Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Your Rights Online

CipherCloud Invokes DMCA To Block Discussions of Its Crypto System 85

New submitter brennz writes "Cryptographers on StackExchange were discussing CipherCloud, using some promotional material from the same to provide detail. CipherCloud responded with a DMCA takedown request that some have characterized as abusive."
This discussion has been archived. No new comments can be posted.

CipherCloud Invokes DMCA To Block Discussions of Its Crypto System

Comments Filter:
  • back up again (Score:5, Informative)

    by Trepidity ( 597 ) <[delirium-slashdot] [at] [hackish.org]> on Sunday April 21, 2013 @01:12PM (#43510729)

    StackExchange appears to have put the question back up [stackexchange.com], but remove from it the screenshots which the DMCA takedown demand claimed constituted copyright infringement.

    The screenshots should be a pretty solid fair-use case, though, so even that part of the takedown demand is groundless.

    • Re:back up again (Score:5, Insightful)

      by TemperedAlchemist ( 2045966 ) on Sunday April 21, 2013 @01:43PM (#43510895)

      There needs to be heavy punitive measures against this sort of thing.

      • Re:back up again (Score:5, Interesting)

        by Jeremiah Cornelius ( 137 ) on Sunday April 21, 2013 @02:06PM (#43511033) Homepage Journal

        There is no copyright "right" that is any equal to Human and Civil rights - including those of free speech.

        There are two broad categories I like to use in describing laws and their application. Oppressive and Protective.

        Oppressive law is mandated for the establishment and defence of Power.

        Protective law seeks the institution and restoration of Justice.

        DMCA is a prime example of oppressive law - and how tricky this distinction can be, as it masquerades itself as a measure for the protection of some natural right. In this case, the "rights" protected are - of course - merely a concession managed by the state, enacted through legislation and constitution.

        • There is no copyright "right" that is any equal to Human and Civil rights - including those of free speech.

          What document establishes the existence of "Human and Civil rights - including those of free speech" in more than one country? The Universal Declaration of Human Rights [un.org], for example, mentions freedom of expression in article 19 but mentions copyright in article 27(2).

        • by AmiMoJo ( 196126 ) *

          Just to play Devil's advocate I suppose the proponents of the DMCA would argue that it protects their right to property. The fact that it is non-physical property is irrelevant, they still have a right to own and control it.

          The mistake is to equate physical property with intellectual property, and even copyright doesn't try to do that in most countries. Still, that is their line and they appear to the sticking to it.

          • You have a right to protect your life too, but that doesn't mean you can go around putting everyone you think is reaching for a gun in a headlock.

          • The fallacy began with the introduction of the spurious concept: "Intellectual Property".

            Copyright was introduced in the US with the Constitution in 1789. It was similarly afforded corollary recognition under Napoleon in France, sometime later.

            Never were the rights of a trademark holder or author equated with the rights of real property, in these formulations. They were exclusive franchises for limited duration. Shakespeare, Moliere and Charles Brockden Brown are property of the public - a concept that a

      • Re:back up again (Score:5, Insightful)

        by Anonymous Coward on Sunday April 21, 2013 @02:16PM (#43511077)

        Well, now everyone knows beyond a shadow of a doubt that "CipherCloud" is insecure, or else they wouldn't have tried to suppress the conversation. Since their whole business is as a security provider...

        • Stories like this always just astonish me. Surely companies like this would realise by now, that by pulling this kind of stunt, they are essentially slashing their own wrists. Bullying their way into a legitimate discussion about their product by making questionable demands that screencaps be taken down just a) raises suspicion about the quality of their product, b) generates a lot of negative publicity and c) turns the very people that their product is targeted at against them! Striesand effect FTW
      • There needs to be heavy punitive measures against this sort of thing

        Please explain why. There is a law in place that gives websites free harbour, while giving copyright holders a way to take down copyrighted materials that they own. And you say there should be heavy punitive measures against using your legal rights? If you put the material up then you can inform the website that you are not committing copyright infringement. Should there be heavy punitive measures against that as well?

