Software Licensing: The Hidden Threat to Information Security
Richard Forno, 2002-01-23
Software licensing agreements may contain stipulations that could jeopardize your network's security.
As a security professional, I want - no, I NEED - to know the truth about the products used by my enterprise, and that won't come from the major software vendors.
As security professionals and pundits, we often focus on the technical side of security and are prone to overlooking quieter, but equally sinister, security risks that affect the confidentiality, integrity, and availability of our information assets.
We already know that nearly all software - from Microsoft Windows to Netscape Communicator and even much shareware - is licensed, not sold, under terms that disclaim the vendor's legal liability if the product fails, crashes, damages the system, ships with a virus, or causes any other problem, now or in the future. Naturally, in the rush to deploy the latest-and-greatest applications we rarely read the software license, and when we do, we seldom read it from a security perspective.
While software licensing - for better or worse - is not a new concept, what got me thinking was how such instruments, backed by federal and international law, pose information assurance risks to the enterprise. What concerned me was a recent editorial on Freshmeat.net that pointed out that Borland’s Kylix/JBuilder software license contained the following provision:
"12. AUDIT. During the term of this License and for one (1) year thereafter, upon reasonable notice and during normal business hours, Borland or its outside auditors will have the right to enter your premises and access your records and computer systems to verify that you have paid to Borland the correct amounts owed under this License and determine whether the Products are being used in accordance with the terms of this License."
By accepting the terms of this agreement, the licensee grants Borland the right to conduct random searches of the licensee’s property and networks. Note the complete absence of a non-disclosure agreement between Borland (or its agents) and the software licensee covering such audits. From an information assurance perspective - let alone traditional corporate security - I have a hard time granting a third party access to my networks and systems so that it can enforce its own software license provisions. This would give Borland a right of search and seizure that even the government doesn’t have. In the case of law enforcement, that’s what search warrants are for: only items covered in the court order are ‘fair game’ to be searched, not anything the searchers feel like going through. Borland’s license thus assaults the Constitutional principles of limited search and seizure that bind law enforcement entities.
Borland customers would be agreeing to open a non-technical vulnerability in their enterprise, giving untrusted outsiders free run of their networks and information assets in a manner that violates industry best security practices. (Note: To Borland’s credit, as of 16 January 2002, the firm is reportedly revising the licensing terms for the aforementioned products in the wake of the bad press the company has received.)
Licensing agreements may not only stipulate conditions that limit the licensee’s right to privacy; they may also infringe on the user’s right to discuss the product. In an August 1999 PC Magazine article entitled “The Test That Wasn’t”, lawyer Cem Kaner described how Oracle prevented the magazine from publishing comparative reviews of its products. According to Kaner, the magazine "planned to do something that has not been done in recent history: a comparison of database performance on the exact same hardware. Because a database software license prohibits publishing benchmark test results without the vendor's written permission, negotiating for permission is always a challenge...Oracle...formally declined to let us publish any benchmark test results."
PC Magazine decided not to run the review. Around the same time, Network Associates, maker of a major PC anti-virus software package, pulled a similar stunt, with a license that read, in part:
"The customer shall not disclose the results of any benchmark test to any third party without Network Associates' prior written approval...The customer will not publish reviews of the product without prior consent from Network Associates."
The PC Magazine incident occurred in 1999, just after the Digital Millennium Copyright Act (DMCA) was signed into law. DMCA, for the uninitiated, is an anti-consumer, anti-competitive, anti-knowledge law that was lobbied for by the entertainment industry cartels under the guise of ‘intellectual property protection.’ The DMCA was ostensibly introduced in order to provide copyright protection for e-commerce and electronic content providers. The reality is that it is rife with loopholes and language that run contrary to existing federal laws, not to mention the Constitution. In fact, the DMCA appears to many in the security community to be an attempt to muzzle criticism of vendors. In both of the cases mentioned above, the DMCA was the justification that Oracle and NAI could fall back on to deflect any public outcry over the suppressed benchmarks.
Further, the Uniform Computer Information Transactions Act (UCITA) being debated by state legislative bodies builds on the DMCA and existing shrink-wrap software license provisions in a very sinister fashion. One draft of the Act enabled software vendors to remotely disable their products and/or implement ‘time bombs’ that would prevent use of the product until the client renewed and paid for a new software license. That helps to explain why you see vendors rushing to network-enable their products and assign unique registration codes to their users - think of Microsoft’s 40-digit Office and Windows XP Product Activation or the new online music initiatives being pushed by the entertainment industry cartels. Not only does this mean you are truly ‘renting’ your software or music (when will there be an annual subscription to Microsoft Windows?), but a third party will be able to serve its own profiteering motives by potentially holding your information and business operations hostage! Fred Langa’s column of January 21 in Information Week expands on this potential scenario.
By agreeing to licenses under these conditions, users may unknowingly agree that the products they use may self-destruct, create technical vulnerabilities on their networks (perhaps for software license verification) and that their information assets could be held hostage if some bean-counter downstairs forgets to pay the annual operating system license on the corporate desktops.
From an information assurance perspective, consider the grave ramifications for the community if a vendor’s license prohibited industry reviews, benchmarks, or analysis of its products. Would you buy a particular anti-virus product if a magazine review said it couldn’t scan the horizon, let alone a computer virus? Absent independent analysis from magazines and e-mail lists, the computing public may never know not only which products are better than others, but which ones are safer and more stable than others. Would you knowingly deploy a product that continually “calls home” to its vendor, or that allows the vendor to lock the product and hold your information hostage?
This explains the current rush by the software industry to restrict the disclosure of software vulnerabilities: it’s less about making the Internet safer than about molding public perception so that a given vendor’s products or services appear to be what its marketing propagandists claim. In the vendor’s ideal world, nothing should be declared a “problem” with its products until the vendor declares it a problem, which is exceedingly unlikely to happen because it makes for bad PR.
From what I’ve seen, there are only a few cases (such as PC Magazine, above) where magazines have caved to software vendors and not run comparative reviews of various products. To my knowledge, none of the published reviews have been legally challenged - but they could have been. Any licensing provision that prohibits the independent analysis and discussion of a product’s features - including its shortcomings - can, and should, be legally challenged. Either that, or laws must be enacted that allow software users to seek legal recourse if products are faulty or otherwise endanger their information or the Internet in general. This was the recommendation of a report issued by the US National Academy of Sciences last week.
As a security professional, I want - no, I NEED - to know the truth about the products used by my enterprise, and that won’t come from the major software vendors. Objective security analysis and testing comes from researchers around the world who aren’t under the ‘thumb’ of a software vendor, and who are thus free to fold, spindle, and mutilate software and publish their results. This is the Internet’s answer to the US Consumer Product Safety Commission, and it has proven its worth to the Internet community time and again.
Further Reading
An Open Letter to Borland/Inprise Concerning Licensing
National Security and Individual Freedoms: How the Digital Millenium Copyright Act (DMCA) Threatens Both
BadSoftware.Com - Legal analysis of DMCA and UCITA from Cem Kaner
Anti-DMCA.org
Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.