RealTime IT News

Do Copyright Laws Apply to Bug Exploits?

Do the developers of exploits used to break into networks have the right to copyright their programs? And, if so, do network administrators have the right to share those exploits, once they've been used to break into their networks, in order to obtain help in blocking it from attacking their networks in the future?

That question may be answered if TESO Security, a group of non-commercial network security enthusiasts, pursues a lawsuit against the Bugtraq mailing list run by SecurityFocus.com.

"This is a pretty new one," said Edward Andrew Norwood, head of the Intellectual Property practice at Waller Lansden Dortch & Davis, and chair of the Nashville Bar Association's Intellectual Property Committee. "I have not heard of anything like this before."

"It's a fairly aggressive position to say that our hacking program of somebody else's software is now copyrighted by us," Norwood said. "But, so long as what they created is copyrightable, then yes, an act of somebody else to copy that software is an act of copyright infringement. To the extent that this is a copyrightable work and they are the owners of that work, then yes, nobody can copy that work."

Network administrators around the world have been scrambling to secure their servers since news of a vulnerability in the Telnet program -- used to remotely access servers -- first came to the public's attention last week when TESO posted advisories to several security mailing lists, including Bugtraq.

On Tuesday, the Computer Emergency Response Team (CERT) issued an advisory that servers running the Berkeley Software Design (BSD) operating system were vulnerable to the flaw.

But the legal issue entered the story on Tuesday, when a member of the Bugtraq mailing list, which boasts upwards of 50,000 subscribers, posted an exploit -- developed by TESO as part of its research into the flaw it discovered -- which takes advantage of the vulnerability, despite the fact that the exploit's header forbade distribution of the exploit.

The header read: "The contents of these coded instructions, statements and computer programs may not be disclosed to third parties, copied or duplicated in any form, in whole or in part, without the prior written permission of TESO Security. This includes especially the Bugtraq mailing list, the www.hack.co.za website and any public exploit archive."

"We did not give out the exploit to anyone and have not done so since it was written," said Sebastian, a member of TESO and the discoverer of the vulnerability. Sebastian chose to remain "pseudonymous."

So if TESO didn't distribute the exploit, how did it wind up on Bugtraq? According to Sebastian, the exploit was stolen from TESO's network and became part of the arsenal of unskilled crackers (malicious hackers) dubbed 'script kiddies,' who have since used it to deface a number of Web sites.

Sebastian explained, "We do not know how this happened as of yet. Anyway, we were notified by an anonymous person that the exploit had been used to break into his server machine and the attacker left the exploit header (the copyright and one-line description) as a proof on his server.

"We instantly knew that this was not good news and would probably mean a lot of illegal activity using our exploit. So we decided to release an advisory to the public as soon as possible, although we have not yet researched all vulnerable platforms and have not compiled full details on the vulnerable systems."

It was apparently a person who received the exploit in such a manner that posted it to the Bugtraq list. Elias Levy, administrator of the list, conceded that, despite the fact that the poster was warning others of a new exploit being used in the wild, it was a mistake to allow the exploit to get onto the mailing list.

"The approval of TESO's exploit was an error as we have stated on the list," Levy told InternetNews.com. "This does not appear to have been sufficient for TESO. We do have to wonder, how did their exploit end up being used by criminals to break into machines, and [we] find it ironic that while their exploit is being openly traded in the underground they did not wish to provide the public with access to the same so that at the very least they could examine it and use it to test their own systems."

Levy added, "We do not encourage people that find vulnerabilities to release exploits, although we understand that some people may think it's necessary. We encourage people that wish to release some type of demonstration tool to create it in such a way that it only allows for the testing, not the exploitation, of the vulnerability. That being said, if there is an exploit in the wild we will publish it so as to allow the public to be aware of its existence, study it, and use it for their own testing."

"The exploit has been stolen before, and was indeed 'traded' among relatively unskilled system crackers," Sebastian said. "We also have received mails of persons who apparently had the exploit before it was sent to Bugtraq. "Nevertheless, the distribution through Bugtraq added massively to the problem from our point of view."

Sebastian said TESO is still considering whether to pursue legal action, but has not yet retained an attorney.

However, TESO may face an uphill battle in court if it decides to pursue a case, Norwood said.

"You probably have the right to make copies of [an exploit] to find out where its flaw is," Norwood said. "I doubt there's a court out there that's going to hold this to be a copyright infringement."

He also noted that TESO may not have a right to copyright the work at all, as a court may take the view that the exploit was derived from another source, in this case the flawed BSD code.

"It may be that it's a derivative work," Norwood said. "Creative derivation of works is an exclusive right of the copyright owners too. There's probably an open question as to whether [TESO] ever owned a copyright to the code to start with."

Still, Norwood said that if the exploit was copyrightable, then Bugtraq probably did not have the right to reproduce it.

"The copyright owner is the one who has the right to make a distribute copies," he said. "The fact that you own the original, tangible object does not constitute the right to make copies of it."

Norwood likened the copy of the exploit to a photographic negative.

"Just because you've got the negative and can make prints, doesn't mean you have the right to make copies under the copyright act," he said. "Only the copyright holder can do that."