RE: Lessons Learned from the MPAA's use of DCMA

From: Brooke, O'neil (EXP) (o'neil.brookeat_private)
Date: Fri Jul 12 2002 - 14:40:04 PDT


    I respectfully disagree, Michal. It all depends on the presentation.
    
    - Does the notification that you send cite a specific law that has been
    broken?
    - Does the notification that you send provide the network provider with a
    clear and unmistakable course of action that MUST be taken?
    - If this course of action is not taken, are you citing the laws that the
    network service provider would be breaking?
    
    I took a look at the DMCA here:
    http://www.eff.org/IP/DMCA/hr2281_dmca_law_19981020_pl105-304.html
    
    This clause stood out. 
    
    Sec. 1201. Circumvention of copyright protection systems
    
    `(a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No
    person shall circumvent a technological measure that effectively controls
    access to a work protected under this title. The prohibition contained in
    the preceding sentence shall take effect at the end of the 2-year period
    beginning on the date of the enactment of this chapter.
    
    
    <COMMENTS><COMMENTS><COMMENTS>
    
    As long as you have some copyrighted material on your computer systems, then
    all security mechanisms on that computer will be covered by the DMCA. Your
    computers and their security systems are technological measures designed to
    secure your copyrighted material.
    
    </COMMENTS></COMMENTS></COMMENTS>
    
    
    `(j) SECURITY TESTING-
    
    `(1) DEFINITION- For purposes of this subsection, the term `security
    testing' means accessing a computer, computer system, or computer network,
    solely for the purpose of good faith testing, investigating, or correcting,
    a security flaw or vulnerability, with the authorization of the owner or
    operator of such computer, computer system, or computer network.
    
    
    <COMMENTS><COMMENTS><COMMENTS>
    
    Network scanning, DDOS (testing yet again if a computer can be taken offline
    with this method), running exploit code against your hosts could be
    construed as 'Security Testing'.
    
    </COMMENTS></COMMENTS></COMMENTS>
    
    
    `(2) PERMISSIBLE ACTS OF SECURITY TESTING- Notwithstanding the provisions of
    subsection (a)(1)(A), it is not a violation of that subsection for a person
    to engage in an act of security testing, if such act does not constitute
    infringement under this title or a violation of applicable law other than
    this section, including section 1030 of title 18 and those provisions of
    title 18 amended by the Computer Fraud and Abuse Act of 1986.
    
    `(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person
    qualifies for the exemption under paragraph (2), the factors to be
    considered shall include--
    
    `(A) whether the information derived from the security testing was used
    solely to promote the security of the owner or operator of such computer,
    computer system or computer network, or shared directly with the developer
    of such computer, computer system, or computer network; and
    
    `(B) whether the information derived from the security testing was used or
    maintained in a manner that does not facilitate infringement under this
    title or a violation of applicable law other than this section, including a
    violation of privacy or breach of security.
    
    `(4) USE OF TECHNOLOGICAL MEANS FOR SECURITY TESTING- Notwithstanding the
    provisions of subsection (a)(2), it is not a violation of that subsection
    for a person to develop, produce, distribute or employ technological means
    for the sole purpose of performing the acts of security testing described in
    subsection (2), provided such technological means does not otherwise violate
    section (a)(2).
    
    <COMMENTS><COMMENTS><COMMENTS>
    
    But the violator has not received your approval. They were not working solely
    to promote the security of your network.
    
    
    So to recap:
    - Does the notification that you send cite a specific law that has been
    broken?
    Yes. DMCA (a)(1)(A), and the protections under this law in (j)(2), (j)(3)(A),
    (j)(3)(B) and (j)(4) have not been met.
    
    Perhaps these are the exit clauses you give the network service provider and
    the end user, i.e. "If you feel that you are entitled to protections under
    the DMCA (j)(2), (j)(3)(A), (j)(3)(B) and (j)(4), you must provide us with
    name, address, and explanation, etc."
    
    I'll take a crack at writing up an actual template letter later. Please be
    advised I AM NOT A LAWYER! If there are any lawyers out there, your comments
    would be greatly appreciated.
    
    </COMMENTS></COMMENTS></COMMENTS>
    
    
    -----Original Message-----
    From: Michal Zalewski [mailto:lcamtufat_private]
    Sent: July 11, 2002 10:50 PM
    To: Brooke, O'neil (EXP)
    Cc: 'Vachon, Scott'; vuln-devat_private;
    incidentsat_private
    Subject: Re: Lessons Learned from the MPAA's use of DCMA
    
    
    On Thu, 11 Jul 2002, Brooke, O'neil (EXP) wrote:
    
    > I.e. Send a letter to the network provider stating: If you do not stop
    > this subscriber from taking these illegal actions (cite the law that
    > states spamming, DOS'ing, etc. are illegal) then we will hold you (the
    > network provider) financially accountable for our losses.
    
    A provider that fails to cooperate after getting a standard abuse report
    from you will most likely not care about any kind of letters from any
    entity that does not have an army of well paid lawyers at its service - in
    which case, they'd most likely take "immediate preventive actions" even
    upon a completely unconfirmed or impossible to verify report.
    
    Otherwise, the typical (if any) response from a pro-spam ISP is that if
    you feel the customer is breaking the law, you should sue the customer,
    and we'll happily cooperate with the court. At worst, they'd claim they
    couldn't process and verify your claim, no biggie. This is pretty much
    bogus, but they do feel safe in doing that, in almost every country.
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
              http://lcamtuf.coredump.cx/photo/
    
    This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 15:48:30 PDT