Subject: Re: [Freesw] the closed security model
From: L.Jean Camp <jean_camp@harvard.edu>
Date: Tue, 19 Feb 2002 13:50:37 -0500


Open code depends on a transparent market so that its superiority can be 
illustrated.  Security is an advantage of open code. Intellectual 
property is the battleground where closed code proponents have the best 
chance of shutting down open code. The publication of security and 
interoperability information is increasingly being made criminal.  Hell, 
cables that enable the chance of interaction are being prohibited.

Microsoft and Disney and Time Warner (when he can get away with it from 
AOL) are pushing a bill which has been written requiring DRM-style 
security on "all digital devices". This is as serious a threat as the 
threat to DAT (search SSSCA). If the bill were narrowed to desktop-
equivalent devices then most of the opposition would be gone.  As a side 
effect this bill prohibits open source and free software. Again the 
content providers are lining up against the component providers. The 
content providers won on DAT and lost on VCRs; won on radio broadcast 
(thus creating a dysfunctional market and payola) and won big on video 
broadcasting.

If breaking software to interact with it is criminal then leveraging the 
desktop becomes more simple.

Here are a couple of MS strategies that lie within the larger MS 
strategy of owning the authentication market and thereby obtaining data 
and transaction fees for all net-based purchases:

- prohibiting interaction with .Net
- using the highly recognizable XML -- or just the created-by tag -- to 
prevent non-MS generated code from displaying correctly via an encrypted 
'security check' for 'compliance'
- linking replacement of browsers with install programs and locking the 
preferences files
- altering SSL or Kerberos or other authentication methods so that only 
MS servers can authenticate with MS browsers

These strategies would be far more difficult to defeat if interacting or 
reverse engineering the code is prohibited in the US.

Currently in the courts there is a test of click-wrap terms which 
prohibit critical evaluations of products. On a second front there is 
increasing pressure to 'classify' all security research so that 
discussing security weaknesses of deployed software is criminal. This is 
likely to be put forward after the budget fights, and the journalism 
community is the wild card here. If that effort were successful, any 
report of security failures would be about open code, since reporting on 
closed code security faults would be prohibited.

best regards,
-Jean


On Tuesday, February 19, 2002, at 12:17 PM, Nick Jennings wrote:

> On Tue, Feb 19, 2002 at 11:23:34AM -0500, jean_camp@harvard.edu wrote:
>> A pointer from the BoA vault -- the new security hire is about
>> preventing bad press about security.
>>
>> Implications for fsb: obvious.
>
>  I may just have not gotten enough sleep last night, but at any rate, 
>  I'll bite. What exactly does this mean for FSBs?
>
>  I mean, I see how the MS stance is bad for open security reports in
>  general (e.g. gives open security reporting a bad name to some), but
>  I don't see how this would effect a budding young FSB directly.
>
>  Like I say, maybe I'm just not thinking straight right now...
>
> --
>   Nick Jennings
>