[ISN] Security Developer Snared In Legal Tar Pit

From: InfoSec News (isnat_private)
Date: Wed Apr 23 2003 - 21:06:01 PDT

    http://www.informationweek.com/story/showArticle.jhtml?articleID=8800603
    
    By George V. Hulme
    Apr 23, 2003 
    
    An open-source security app may be the first victim of so-called 
    super-DMCA laws.
    
    In the days following the July 2001 Code Red worm outbreak, which
    infected 359,000 systems in 14 hours, software developer Tom Liston
    started work on an application that would turn the tables on worms. He
    created LaBrea, which essentially acts like a digital tar pit,
    trapping hackers and worms, forcing hackers to break off attacks, and
    preventing worms from moving on to other computers.
    
    The free, open-source application has been heralded in security
    circles and nominated for awards as a unique weapon. It's also been
    pulled from Liston's Hackbusters.net site by its author. He yanked it
    April 15 when the Illinois resident learned that a 4-month-old state
    law (Compiled Statutes 720 ILCS 5) makes it illegal to create a device
    capable of disrupting a communication service without the express
    authorization of the communication service provider.
    
    The law also makes it a crime to conceal the existence, origin, or
    destination of any communication from a service provider or any lawful
    party.
    
    Technically, LaBrea disrupts communications and conceals the true
    origin of network communications. So Liston pulled LaBrea rather than
    risk prosecution for what he believes is, at best, a vaguely worded
    piece of legislation.
    
    Some software security experts, academics, and
    consumer-electronics-industry representatives say such legislation
    will curb legitimate research and speech. They refer to the state
    rules as "super-DMCA" laws because they claim the laws tend to be more
    restrictive than the federal Digital Millennium Copyright Act of 1998.
    The DMCA itself seeks to prohibit any hardware or software that can
    circumvent copy-protection schemes for digital media, such as E-books,
    movies, and music.
    
    Intellectual-property-rights advocates, including entertainment
    conglomerates, say those worries are overstated. So-called super-DMCA
    laws that are proliferating among the states, they say, are intended
    only to prevent people from pirating content.
    
    "These laws are about theft. It's that simple," says Vans Stevenson,
    senior VP of state legislative affairs at the Motion Picture
    Association of America. Stevenson says the laws are in no way intended
    to thwart legitimate security devices. "No one is going to go to jail
    for using a firewall or VPN," he says. It's safe to say, however, that
    the MPAA would like to see people who right now are pirating
    copyrighted content do some serious jail time.
    
    It's probable that Liston won't be proved paranoid or prudent until
    the matter goes to court, but he doesn't want to be the precedent
    setter. The Illinois law has teeth. Violations involving nine or fewer
    unlawful communication devices (which could be interpreted to mean
    software or a computer carrying offending software) are treated as
    misdemeanors. Violations involving 10 or more devices are Class 4
    felonies. If the violation involves 50 or more devices, the penalty
    can reach five years' imprisonment. Civil action can also be brought
    against violators, with damages ranging from $250 to $10,000 for each
    unlawful communication device.
    
    "The problem for me is that LaBrea is an open-source application and
    is, essentially, a labor of love, not profit," Liston says. "Hiring a
    lawyer to tell me whether I can legally give away LaBrea without
    violating the super-DMCA provisions of Illinois state law just seems
    wrong."
    
    Liston says security researchers and academics have been warned off
    some actions with implied threats to press charges. Examples
    bolstering that claim include:
    
    * A team of security researchers from Princeton University, Rice 
      University, and Xerox in April 2001 decided not to publicly present 
      research that it had completed about circumventing watermark 
      techniques for digital music. The research was the result of a 
      challenge issued by the Secure Digital Music Initiative, a 
      consortium of companies trying to create open protection 
      specifications. The group tried to block full disclosure of 
      the research, saying the federal DMCA might be applied if it were 
      disclosed.
    
    * In August, Hewlett-Packard sent a memo citing the DMCA to a security 
      research firm, Secure Network Operations Inc. (better known as 
      SnoSoft), threatening legal action after the group published code 
      that exposed a serious hole in HP's Tru64 Unix operating system. HP 
      ultimately took no legal action.
    
    * Programmers and researchers from countries such as Britain and 
      Russia have refused to come to the United States for fear their 
      security-related research--legal in their nations--could land them 
      in prison here.
    
    So far, according to the digital-rights activist group Electronic
    Frontier Foundation, super-DMCA laws have been passed in Colorado,
    Delaware, Illinois, Michigan, Oregon, Pennsylvania, and Wyoming.
    Similar bills are pending in Arkansas, Florida, Georgia,
    Massachusetts, Tennessee, and Texas.
    
    Intellectual-property attorney Fred von Lohmann with the foundation
    says that ISPs, cable companies, and digital-entertainment companies
    could use these state laws to restrict what type of devices can be
    connected to the Internet and could potentially ban tools widely used
    to protect the relative anonymity and security of the Internet.
    
    "These state bills are very harmful to civil liberties and likely
    would be found unconstitutional if challenged," says
    intellectual-property lawyer Robin Gross, who's also executive
    director of IP Justice, an international civil-liberties organization.
    "Many everyday activities such as using a firewall to block intruders
    from your computers, surfing the Web using a service that prevents
    advertisers from tracking you, or using encrypted E-mail services to
    protect your personal privacy would all be illegal under the MPAA's
    model law" that it's recommending to states, she says.
    
    As a result of such criticisms, the MPAA's Stevenson has said, the
    association will suggest that states insert "intent to defraud"
    wording into legislation being considered.
    
    A defraud qualifier wouldn't matter to Liston. "I believe, based on my
    reading of the Illinois statutes, that continuing to distribute LaBrea
    from my site would place me in violation of the law," he says. Before
    he'd make it available on Hackbusters again, Liston says, he'd need to
    see the law rewritten, or "better yet, repealed."
    