Dailydave mailing list archives

RE: Concerns of a Security Researcher in a DMCA world


From: "Dave Korn" <dave.korn () artimi com>
Date: Fri, 17 Feb 2006 18:31:48 -0000

On 17 February 2006 05:16, mplsmith () gmail com wrote:

I've recently been confronted with a question worthy of public debate.
According to the DMCA Copyright Law (http://tinyurl.com/cqdft ) TITLE 17,
CHAPTER 12, §1201 Subsection (J) the law permits copyright law exceptions
for security researchers.

  No, you've misunderstood.  The law permits security researchers to "bypass
an access control mechanism" that has been put in place for the purpose of
protecting copyright, but it doesn't grant you immunity from copyright law
itself; although you are allowed to bypass the anti-copying measures in order
to reverse engineer and study the security of the program, you aren't actually
allowed to go and start making and selling copies of it, which is what a
"copyright law exception" would actually mean.

A copyright according to what I've personally researched is "a limited
license to exploit an idea for commercial purposes" 

  No, that's a patent.  "Copyright" is the right of the creator of a work to
grant or deny permission to an individual or entity to make copies of that
work, to distribute it, and to publicly display / perform / broadcast it[1].
It is not a licence, which is a grant of rights by someone else who holds
those rights; it is a right that you yourself hold.  It does not permit you to
exploit an idea; you can do that anyway, it's your idea.  It does not require
you to exploit an idea; your copyright-protected work doesn't have to be
commercialised at all, but you the creator of that work still have the right
to control its copying.  You can distribute the protected work for free if you
wish, but you can still deny others from copying it, because the right to copy
that work belongs to you only.  Now, if you hold the copyright to something,
then you have as a consequence the power to /grant/ such a "... limited
license to exploit ..." to anyone you wish, but that's not the same as saying
that copyright /is/ the license. 

If copyright laws were originally designed to only ensure their owners
exclusive rights to profit from a copyrighted item, and DMCA specifically
permits exceptions for security testing then what exact actions/behavior
are researchers permitted to do?   

  As mentioned in my first answer, you are permitted to do *precisely* this
and nothing else: you may bypass an access control mechanism that has been put
in place for the purpose of protecting copyright.  Nothing else.

by the vendor. A simple example is software such as Winamp; its basic
version can be downloaded freely without any cost to us and therefore
making it easy to obtain, and review. The Winamp PRO version is a different
story; this version requires consumers to pay $19.95 thus making it
difficult for security researcher to easily obtain a copy and therefore
unable (without wasted expenses) to have the capability to review this
popular product in any reasonable way.      

  No, you can't rip some warez and then claim you were doing it to research
the security mechanisms therein.

  However, if you have legitimately purchased (or otherwise legitimately
obtained) a copy of winamp, and you wish to study it for security purposes,
you can (for example) break through the anti-debug wrapper and attach a
debugger, whereas if it were not for purposes of security research you would
be guilty of a DMCA offence for bypassing the mechanism that was put in place
to protect the copyright, EVEN IF YOUR PURPOSE WAS NOT TO BREAK THE COPYRIGHT.

The security exception portion of the current copyright law was designed to
ensure that the copyright law does not restrict, hinder or impact the
ability for vulnerability research to be performed regarding copyright
restricted items.   

  Yes; it became necessary because of the catch-all nature of the clause that
declares you guilty of a crime for bypassing an access control mechanism even
if you did not do so in order to copy the protected work.

What method of acquiring software is ethical, legal, and most importantly
realistic for researchers to succeed in performing much needed research?

  Not warez!  You can buy it, or if you can convince the maker that you are a
genuine researcher and that it would be worth their while to give you a copy
of their software in exchange for a free audit, you're good to go.

Should security researchers be required to pay for software that they only
review but never use? 

  It's up to the copyright holder.  If you can persuade them to send you a
free copy to review, fair enough.  If they tell you they don't want to give
you a free copy, you're SOL.  "Only review but never use"?  Of course you're
using it: you're using it as part of your trade of security researcher.

Is there a difference between borrowing a copy of
software vs downloading it from "other" sources? Should vendors be able to
deny researchers from reviewing their software either by requiring
permission or forcing researchers to pay for the software without ever
using it as it is intended?       

  Yes, of course.  This is silly.  The DMCA does not permit you to pirate
software and you won't get off the hook by claiming to have done it "for
research purposes".

The question is, why should security researchers need to pay full price and
maintain huge budgets to obtain all software which they reviewed. 

  Nobody's forcing you to BE a security researcher.  Nor is anyone forcing you
to choose to review for-pay software rather than freeware or open source apps.
It was _you_ who decided to earn a living this way, and if _you_ can't afford
the equipment and materials required to carry out your business, OF COURSE
that doesn't entitle you to go out and steal it.

If this
is the only legal way then how can a researcher realistically review
software such as Oracle without paying unrealistic/impossible amounts of
money simply to do research?

  It's not unrealistic/impossible.  You are a professional, doing a
professional job and using professional tools of the trade.  Which you have to
buy.

  If McDonald's was in a bit of a cashflow crisis, and they couldn't afford
beef, would they ask "Are we allowed to go out and rustle some cattle"?   No,
because the question would be silly.

In contrast to the Reverse Engineering exception requiring lawful obtaining
of a program, the Security Testing copyright exception (TITLE 17, CHAPTER
12, §1201 Subsection (J)) does not state anything about how the software is
obtained.

  Then there are no exceptions to the ordinary rules, are there, because
that's where they'd be listed, if there were any, isn't it?

Security testing is also incorrectly defined as "accessing a
computer, computer system, or computer network, solely for the purpose of
good faith testing, investigating, or correcting, a security flaw or
vulnerability, with the authorization of the owner or operator of such
computer, computer system, or computer network". This definition as it is
could never describe a valid copyrighted item 

  Computer + Software-under-test = "computer system".
  Software-under-test = copyrighted item.

and also has nothing to do
with reviewing applications/programs for vulnerabilities. Vulnerabilities
are specifically found in "computers, computer systems, or computer
networks"; they are found within software applications which execute on a
computer (such as BIOS software), execute on a computer system (such as
software applications), or execute on devices (such as IOS software) which,
when interconnected, make up a computer network.

How can security researchers succeed in this situation without
performing actions which may be construed as illegal due to the confusing
(grey area) of the law? Are we expected to pay out unreasonable amounts of
revenue to software vendors without a return, thus forcing the research
industry into a negatively profitable line of work? Is the industry
permitted to research only at the mercy of the software vendors, which truly
receive no positive return from independent security research?

  This is all nonsense I'm afraid, a combination of a few misunderstandings
and quite a lot of special pleading.  If you set up in business as a security
researcher, you have to BUY the stuff you will need to do the job.  If you set
up in any other line of business, you wouldn't ask "Say, do I have to buy pens
and paper and envelopes and stamps?  Why can't I just go out and steal some?
It's not fair that I should have to pay anything just in order to be able to
write letters... ".


    cheers,
      DaveK
[1] http://www.copyright.gov/circs/circ1.html#wci
-- 
Can't think of a witty .sigline today....
