
Re: (ichimunki)Re: Security, is it to much to ask?

by tachyon (Chancellor)
on Jul 18, 2001 at 05:24 UTC


in reply to (ichimunki)Re: Security, is it to much to ask?
in thread Security, is it to much to ask?

Hi. First I don't intend to say TOO much :-) If I could have edited the title to fix it I would have. If I hadn't thought it trivial I would have bugged an editor.

I am not and have never been a cracker although I am familiar with the techniques of decompiling and with x86 assembler. Before posting the original response I considered the issues of whether chinman was the rightful owner of the intellectual property (his scripts) embedded within the .exe generated by PerlApp. Having established to my satisfaction that this was indeed the case I simply grepped his scripts out of the exe using a standard method. I did this with the full consent of the owner of the aforementioned scripts. I did not 'reverse engineer' anything, nor was this required. The scripts are plainly identified and easily removed.

The scripts thus reclaimed represented chinman's intellectual property not Active State's. The fact that they were encoded hindered his right to access his own intellectual property. Despite requesting help from Active State they are yet to send so much as an autoresponder message.

The encoding scheme utilised XOR against a key string to generate a simple symmetric key shift cipher. This type of cipher was first described by Blaise De Vigenère (1523-1596) so is probably no longer subject to patent issues :-) This type of cipher is just a glorified Caesar shift cipher and can be broken using a number of techniques. Using XOR in this manner to generate a Vigenère cipher is widespread and has been used since before I was interested in computers (late 70s).

So nothing belonging to Active State over which they have any exclusive IP rights has been touched. What has been done is to demonstrate that the task is quite do-able. My question was and remains should it be this easy? If it is then those using PerlApp for pseudo security should be aware of this.

I think this is quite different from breaking the encryption of DVDs - that was naughty and the only foreseeable purpose illegal. It is also difficult to fix given the huge investment in infrastructure. PerlApp in contrast would be easy to fix.

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
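The post above describes the scheme as XOR against a repeating key string, i.e. a Vigenère cipher built from XOR. The following is an added example, not code from the thread or from PerlApp, showing why that is an encoding rather than encryption: with a short stretch of known plaintext the key falls out directly, and a script recovered from such a bundle is readable in full. The key `PerlMonks`, the sample script and the assumption that an embedded script begins with a conventional `#!/usr/bin/perl` line are all constructed for the demonstration.

```python
# Added example: repeating-key XOR ("XOR Vigenère") and a known-plaintext
# key recovery. The key, the sample script and the shebang prefix are
# constructed here; nothing is taken from PerlApp or any real bundle.

KEY = b"PerlMonks"  # constructed key; any real product's key is unknown here
SCRIPT = b"#!/usr/bin/perl -w\nuse strict;\nprint \"hello\\n\";\n"
# Assumption: an embedded script starts with an ordinary shebang line.
KNOWN_PREFIX = b"#!/usr/bin/perl -w\n"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Because XOR is its own inverse, the same
    function both encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_length(ciphertext: bytes, known_plaintext: bytes,
                     max_len: int = 64):
    """XOR the known plaintext against the matching ciphertext bytes to
    expose a slice of the keystream, then return the smallest period that
    explains it. Returns None if no period <= max_len fits; to be
    trustworthy the known plaintext should span more than one key period."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for n in range(1, min(max_len, len(stream)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return None


def recover_key(ciphertext: bytes, known_plaintext: bytes,
                key_len: int) -> bytes:
    """Given the key length and a known plaintext covering at least one
    full key period, recover the key: keystream = ciphertext XOR plaintext."""
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than key period")
    stream = xor_with_key(ciphertext[:len(known_plaintext)], known_plaintext)
    return stream[:key_len]


def demo():
    """Encode the constructed script, then recover key and script using
    only the ciphertext and the assumed shebang prefix."""
    ciphertext = xor_with_key(SCRIPT, KEY)
    key_len = guess_key_length(ciphertext, KNOWN_PREFIX)
    if key_len is None:
        raise RuntimeError("known plaintext too short to expose the period")
    key = recover_key(ciphertext, KNOWN_PREFIX, key_len)
    recovered = xor_with_key(ciphertext, key)
    return key, recovered


if __name__ == "__main__":
    key, recovered = demo()
    print("recovered key:", key)
    print("script intact:", recovered == SCRIPT)
```

The point for anyone relying on such a bundle for secrecy: the key is stored alongside the data it protects, and even if it were not, a single predictable line of plaintext (a shebang, a `use strict;`) is enough to recover a key of that length. The known-plaintext shortcut used here is the simplest of the "number of techniques" the post mentions; key-length estimation without any known plaintext is the classical Kasiski-style analysis and is not shown.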

Replies are listed 'Best First'.
(MeowChow - be afraid) Re: Security, is it to much to ask?
by MeowChow (Vicar) on Jul 18, 2001 at 05:58 UTC
    I read the news today, oh boy.

    The fact that the encryption method is well-known and ineffective is irrelevant. The schemes used by both CSS and the software mentioned in the story I linked are also relatively facile, known and ineffective.

    The fact that you were decrypting content with IP rights not belonging to ActiveState is irrelevant. Digital rights management systems are not designed to protect the IP rights of the system's designers, but the rights of the licensees and users of the system. To that end, the DMCA criminalizes any attempts to circumvent the system, even if you are circumventing to gain access to your own IP.

    That said, I wouldn't fret over it too much, but if you see a band of men wearing suits and earpieces jump out of a black, unmarked Suburban, it couldn't hurt to start walking briskly in the other direction :-p

    MeowChow
    s aamecha.s a..a\u$&owag.print
(ichimunki) Re x 3: Security, is it to much to ask?
by ichimunki (Priest) on Jul 18, 2001 at 20:21 UTC
    First (and noting that tachyon is from Australia where the laws are probably a bit different), now that you've discussed publicly how to reverse engineer a script from the binary produced by the AS product, I don't need to be the owner of the original script. You've just shared with the world how to break an encryption scheme. This is one of the things forbidden by the DMCA and is exactly what is getting various Russians (visiting the USA) and 2600 publishers in trouble. Luckily for Perl Monks, PM is not on ActiveState's sh*tlist (and probably just barely on their radar) and it is doubtful that AS would be so boneheaded as to go reporting PM to the authorities over this-- unlike Adobe their reputation could be seriously harmed by such a thing.

    Second, there are plenty of purposes which are foreseeable for breaking the encryption on a DVD which are not illegal. Examples include: archiving, personal use sampling (say I wanted to make a compilation of my favorite scenes from the movies), Fair Use sampling (for academic works on movies or reviews), watching DVDs on computers or players for which there is no existing player software, watching DVDs using Free Software as opposed to $40 per license software. All of these uses are legally allowed, but technically impossible due to the encryption scheme. They would become technically possible if it were legal to crack the encryption scheme.

    This whole discussion points up why the DMCA is a bad law-- in the USA we can't discuss how to recover our own scripts without cracking someone else's encryption scheme, which is forbidden. Personally, I enjoyed seeing how this was done and filed the whole matter under "Why trying to obscure the source of Perl scripts is a big waste of time" with a cross-reference to "Avoid Active State add-ons to Perl" :)

      Not being a lawyer and having only read the summary of the DMCA here it seems that it is not as bad as suggested. Here is the relevant section:

      DMCA Exceptions

      Finally, the prohibitions contained in section 1201 are subject to a number of exceptions. One is an exception to the operation of the entire section, for law enforcement, intelligence and other governmental activities. (Section 1201(e)). The others relate to section 1201(a), the provision dealing with the category of technological measures that control access to works. The broadest of these exceptions, section 1201(a)(1)(B)-(E), establishes an ongoing administrative rule-making proceeding to evaluate the impact of the prohibition against the act of circumventing such access-control measures. This conduct prohibition does not take effect for two years. Once it does, it is subject to an exception for users of a work which is in a particular class of works if they are or are likely to be adversely affected by virtue of the prohibition in making noninfringing uses. The applicability of the exemption is determined through a periodic rulemaking by the Librarian of Congress, on the recommendation of the Register of Copyrights, who is to consult with the Assistant Secretary of Commerce for Communications and Information.

      The six additional exceptions are as follows:

      1. Nonprofit library, archive and educational institution exception (section 1201(d)). The prohibition on the act of circumvention of access control measures is subject to an exception that permits nonprofit libraries, archives and educational institutions to circumvent solely for the purpose of making a good faith determination as to whether they wish to obtain authorized access to the work.

      2. Reverse engineering (section 1201(f)). This exception permits circumvention, and the development of technological means for such circumvention, by a person who has lawfully obtained a right to use a copy of a computer program for the sole purpose of identifying and analyzing elements of the program necessary to achieve interoperability with other programs, to the extent that such acts are permitted under copyright law.

      3. Encryption research (section 1201(g)). An exception for encryption research permits circumvention of access control measures, and the development of the technological means to do so, in order to identify flaws and vulnerabilities of encryption technologies.

      4. Protection of minors (section 1201(h)). This exception allows a court applying the prohibition to a component or part to consider the necessity for its incorporation in technology that prevents access of minors to material on the Internet.

      5. Personal privacy (section 1201(i)). This exception permits circumvention when the technological measure, or the work it protects, is capable of collecting or disseminating personally identifying information about the online activities of a natural person.

      6. Security testing (section 1201(j)). This exception permits circumvention of access control measures, and the development of technological means for such circumvention, for the purpose of testing the security of a computer, computer system or computer network, with the authorization of its owner or operator.

      It would seem that what was done is permitted under clauses 2, 3 and 6.

      cheers

      tachyon

      s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

        Since (1) does not specify 501(c)3 certification of nonprofit status, I would think that we might qualify under that, as well (caveat: I am not a lawyer either). Perlmonks, to the best of my knowledge is not run to make money, and we are an archive of sorts, as well as an institution (among ourselves) for education (or perhaps many of us need to be institutionalized). I think it could be considered fair under the terms of (1) for us to evaluate the strength of the encryption to determine whether we think it is worthwhile for our use.

        Just a thought ... my case here would probably never stand up in court.
        Ack. I should have just left this one alone, and I apologize for even discussing this past a cursory mention, you're probably right (although I'd interpret the above as allowing pretty much any discussion, including DeCSS). I'm just going to try and stick to Perl from now on. The DMCA and other sociopolitical issues wear me out and do me no good. I've already planned to stick to freely usable media and Free Software in the future, so hopefully I'll start to recover and mellow out. :)
