Feeds

Cracker education site folds on DMCA threat

Fair Use provision too shaky to stand on

  • alert
  • submit to reddit

SANS - Survey on application security programs

The threat of legal action can be an effective, preemptive weapon in the ever-shifting front lines of copyright law, as the well-known (and now former) cracker-education Web site Icefortress.com has recently learned. The ICE crew have decided to pack up their operation rather than defend a lengthy court battle threatened by on-line porno billing outfit IBILL, a frequent, and fairly challenging, target for password crackers.

The Icefortress site, which had been on line for approximately two years, included a guest area with a forum where newbies could post questions, a download area where they could obtain tools such as password-list manipulators and brute-force cracking applications (many developed by members of the ICE crew), a news page, and a collection of essays and tips on various aspects of Net security and cracking Web sites.

The Icefortress crew believes that the issue for IBILL was an outdated essay on the site's guest area, written by a former member, containing a brief tip, not on methods of cracking IBILL-protected sites, but merely on how to prevent IBILL from detecting one's real IP. IBILL, according to the essay's author, Lucifer Fallen, connects to one's security port; it is therefore advisable to see that a proxy is loaded there if one wishes to remain anonymous.

While the objectionable information in this case might well be ruled by a court to be too general to qualify as a violation of trade secrets or the skirting of technical access controls, the ICE crew feel they have neither the resources nor the time to test it and find out firsthand. It would not be the first time that a controversial Web site has been forced to close shop because the operators had not the means to fight a court challenge by a well-heeled opponent.

From IBILL's point of view, the issue is quite clear. A sufficiently large compilation of non-proprietary, original information, however un-artistic it may be, can be copyrighted under US law. This might include such dry items as work products, technical standards, a customer database and the like. Password cracking can easily lead to a compromise of such data; therefore, the skirting of access controls can be taken as a copyright violation under the Digital Millennium Copyright Act (DMCA).

"If I have copyrighted material protected by a password device, and a third party circumvents that password device, he is committing a violation and causing economic harm," IBILL Director of Intellectual Property Edward Cherry told The Register in no uncertain terms.

The dispute with Icefortress.com "appears to have been amicably resolved through diligent representation by [IBILL attorney] Steven Workman," Cherry added, making reference to the fact that the site has been taken down. He warned that "any password site that we find will be dealt with accordingly."

Attorney Workman did have an impressive attack in mind. A memo from him to Icefortress' former host, Xyrid, which The Register has obtained, suggests the plan.

"The operator of this site, and all persons or entities which facilitate dissemination of this protected information, are subject to civil and criminal liability under the Digital Millennium Copyright Act," Workman wrote.

It was that appeal to the DMCA, the full implications of which have yet to be explored in the courts, that aroused The Register's interest in this case.

Workman believes that the DMCA, which makes it illegal to circumvent any technical access control protecting copyrighted material, also protects compiled data as it does the more traditional items such as artistic works and proprietary information.

"I would argue that once behind a password-protected area, everything might be copyrightable," Workman told The Register.

"The [full] reach of the DMCA hasn't been tested" in the courts yet, Workman said, but added that he would be "more than happy to test it" himself.

All that makes sense, but it does leave the issue of 'Fair Use' well up in the air. The DMCA's most glaring internal inconsistency is the fact that it outlaws the skirting of technical controls protecting copyrighted material, while at the same time asserting in very plain language that nothing in the Act may be construed to hamper the fair use of copyrighted material.

Thus, if the desired information is protected by an access control, it becomes a crime to exercise the very fair use which the Act defends - clearly an unintentional paradox which will need to be repaired in the courts as the Act is invoked in future legal disputes.

The frustrating contradiction, or felicitous loophole, depending on which side of the fence you sit, becomes relevant here when we consider that in the case of IBILL, the only way to get a look at their copyrighted material for the perfectly legitimate purposes of writing a critique or analysis of their security methods would be to crack their security in the first place.

'Copyrighted' and 'secret' are two very different things. While it is clear that proprietary information is secret, and anyone making it public is liable to legal action; IBILL is not claiming that the information ICE published is proprietary, but merely copyrighted.

Copyrighted material, as distinct from proprietary trade secrets, has always been recognised as fair game for publication within certain, long-established limitations under the principle of fair use.

An entire work may not be reproduced; no part of it may be sold by a third party without permission; the copyright holder must be acknowledged when snippets are published; and so on. But parts of a copyrighted body of work may indeed be reproduced freely for purposes of criticism, analysis or argumentation, a use which we believe the offending essay at Icefortress represented.

Thus the essay might well have survived in court as a legitimate analysis of IBILL security under the rules of fair use; though if not, at least the DMCA would have got a decent test in the field, which it very much needs.

Attorney Workman indicates that he's eager to give it a go at the first opportunity he receives, and we fully expect to see him doing so in the near future; but for the Icefortress crew, a lack of financial resources means that a largely untested, and patently defective, piece of federal legislation has become the occasion for a sudden curtain call. ®

Related Story

Linux users protest DVD regs on Capitol Hill

3 Big data security analytics techniques

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Number crunching suggests Yahoo! US is worth less than nothing
China and Japan holdings worth more than entire company
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.