EFF: Coders' Rights
By Ericka Chickowski | Posted 2008-10-02
From fighting patent trolls to establishing a coder's rights policy to protecting online civil liberties, the Electronic Frontier Foundation (EFF) is an organization dedicated to helping to define the gray area between the law, the rights of individuals and technology practices. This nonprofit has gained admiration across the board, from workaday admins and tech-savvy executives to rank-and-file geeks, for its 18-year-long crusade to protect individual rights to privacy and free speech on the Internet. What these supporters might not be aware of is that the EFF has its own business interests in mind, as well.
But the DMCA isn’t just used as a blunt weapon beating down reverse engineering. It is also one of several tools used by technology vendors to suppress valuable security-vulnerability information from ever seeing the light of day. The EFF has made a particular point to try cases on behalf of security researchers, who are being bullied into keeping quiet about security problems that can affect a wide range of businesses.
“Security research is critical for IT professionals because, quite frankly, a vendor is always going to tell you its product is rock solid, totally secure,” von Lohmann says. “And most IT professionals don't have their own in-house red team to test every one of those statements. So, it is incredibly important for all the customers out there that there are security researchers to kick the tires on all of this stuff to figure out if it works.”
But many of these vendors want to avoid the bad press of flagrant security errors and bugs, choosing instead to go through the courts to keep embarrassments at bay rather than simply fixing the problems.
“You have to have an open dialogue about problems, and the initial instinct of a lot of large institutions is to try to hide the mess,” the EFF’s Cohn says. “I think we're going to continue to be busy in this area for a while. I've watched this so many times now, handled many, many cases and advised more researchers than I can count on these issues.”
This was the situation recently, when a group of MIT students were sued to keep them from disclosing a very high-profile vulnerability in the card-swiping technology employed by the Massachusetts Bay Transportation Authority. The EFF swooped to their defense and got the initial gag order against the students lifted.
“They were very helpful to the students that were in my class, and I now think they should be commended for their work and help,” says Ron Rivest, a professor in MIT's Department of Electrical Engineering and Computer Science. “The question of disclosing vulnerabilities is a difficult one,” explains Rivest, “and there are always tensions between making vulnerabilities public and considering the current users and vendors and so on. [But] I think the field advances when the vulnerabilities are ultimately discussed and researchers have a chance to examine vulnerabilities and propose better solutions to them.”
Most recently, the EFF instituted a formalized Coders’ Rights Project that will bring together all of its legal work surrounding this issue to advance the rights of these researchers. The ultimate goal is to better protect businesses and consumers at large, according to Cohn and von Lohmann.