RE: telnetd exploit code

[Kelly Martin <kellym () fb00 fb org>]

There is a doctrine known as "copyright misuse" which permits a court to
refuse to enforce a copyright interest when that interest is being used (or
enforcement of the right is sought) for an improper purpose.  Copyright
actions, for the most part, lie in equity and as such the court may apply
equitable principles to deny relief when granting it would be unreasonable.
I suspect that it would not be a hard sell to convince a court that
enforcing a malicious software author's copyright interests in such software
would be unreasonable and would amount to copyright misuse.

Note also that in order to prosecute copyright infringement on a virus, the
author would have to file a registration for that virus with the Copyright
Office, which would then be admissible as evidence in a criminal prosecution
against that author for computer tampering. In addition, the civil complaint
that the author would have to file to initiate a copyright enforcement
action would be admissible, as would the sworn affidavits which would
necessarily be annexed to that complaint as exhibits.  So, from a pratical
standpoint, even if virus authors have a copyright interest in their
viruses, they would be utter idiots to seek to enforce them.  This would
also apply to efforts to use the DMCA, as that also requires a sworn
affidavit attesting to ownership of the intellectual property in question.

The only caveat here would be a virus author who wrote a virus but never
released it or who published it for "academic review" without a license to
use (e.g. exploit code developed by testing labs).  In this case, if you
discovered her virus on your system, she would probably be willing to work
with you in a joint prosecution against the virus releaser, as that
individual has both infringed the virus author's copyright and committed
computer tampering against your system, especially when you point out to her
that if she fails to cooperate, you will name her as a joint defendant in
conspiracy with the releasing individual on the charge of computer
tampering.

So, I wouldn't worry about copyright interests in viruses.  It's
questionable (in my mind) whether such interests are legally enforceable,
and quite clear to me that they are not practically enforceable even if they
are legally.

The foregoing is not legal advice.  For legal advice, consult a licensed
attorney.

Kelly

> -----Original Message-----
> From: Aaron Silver [SMTP:asilver () epoch net]
> Sent: Tuesday, July 24, 2001 4:22 PM
> To:   bugtraq () securityfocus com
> Subject:      Re: telnetd exploit code
>
> There's a question begging to be asked here...
>
> First of all let me say that I don't know Sebastian or his motivations, so
> I am not infering anything here, simply that this brought up a point that
> is now itching my head a lot.
>
> If a hacker copyright's his code, and then releases it into the wild, what
> does that do for his rights under the copyright?
>
> To turn it upside down, I have a machine that has had some hacker code
> placed on it. I didn't authorize it to be placed on there... Am I to be
> denied investigating this code (and sharing it with others to help me
> investigate) because someone placed a copyright notice on the code.
>
> Normally the rights of the individual to swing his arms ends at the tip of
> another individual's nose.
>
> This issue can get a lot muddier, but I figured I'd start with a simple
> case. =)
>
> Aaron Silver
>
> aleph1 () securityfocus com wrote:
>
> > * Sebastian (scut () nb in-berlin de) [010724 09:38]:
> > > I do not know who let this posting through, but I think something went
> > > seriously wrong here.
> > >
> > > What do the mailing list administrators do here, letting a
> confidential
> > > source code with full copyright and confidentiality header intact
> through a
> > > public mailing list. The Bugtraq mailing list was especially noted as
> > > example even in the header, which should not be allowed to disclose
> this.
> > > Although a lot of Bugtraq readers might not agree with me here, I
> think
> > > there is a right under which I can deny the disclosure of this source
> code.
> > > Call it privacy, call it copyright, I do not care about its name.
> >
> > Sebastian is correct. It was an error to approve the message given he
> > clearly stated in the comments he did not wish it distributed. For
> > that I apologize.
> >
> > That being said, it been quite obvious that for a while now that this
> > exploit is being shared in the underground and has been used actively
> > to break into systems. Better control of exploits one does not wish
> > to see distributed may be called for.
> >
> > > Oh, and another odd thing, there is no X-Approved-By: this time in the
> > > post, I wonder why. Do you know ?
> >
> > The X-Approved-By header was inserted by LISTSERV. We been using ezmlm,
> > which does not insert the header, for a while now.
> >
> > > ciao,
> > > -scut
> >
> > --
> > Elias Levy
> > SecurityFocus.com
> > http://www.securityfocus.com/
> > Si vis pacem, para bellum