        • Re: (Score:3, Interesting)

          by analyst-cz ( 1386075 )
          Being freelance data security consultant myself, seeing any (regardless of whether law-aligned or law-breaking) attempt to suppress discussion about security of some product/company initiated by producing/that company, it marks it as heavily suspect. This has nothing to do with the legality of the suppression act, rather with the suppression attempt itself.

          Adding CipherCloud on blacklist of non-recommended products/companies for my clients. Point. Issue closed at....
      • There needs to be heavy punitive measures against this sort of thing.

        There ARE punitive measures against this sort of thing - they were added to counter concerns that content rights-holders would abuse the DMCA for just this sort of purpose.
        Putting it in simple terms, the problem is that the person/organisation receiving the DMCA takedown has to (a) file an appeal against the takedown, and then in order for the punitive measures to kick in, they have to (b) prove that the organisation issuing the DMCA notice did so maliciously, knowing that they had no right to demand take-d

  • by fustakrakich ( 1673220 ) on Sunday April 21, 2013 @01:18PM (#43510759) Journal

    There is no other way to characterize the DMCA.. It was no accident.

    • by Anonymous Coward

      DMCA is very useful for GPL enforcement!

      • Are we this deep into a Slashdot thread, without ONE joke being made about "Homomorphic" Encryption?

        Sheesh!

        • Re: (Score:3, Insightful)

          That would imply reading the article. But at least now I can understand the nature of the takedown.

          Why, it looks like young men playing leapfrog.

  • by Anonymous Coward on Sunday April 21, 2013 @01:25PM (#43510791)
    If you have to go to such extremes to cover up what people are saying about your product, your product must really suck.
  • by bakuun ( 976228 ) on Sunday April 21, 2013 @01:31PM (#43510821)
    Now I know to stay well clear of anything that has to do with Ciphercloud. I certainly wouldn't have seen the Stack exchange discussion (much less the fact that Ciphercloud feels that cryptanalysis is bad for them) if they didn't do what they did, though. Thanks, Ciphercloud!
  • by Khyber ( 864651 ) <techkitsune@gmail.com> on Sunday April 21, 2013 @01:37PM (#43510867) Homepage Journal

    One guy comes right in with an answer that pretty much blows CC's false BS claims out of the water.

    That's why the DMCA was invoked, to hide their criminal lying. That's why the images were removed, because all it took was a look at the images to figure out their bullshit.

  • by Opportunist ( 166417 ) on Sunday April 21, 2013 @01:48PM (#43510921)

    The question whether something promoted as "secure" actually is depends highly on exactly this: Someone coming and trying to break it. It's not like any other software product you use, where you, the user, can easily tell whether it does its job or not. You use some word processing software, you can instantly check whether it does what YOU want it to do (even if it happens to fail in some other department, you'll easily be able to tell whether it does what YOU want). You use some game, you can easily tell whether it gives you what you wanted in it.

    Security software ... not quite. Whether it delivers what it promises isn't something you can check as the average user. Because, as the average user, you don't "use" it. Even as the person responsible for security in a company, you hardly have the time nor necessarily the knowledge to test it thoroughly. And before someone pipes in with "but if you can't break through bad security, you fail at your job", be aware that the job description for CISO hardly includes doing pen tests. If anything, you order them from companies who have the time and money to keep current with security issues.

    So the question whether a product is good or snake oil highly depends on peer review, on people going out and hammering it. If you now go out of your way to keep people from just doing that, well, how should I judge such a move? This is much like a scientist publishing a breakthrough in anti-gravity, while at the same time forbidding everyone to attempt to reproduce his results.

    That's about as much credibility is left after such a move.

