Dimitry Sklyarov: Enemy or friend?
While publishers fret over the potential of illegal copies of their books, Sklyarov's presentation reveals that they could be ripped off in an unexpected way: by producers of astonishingly inept cryptography software. Sklyarov is in jail for revealing that secret.
Publishers encrypt their books to prevent them from being read by anyone except the registered owner... they hope. But it turns out that the encryption software of at least two manufacturers is so weak that it can be broken instantly. One publisher, Sklyarov found, uses a cypher called rot13 that has been known since Caesar's time. An encryption vendor uses a cypher so weak that programmers refer to it as the "Hello World" of cryptography programs, and another embeds code key information in the document, so that the key can be found and used to unlock the document instantly.
Let's examine a few of Sklyarov's slides, courtesy of CMU Professor David Touretzky's Web archive. The slides are part of a presentation Sklyarov made two weeks ago at the DEF CON computer security conference. Sklyarov was arrested for distributing software that breaks the simple codes explained in these slides. His software allows you to read your own copy of an e-book using a different program, computer, or operating system than the one you've registered it for. Sklyarov's software is popular with blind people, who use it to feed e-books into speech synthesizers, and with readers who are afraid that their e-books will become unreadable after a computer upgrade or operating system change--a reasonable concern. Sklyarov remains in jail today, even though Adobe Systems Incorporated, which instigated the arrest, later regretted its own action and called for his release. In a New York Times editorial, Stanford law professor Lawrence Lessig asserts that Sklyarov hasn't broken any law. It's ironic that a Russian had to come to the U.S. to be arrested for what are essentially thought-crimes: allowing people access to books, and exercising his free-speech right by blowing the whistle on inferior products.
Sklyarov's arrest is one of the first under the Digital Millennium Copyright Act, which lowers an iron curtain on the act of reading or viewing digital media in the United States. The act was prompted by publishers who are afraid of wholesale copying of their work. But the act goes much too far, prohibiting the circumvention of a copy-control device that is necessary simply to read a book or watch a movie, regardless of whether or not the reader is the legitimate owner of their copy. DMCA proponents use the act to restrict your fair-use rights under copyright law: among them the right to read or view your own copy of the media, the right to sell a used book, lend it to a friend, or check it out of the library, and even the right to re-read a book without paying an additional fee. One of the earliest e-books was a textbook that expired and became unreadable at the semester's end, so that the students would not be able to resell it at the college bookstore.
If you are able to read an e-book with your own software, rather than the licensed program of the publisher, you might be able to circumvent these restrictions, or you could make illegal copies that can be read by others. So, DMCA proponents say, you must be prohibited from reading your own media with your own software. But they are ignoring the fact that the government grants the copy right to publishers in exchange for rights that the publishers grant the people, including fair use rights and the transition of a work into the public domain as a copyright expires. For decades, publishers have successfully lobbied to extend the duration of copyrights, so that their work would never enter the public domain. DMCA is a step against the remaining fair-use rights, completely skewing the balance of rights in the publisher's favor.
Sklyarov's slide show
So, what information did Sklyarov present at DEF CON?
Sklyarov's slide 5 goes over the cryptographic algorithm of E-Book Pro (warning--the site includes annoying pop-ups). The $197 e-book protection software is advertised as 100% burglarproof and claims a list of Fortune 500 companies as its customers. Sklyarov found that the software "encrypts" e-books by mixing each byte of the text with a constant byte. This is a technique so weak that it probably shouldn't even be called cryptography. Actually, the programmer was trying to mix the text with the word "encrypted." I guess he cynically felt he could say "it's encrypted" after doing that. Mixing with such a short, fixed string of characters would still have been a ludicrously weak encryption method, but a novice's mathematical mistake makes it even weaker. I suspect that e-book makers who have purchased this program might be interested in using that "lifetime money-back guarantee", if they can't get a version of E-Book Pro with better encryption.
Slide 12 goes over weaknesses in the FileOpen Systems e-book security program. FileOpen was chosen as an Adobe "security partner", which leads me to wonder how closely Adobe examines the cryptography used by its partners. Sklyarov found that the FileOpen software, which requires a $2500 publisher's license, puts key information in the encrypted document, which is sort of like leaving your car with the keys in the ignition. The code can be broken instantly. Users of the latest version 2.4 of this software might want to demand an upgrade with more competent cryptography. Surprisingly, many of those users seem to be scientific and technical journals. Even those sophisticated customers weren't able to determine FileOpen's weakness, because they had no source code and insufficient documentation of FileOpen's internal processes. Sklyarov had to find that out by meticulously examining the output of the software in a process of reverse-engineering, something the customer can't be expected to do.
In slide 11, Sklyarov goes on to expose an encryption method used by New Paradigm Research Group, who use it to encode documents that they sell for approximately $3000 per copy. NPRG doesn't appear to be deceiving anyone, because they encrypt only their own documents. Since there isn't much potential for bootlegging of the industrial reports they sell, they probably don't lose anything from the fact that their encryption is laughably weak. It uses a cypher called rot13 that, for each letter, substitutes the letter that comes 13 places after it in the alphabet, looping from Z back to A. Thus, A becomes N, and N becomes A. The Cryptoquote puzzles in newspapers use stronger code than this. Adobe ships a rot13 decoder as a toy example of how to encode e-books. I wonder if someone at NPRG didn't realize that the example was a toy.
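To make the two weakest schemes above concrete (the constant-byte mixing of slide 5 and the rot13 of slide 11), here is an added illustration in Python; it is not code from the column, from Sklyarov, or from any of the products named, and the key byte and sample text are constructed. It shows why a single repeated key byte gives no protection: one guessed plaintext byte recovers the key, and rot13 undoes itself.

```python
# Added example, not from the original column or from any product it discusses.
# Toy versions of two "encryption" schemes the column describes: XOR of every
# byte with one constant byte, and rot13. Both are shown so a reader can check
# that the constant can be recovered in one step.

def xor_constant(data: bytes, key: int) -> bytes:
    """Mix every byte with the same constant byte. XOR is its own inverse,
    so the same call both 'encrypts' and 'decrypts'."""
    return bytes(b ^ key for b in data)

def recover_xor_key(ciphertext: bytes, known_plaintext_byte: int = ord(" ")) -> int:
    """With one repeated key byte, a single known plaintext byte p at any
    position gives the key as c ^ p. Assumption: the document is English
    text long enough that its most frequent byte is the space, so the most
    frequent ciphertext byte XOR space is the key."""
    most_common = max(set(ciphertext), key=ciphertext.count)
    return most_common ^ known_plaintext_byte

def rot13(text: str) -> str:
    """Shift each ASCII letter 13 places, wrapping Z back to A. Because
    13 + 13 = 26, applying it twice returns the original, so decoding is
    the same operation as encoding."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

# Constructed sample "e-book" text; not a real document.
SAMPLE = b"It was the best of times, it was the worst of times, it was the age of wisdom"

def demo() -> dict:
    key = 0x5A  # constructed key byte; the real constant is not given on the page
    ct = xor_constant(SAMPLE, key)
    guessed = recover_xor_key(ct)
    return {
        "xor_key_recovered": guessed == key,
        "xor_plaintext_recovered": xor_constant(ct, guessed) == SAMPLE,
        "rot13_example": rot13("A N"),  # the A <-> N swap from the column
        "rot13_self_inverse": rot13(rot13("Hello, World")) == "Hello, World",
    }

if __name__ == "__main__":
    print(demo())
```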
Sklyarov's slide show goes on to expose other e-book encryption methods, some of them breakable instantly, some of them only in certain cases and with a significant expenditure of computer time. One thing that's clear from his slides is that his was a scientific presentation, and one of direct benefit to the very people who asked for his arrest.
It's important to note that the best cryptography manufacturers, companies like Counterpane and RSA, publicly disclose source-code and documentation on their cryptographic algorithms, and the resulting encryption still can't be broken in a practical amount of time when used correctly. When the source-code is kept secret, it's too easy for the vendor to sneak a weak implementation past his customers.
But however well cryptography can be made to work, it's fruitless to attempt to construct a cryptographic means of keeping data from being copied. Encrypted data can be copied as easily as any other data, and then can be viewed by anyone who has the encryption key. In the case of encrypted DVD video disks, every player contains the key, so copies of encrypted data play perfectly. In the case of e-books, one person's key can be used by everyone, and again encryption doesn't work. Publishers should admit this and find another strategy to protect themselves. Actively finding and prosecuting bootleggers for the act of producing illicit copies of books, as we've done for decades with audio and videotapes, probably remains the best defense. Prosecuting the creators and users of software that can read e-books, on the other hand, also prosecutes legitimate readers of those books.
Sklyarov remains in jail for the crime of whistle blowing and distributing a program that allows people to read books, something that should be considered a fundamental human right. There is no question that his software has a legitimate use--you should be able to read your own copy of an e-book with any software you wish to use, and his software is obsolescence insurance for e-book collectors. Those people might otherwise lose the right to read their own e-books as old reading programs and devices fail.
US Representative Rick Boucher (D-VA) had this to say about Sklyarov's arrest: "The arrest of Dmitry Sklyarov under federal copyright law for the creation of software that facilitates the exercise of individual fair use rights is a travesty. I urge his immediate release." Boucher was joined by the Electronic Publishers Coalition, the Electronic Frontier Foundation, and many others.
It's time for an amendment of DMCA to restore the concept of fair use in copyright law that DMCA abrogates, so that the legitimate owners of a copy of digital media won't be treated like criminals any longer. And while we're at it, it's time to get Sklyarov back to Russia and his newborn child.
Bruce Perens is co-founder of the open source initiative and has been a leading Linux developer since 1994. He is the primary author of The Open Source Definition, the canonical definition of open source software licensing. Perens hastens to point out that this commentary is his own opinion, and has nothing whatsoever to do with his employer.