cryptome – Techdirt
Banking Equipment Vendor Tries To Censor Security Research With DMCA Notice — Then Backs Down When Called Out For It
from the abusing-the-system dept
Abuse of the DMCA takedown process to remove material that is awkward or embarrassing for a company is a common enough topic on Techdirt. But here’s one with a slight twist. It concerns hardware security modules (HSMs), which manage the cryptographic keys and PINs used to authenticate bank card transactions. These were generally regarded as pretty secure — until researchers started analyzing them, as Ross Anderson, head of the Security Research Laboratory at Cambridge University, explains:
[HSMs’] application programming interfaces (APIs) had become unmanageably complex, and in the early 2000s Mike Bond, Jolyon Clulow and I found that by sending sequences of commands to the machine that its designers hadn’t anticipated, it was often possible to break the device spectacularly. This became a thriving field of security research.
Of course, “thriving” here means “we found lots of security holes”, which is why those manufacturing HSMs would rather people didn’t do much research in this area. Recently, that desire led to the banking equipment manufacturer Thales sending a DMCA takedown notice to John Young, who runs the well-known Cryptome site, demanding that he remove a manual for one of their HSM products. What makes this demand particularly ridiculous is the fact that the manual had been on Cryptome since 2003 without any previous problems and, according to Young, is also widely available on the Internet, including from Thales itself.
But a blog post from Anderson detailing this clumsy attempt to remove something using the blunt instrument of a DMCA takedown notice suddenly brought the company to its senses. A few days after his post appeared, the same person who had sent Young the less-than-friendly takedown notice followed it up with this rather more chummy missive:
Thales is in no way trying to censor information that would benefit banking security research.
The information concerned, as has been noted, has been available since 2003 and is in fact obsolete. It also does not reflect the current Thales payment hardware security module.
So why on earth bother trying to take it down?
It is not unusual for Thales to suggest that out-of-date information is removed from web sites so that it doesn’t cause confusion or mislead our customers. This would normally be handled with a polite request to the web site owner; on this occasion, unfortunately, we were over-zealous in initiating a takedown notice.
Well, there’s rather a lot of “out-of-date” information on the Internet — most of it, in fact — and generally people don’t resort to DMCA takedowns to try to remove it; “over-zealous” doesn’t even begin to describe the disproportionate nature of the reaction here.
Thales fully appreciates the benefits of openly sharing information relating to our security products and fully supports legitimate academic research in this area. The most up-to-date and accurate information can be obtained directly from Thales.
Let’s hope the company remembers that next time somebody posts information about security flaws in its systems.
I therefore wish to withdraw my earlier request for you to remove or disable access to the material in question and apologise for any distress it may have caused.
But as Young points out:
Credit for Thales’ recantation goes to incorruptible security critic Ross Anderson who blogged and telephoned Thales to thrash the zealots
Indeed. And it really shouldn’t be necessary for professors of computer security to waste their time exposing abusive DMCA takedowns in this way, when they could be more usefully winkling out yet more dangerous flaws in hardware security modules, for example….
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: banks, censorship, copyright, dmca, security research
Companies: cryptome, security research labs
Network Solutions Confused About The DMCA
from the that's-not-how-it-works dept
Last week we wrote about how Microsoft abused the DMCA to force Cryptome offline via Network Solutions. Since then, there’s been some interesting scrambling by all parties involved. Microsoft claimed that it never meant to take Cryptome down entirely, just the one document (though it is no longer asking for it to be taken down). But that doesn’t make much sense, because Network Solutions only had the ability to take down the whole site, not pieces of content. Either way, what really confused us was Network Solutions’ response to the DMCA takedown: it waited until Cryptome filed a counternotice, and only then took down the site. That’s not how the DMCA works.
Yet, in a blog post sent over by Achura, Network Solutions tries to provide a “layperson’s guide” to the DMCA. The only problem is that they get it wrong.
First, Network Solutions seems to think that the DMCA provides for a “notice-and-notice” system of dealing with takedowns, whereby it needs to first notify the user and wait for them to respond. Unfortunately, the DMCA does not follow such a procedure. It would be much better if it did. However, the DMCA is a “notice-and-takedown” setup, whereby the service provider who receives the notice needs to first take down the content, if it wishes to retain its safe harbor protections. It can choose not to take the content down (though, that rarely happens), but it risks losing the safe harbor protections. As the law itself clearly states:
upon notification of claimed infringement as described in paragraph (3), responds expeditiously to remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity.
