Cracker education site ICE resists IBILL pressure

Should CERT be shut down too?

Administrators of the cracker education Web site Icefortress.com have undergone a change of heart since we reported their plan to fold under pressure from Internet billing-service provider IBILL, which has threatened a copyright infringement suit under the Digital Millennium Copyright Act (DMCA), claiming that the Icefortress site did it harm by supplying information and tools which could enable visitors to hack its protected sites and thereby violate its copyrights.

The ICE site, which had been on line for nearly two years, was originally pulled by its host, Xyrid, immediately after receiving a threat-memo from IBILL lawyer Stephen Workman, presumably in its eagerness to get clear of a third-party dispute and cut its liabilities as quickly and painlessly as possible. For a time the Icefortress crew considered Xyrid's action a sound example to follow, having neither the time nor the money to fight a well-heeled corporation like IBILL in the courts.

Friends

But since we ran our original coverage, the ICE crew have been encouraged by a few friendly hands in the struggle to keep controversial information safe from interference on First Amendment grounds.

Carnegie Mellon University Computer Science Professor David Touretzky, whose testimony on the free-speech aspects of program code during the 2600.com trial was singled out by the judge as especially persuasive, has mirrored on his own Web site an essay which the ICE crew believe IBILL objects to and which, they believe, inspired their threat of action. The essay in question is a simple account of how IBILL connects to one's security port, a well-documented and quite general bit of Internet protocol data hardly worth sounding alarms over.

Touretzky has been active in defending free speech on the Net for several years now. "When I see a little guy being crushed by a big guy, my instinct is to mirror what they have," Touretzky told The Register. "And anything else IBILL wants to object to, I'll be happy to mirror so long as I decide it's legal," he added.

Touretzky has also created a most unflattering Web page dedicated to IBILL attorney Workman, entitled "Steven W. Workman: Porno Lawyer", including an article Workman contributed to porno Webmaster gazette the Condom Chronicles, and court documents from a legal malpractice suit brought against Workman by a former client from which he emerged whole on procedural grounds.

San Francisco lawyer Jennifer Granick, who served as a legal consultant to SecurityFocus journalist Kevin Poulsen, when, in a previous life, he'd been convicted of computer misuse, has also taken up the cause, now representing Icefortress domain owner Timothy McDonnell.

IBILL's legal case amounts to nothing more than "a libellous and unsubstantiated claim backed by the threat of litigation," Granick told The Register. The company's first mistake, she notes, was to threaten Icefortress' host, Xyrid, without giving domain owner McDonnell an opportunity to challenge, or even know, IBILL's objections before the site was pulled.

The company is playing fast and loose with the DMCA, exploiting its several internal contradictions, Granick believes. "The DMCA is a tool in the arsenal of companies that don't want to allow fair use" of copyrighted materials, she said.

IBILL's second mistake was to package their threat in an invalid legal format, she notes. IBILL lawyer Workman was obliged to identify the material which the company deemed infringing, and was to sign under penalty of perjury. This, Granick says, would have given some legal teeth to Workman's memo.

What remains now, she says, is for IBILL to identify the infringing material and file a proper legal notice, or, failing that, to 'fess up and tell Xyrid that they have nothing to fear from restoring the Icefortress site.

To date, not even Granick knows what material on the Icefortress site IBILL objects to. This refusal to mention a particular item strongly suggests that the company doesn't actually have anything that would withstand examination in court, and has simply been using threats of litigation to bluff Icefortress into folding.

Bluffing

The company has been reluctant to go on record with their side of the story, appealing to a quite reasonable concern that anything quoted in the press might come back to haunt them if they should argue their case before the bench. Thus when IBILL Director of Intellectual Property Edward Cherry spoke to The Register, he limited his comments to very broad issues touching tangentially on the case.

He did say that the company respects the First Amendment guarantee of free speech, but feels that free expression needs to be balanced carefully with the need to protect copyrights, in which vast sums of money are often invested.