    • by Takatata ( 2864109 ) on Sunday April 21, 2013 @02:29PM (#43511157)
      100% agreement. That's on user side. I am a freelancing software developer. The only project offers I strictly refuse are projects which involve cryptographic tasks. I just can't deliver. I am self-taught and did learning on the job in many projects. When I get the task to put a rotating green cube on the screen, I know the job is done when I see a rotating green cube on the screen. Even if I never did any 3D graphics before. Cryptographics? In a few hours I could conjure up cryptographic algorithms, which encrypt text in a way I could not decrypt myself in a 1000 years. Too bad I can never be sure that a cryptographic expert could read my encryption almost like plain text. Odds are that exactly something like that would happen.
      • by Opportunist ( 166417 ) on Sunday April 21, 2013 @02:59PM (#43511299)

        Allow me to let you in on a secret: A good portion of people writing "security" software don't really understand it either. You can tell when you review it. There is a fair lot of cargo cult programming going on, coupled with the use of libraries without first reviewing them or understanding their inner working or at least knowing to what degree it is self-sealing or how far you have to sanitize the input. This by itself is not yet a huge problem, as long as the libraries themselves work flawlessly, they are well and completely documented (and that documentation actually gets read) and they are being used correctly. And those things are more often than not a real problem.

        Now couple this with programmers using a lot of copy/pasting to get their programs written, often from rather dubious and not reviewed sources (you know the kind, where self proclaimed experts exchange their ideas what programming is like...), possibly copying snippets that were by no means MEANT to be secure or sanitized, and I guess I needn't go into detail.

        • Re: (Score:3, Insightful)

          by Takatata ( 2864109 )

          Allow me to let you in on a secret: A good portion of people writing "security" software don't really understand it either. [...]

          I know. But I don't have to add to bad software. And as self-taught freelancer I have to be a little bit more aware of my reputation. Taking cryptographic related task would be a lose/lose situation for everyone.

          • Thank you for being responsible, and knowing your limits as a software author. We *don't* need ore bad code in the world.

      • Slight nuance (Score:4, Interesting)

        by Anonymous Coward on Sunday April 21, 2013 @03:06PM (#43511333)

        Cryptographics? In a few hours I could conjure up cryptographic algorithms, which encrypt text in a way I could not decrypt myself in a 1000 years. Too bad I can never be sure that a cryptographic expert could read my encryption almost like plain text. Odds are that exactly something like that would happen.

        You have a healthy respect for cryptography, and that's good. However, I will point out that many standard crypto algorithms have test suites. If your crypto implementation yields the expected result for all the test cases, then you can be reasonably certain that your implementation is correct rather than having self-canceling bugs on encrypt/decrypt.

        However, then you have to ask yourself *why* you are reimplementing a standard crypto algorithm when there are multitudinous well-tested libraries available for such.

        Of course, this neglects implementation concerns like timing attacks, improperly secured key material, etc... which one would hope that the standardized, well-tested implementation libraries have already addressed insofar as possible.

        • Of course, this neglects implementation concerns like timing attacks, improperly secured key material, etc...

          Exactly. If it was only calling some functions in a lib, I would not worry much. But there are just too many boundary conditions I simply don't know. Would I be able to learn? Perhaps. Would it pay? Probably not. I'd have to be more alert to changes in security related technologies than I have to be in most other areas. This would only make sense if I totally focus on security and cryptography rel

          • by Anonymous Coward

            Of course, this neglects implementation concerns like timing attacks, improperly secured key material, etc...

            Exactly. If it was only calling some functions in a lib, I would not worry much. But there are just too many boundary conditions I simply don't know. Would I be able to learn? Perhaps. Would it pay? Probably not. I'd have to be more alert to changes in security related technologies than I have to be in most other areas. This would only make sense if I totally focus on security and cryptography related stuff. And before I get really high paying jobs I'd have to make a name of myself with this kind of work. Difficult for a freelancer in my position. And for me a bit boring, too. I like to have projects in constantly changing companies and areas.

            You can use library implementations of a cipher, with library methods for handling padding and initialisation vectors, etc, and still be vulnerable e.g. predictable initialisation vectors, block swapping and padding oracle attacks. Cryptography implementations are only a very small part of the problem; you also need to know how to use it appropriately, which modes of operation are appropriate and secure for your use case, etc.

