Digg this story   Add to del.icio.us  
Post to Bugtraq -- Go to Jail
Mark Rasch, 2002-08-05

HP's ill-advised DMCA threat actually had a few legal teeth. Will federal prosecutors soon start chomping at bug finders?

Imagine discovering a flaw in an operating system that would permit you to obtain root privileges. Imagine then posting information about this vulnerability to a message board dedicated to information security, along with a link to an exploit that could be assembled to take advantage of the vulnerability. Does the vendor of the OS congratulate you?

No. In the case of an engineer for SnoSoft who did precisely that last week, both he and his employer were rewarded for their diligence by a threat, not only of civil lawsuit by the vendor, but also of criminal prosecution under two separate federal and several state statutes.

On July 18, 2002, an engineer for SnoSoft posted a message to Bugtraq describing a buffer overflow exploit of Hewlett Packard's Tru64 UNIX operating system that could be used to get system privileges. Kent Ferson, a vice president in HP's Unix systems unit, responded by threatening both the engineer and his employer with criminal prosecution under the Digital Millennium Copyright Act ("DMCA") and the federal computer crime law.

What is more disconcerting than HP threats is the fact that, under the vague wording of the DMCA, there may be reason for others who post vulnerabilities to worry. A motivated prosecutor could use the vague wording of the statute to prosecute an unwary poster to a security board.

The DMCA was originally designed to protect copyright owner's rights to prevent the unauthorized display, use, or copying of their works. It attempted to do this by permitting copyright holders to use "technological measures" such as copy protection, encryption, or similar methods to regulate access to the copyrighted work, and criminalized the manufacture, use or dissemination of "circumvention" devices -- technology designed to defeat such copy protections or restrictions.

The way the statute was drafted, however, a technological measure is virtually anything that regulates access to the intellectual property. Under this expansive definition, an operating system itself, which controls access to a computer (which can contain copyrighted materials) can be considered a technological measure under the statute.

By analogy, a car door is a technological measure restricting access to the owner's manual (a copyrighted work) in the glove compartment.

Patching a Buggy Law
When the DMCA was being considered by Congress, there was much discussion about how it would affect information security. This debate did not focus on "posting" exploits as much as it did on ethical hackers. The DMCA explicitly permits "reverse engineering" of code, but only to achieve "interoperability" and not to discover vulnerabilities. Similarly, the DMCA permits "encryption research" but only if the person distributing the technological measure "made a good faith effort to obtain authorization [of the copyright holder] before the circumvention."

While the DMCA encourages the dissemination of vulnerability information about a copy protection scheme, to avoid criminal liability the poster must show that the information was "disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security."

The problem with the DMCA lies in the awkward definition of a "technological measure" designed to protect a copyrighted work. Although geared at copy protections, it is broad enough to include passwords, source code or anything that either prevents access to a copyrighted work, or protects any of the rights of a copyright holder.

We already knew that the DMCA empowers copyright holders to technologically prevent users from making fair and non-infringing uses of their works, and to pursue criminal prosecution against those who attempt to do what is effectively a legally permitted use.

Now it seems the DMCA can also be used to prevent embarrassment to vendors who fail to adequately secure software. By redefining the operating system as a "technological measure" and the posting of information about how to exploit vulnerabilities as "trafficking" in a circumvention device, the HP threat expands the scope of criminal law to what is probably First Amendment protected activity. There is no reason to believe that, in the future, a motivated prosecutor might not interpret the statute in a similar fashion -- particularly if the exploit is posted and then utilized to cause significant damage.

The HP nastygram went further than threatening a criminal prosecution under the copyright law. It also threatened a criminal prosecution under the Federal Computer Fraud and Abuse Act, Title 18 U.S.C. Section 1030 which, among other things, punishes those who "knowingly and with intent to defraud traffic in information through which a computer may be accessed without authorization" or to, "with intent to extort from any person any money or other thing of value, transmit in interstate or foreign commerce any communication containing any threat to cause damage to a ... computer." While neither of these apply to SnoSoft's conduct -- there was neither intent to defraud nor a threat to cause damage -- future security postings could run afoul of these statutes as well.

A few days after the HP letter was made public, a company public relations official reversed course, noting that the initial threat "was not consistent or indicative of HP's policy" and that "HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security."

But the HP debacle demonstrates that Congress needs to readdress the DMCA, and the WIPO treaty upon which it is based. A better balance must be achieved between the rights of copyright holders to protect their works and the many and various non-infringing uses of copyrighted works -- including discovering and disseminating information about software vulnerabilities.

Perhaps the most important lesson HP has learned from this experience is that engineers should not be permitted to practice law, just as lawyers should not be permitted to pretend to be engineers.

Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
    Digg this story   Add to del.icio.us  
Comments Mode:
Post to Bugtraq -- Go to Jail 2002-08-05
ktwo (1 replies)
Post to Bugtraq -- Go to Jail 2002-08-07
Post to Bugtraq -- Go to Jail 2002-08-06
Anonymous (1 replies)
Post to Bugtraq -- Go to Jail 2002-08-07
Psuedo-Anonymous Coward (1 replies)
Post to Bugtraq -- Go to Jail 2002-08-13
Mark D. Rasch
Post to Bugtraq -- Go to Jail 2002-08-08
Post to Bugtraq -- Go to Jail 2002-08-10
Post to Bugtraq -- Go to Jail -- Redux 2002-08-12
Annoyed at this whole mess
Post to Bugtraq -- Go to Jail 2002-08-14
A disgrunted American
Post to Bugtraq -- Go to Jail 2002-08-16


Privacy Statement
Copyright 2010, SecurityFocus