He noted also that the company prefers to use a civil action rather than a criminal action to settle its dispute with Icefortress, on grounds that it would be a pity to stigmatise a group of clever youngsters with criminal records.

Of course the burden of proof in a criminal case is higher than in a civil case, and there is no doubt that this consideration plays some part in IBILL's preference to appeal to the DMCA, since its case against Icefortress is dodgy at best.

As we reported earlier, Workman claims that any information or tool which can defeat an access control violates the DMCA anticircumvention provisions (17 USC 1201). The 1201 provisions are intended to protect copyrighted materials, and Workman is hoping to get around this by claiming that virtually anything which can be protected with an access control such as a crypto scheme, or even a password, can also be copyrighted.

Surely this amounts to torturing the text to obtain a particular reading. If the 1201 provisions were interpreted as broadly as Workman would have them, then all the security tools in common use today by systems administrators would be outlawed.

But the strongest hint that the company is bluffing is the fact that they've steadfastly refused to identify what, exactly, on the Icefortress site infringes their copyrights.

"If IBILL can identify something they think is infringing, I'll take a look at it and advise Icefortress whether or not I think it can be published legally. If I decide that it is legal, and IBILL wants to dispute that in the courts, then they're welcome to try," Granick told us.

The company appears to be bluffing on a presumption that the entire ICE site, by its very nature, is illegal. Following Workman's very broad reading of the DMCA, IBILL's Cherry claims that providing tools and information which can be used to defeat any network security system is prohibited. Thus, simply by virtue of being a 'hacker education site', Icefortress is in violation of the law.

Muddy waters

We mean no disrespect to Icefortress, but we must note that if Cherry's reading of the DMCA is correct, then the most dangerous hacker education site on the Web would have to be the Computer Emergency Response Team (CERT) security site, hosted by none other than Carnegie Mellon University, and financed in part by the US government. We've spent many a blissful hour trawling its vast archives for detailed descriptions of security weaknesses in most popular network hardware and software and their default implementations, and downloading source code, scripts and tools with which such holes may be conveniently exploited.

It is to the CERT site, more than any other source, that we owe our own expertise in network and Web security (such as it is); and while we don't wish to boast, we must note that we could quite easily apply what we've learned and downloaded there to extremely destructive on-line activities if we were so inclined.

Thus if we accept that the ICE site is subject to closure for providing information and tools related to exploiting computer security weaknesses, we would have to accept that CERT, too, is subject to closure on the same grounds. Indeed, considering CERT's positively immense archive, its immediate closure ought to become the chief priority of anyone wishing to protect themselves from those who educate potential malicious hackers.

Any distinction between Icefortress.com, which looks like a site catering to crackers, and CERT.org, which offers much the same information but looks like a site catering to systems administrators, is absolutely cosmetic and thus perfectly fraudulent. We are reminded of the US 'assault-rifle' law, which banned the sale of certain semi-automatic rifles because they had the misfortune to be black and scary-looking, while ignoring traditional-looking 'sporting' weapons possessing identical destructive capabilities.

The law gradually evolved into a more common-sense regulation limiting the magazine capacities of all semi-automatic rifles and outlawing folding stocks and flash suppressors which can ease concealment; but it originated in a preposterous Congressional reaction to meaningless cosmetic features.

Political bodies like the US Congress may be inspired to action by superficial distinctions, but the Bill of Rights happens not to recognise them. If CERT has the right to publish systems weaknesses and exploits, so does Icefortress. According to law, "certain speakers can't be privileged," Granick notes. "We can't say, 'Carnegie Mellon yes, but independent researchers no.'"

So now the question becomes whether or not IBILL is prepared to take on the entire academic community and every security-oriented site on the Web. We rather think they're not. We rather think they're setting themselves up to regret that they ever heard of Icefortress, and perhaps of Stephen Workman as well. ®

Previous coverage

Cracker education site folds on DMCA threat

Sponsored: Driving business with continuous operational intelligence