I respectfully disagree Michal. It all depends on the presentation.

- Does the notification that you send cite a specific law that has been broken?
- Does the notification that you send provide the network provider with a clear and unmistakable course of action that MUST be taken?
- If this course of action is not taken, are you citing the laws that the network service provider would be breaking?

I took a look at the DMCA here: http://www.eff.org/IP/DMCA/hr2281_dmca_law_19981020_pl105-304.html

This clause stood out.

Sec. 1201. Circumvention of copyright protection systems

`(a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

<COMMENTS>
As long as you have some copyrighted material on your computer systems, then all security mechanisms on that computer will be covered by the DMCA. Your computers and their security systems are technological measures designed to secure your copyrighted material.
</COMMENTS>

`(j) SECURITY TESTING-

`(1) DEFINITION- For purposes of this subsection, the term `security testing' means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network.

<COMMENTS>
Network scanning, DDOS (testing yet again if a computer can be taken off line with this method), running exploit code against your hosts could be construed as 'Security Testing'.
</COMMENTS>

`(2) PERMISSIBLE ACTS OF SECURITY TESTING- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--

`(A) whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network; and

`(B) whether the information derived from the security testing was used or maintained in a manner that does not facilitate infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security.

`(4) USE OF TECHNOLOGICAL MEANS FOR SECURITY TESTING- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to develop, produce, distribute or employ technological means for the sole purpose of performing the acts of security testing described in subsection (2), provided such technological means does not otherwise violate section (a)(2).

<COMMENTS>
But the violator has not received your approval. They were not working solely to promote the security of your network.

So to recap:

- Does the notification that you send cite a specific law that has been broken? Yes. DMCA (a)(1)(A), and the protections under this law, (j)(2), (j)(3)(A), (j)(3)(B) and (j)(4), have not been met.

Perhaps these are the exit clauses you give the network service provider and the end user, i.e. "If you feel that you are entitled to protections under the DMCA (j)(2), (j)(3)(A), (j)(3)(B) and (j)(4), you must provide us with name, address, and explanation," etc.

I'll take a crack at writing up an actual template letter later.

Please be advised I AM NOT A LAWYER! If there are any lawyers out there, your comments would be greatly appreciated.
</COMMENTS>

-----Original Message-----
From: Michal Zalewski [mailto:lcamtufat_private]
Sent: July 11, 2002 10:50 PM
To: Brooke, O'neil (EXP)
Cc: 'Vachon, Scott'; vuln-devat_private; incidentsat_private
Subject: Re: Lessons Learned from the MPAA's use of DCMA

On Thu, 11 Jul 2002, Brooke, O'neil (EXP) wrote:

> I.e. Send a letter to the network provider stating: If you do not stop
> this subscriber from taking these illegal actions (cite the law that
> states spamming, DOS'ing, etc. are illegal) then we will hold you (the
> network provider) financially accountable for our losses.

A provider that fails to cooperate after getting a standard abuse report from you will most likely not care about any kind of letters from any entity that does not have an army of well paid lawyers at its service - in which case, they'd most likely take "immediate preventive actions" even upon a completely unconfirmed or impossible to verify report.

Otherwise, the typical (if any) response from a pro-spam ISP is that if you feel the customer is breaking the law, you should sue the customer, and we'll happily cooperate with the court. At worst, they'd claim they couldn't process and verify your claim, no biggie. This is pretty much bogus, but they do feel safe in doing that, in almost every country.

--
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors?
<=-= http://lcamtuf.coredump.cx/photo/
This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 15:48:30 PDT