The second sincerest form of flattery

One of my research interests is applying the principles of "human-scale" security (such as mechanical locks and alarm systems) to computer science. Although human-scale systems are almost always imperfect, their failure mechanisms are often much more gradual and more predictable than their information security counterparts, and I believe that by better understanding why this is we might be able to build computer systems that behave in similar ways.

Several particularly interesting illustrations of the phenomenon of gradual and predictable security failure can be found in safes and vaults. I'm working on a survey paper, tentatively entitled "Safecracking for the computer scientist," that I hope will stimulate other researchers to think along similar lines. Last month I finished a first draft and put it on my web site. (For those who've not seen it, it's at http://www.crypto.com/papers/safelocks.pdf.)

Although the paper is only of rather narrow interest, a couple of weeks ago the wildly popular "Slashdot" news site discovered and linked to the draft; somewhere around 50,000 people downloaded the (large) pdf file that weekend.

My web server survived Slashdot's attention, but I was somewhat taken aback by what happened next.

A couple of years ago I wrote a paper about weaknesses in the keyspaces of master-keyed mechanical locks (it marked the beginning of my understanding of the depth of the similarities between information and physical security). Some locksmiths were outraged that I would publish a paper "revealing" security vulnerabilities in what they believed to be a closed field. See http://www.crypto.com/papers/kiss.html for details, but to make a long story short, some locksmiths do not approve of disclosing vulnerabilities in locks to the "general public," on the grounds that open discussion aids the bad guys more than it helps the good guys. (I don't agree -- and the scientific method's requirement for open scrutiny and debate does not provide an exemption when the subject involves security -- but that's another story for another time.)

Perhaps predictably, there has been a similar reaction to my recent draft on safe locks. Shortly after Slashdot linked to the paper, one or more locksmithing trade groups discovered it as well . The response of some locksmiths to the draft has been at least as negative as it was to my master keying paper. I've received quite a bit of uncomplimentary email from locksmiths, and I'm told that locksmithing message boards have recently been abuzz with messages about what a scoundrel I must be to again have written such an "unethical" and "irresponsible" paper.

Ironically, the theme of my safecracking survey is that while safes aren't perfect, they largely meet their requirements, and indeed, computer security would do well to emulate their security principles. Nothing in my paper (and indeed, no techniques of which I'm aware) would allow one to quickly open decent quality safes. The paper's conclusion is that even if one is fluent in the (not very) secrets of the safecracking trade, the measurable security of even relatively modest safes allows them to be used quite effectively for their intended applications (especially as part of larger security systems that complement the safes' limitations). I certainly don't think it would have been in any way "unethical" to have published an analysis that reached a different conclusion, but my paper as written could hardly be considered an attack against the safe industry or its products.

As with the reaction to my master keying paper, many of the complaints I've received are self-contradictory and emotionally charged, often invoking "homeland security" in unspecified but ominous ways. I've developed a thick skin against this sort of thing, and I try not to take it personally (although it's a bit disturbing to have so many people so angry with me over my work). It's rather like being accused of witchcraft; many of the complainers don't seem to be seeking a reasoned debate but are instead venting a broader range of unspoken frustrations that go well beyond either me or my papers. There is simply no effective way to debate on these terms, especially against an angry mob.

In any case, some locksmiths have apparently been trying to organize a letter writing campaign aimed at various officials at my university (U. Penn), and I'm told that my department chair, my dean, the provost, and the head of campus security have each received (a handful of) letters complaining about me. Of course, Penn's support for the basic principles of academic freedom would protect me even if these officials agreed that my paper was somehow inappropriate (this, after all, is exactly what the tenure system was designed for). But some of the letter writers seem to have unwittingly stumbled upon a weapon that could potentially be very effective (in other contexts) at silencing Internet-based debate. They have accused me of copyright infringement.

My paper is heavily illustrated with photographs of safe locks and their components. Several letters have (accurately) pointed out that these photographs are protected by copyright and that by distributing my paper I'm also distributing copyrighted material. This, I must admit, is entirely correct. But I created every one of the images myself, in my own studio, and with my own materials, cameras and computers. I arranged the subjects, lit them, and photographed them. The results are copyrighted, to be sure, but I hold the copyrights.

Fortunately, my university is not in the habit of removing the online papers of its faculty without checking with us first, and my paper has remained on my web site unmolested by these spurious copyright claims. But it occurs to me that, given the relevant provisions of the DMCA, a more timid ISP might have reacted quite differently, choosing instead to take down the controversial content until I could prove (or at least assert) that I have the rights to the images in question. This could take days or even weeks, depending on the level of proof demanded. Such a tactic could be a very effective way to harass or suppress authors of controversial material, and, if done with the sort of vague wording used in the letters about me, would appear to leave the author with no recourse against anybody. The letter writers didn't actually claim copyright, but simply raised the issue. An ISP (had it over-reacted) could plausibly claim that they were simply protecting their interests in quickly taking the questionable material offline.

I suspect that, in my case, the organizers of the letter-writing campaign were not dishonestly attempting to exploit the DMCA, but instead genuinely assumed that I had copied my images from some commercial source. A friend suggested that I should take this as a compliment; after all, if imitation is the sincerest form of flattery, perhaps being accused of copyright infringement is the second sincerest.

Matt Blaze
19 January 2005