CipherCloud Invokes DMCA To Block Discussions of Its Crypto System
New submitter brennz writes "Cryptographers on StackExchange were discussing CipherCloud, using some promotional material from the same to provide detail. CipherCloud responded with a DMCA takedown request that some have characterized as abusive."
back up again (Score:5, Informative)
StackExchange appears to have put the question back up [stackexchange.com], but removed from it the screenshots which the DMCA takedown demand claimed constituted copyright infringement.
The screenshots should be a pretty solid fair-use case, though, so even that part of the takedown demand is groundless.
Re:back up again (Score:5, Insightful)
There needs to be heavy punitive measures against this sort of thing.
Re:back up again (Score:5, Interesting)
There is no copyright "right" that is any equal to Human and Civil rights - including those of free speech.
There are two broad categories I like to use in describing laws and their application. Oppressive and Protective.
Oppressive law is mandated for the establishment and defence of Power.
Protective law seeks the institution and restoration of Justice.
DMCA is a prime example of oppressive law - and how tricky this distinction can be, as it masquerades itself as a measure for the protection of some natural right. In this case, the "rights" protected are - of course - merely a concession managed by the state, enacted through legislation and constitution.
Copyright in Universal Declaration of Human Rights (Score:2)
There is no copyright "right" that is any equal to Human and Civil rights - including those of free speech.
What document establishes the existence of "Human and Civil rights - including those of free speech" in more than one country? The Universal Declaration of Human Rights [un.org], for example, mentions freedom of expression in article 19 but mentions copyright in article 27(2).
Re: (Score:3)
Fuck that,
Copyright laws are important. If I make a software, I WANT all the users to pay me for my creation. If you don't use it don't pay, make it yourself, it will only take you 20 weeks of coding. But if I made it, I should be paid by all the users. PERIOD. I don't care that it's bits and they could be copied easily. I have the moral right to decide who can use what I made.
You are clearly an evil capitalist or a sock puppet for MPAA / RIAA / some other content conglomerate. There are no real people who believe in copyright law being applied to bits and bytes, especially not people who develop software since we are all communist hippies who think everything should be free.
Of course I actually agree with you though even though you may well be a troll :)
Oops. (Score:2)
Adam Savage: "Well there's your problem!"
Re: (Score:2)
No troll,
just an independent iOS developer trying to make a living on the appstore...
Good luck with that
Nonliteral copying (Score:2)
If you don't use it don't pay, make it yourself, it will only take you 20 weeks of coding.
George Harrison tried making music himself, and Bright Tunes Music still sued and won. Xio Software tried making software itself, and The Tetris Company still sued and won.
Re:Copyright in Universal Declaration of Human Rig (Score:4, Insightful)
"Fuck that, Copyright laws are important. If I make a software, I WANT all the users to pay me for my creation."
Copyright laws may be important, but they also need to be reasonable, and they also have to allow for "fair use". Anything else is a genuine crime against society.
A single screen cap out of a video, as part of a discussion about the product, is CLEARLY fair use, by U.S. law.
The problem here isn't the concept of copyright law. The problem here is greedy corporations and abusive laws like the DMCA.
Fair use; exclusive licensing (Score:2)
1. Funny, how you conveniently omitted, that the paragraph right in front of that states the exact opposite: "(1) Everyone has the right freely to participate in the cultural life of the community, to enjoy the arts and to share in scientific advancement and its benefits."
2. This complete self-contradiction is yet another one of the many things that make this declaration such a ridiculous joke that nobody gives a shit about. How could you possibly follow that contradict themselves
I see 27(2) as describing copyright and 27(1) as describing fair use.
This is NOT EVEN related to copyright! It talks about author's rights!
The French word for copyright is droit d'auteur which literally means right of author. It is intended as a culturally neutral way to refer to the concept of exclusive rights reserved to the author.
You are aware that "copyright" is a DISTRIBUTOR's right
The U.S. Constitution specifies that Congress grants exclusive rights "to authors and inventors". Are you referring to works of corporate authorship, or are you referring to standard form contracts in various parts of the publishing industry that
Re: (Score:2)
Just to play Devil's advocate I suppose the proponents of the DMCA would argue that it protects their right to property. The fact that it is non-physical property is irrelevant, they still have a right to own and control it.
The mistake is to equate physical property with intellectual property, and even copyright doesn't try to do that in most countries. Still, that is their line and they appear to be sticking to it.
Re: (Score:2)
You have a right to protect your life too, but that doesn't mean you can go around putting everyone you think is reaching for a gun in a headlock.
Re: (Score:2)
The fallacy began with the introduction of the spurious concept: "Intellectual Property".
Copyright was introduced in the US with the Constitution in 1789. It was similarly afforded corollary recognition under Napoleon in France, sometime later.
Never were the rights of a trademark holder or author equated with the rights of real property, in these formulations. They were exclusive franchises for limited duration. Shakespeare, Moliere and Charles Brockden Brown are property of the public - a concept that a
Re:back up again (Score:5, Insightful)
Well, now everyone knows beyond a shadow of a doubt that "CipherCloud" is insecure, or else they wouldn't have tried to suppress the conversation. Since their whole business is as a security provider...
Re: (Score:2)
Re: (Score:2)
There needs to be heavy punitive measures against this sort of thing
Please explain why. There is a law in place that gives websites free harbour, while giving copyright holders a way to take down copyrighted materials that they own. And you say there should be heavy punitive measures against using your legal rights? If you put the material up then you can inform the website that you are not committing copyright infringement. Should there be heavy punitive measures against that as well?
Re: (Score:3, Interesting)
Adding CipherCloud on blacklist of non-recommended products/companies for my clients. Point. Issue closed at....
Re: (Score:2)
There needs to be heavy punitive measures against this sort of thing.
There ARE punitive measures against this sort of thing - they were added to counter concerns that content rights-holders would abuse the DMCA for just this sort of purpose.
Putting it in simple terms, the problem is that the person/organisation receiving the DMCA takedown has to (a) file an appeal against the takedown, and then in order for the punitive measures to kick in, they have to (b) prove that the organisation issuing the DMCA notice did so maliciously, knowing that they had no right to demand take-d
...characterized as abusive... (Score:5, Insightful)
There is no other way to characterize the DMCA.. It was no accident.
Re: (Score:1)
DMCA is very useful for GPL enforcement!
Re: (Score:2)
Are we this deep into a Slashdot thread, without ONE joke being made about "Homomorphic" Encryption?
Sheesh!
Re: (Score:3, Insightful)
That would imply reading the article. But at least now I can understand the nature of the takedown.
Why, it looks like young men playing leapfrog.
Re: (Score:2)
Ordinarily, I'd be all like "Aren't there any girls?" but then I remembered where I am.
Re: (Score:2)
Guess which political party the MAFIAA bought [opensecrets.org] in order to get the DMCA passed?
Yeah, the party that LOVES more and more government.
The very same party that by some crazy-ass "logic" thinks that the same government that runs the TSA should run health care for everyone.
Imagine that.
(How the hell can the Slashtards who rail against rampant government incompetence when the TSA is involved or when the Patriot Act or warrantless wiretaps are mentioned suddenly love handing over 1/6 of the economy and control of their health care decisions to the same bureaucrats? IT'S THE SAME OVERWEENING INCOMPETENT GOVERNMENT YOU FUCKING MORONS! IT ISN'T GOING TO MAKE ANYTHING BETTER BECAUSE IT NEVER HAS!)
It was passed unanimously which means some republicans voted for it too. This is especially true since they controlled the senate and the house of representatives in 1996 when it passed. http://en.wikipedia.org/wiki/Republican_Revolution [wikipedia.org]
If the GOP gave two shits about the DMCA they have had ample opportunities to change it since. They haven't because they don't give a shit. Maybe the only reason for the vast payments to the Democratic party that year is simply because they needed more buying off, the republ
We know how good CipherCloud is (Score:5, Interesting)
Re: (Score:3)
Streisand effect, anyone? (Score:5, Insightful)
Re:Streisand effect, anyone? (Score:4, Funny)
It is generally sound practice to stay clear of anything that has the word "Cloud" in the name.
Cloud Strife, Dark Cloud, SoundCloud (Score:4, Funny)
It is generally sound practice to stay clear of anything that has the word "Cloud" in the name.
So would Final Fantasy VII characters [wikipedia.org], PS2 games [wikipedia.org], and replacements for the old MP3.com [wikipedia.org] be part of your "generally" or part of the exception?
Re:Streisand effect, anyone? (Score:5, Informative)
There's meta discussion here, including links to cached copies...
http://meta.crypto.stackexchange.com/questions/250/ciphercloud-dmca-notice [stackexchange.com]
Busted Wide Open as Shit in the Comments (Score:5, Informative)
One guy comes right in with an answer that pretty much blows CC's false BS claims out of the water.
That's why the DMCA was invoked, to hide their criminal lying. That's why the images were removed, because all it took was a look at the images to figure out their bullshit.
Security credibility DEPENDS on peer review (Score:5, Insightful)
The question whether something promoted as "secure" actually is depends highly on exactly this: Someone coming and trying to break it. It's not like any other software product you use, where you, the user, can easily tell whether it does its job or not. You use some word processing software, you can instantly check whether it does what YOU want it to do (even if it happens to fail in some other department, you'll easily be able to tell whether it does what YOU want). You use some game, you can easily tell whether it gives you what you wanted in it.
Security software ... not quite. Whether it delivers what it promises isn't something you can check as the average user. Because, as the average user, you don't "use" it. Even as the person responsible for security in a company, you hardly have the time nor necessarily the knowledge to test it thoroughly. And before someone pipes in with "but if you can't break through bad security, you fail at your job", be aware that the job description for CISO hardly includes doing pen tests. If anything, you order them from companies who have the time and money to keep current with security issues.
So the question whether a product is good or snake oil highly depends on peer review, on people going out and hammering it. If you now go out of your way to keep people from just doing that, well, how should I judge such a move? This is much like a scientist publishing a breakthrough in anti-gravity, while at the same time forbidding everyone to attempt to reproduce his results.
That's about as much credibility as is left after such a move.
Re:Security credibility DEPENDS on peer review (Score:5, Insightful)
Re:Security credibility DEPENDS on peer review (Score:4, Interesting)
Allow me to let you in on a secret: A good portion of people writing "security" software don't really understand it either. You can tell when you review it. There is a fair lot of cargo cult programming going on, coupled with the use of libraries without first reviewing them or understanding their inner working or at least knowing to what degree it is self-sealing or how far you have to sanitize the input. This by itself is not yet a huge problem, as long as the libraries themselves work flawlessly, they are well and completely documented (and that documentation actually gets read) and they are being used correctly. And those things are more often than not a real problem.
Now couple this with programmers using a lot of copy/pasting to get their programs written, often from rather dubious and not reviewed sources (you know the kind, where self proclaimed experts exchange their ideas what programming is like...), possibly copying snippets that were by no means MEANT to be secure or sanitized, and I guess I needn't go into detail.
Re: (Score:3, Insightful)
I know. But I don't have to add to bad software. And as a self-taught freelancer I have to be a little bit more aware of my reputation. Taking cryptography-related tasks would be a lose/lose situation for everyone.
Re: (Score:1)
Thank you for being responsible, and knowing your limits as a software author. We *don't* need more bad code in the world.
Slight nuance (Score:4, Interesting)
Cryptographics? In a few hours I could conjure up cryptographic algorithms, which encrypt text in a way I could not decrypt myself in a 1000 years. Too bad I can never be sure that a cryptographic expert could read my encryption almost like plain text. Odds are that exactly something like that would happen.
You have a healthy respect for cryptography, and that's good. However, I will point out that many standard crypto algorithms have test suites. If your crypto implementation yields the expected result for all the test cases, then you can be reasonably certain that your implementation is correct rather than having self-canceling bugs on encrypt/decrypt.
However, then you have to ask yourself *why* you are reimplementing a standard crypto algorithm when there are multitudinous well-tested libraries available for such.
Of course, this neglects implementation concerns like timing attacks, improperly secured key material, etc... which one would hope that the standardized, well-tested implementation libraries have already addressed insofar as possible.
Re: (Score:2)
Exactly. If it was only calling some functions in a lib, I would not worry much. But there are just too many boundary conditions I simply don't know. Would I be able to learn? Perhaps. Would it pay? Probably not. I'd have to be more alert to changes in security related technologies than I have to be in most other areas. This would only make sense if I totally focus on security and cryptography rel
Re: (Score:1)
Exactly. If it was only calling some functions in a lib, I would not worry much. But there are just too many boundary conditions I simply don't know. Would I be able to learn? Perhaps. Would it pay? Probably not. I'd have to be more alert to changes in security related technologies than I have to be in most other areas. This would only make sense if I totally focus on security and cryptography related stuff. And before I get really high paying jobs I'd have to make a name of myself with this kind of work. Difficult for a freelancer in my position. And for me a bit boring, too. I like to have projects in constantly changing companies and areas.
You can use library implementations of a cipher, with library methods for handling padding and initialisation vectors, etc, and still be vulnerable e.g. predictable initialisation vectors, block swapping and padding oracle attacks. Cryptography implementations are only a very small part of the problem; you also need to know how to use it appropriately, which modes of operation are appropriate and secure for your use case, etc.
Short of actually training to be a cryptographer, it is best to leave it to someon
Re: (Score:2)
Well, "peer review" isn't limited to reviews by people who know at least as much if not more about a matter as the person being reviewed. But you're right, if someone who has only a passing knowledge in the subject can debunk it as snake oil, something's REALLY wrong.
And before you go all "they had it coming" on those buying into their solution, be aware that the average IT guy in a company is nothing but a manager. Hell, I'm slowly turning into one. I just don't have the time anymore to keep on the "edge"
"Per word" encryption + unencrypted punctuation. (Score:2)
And this review pretty much shows that CipherCloud only performs
-- uses the same separator code-word to delimit each new encrypted word
-- does no encryption on punctuation marks
-- leaves itself wide open to word-frequency attacks
And the image is a very necessary way to show it, though each reader could go to the ciphercloud web site and try it out themselves.
Strangely, I can see their point of view of DMCA'i
Re:"Per word" encryption + unencrypted punctuation (Score:5, Funny)
Re: (Score:2)
OMFG, that's great. May I use that phrase? I can well need it from time to time in meetings.
Probably not secure then. (Score:5, Insightful)
Look elsewhere--the only thing that should be obscure about a crypto system is the key.
On a positive note (Score:1)
If Ciphercloud invokes DMCA on enough content, it will be difficult to determine the original message from "[image removed due to DMCA request]"
here are some of the links in the dmca notice (Score:5, Informative)
Re: (Score:2)
The last link is laughable - their 5 minute tour starts with a 5minute and 58 second video.....
Anyway (Score:2)
DMCA, in theory, is to stop people copying around the Internet the hard work creative efforts of people. It's not to stop a screenshot of something being discussed.
Re: (Score:3)
Perhaps, but in practice it doesn't matter what it was *intended* to do, only what the wording allows it to be *used* to do. And in this case, it's being used in an attempt to block unfavorable discussions.
That said, the original discussion's use would almost certainly fall within fair use, so they could just respond to the DMCA request and get their stuff put back up, putting the ball back into the court of the company sending the request. And having no case, they should drop it. Still abusive, but at leas
Re: (Score:2)
Perhaps, but in practice it doesn't matter what it was *intended* to do, only what the wording allows it to be *used* to do. And in this case, it's being used in an attempt to block unfavorable discussions.
That said, the original discussion's use would almost certainly fall within fair use, so they could just respond to the DMCA request and get their stuff put back up, putting the ball back into the court of the company sending the request.
They could indeed respond to the DMCA request and get their stuff put back up. But then, potentially, lawyers get involved. And when lawyers get involved, it gets very very expensive. Maybe the EFF or the ACLU will take your case, but they don't have the staff or money (donate [eff.org] today [aclu.org]!) to take every case, so they might not be able to, in which case you'll have to hire your own.
Re: (Score:2)
The EFF and ACLU are only going to take cases that they think are going to have large impacts -- set precedent, get widely publicized, etc. They just don't have the resources.
You are correct, of course. Of course, by responding to the DMCA and getting your stuff put back up, you're telling them exactly who they should hassle legally. And even without a case, they can cause a lot of grief. Which is part of why I wish there was a penalty for bogus claims.
Re: (Score:2)
I do wish the DMCA had provisions to punish for obviously invalid invocations of it, however.
It does. Things like fraudulent claims of ownership are punishable. The thing is this isn't obviously invalid. It is very likely invalid. There is a bar it just is much further along.
Besides generally you want people to be able to object in an official way rather easily and that's all a DMCA claim is, an on the record objection.
The Streisand effect strikes again (Score:3)
I just poked around the Stack Exchange API, and it seems several CipherCloud questions have been catapulted into the hottest questions in that site's history.
DMCA + generic "defamation" C&D (Score:2)
It's not only a DMCA request; there is also a traditional cease-and-desist lawyer letter tacked onto the end, ordering StackExchange to ban a particular user and remove the actual (user-written) text of specific posts, via the usual bluster ("false and misleading", "defamation", "lanham act",...).
Talk about Shooting yourself in the foot (Score:2)
These folks are idiots for issuing a DMCA in regards to their own material. Guess who won't be in business much longer.
Do not judge us from what we show! (Score:2)
The taken-down images, and the promotional video around 2:53
http://pages.ciphercloud.com/AnyAppfiveminutesdemo.html?aliId=1 [ciphercloud.com]
make it clear that in these promotional materials, identical plaintext leads to identical ciphertext.
Ciphercloud's DMCA takedown notice
http://meta.crypto.stackexchange.com/a/258/555 [stackexchange.com]
rebuts that as wrong ("Ciphercloud's product is not deterministic"), with a key point at the beginning of page 3:
"[detractor] implies that what was perceived from a public demo is Ciphercould's product offeri
Could have answered themselves (Score:1)
If they were doing secure encryption they could have just answered the question themselves. Since they instead went for silencing the critique, I guess the security of CipherCloud must be pretty bad.
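The leakage described in the comments above ("per word" encryption with unencrypted punctuation, and identical plaintext giving identical ciphertext), shown as an added example that is not part of the thread and is not CipherCloud's algorithm. The toy per-word cipher, key and sample sentence are all constructed; it runs in a deterministic and a randomized mode and compares the token repeat counts an observer sees without the key.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

KEY = b"constructed-demo-key"   # constructed key, for this demo only
SAMPLE = "the cat saw the dog. the dog saw the cat, and the cat ran!"  # constructed


def _keystream(nonce: bytes, n: int) -> bytes:
    return hashlib.shake_256(KEY + nonce).digest(n)


def encrypt_word(word: str, deterministic: bool) -> str:
    """Toy cipher (assumption, not any product's scheme): nonce || word XOR keystream.

    deterministic=True derives the nonce from the word, so equal words give
    equal ciphertexts; False draws a fresh random nonce for every word.
    """
    data = word.encode()
    nonce = (hmac.new(KEY, data, hashlib.sha256).digest()[:8]
             if deterministic else os.urandom(8))
    body = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    return (nonce + body).hex()


def decrypt_word(token: str) -> str:
    raw = bytes.fromhex(token)
    nonce, body = raw[:8], raw[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode()


def encrypt_text(text: str, deterministic: bool):
    """Encrypt runs of letters only; spaces and punctuation stay in the clear."""
    parts = re.split(r"([A-Za-z]+)", text)   # odd indices are the words
    return [("ct", encrypt_word(p, deterministic)) if i % 2 else ("clear", p)
            for i, p in enumerate(parts) if p]


def decrypt_text(parts) -> str:
    return "".join(decrypt_word(v) if kind == "ct" else v for kind, v in parts)


def repeat_profile(parts):
    """How often each ciphertext token repeats, as seen without the key."""
    counts = Counter(v for kind, v in parts if kind == "ct")
    return sorted(counts.values(), reverse=True)


def word_profile(text: str):
    """The same statistic computed on the plaintext words, for comparison."""
    return sorted(Counter(re.findall(r"[A-Za-z]+", text)).values(), reverse=True)


if __name__ == "__main__":
    for mode in (True, False):
        parts = encrypt_text(SAMPLE, mode)
        print("deterministic" if mode else "randomized", repeat_profile(parts))
        print(" ".join(v[:8] if k == "ct" else v.strip() for k, v in parts))
```

Both modes decrypt correctly; only the deterministic one reproduces the plaintext word-frequency histogram in the stored ciphertext, and the clear punctuation exposes sentence structure in either mode. The toy also leaks word length in both modes.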