Information Security News mailing list archives

Security Developer Snared In Legal Tar Pit


From: InfoSec News <isn () c4i org>
Date: Wed, 23 Apr 2003 23:06:01 -0500 (CDT)

http://www.informationweek.com/story/showArticle.jhtml?articleID=8800603

By George V. Hulme
Apr 23, 2003 

An open-source security app may be the first victim of so-called 
super-DMCA laws.

In the days following the July 2001 Code Red worm outbreak, which
infected 359,000 systems in 14 hours, software developer Tom Liston
started work on an application that would turn the tables on worms. He
created LaBrea, which essentially acts like a digital tar pit,
trapping hackers and worms, forcing hackers to break off attacks, and
preventing worms from moving on to other computers.

The free, open-source application has been heralded in security
circles and nominated for awards as a unique weapon. It's also been
pulled from Liston's Hackbusters.net site by its author. He yanked it
April 15 when the Illinois resident learned that a 4-month-old state
law (Compiled Statutes 720 ILCS 5) makes it illegal to create a device
capable of disrupting a communication service without the express
authorization of the communication service provider.

The law also makes it a crime to conceal the existence, origin, or
destination of any communication from a service provider or any lawful
party.

Technically, LaBrea disrupts communications and conceals the true
origin of network communications. So Liston pulled LaBrea rather than
risk prosecution for what he believes is, at best, a vaguely worded
piece of legislation.

Some software security experts, academics, and
consumer-electronics-industry representatives say such legislation
will curb legitimate research and speech. They refer to the state
rules as "super-DMCA" laws because they claim the laws tend to be more
restrictive than the federal Digital Millennium Copyright Act of 1998.
The DMCA itself seeks to prohibit any hardware or software that can
circumvent copy-protection schemes for digital media, such as E-books,
movies, and music.

Intellectual-property-rights advocates, including entertainment
conglomerates, say those worries are overstated. So-called super-DMCA
laws that are proliferating among the states, they say, are intended
only to prevent people from pirating content.

"These laws are about theft. It's that simple," says Vans Stevenson,
senior VP of state legislative affairs at the Motion Picture
Association of America. Stevenson says the laws are in no way intended
to thwart legitimate security devices. "No one is going to go to jail
for using a firewall or VPN," he says. It's safe to say, however, that
the MPAA would like to see people who right now are pirating
copyrighted content do some serious jail time.

It's probable that Liston won't be proved paranoid or prudent until
the matter goes to court, but he doesn't want to be the precedent
setter. The Illinois law has teeth. Violations involving nine or fewer
unlawful communication devices (which could be interpreted to mean
software or a computer carrying offending software) are treated as
misdemeanors. Violations involving 10 or more devices are Class 4
felonies. If the violation involves 50 or more devices, the penalty
can reach five years' imprisonment. Civil action can also be brought
against violators, with damages ranging from $250 to $10,000 for each
unlawful communication device.

"The problem for me is that LaBrea is an open-source application and
is, essentially, a labor of love, not profit," Liston says. "Hiring a
lawyer to tell me whether I can legally give away LaBrea without
violating the super-DMCA provisions of Illinois state law just seems
wrong."

Liston says security researchers and academics have been warned off
some actions with implied threats to press charges. Examples
bolstering that claim include:

* A team of security researchers from Princeton University, Rice 
  University, and Xerox in April 2001 decided not to publicly present 
  research that it had completed about circumventing watermark 
  techniques for digital music. The research was the result of a 
  challenge issued by the Secure Digital Music Initiative, a 
  consortium of companies trying to create open protection 
  specifications. The group tried to block full disclosure of 
  the research, saying the federal DMCA might be applied if it were 
  disclosed.

* In August, Hewlett-Packard sent a memo citing the DMCA to a security 
  research firm, Secure Network Operations Inc. (better known as 
  SnoSoft), threatening legal action after the group published code 
  that exposed a serious hole in HP's Tru64 Unix operating system. HP 
  ultimately took no legal action.

* Programmers and researchers from countries such as Britain and 
  Russia have refused to come to the United States for fear their 
  security-related research--legal in their nations--could land them 
  in prison here.

So far, according to the digital-rights activist group Electronic
Frontier Foundation, super-DMCA laws have been passed in Colorado,
Delaware, Illinois, Michigan, Oregon, Pennsylvania, and Wyoming.
Similar bills are pending in Arkansas, Florida, Georgia,
Massachusetts, Tennessee, and Texas.

Intellectual-property attorney Fred von Lohmann with the foundation
says that ISPs, cable companies, and digital-entertainment companies
could use these state laws to restrict what type of devices can be
connected to the Internet and could potentially ban tools widely used
to protect the relative anonymity and security of the Internet.

"These state bills are very harmful to civil liberties and likely
would be found unconstitutional if challenged," says
intellectual-property lawyer Robin Gross, who's also executive
director of IP Justice, an international civil-liberties organization.
"Many everyday activities such as using a firewall to block intruders
from your computers, surfing the Web using a service that prevents
advertisers from tracking you, or using encrypted E-mail services to
protect your personal privacy would all be illegal under the MPAA's
model law" that it's recommending to states, she says.

As a result of such criticisms, the MPAA's Stevenson has said, the
association will suggest that states insert "intent to defraud"
wording into legislation being considered.

A defraud qualifier wouldn't matter to Liston. "I believe, based on my
reading of the Illinois statutes, that continuing to distribute LaBrea
from my site would place me in violation of the law," he says. Before
he'd make it available on Hackbusters again, Liston says, he'd need to
see the law rewritten, or "better yet, repealed."
