Dailydave mailing list archives
RE: Concerns of a Security Researcher in a DMCA world
From: "Dave Korn" <dave.korn () artimi com>
Date: Fri, 17 Feb 2006 18:31:48 -0000
On 17 February 2006 05:16, mplsmith () gmail com wrote:
> I've recently been confronted with a question worthy of public debate. According to the DMCA Copyright Law (http://tinyurl.com/cqdft ) TITLE 17, CHAPTER 12, §1201 Subsection (J) the law permits copyright law exceptions for security researchers.
No, you've misunderstood. The law permits security researchers to "bypass an access control mechanism" that has been put in place for the purpose of protecting copyright, but it doesn't grant you immunity from copyright law itself; although you are allowed to bypass the anti-copying measures in order to reverse engineer and study the security of the program, you aren't actually allowed to go and start making and selling copies of it, which is what a "copyright law exception" would actually mean.
> A copyright according to what I've personally researched is "a limited license to exploit an idea for commercial purposes"
No, that's a patent. "Copyright" is the right of the creator of a work to grant or deny permission to an individual or entity to make copies of that work, to distribute it, and to publicly display / perform / broadcast it[1]. It is not a licence, which is a grant of rights by someone else who holds those rights; it is a right that you yourself hold. It does not permit you to exploit an idea; you can do that anyway, it's your idea. It does not require you to exploit an idea; your copyright-protected work doesn't have to be commercialised at all, but you the creator of that work still have the right to control its copying. You can distribute the protected work for free if you wish, but you can still deny others from copying it, because the right to copy that work belongs to you only. Now, if you hold the copyright to something, then you have as a consequence the power to /grant/ such a "... limited license to exploit ..." to anyone you wish, but that's not the same as saying that copyright /is/ the license.
> If copyright laws were originally designed to only ensure their owners exclusive rights to profit from a copyrighted item, and DMCA specifically permits exceptions for security testing then what exact actions/behavior are researchers permitted to do?
As mentioned in my first answer, you are permitted to do *precisely* this and nothing else: you may bypass an access control mechanism that has been put in place for the purpose of protecting copyright. Nothing else.
> by the vendor. A simple example is software such as Winamp; its basic version can be downloaded freely without any cost to us and therefore making it easy to obtain, and review. The Winamp PRO version is a different story; this version requires consumers to pay $19.95 thus making it difficult for security researchers to easily obtain a copy and therefore unable (without wasted expenses) to have the capability to review this popular product in any reasonable way.
No, you can't rip some warez and then claim you were doing it to research the security mechanisms therein. However, if you have legitimately purchased (or otherwise legitimately obtained) a copy of winamp, and you wish to study it for security purposes, you can (for example) break through the anti-debug wrapper and attach a debugger, whereas if it were not for purposes of security research you would be guilty of a DMCA offence for bypassing the mechanism that was put in place to protect the copyright, EVEN IF YOUR PURPOSE WAS NOT TO BREAK THE COPYRIGHT.
> The security exception portion of the current copyright law was designed to ensure that the copyright law does not restrict, hinder or impact the ability for vulnerability research to be performed regarding copyright restricted items.
Yes; it became necessary because of the catch-all nature of the clause that declares you guilty of a crime for bypassing an access control mechanism even if you did not do so in order to copy the protected work.
> What method of acquiring software is ethical, legal, and most importantly realistic for researchers to succeed in performing much needed research?
Not warez! You can buy it, or if you can convince the maker that you are a genuine researcher and that it would be worth their while to give you a copy of their software in exchange for a free audit, you're good to go.
> Should security researchers be required to pay for software that they only review but never use?
It's up to the copyright holder. If you can persuade them to send you a free copy to review, fair enough. If they tell you they don't want to give you a free copy, you're SOL. "Only review but never use"? Of course you're using it: you're using it as part of your trade of security researcher.
> Is there a difference between borrowing a copy of software vs downloading it from "other" sources? Should vendors be able to deny researchers from reviewing their software either by requiring permission or forcing researchers to pay for the software without ever using it as it is intended?
Yes, of course. This is silly. The DMCA does not permit you to pirate software and you won't get off the hook by claiming to have done it "for research purposes".
> The question is, why should security researchers need to pay full price and maintain huge budgets to obtain all software which they review?
Nobody's forcing you to BE a security researcher. Nor is anyone forcing you to choose to review for-pay software rather than freeware or open source apps. It was _you_ who decided to earn a living this way, and if _you_ can't afford the equipment and materials required to carry out your business, OF COURSE that doesn't entitle you to go out and steal it.
> If this is the only legal way then how can a researcher realistically review software such as Oracle without paying unrealistic/impossible amounts of money simply to do research?
It's not unrealistic/impossible. You are a professional, doing a professional job and using professional tools of the trade. Which you have to buy. If McDonald's was in a bit of a cashflow crisis, and they couldn't afford beef, would they ask "Are we allowed to go out and rustle some cattle"? No, because the question would be silly.
> In contrast to the Reverse Engineering exception requiring lawful obtaining of a program, the Security Testing copyright exception (TITLE 17, CHAPTER 12, §1201 Subsection (J)) does not state anything about how the software is obtained.
Then there are no exceptions to the ordinary rules, are there, because that's where they'd be listed, if there were any, isn't it?
> Security testing is also incorrectly defined as "accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network". This definition, as it is, could never describe a valid copyrighted item
Computer + Software-under-test = "computer system". Software-under-test = copyrighted item.
> and also has nothing to do with reviewing applications/programs for vulnerabilities. Vulnerabilities are specifically found in "computers, computer systems, or computer networks"; they are found within software applications which execute on a computer (such as BIOS software), execute on a computer system (such as software applications), or execute on devices (such as IOS software) which, when interconnected, make up a computer network. How can security researchers succeed in this situation without performing actions which may be construed as illegal due to the confusing (grey area) of the law? Are we expected to pay out unreasonable amounts of revenue to software vendors without a return, thus forcing the research industry into a negatively profitable line of work? Is the industry permitted to research only at the mercy of the software vendors which truly receive no positive return from independent security research?
This is all nonsense I'm afraid, a combination of a few misunderstandings and quite a lot of special pleading. If you set up in business as a security researcher, you have to BUY the stuff you will need to do the job. If you set up in any other line of business, you wouldn't ask "Say, do I have to buy pens and paper and envelopes and stamps? Why can't I just go out and steal some? It's not fair that I should have to pay anything just in order to be able to write letters... ".

cheers,
DaveK

[1] http://www.copyright.gov/circs/circ1.html#wci

--
Can't think of a witty .sigline today....