            Short of actually training to be a cryptographer, it is best to leave it to someon

    • Re:Security credibility DEPENDS on peer review
      .
      And this review pretty much shows that CipherCloud only performs
      -- "per word" encryption into a limited range
      -- uses the same separator code-word to delimit each new encrypted word
      -- does no encryption on punctuation marks
      -- leaves itself wide open to word-frequency attacks

      And the image is a very necessary way to show it, though each reader could go to the ciphercloud web site and try it out themselves.
      .
      Strangely, I can see their point of view of DMCA'i

  • by Jeremy Erwin ( 2054 ) on Sunday April 21, 2013 @01:51PM (#43510963) Journal

    Look elsewhere--the only thing that should be obscure about a crypto system is the key.

  • by Anonymous Coward

    If Ciphercloud invokes DMCA on enough content, it will be difficult to determine the original message from "[image removed due to DMCA request]"

    • The last link is laughable - their 5 minute tour starts with a 5minute and 58 second video.....

  • DMCA, in theory, is to stop people copying around the Internet the hard work creative efforts of people. It's not to stop a screenshot of something being discussed.

    • by dougmc ( 70836 )

      Perhaps, but in practice it doesn't matter what it was *intended* to do, only what the wording allows it to be *used* to do. And in this case, it's being used in an attempt to block unfavorable discussions.

      That said, the original discussion's use would almost certainly fall within fair use, so they could just respond to the DMCA request and get their stuff put back up, putting the ball back into the court the company sending the request. And having no case, they should drop it. Still abusive, but at leas

      • Perhaps, but in practice it doesn't matter what it was *intended* to do, only what the wording allows it to be *used* to do. And in this case, it's being used in an attempt to block unfavorable discussions.

        That said, the original discussion's use would almost certainly fall within fair use, so they could just respond to the DMCA request and get their stuff put back up, putting the ball back into the court the company sending the request.

        They could indeed respond to the DMCA request and get their stuff put back up. But then, potentially, lawyers get involved. And when lawyers get involved, it gets very very expensive. Maybe the EFF or the ACLU will take your case, but they don't have the staff or money (donate [eff.org] today [aclu.org]!) to take every case, so they might not be able to, in which case you'll have to hire your own.

        • by dougmc ( 70836 )

          The EFF and ACLU are only going to take cases that they think are going to have large impacts -- set precedent, get widely publicized, etc. They just don't have the resources.

          You are correct, of course. Of course, by responding to the DMCA and getting your stuff put back up, you're telling them exactly who they should hassle legally. And even without a case, they can cause a lot of grief. Which is part of why I wish there was a penalty for bogus claims.

      • by jbolden ( 176878 )

        I do wish the DMCA had provisions to punish for obviously invalid invocations of it, however.

        It does. Things like fraudulent claims of ownership are punishable. The thing is this isn't obvious invalid. It is very likely invalid. There is a bar it just is much further along.

        Besides generally you want people to be able to object in an official way rather easily and that's all a DMCA claim is, an on the record objection.

  • by Bogtha ( 906264 ) on Sunday April 21, 2013 @02:22PM (#43511105)

    I just poked around the Stack Exchange API, and it seems several CipherCloud questions have been catapulted into the hottest questions in that site's history.

  • It's not only a DMCA request; there is also a traditional cease-and-desist lawyer letter tacked onto the end, ordering StackExchange to ban a particular user and remove the actual (user-written) text of specific posts, via the usual bluster ("false and misleading", "defamation", "lanham act",...).

  • These folks are idiots for issuing a DMCA in regards to their own material. Guess who wont be in business much longer.

  • The taken-down images, and the promotional video around 2:53
    http://pages.ciphercloud.com/AnyAppfiveminutesdemo.html?aliId=1 [ciphercloud.com]
    make it clear that in these promotional materials, identical plaintext leads to identical ciphertext.

    Ciphercould's DMCA takedown notice
    http://meta.crypto.stackexchange.com/a/258/555 [stackexchange.com]
    rebuts that as wrong ("Ciphercloud's product is not deterministic"), with a key point at the beginning of page 3:
    "[detractor] implies that what was perceived from a public demo is Ciphercould's product offeri

  • If they were doing secure encryption they could have just answered the question themselves. Since they instead went for silencing the critique, I guess the security of CipherCloud most be pretty bad.

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...