Vulnerability Development mailing list archives

RE: Lessons Learned from the MPAA's use of DCMA


From: "Brooke, O'neil (EXP)" <o'neil.brooke () lmco com>
Date: Fri, 12 Jul 2002 17:40:04 -0400

I respectfully disagree, Michal. It all depends on the presentation. 

- Does the notification that you send cite a specific law that has been
broken?
- Does the notification that you send provide the network provider with a
clear and unmistakable course of action that MUST be taken? 
- If this course of action is not taken, are you citing the laws that the
network service provider would be breaking?

I took a look at the DMCA here:
http://www.eff.org/IP/DMCA/hr2281_dmca_law_19981020_pl105-304.html

This clause stood out. 

Sec. 1201. Circumvention of copyright protection systems

`(a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No
person shall circumvent a technological measure that effectively controls
access to a work protected under this title. The prohibition contained in
the preceding sentence shall take effect at the end of the 2-year period
beginning on the date of the enactment of this chapter.


<COMMENTS><COMMENTS><COMMENTS>

As long as you have some copyrighted material on your computer systems, then
all security mechanisms on that computer will be covered by the DMCA. Your
computers and their security systems are technological measures designed to
secure your copyrighted material.

</COMMENTS></COMMENTS></COMMENTS>


`(j) SECURITY TESTING-

`(1) DEFINITION- For purposes of this subsection, the term `security
testing' means accessing a computer, computer system, or computer network,
solely for the purpose of good faith testing, investigating, or correcting,
a security flaw or vulnerability, with the authorization of the owner or
operator of such computer, computer system, or computer network.


<COMMENTS><COMMENTS><COMMENTS>

Network scanning, DDoS (testing yet again whether a computer can be taken
offline with this method), and running exploit code against your hosts could
be construed as 'Security Testing'. 

</COMMENTS></COMMENTS></COMMENTS>


`(2) PERMISSIBLE ACTS OF SECURITY TESTING- Notwithstanding the provisions of
subsection (a)(1)(A), it is not a violation of that subsection for a person
to engage in an act of security testing, if such act does not constitute
infringement under this title or a violation of applicable law other than
this section, including section 1030 of title 18 and those provisions of
title 18 amended by the Computer Fraud and Abuse Act of 1986.

`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person
qualifies for the exemption under paragraph (2), the factors to be
considered shall include--

`(A) whether the information derived from the security testing was used
solely to promote the security of the owner or operator of such computer,
computer system or computer network, or shared directly with the developer
of such computer, computer system, or computer network; and

`(B) whether the information derived from the security testing was used or
maintained in a manner that does not facilitate infringement under this
title or a violation of applicable law other than this section, including a
violation of privacy or breach of security.

`(4) USE OF TECHNOLOGICAL MEANS FOR SECURITY TESTING- Notwithstanding the
provisions of subsection (a)(2), it is not a violation of that subsection
for a person to develop, produce, distribute or employ technological means
for the sole purpose of performing the acts of security testing described in
subsection (2), provided such technological means does not otherwise violate
section (a)(2).

<COMMENTS><COMMENTS><COMMENTS>

But the violator has not received your approval. They were not working solely
to promote the security of your network.


So to recap:
- Does the notification that you send cite a specific law that has been
broken?
Yes. DMCA (a)(1)(A), and the protections under this law in (j)(2), (j)(3)(A),
(j)(3)(B) and (j)(4) have not been met. 

Perhaps these are the exit clauses you give the network service provider and
the end user, i.e. "If you feel that you are entitled to protections under
the DMCA (j)(2), (j)(3)(A), (j)(3)(B) and (j)(4), you must provide us with
name, address, and explanation," etc.

I'll take a crack at writing up an actual template letter later. Please be
advised I AM NOT A LAWYER! If there are any lawyers out there, your comments
would be greatly appreciated.

</COMMENTS></COMMENTS></COMMENTS>


-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () coredump cx]
Sent: July 11, 2002 10:50 PM
To: Brooke, O'neil (EXP)
Cc: 'Vachon, Scott'; vuln-dev () securityfocus com;
incidents () securityfocus com
Subject: Re: Lessons Learned from the MPAA's use of DCMA


On Thu, 11 Jul 2002, Brooke, O'neil (EXP) wrote:

I.e. Send a letter to the network provider stating: If you do not stop
this subscriber from taking these illegal actions (cite the law that
states spamming, DOS'ing, etc. are illegal) then we will hold you (the
network provider) financially accountable for our losses.

A provider that fails to cooperate after getting a standard abuse report
from you will most likely not care about any kind of letters from any
entity that does not have an army of well paid lawyers at its service - in
which case, they'd most likely take "immediate preventive actions" even
upon a completely unconfirmed or impossible to verify report.

Otherwise, the typical (if any) response from a pro-spam ISP is that if
you feel the customer is breaking the law, you should sue the customer,
and we'll happily cooperate with the court. At worst, they'd claim they
couldn't process and verify your claim, no biggie. This is pretty much
bogus, but they do feel safe in doing that, in almost every country.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/