Alert: Important Legislative Alert

  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Alert: Important Legislative Alert
  • From: Russ <Russ.Cooper@RC.ON.CA>
  • Date: Thu, 25 Jun 1998 23:36:28 -0400
  • Comments: To: "NTSecurity (E-mail)" <NTSecurity@listserv.ntbugtraq.com>
  • Comments: cc: "john_ashcroft@ashcroft.senate.gov" <john_ashcroft@ashcroft.senate.gov>, "senator_hatch@hatch.senate.gov" <senator_hatch@hatch.senate.gov>, "jim_kerstetter@zdnet.com" <jim_kerstetter@zdnet.com>, "bugtraq@netspace.org" <bugtraq@netspace.org>
  • Reply-To: Russ <Russ.Cooper@RC.ON.CA>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

A copy of this message is posted at
http://www.ntbugtraq.com/editorials/WIPeOut.asp

Simple Nomad posted a message a few days ago regarding a World
Intellectual Property Organization treaty about Copyright Protection.
Fred Donck submitted a copy of a message sent to Bugtraq on Tuesday as a
reminder. This is my formal response to this bill.

Please read down at least as far as the "Why You Should Care" section.
This Law could attempt to shut down NTBugtraq and NTSecurity, together
with all other such valuable sources of information.

Background:
-----------

I should first point out that I am a Canadian living and working in
Canada. I have not yet investigated the status of this treaty in Canada
or Canadian legislation passed to enforce it. My comments are directed
at the swiftly passing U.S. Senate Digital Millennium Act of 1998 as
amended and passed, see;
http://thomas.loc.gov/cgi-bin/query/C?c105:./temp/~c105FTJICn)

It is expected that the Act will shortly become American Law, as reported
by ZDnet in;
http://www.zdnet.com/pcweek/news/0622/22wipo.html

Some background can be found at;
http://www.senate.gov/~rpc/rva/1052/1052137.htm
http://www.senate.gov/~judiciary/oghmille.htm
http://www.senate.gov/~ashcroft/privacy.htm

based on the WIPO treaty proposed and signed in Dec. '96;
http://www.wipo.org/eng/diplconf/distrib/94dc.htm

At the essence of Chapter 12 of this Act is the issue of Copyright
Protection Measures Circumvention.

Many have interpreted this to mean reverse engineering of software or
hardware, or analysis of cryptographic implementations.

As with most legislation, it's sufficiently broad to cover a wide
variety of interpretations, leaving much up to the courts, and
defendants, to define.

Why You Should Care:
--------------------

The legislation can quite reasonably be interpreted to say;

1. It is illegal to test, debug, or analyze software for any purpose
other than integration with an independent work you are creating.

If NT crashes for some reason, you cannot do these things using any
method other than those supplied to you by Microsoft (or methods they
approve specifically, such as something a support engineer might
prescribe). Assuming you could not boot your machine, your system must
stay down until such time as MS can help you fix it.

2. It is illegal to perform penetration testing.

Doing so might lead you to discover some aspect of the operation of the
copyrighted software, which would then be considered a violation of this
law. It's interesting that recently a multi-million (if not billion)
dollar industry has evolved doing just this. This law will make all such
applications illegal (like the ISS Scanner, or others).

3. It is illegal to do intrusion detection.

The law prohibits you from interfering with the transmission of a
copyrighted piece of work. So if John.A.Hacker puts a trivial copyright
notification in his program that performs a Denial of Service attack on
your network, you cannot interfere with its operation. As long as this
attack is not targeted at a specific copyrighted piece of work (e.g. NT,
or Win95) but at the network itself (e.g. a syn-flood attack),
John.A.Hacker is not violating the law himself.

Should you attempt to analyze the attack, say to discover just who it
was that shut your network down for a week, you would be violating their
copyrighted work.

4. It is illegal to interfere with Cookies.

Cookies represent a component of a web application, and as such, are
covered under the protections offered by this law. Therefore, if you are
able to receive cookies but choose not to, you are interfering with the
copyrighted work in transmission.

Of course this would also apply to any client-based agent that the site
may wish to download to your machine to collect information about what
applications you have installed. Any method of data collection that can
be instigated by a connection to a copyrighted application must be
allowed to perform its normal operations. Tampering is illegal.

5. Firewalls, or anything that Proxies transmissions and alters the
contents, can be construed as illegal.

Unless of course it happens to be attempting to do so to prevent Child
Pornography or Good Parenting (there's an exemption for that). If all
you want to do is ensure your employees are going to productive business
related sites, sorry, you are tampering with the copyrighted
application's capabilities.

Not only can you not alter outbound transmissions, but if you alter,
filter, or restrict inbound transmissions, you are again violating the
law. So if you strip JavaScript out of a web page, or take a virus out
of an email, you have violated this law.

Not to mention the fact that the logs of such devices, like Firewalls,
are, in themselves, a violation of the law. Information contained in
such logs may sufficiently disclose the copyrighted process used by a
"work", and as such, cannot be disseminated.

Of course Firewall vendors will be required to implement mechanisms to
prevent the dissemination of their logs as the law compels a vendor who
makes a product that might violate the copyright of another vendor to
take appropriate steps.

All Firewalls will end up like Microsoft's Netmon network monitor,
unable to display passwords or anything that might be considered
copyrighted material.

6. I could go on...

What About NTBugtraq?
---------------------

I have literally thousands of messages from the more than 13,000
subscribers of NTBugtraq and NTSecurity indicating just how valuable the
information found here has been to them.

I have no intentions whatsoever of stopping either service, EVER! The
service we provide to the community of interest we serve cannot be
replaced BY ANY MECHANISM. The Senate seeks to mandate into law the
practices of CIAC and CERT, receive report, notify vendor, and wait for
vendor response.

