cyberlocker

My outfit from the last convention I did. It’s a mix of fairy kei and cyber punk for a magical girl Unicorn outfit. Next to a really awesome tank girl!


Fluffy boot covers: handmade by @carebearplur
Skirt: Angelic Pretty
Purse: Betsey Johnson
Cyberlocks, jewelry, and hair clips: Kittywood Designs
Sweater, shirt, tights, and carousel hat: offbrand

Legal threat against security researcher claims he violated lock's copyright


Mike Davis from IOActive found serious flaws in the high-security Cyberlock locks used by hospitals, airports and critical infrastructure, but when he announced his findings, he got a legal threat that cited the Digital Millennium Copyright Act.

Jeff Rabkin, a partner at the “elite international law firm” Jones Day, sent the thinly veiled threat on April 29, asking IOActive to help him discover whether “intellectual property laws such as the anticircumvention provision of the Digital Millennium Copyright Act” had been violated in the course of Davis’s research.

The 1998 DMCA prohibits actions that assist in bypassing “effective means of access control” to copyrighted works. It’s the statute that lets Apple prevent competitors from launching rival App Stores, and stops companies from selling DVD-ripping software.

The problems with the DMCA have metastasized as computer code has become a critical part of everything we own, from cars and tractors to fridges and pacemakers, and even to our locks. Helping people get past the locks that manufacturers use to force their customers to buy spares, parts and add-ons from the original vendor and not a cheaper competitor may also be covered by the DMCA's prohibition, hence this letter, which supposes that publishing information about flaws in a lock violates copyright law.

In security circles, it’s axiomatic that researchers must be free to discover and disclose flaws in the systems that we rely on, because it’s the only way to harden our vital security systems. Preventing researchers from publishing doesn’t prevent bugs from being exploited – what a white-hat hacker can discover and disclose, a black-hat hacker can independently rediscover and weaponize – but it does ensure that the customers for security are denied the information they need to evaluate the security decisions they’ve made.

Rabkin and Jones Day are quite possibly barking up the wrong tree here. Two early DMCA cases – Skylink and Lexmark – tested whether the law stretched to preventing competitors from reverse-engineering devices in order to make interoperable spares and consumables (garage door openers and printer cartridges), and in both cases, the Federal Circuit found that the DMCA could not be used to prevent this sort of activity.

Disclosing vulnerabilities isn’t exactly parallel to Lexmark/Skylink. In those cases, an original manufacturer sued a commercial rival, and the judges took offense at the use of copyright law to such a nakedly anti-competitive purpose. To me, it’s clear that disclosing the drastic defects that a manufacturer made in its products is of the same character as making competing products – a legitimate and socially vital process that is obviously out of copyright’s scope.

The Ars Technica article has attracted some commentary from Mike Davis himself, who speculates that the real issue is that the locks were not designed to be upgraded in the field, and that his discovery might put the manufacturer in the difficult position of having to replace the locks, rather than upgrading them.

Rabkin has disputed Davis’s findings, but he’s also sought to chill the publication of those findings. You can’t really have it both ways: if the findings are incorrect, then there’s no risk in their being published. The normal scientific/scholarly process will run its course, and other researchers will or won’t be able to replicate those findings and validate or disprove them. But to argue that something is incorrect and to simultaneously seek to prevent us from reading it smacks of defensive cowardice and substituting intimidation for debate.
