Is it fair to tell the world about vulnerabilities in software, thus opening the way for the entry of viruses, worms and the like or for equipment to be used in an illegal way?
Two recent cases in the US bring this matter to light. Both in some way involve the same party, the publisher of 2600 magazine, subtitled “The Hacker Quarterly”.
In the first, the magazine pointed out a vulnerability in the clustering software, known as Piranha, shipped with RedHat’s Linux operating system. This put a default password (the letter “q” or the word “piranha”) into the system, potentially allowing anyone into sensitive areas of the operating system. 2600 came under fire for publishing a story about the possible security hole.
Default passwords are an unfortunate but frequent phenomenon of IT and related systems. The password built into the system by the vendor is frequently obvious, but the user is counselled to change it as soon as possible. If everyone changes their password as soon as they receive the copy of the software, there should be no problem. So is an obvious password a failing of the vendor, the user, or anyone who spreads word of the failing and makes widespread abuse possible?
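The default-password problem described above lends itself to a concrete defensive check: detect accounts that are still on a vendor default and refuse to let them log in until the password has been rotated. The Python below is an added example, not code from the column, from RedHat or from Piranha. It audits a few constructed sample accounts against a list of known defaults (the two values the column names, “q” and “piranha”, plus two generic ones assumed for illustration), marks the offenders as must-change, and rejects a “new” password that is merely another default. The account records, helper names and hashing parameters are assumptions for this illustration.

```python
"""Audit stored credentials for vendor defaults and enforce rotation.

Added illustration; the account records, the default list and the helper
names are constructed for this example, not taken from any real product.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Vendor defaults the product is known to ship with (constructed list; the
# two values named in the column, "q" and "piranha", are included, the other
# two are assumed generic examples).
KNOWN_DEFAULTS = {"q", "piranha", "admin", "password"}

PBKDF2_ROUNDS = 100_000  # assumed work factor for the illustration


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so defaults are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = False  # set when the audit finds a vendor default


def new_account(name: str, password: str) -> Account:
    """Create an account record with a fresh random salt."""
    salt = os.urandom(16)
    return Account(name, salt, hash_password(password, salt))


def uses_default(account: Account) -> bool:
    """True if the stored hash matches any known vendor default."""
    for candidate in KNOWN_DEFAULTS:
        trial = hash_password(candidate, account.salt)
        if hmac.compare_digest(trial, account.pw_hash):
            return True
    return False


def audit(accounts: list[Account]) -> list[str]:
    """Flag every account still on a default; return the flagged names."""
    flagged = []
    for acct in accounts:
        if uses_default(acct):
            acct.must_change = True
            flagged.append(acct.name)
    return flagged


def change_password(account: Account, new_password: str) -> None:
    """Rotate the password, refusing one that is itself a vendor default."""
    if new_password in KNOWN_DEFAULTS:
        raise ValueError("new password is a known vendor default")
    account.salt = os.urandom(16)
    account.pw_hash = hash_password(new_password, account.salt)
    account.must_change = False


def login_allowed(account: Account) -> bool:
    """Deny login while a flagged default has not been replaced."""
    return not account.must_change


if __name__ == "__main__":
    # Constructed sample accounts: two on defaults, one with a chosen password.
    sample = [
        new_account("root", "q"),
        new_account("piranha", "piranha"),
        new_account("ops", "Correct-Horse-7"),
    ]
    print("accounts still on vendor defaults:", audit(sample))
```

The audit works from the stored hashes rather than the clear-text defaults, so it can run against an existing credential store after deployment, not only at account creation; the `must_change` flag is what a login path should consult before granting access.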
In the second case, a group of developers seeking to customise a Linux interface for a DVD player were obliged to delve into the security system of Windows-oriented DVD players to enable their own player to “crack” the security on encrypted DVD media.
So far so good, but then the Motion Picture Association of America became involved, citing the new Digital Millennium Copyright Act. The DMCA says that anything that bypasses access control is in violation, regardless of the reason for doing it, or, as the editor of 2600 magazine put it, “regardless of how unfair that access control may be [to users of non-Windows systems like Linux]".
Allegedly as a reaction to the MPAA’s intransigent attitude, 2600 and other publications began publishing the code needed to decrypt DVD disks, a piece of code known as DeCSS.
The case went in favour of the MPAA, but must be fought, urges 2600. If this is not done, says an unsigned editorial, “we would be handing a blank check to these huge corporate entities. They would be able to sue whoever they want whenever they want simply for figuring out how technology works, writing computer programs or, as in this case, simply trying to view legally purchased material on a legally purchased machine.”
The publication draws a tenuous link between the two cases, by saying that the original encryption on DVD disks was inadequate (if it could be so easily broken) and the “guilty” parties were simply exposing its weakness, to the ultimate benefit of all. The developers would now have to develop something else.
We had a similar minor local case several years ago, when Xtra in its early days issued default passwords that were easily guessable. The fact was published on Internet newsgroups and enough information given to enable password protection to be effectively bypassed. Xtra’s reaction was simply to change the protection mechanism. This should be the reaction of RedHat and the MPAA, some contributors to 2600 suggest.
I am inclined to view the “cracking” in all three cases (including Xtra) as legitimate. DeCSS was not developed as a piracy tool, but for legitimate motives; in the other two cases, uncovering of the fault prevented the greater disaster of allowing a vulnerability to continue.
What should not have occurred (though it may sound strange for a journalist to say this) is broad and detailed publication. Proof of any shortcoming in a protection mechanism should first be a matter for discussion between the vendor and the discoverers of the fault. Rushing into print is stepping beyond protection against future abuse and becomes an invitation to the dishonest.