Not to diminish the capabilities of these organizations, but if they
were effective then NTBugtraq and NTSecurity wouldn't be necessary.

Besides, under this law, the practice would be altered. Since there
would only be the vendor to receive reports from, these organizations
would no longer be necessary (except to coordinate the dissemination of
information from vendors). Nobody would be reporting anything any more
because nobody would be legally allowed to discover anything (and if you
do, better keep your mouth shut!).

If we have to, we'll move the service to a location that has not
accepted the treaty and let the U.S. Gov't attempt to ban access to the
site.

Conclusions:
------------

The WIPO Copyright Treaty, in and of itself, is not the problem. Dr.
Kamil Idris, Director General of the World Intellectual Property
Organization states himself, in his welcome message, that the mandate of
the WIPO includes;

- that the progress of humankind, in the widest sense, rests upon its
capacity to advance ever further in the areas of technology and culture;

- that any such advance, be it by means of invention or artistic work,
represents an "intellectual property";

- that whoever originates or legally owns such a property deserves the
right to protection under the law against its unfair use (for example,
counterfeiting or piracy) by others;

- that by ensuring such legal rights, others will be encouraged to
expend time and resources on attempting to make other advances.

Clearly the U.S. Senate, in its interpretation of the WIPO treaty, has
missed the boat here. Their interpretation, and the legislation intended
to implement the treaty in the U.S., makes it illegal "to expend time
and resources on attempting to make other advances".

In the digital world we have seen numerous instances of digital
plagiarism, and consistently courts have favored progress over
propriety. The Senate would have us believe that we can discover what is
wrong with an application by asking the copyright owner for an analysis.

That's just plain stupid. Doing so gives away intellectual property. If
I am compelled to ask the vendor of software package "A" why it works
the way it does, or why it can't do something I want, how am I to define
what is missing and therefore potentially marketable?

If the only thing I can judge my purchase decision on is the surface of
the copyrighted work, how can I say I've exercised due diligence when I,
and my shareholders, know that it's possible to do more?

Attempting to legislate something that is entirely possible and
plausible into obscurity in the hopes that it will prevent it is akin to
the "war on drugs". Good media but lousy policy, and hardly enforceable
in a productive and socially beneficial fashion.

Should all of the security analysts in the world start finding covert
ways to communicate their consulting to their clients? Should all of the
copyrighted work vendors in the world employ security consultants when
only a fraction of the market wants security? Should companies stop
trying to assess their risks and put defensive strategies in place?

Senator Ashcroft, in his announcement of the Act, said;

"Another issue of concern is that unless product designers are
adequately consulted on the design and implementation of technological
protection measures and means of preserving copyright management
information, such measures may have noticeable and recurring adverse
effects on the authorized display or performance of works. Under such
circumstances, certain adjustments to specific products may become
necessary after sale to a consumer to maintain the normal, authorized
functioning of such products. Such adjustments, when made solely to
mitigate the adverse effects of the measure on the normal, authorized
operation of a manufacturer's product, device, component, or part
thereof, would not, in my view, constitute conduct that would fall
within the proscriptions of this legislation."

Great, but no provision was put into the Act to clarify just what "Such
adjustments" means. One might believe it means the alteration of a
software product to make it more secure, but with a $500,000 or 5 year
prison term facing the person who tries this, who would try?

Besides, just how would one determine what "adjustments" are required?
The Act prohibits me from investigating the "normal, authorized
functioning of such products" beyond what they are supposed to do. If it
doesn't do what it's supposed to, or what I consider "normal", where is
the exemption for me to investigate why?

Senator Ashcroft goes on to state;

"The truth of the matter is that Congress ought to operate
contemporaneously with industry to solve problems. Anytime the affected
industries beat government to the solution they ought to be praised. In
many respects I invite the private sector to be there first and get it
done well. If they are there first, they will often solve the problem.
Even when they cannot solve the problem, the private sector problem
solving process will at least narrow the issues for the government to
address. Getting a law passed is very difficult, getting it changed is
sometimes even more difficult, and so relying on government really
elevates the need to have no garbage in, to result in the right output."

Wonderful. The Digital Millennium is going to be controlled by the
Government and the Vendors. What happened to the consumer here? The
history of digital technology is that independent research, often from a
student or employee of a non-digital vendor, is what motivates the
technology.

Innovation is born out of research, building a better mouse trap
because you analyzed the old one and found something lacking or faulty.

You talk about the Gov't or Private sector being the ones who "solve
problems". Fact is, when it comes to security, neither have been very
good at solving the problems. The problems have typically been
discovered, and solutions proposed, by independents who don't profit
from their shared discoveries.

Bottom Line:
------------

Too much of this legislation is intended for cross-purpose. The same
laws apply equally to digital art work, video, radio, and all sorts of
digital transmissions (and analog).

While it may be realistic to place such controls on, say, Digital
Satellite Systems, where there is some integrity between sender and
receiver, laying it open to interpretation to all forms of transmissions
makes it unenforceable.

If I, in the process of taking normal precautions to protect my place of
business (and on-line Internet-based store) modify the underlying
"normal and authorized" operation of a copyrighted work based on
analysis I have done, and as a result have provided myself a level of
protection that has allowed me to conduct the business which I wish to
conduct, chances are I am not going to be found liable for copyright
violation.

The law says otherwise, and I'll have to go to court to prove my point,
and in the mean time many will be stifled because of the threat of
litigation.

I will happily collect letters of support and make their sentiments
available as appropriate. I'm not sure what if any effect this will
have, but I felt it needed to be aired.

Cheers,
Russ Cooper
R.C. Consulting, Inc.
Owner/Moderator NTBugtraq/NTSecurity@listserv.ntbugtraq.com