Do Copyright Laws Apply to Bug Exploits?

Do the developers of exploits used to break into networks have the right to copyright their programs? And, if so, do network administrators have the right to share those exploits, once they have been used to break into their networks, in order to get help blocking future attacks that use them?

That question may be answered if TESO Security, a group of non-commercial network security enthusiasts, pursues a lawsuit against the Bugtraq mailing list run by SecurityFocus.com.


“This is a pretty new one,” said Edward Andrew Norwood, head of the Intellectual Property practice at Waller Lansden Dortch & Davis, and chair of the Nashville Bar Association’s Intellectual Property Committee. “I have not heard of anything like this before.”

“It’s a fairly aggressive position to say that our hacking program of somebody else’s software is now copyrighted by us,” Norwood said. “But, so long as what they created is copyrightable, then yes, an act of somebody else to copy that software is an act of copyright infringement. To the extent that this is a copyrightable work and they are the owners of that work, then yes, nobody can copy that work.”

Network administrators around the world have been scrambling to secure their servers since news of a vulnerability in the Telnet program — used to remotely access servers — first came to the public’s attention last week when TESO posted advisories to several security mailing lists, including Bugtraq.


On Tuesday, the Computer Emergency Response Team (CERT) issued an advisory that servers running the Berkeley Software Design (BSD) operating system were vulnerable to the flaw.

But the legal issue entered the story on Tuesday, when a member of the
Bugtraq mailing list, which boasts upwards of
50,000 subscribers, posted an exploit — developed by TESO as part of its
research into the flaw it discovered — which takes
advantage of the vulnerability, despite the fact that the exploit’s header
forbade distribution of the exploit.

The header read: “The contents of these coded instructions, statements and
computer programs may not be disclosed to third parties, copied or
duplicated in any form, in whole or in part, without the prior written
permission of TESO Security. This includes especially the Bugtraq mailing
list, the www.hack.co.za website and any public exploit archive.”


“We did not give out the exploit to anyone and have not done so since it was
written,” said Sebastian, a member of TESO and the discoverer of the
vulnerability. Sebastian chose to remain “pseudonymous.”

So if TESO didn’t distribute the exploit, how did it wind up on Bugtraq?
According to Sebastian, the exploit was stolen from TESO’s network and
became part of the arsenal of unskilled crackers (malicious hackers) dubbed
‘script kiddies,’ who have since used it to deface a number of Web sites.

Sebastian explained, “We do not know how this happened as of yet. Anyway, we
were notified by an anonymous person that the exploit had been used to break
into his server machine and the attacker left the exploit header (the
copyright and one-line description) as a proof on his server.

“We instantly knew that this was not good news and would probably mean a lot
of illegal activity using our exploit. So we decided to release an advisory
to the public as soon as possible, although we have not yet researched all
vulnerable platforms and have not compiled full details on the vulnerable
systems.”

It was apparently someone who had received the exploit in that manner who
posted it to the Bugtraq list. Elias Levy, administrator of the list,
conceded that, despite the fact that the poster was warning others of a new
exploit being used in the wild, it was a mistake to allow the exploit to get
onto the mailing list.

“The approval of TESO’s exploit was an error as we have stated on the list,”
Levy told InternetNews.com. “This does not appear to have been sufficient
for TESO. We do have to wonder, how did their exploit end up being used by
criminals to break into machines, and [we] find it ironic that while their
exploit is being openly traded in the underground they did not wish to
provide the public with access to the same so that at the very least they
could examine it and use it to test their own systems.”

Levy added, “We do not encourage people that find vulnerabilities to release
exploits, although we understand that some people may think it’s necessary.
We encourage people that wish to release some type of demonstration tool to
create it in such a way that it only allows for the testing, not the
exploitation, of the vulnerability. That being said, if there is an exploit
in the wild we will publish it so as to allow the public to be aware of its
existence, study it, and use it for their own testing.”


“The exploit has been stolen before, and was indeed ‘traded’ among
relatively unskilled system crackers,” Sebastian said. “We also have
received mails of persons who apparently had the exploit before it was sent
to Bugtraq. Nevertheless, the distribution through Bugtraq added massively
to the problem from our point of view.”

Sebastian said TESO is still considering whether to pursue legal action, but
has not yet retained an attorney.

However, TESO may face an uphill battle in court if it decides to pursue a
case, Norwood said.

“You probably have the right to make copies of [an exploit] to find out
where its flaw is,” Norwood said. “I doubt there’s a court out there
that’s going to hold this to be a copyright infringement.”

He also noted that TESO may not have a right to copyright the work at all,
as a court may take the view that the exploit was derived from another
source, in this case the flawed BSD code.

“It may be that it’s a derivative work,” Norwood said. “Creative derivation
of works is an exclusive right of the copyright owners too. There’s probably
an open question as to whether [TESO] ever owned a copyright to the code to
start with.”

Still, Norwood said that if the exploit was copyrightable, then Bugtraq
probably did not have the right to reproduce it.

“The copyright owner is the one who has the right to make and distribute
copies,” he said. “The fact that you own the original, tangible object does
not constitute the right to make copies of it.”

Norwood likened the copy of the exploit to a photographic negative.

“Just because you’ve got the negative and can make prints, doesn’t mean you
have the right to make copies under the copyright act,” he said. “Only the
copyright holder can do that.”
