to other tools on the market. It is very careful at documenting everything it does, again something that police want but criminals do not. So much for that one.

It turns out, on a side note, that it also had effects on some of my research and may have effects on my educational efforts. The prohibition against distribution of technology seems to apply to, for example, describing how to bypass a protective mechanism. I teach a course on cryptography for cybercops, which is basically focussed on ways to bypass cryptographic protection mechanisms while remaining within the law with regard to evidence issues. Similarly, my digital forensics course and my introductory information protection course deal with issues of how to attack and defend systems. If this is illegal we run into all sorts of issues. For example there are many books on cryptography that deal with these issues as well. Making this illegal starts to really seriously impinge upon the right of free speech and I think this law will be struck down for that reason, but I don't want to become the poster boy for jailed researchers. Research I have been doing in steganalysis is also being suspended because it runs directly into the law and the areas that are presently being challenged in legal cases. This work has only been used to support law enforcement, but my research is not funded by law enforcement and so has no legal standing under the law enforcement exemption provided by the DMCA.

What does this have to do with you?

OK - so I am a researcher and educator in this field, and as a result, many things about information protection have more to do with me than they normally have to do with most of my readers. But the DMCA has far reaching implications.

Remember Dmitry Sklyarov? He didn't publish these results in the US - he published them over the web from Russia where the DMCA does not apply and such publication is legal. Since the content was available over the web, the US Department of Justice decided that constituted distribution in the US which made him subject to immediate arrest upon entry into the US. Of course the US has historically entered other countries and kidnaped people to bring them to the US so they could be arrested, so living elsewhere isn't necessarily an effective protection against the long arm of US law enforcement, but this arrest has had global effects on people who might otherwise travel to the US to attend technical meetings and conferences or on other business trips. If you or any of your team are living outside the US and you work on and publish in this area, you would probably be well served to not come to the US because you could be arrested at any time and jailed pending trial. Does this remind you of any other places in the world? Places the US has called 'oppressive'?

So who else might be arrested in the US under the DMCA? Let's see. The license key that comes with Microsoft products is a technical measure that prevents copying - did you know that? It's true. And under the DMCA if you have made more than 1 backup of any Microsoft product - or any other copyrighted work protected under a similar license and technical countermeasure, you are also subject to arrest and prosecution. Does the word 'backup' come to mind? It should. Most backup systems make copies of large portions of content from systems. Unless they know about the specific copyright limitations of each item being backed up, they may be in violation of the DMCA. The widely used product "Ghost", for example, backs up disks and ignores any copy protections on the software on those disks. So if you sell or traffic in (as in provide to your corporate employees) backup systems that bypass otherwise effective protections (such as the Microsoft license key), you might be subject to arrest.

But what about the 1st amendment?

The first amendment to the US constitution reads:

It looks to me like the congress has made a law "abridging the freedom of speech" and it looks this way to lots of other folks, but of course the law its the law until and unless overrules by the court system. This ultimately comes down to a case that may eventually get to the US supreme court. Eventually means a long time from now, which also means that you might be in jail for that long time while 'justice' is served. In my experience, justice delayed doesn't taste very good.

Will the 2st amendment win out over the DMCA? We wait and learn.

Civil disobedience - or - the chilling effect

I for one believe that this is one of those cases where civil disobedience is called for. The principle at stake is very important to freedom and justice, and the law seems to me to be outrageous. But civil disobedience means that those who practice it take the consequences that come with it. If you break this law you may get arrested and prosecuted and jailed for a long time. You might lose all of your money, your sources of income, your family, and lots more along the way. And there's more...

You could be found guilty and end up a felon with a record for the rest of your life. You could be held in a prison for many years and end up being beaten, raped, and even killed. You could be branded a criminal for the rest of your life.

The only other options are to ignore the law, which means you are at risk and simply ignore it, or to try not to break the law, which produces a chilling effect. A chilling effect means that research is slowed down, people are afraid to do things they would otherwise do without a second thought, and people who do things that are near the margin of the law are constantly afraid of being arrested.


The DMCA is a bad law and should be struck down as soon and as thoroughly as possible.

My personal belief and hope is that the DMCA will be struck down soon and completely. It's not that I am some fringe element who opposes law and order. It's that I greatly value my freedoms and the freedoms of others.

My personal take on the balance between civil disobedience and the chilling effect is that I will be civilly disobedient in the more conservative areas and chilled in other areas. I will not sell my forensics products or do research in these areas while the law is in effect, but I will continue to teach courses in these areas and write and publish papers. I figure that the first amendment will win out in the end - at least in terms of being able to teach classes and write papers for professional publication. But if I am wrong, you will be able to contact me through the federal prison paper-based mail system...

About The Author:

Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber defenders over-the-Internet as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at or visiting