So NetSol is wrong to claim that they first need to notify the user and wait for the response.
Second, NetSol is then wrong in how it responds to a counternotice from the user. It claims:
If the customer challenges the Notice by submitting a Counter Notification that complies with the DMCA, the Host is required to disable access to the allegedly infringing site for a period of “not less than 10 business days, nor [sic] more than 14 business days” (the “Challenge Time Period”).
Again, this appears to be incorrect. If it had been following the DMCA, it should have already taken the content down to retain safe harbors. It makes no sense to say that once the counternotice is sent, then you take down the content. Instead, the “not less than 10 business days, nor more than 14 business days” window refers to how long the service provider is supposed to wait, after receiving the counternotice, before putting back the content it already took down (unless the complaining party files a court action in the meantime). Of course, given that NetSol was confused about the notice-and-takedown process, you could see why it felt the need to take the content down after the counternotice: that’s the point at which it realized it was legally supposed to have taken the content down earlier.
Filed Under: copyright, counternotice, dmca, takedowns
Companies: cryptome, microsoft, network solutions
Microsoft Uses DMCA To Force Cryptome Offline
from the abuse-of-dmca dept
You may recall late last year we wrote about how Yahoo got upset about the security website Cryptome publishing its “surveillance guide,” which details the process (and prices) for law enforcement to request information from Yahoo. Yahoo issued a DMCA takedown notice, which Cryptome fought. Cryptome has published similar documents from a variety of companies. Recently, for example, it published one from Microsoft, and… once again it’s faced with a DMCA takedown. Microsoft sent the DMCA takedown to Network Solutions, which refused to stand up for Cryptome, leading to the site being taken offline. Even worse, Network Solutions didn’t even wait until its self-imposed deadline to take down the site. As soon as Cryptome filed a counternotice (which would actually give NetSol a reason to keep the site up), NetSol took the site down.
This is a massive abuse of the DMCA takedown process by Microsoft. The DMCA is designed to stop people from sharing copyrighted information not for the purpose of hiding documents — and especially not for the purpose of trying to suppress the release of important information.
Furthermore, this kind of move has only served to do one thing: call much more attention to Microsoft’s surveillance guide, which, yes, is now much more widely available. On top of that, it’s made clear that Network Solutions will immediately buckle under DMCA threats, so if it’s your registrar, perhaps it’s time to look elsewhere. Microsoft is a company that should know better than to abuse the DMCA to stifle free speech, and it seems quite likely that it will end up regretting this decision.
Update: And, of course, now that they’ve drawn much more attention to the whole thing, Microsoft has withdrawn the takedown.
Filed Under: copyright, dmca, security
Companies: cryptome, microsoft
Yahoo Doesn't Want You To Know Its Spying Price List; Issues DMCA Takedown
from the can-the-pricelist-be-copyrighted? dept
Last week, well-known privacy activist Chris Soghoian got a lot of attention for revealing some data on how often Sprint was sharing GPS data with the government. However, perhaps an even more interesting part of his detailed writeup about various service providers and how they provide data to the government was his attempt to uncover how much various service providers charge the government. This was interesting in that it showed how giving the government private data could be a bit of a profit center for some firms. Soghoian uncovered some price lists, but Yahoo and Verizon refused to reveal theirs, claiming that doing so would “shock” or “confuse” customers. That was odd, since other firms did reveal their price lists, and the results weren’t all that shocking or confusing.
Of course, it didn’t take long for someone to leak Yahoo’s spying price list (or, more accurately, its “compliance guide for law enforcement,” which also includes some pricing info) to Cryptome.org. Other, similar documents were also posted to Cryptome from other service providers, but the only one who freaked out appears to be Yahoo. Robert Ring alerts us that Yahoo sent a DMCA takedown request to Cryptome over the document. Cryptome appears to have just posted the takedown request along with its ongoing email discussion with Yahoo’s lawyers, while leaving the original document in place.
Of course, by now, you can rest assured that Yahoo’s document has been copied in all sorts of places, just by nature of Yahoo’s attempt to hide it. It makes you wonder why the company even bothered in the first place.
Filed Under: dmca, law enforcement, price guide, privacy, spying
Companies: cryptome, yahoo