License to Hack

Zahri Kahoor | Sunday, October 28, 2012

There are bad ideas, and then there are really awful ideas. Example of a bad idea: the proposed uniform state law called the Uniform Computer Information Transactions Act (UCITA), with its "self-help" provision that lets vendors remotely sabotage software you've bought if they believe you're not conforming to their license terms. That one is such a stinker that three states have actually outlawed UCITA provisions from being enforced. And a really awful idea? Try legalizing malicious hacking. That's what a Los Angeles congressman named Howard Berman has in mind. He's proposing a federal law that would let copyright holders use "technological self-help measures" against peer-to-peer networks like Kazaa, Morpheus and the now-moribund Napster in order to fight piracy of their copyrighted material.

"The term was coined by IBM years ago", says Peter Wood, chief of operations at First Base Technologies. "It's meant to imply a broader church than just penetration testing, which is the traditional term. 'Hacking' has become the trendy term for it, but what I say to a client is 'You're asking us to impersonate a criminal to try and see what your business's defences are like but without the risk of actually being attacked by a criminal'; hence the ethical bit."

What kind of "self-help" would be legalized? Spoofs, redirection, file blocking, decoys, interdiction and, oh yeah, actually breaking into servers to plant malicious code. And what if a copyright holder causes additional damage or attacks the systems of someone who isn't actually misusing their copyrights? Berman's bill would protect them from being arrested or sued.

The Ethical Hacking Council defines it like this: "The goal of the ethical hacker is to help the organisation take pre-emptive measures against malicious attacks by attacking the system himself; all the while staying within legal limits."

The path from penetration testing to ethical hacking is well understood. "If we are doing a black box penetration test and it's unannounced – where the customer wants to see if they can spot us trying to get in, that their alerting systems are up to scratch – then we tend to refer to that as ethical hacking", explains Paul Vlissidis, technical director, NCC Group Secure Test.

Now let this sink in for a moment: This law is a license to hack, and hack maliciously - without any further government approval, without a court order, entirely at the discretion of the copyright holder. This is a terrible idea. Full disclosure: I've got no use for peer-to-peer networks where music and movies and software are pirated. My own copyrighted work has been ripped off on the Internet. My friends include the owners of several tiny music labels who hate the music-stealing networks with a passion and rejoiced when Napster went down. So I'm in a position to benefit from this license to hack.

But I repeat: It's a truly awful idea. And not just because it would give a little moral justification to every overgrown juvenile delinquent who believes that "if it's OK for big movie studios to break into someone else's computer, then it's OK for me, too."

It's also a bad law for us because even though it's aimed at peer-to-peer outfits like Kazaa and Morpheus, the next target will be corporate IT. Face it, there's no way to write a law that's sure to include all peer-to-peer pirates without defining things very broadly. So any copyright holder who's got a beef with any organization whose networks may be used to violate copyrights could claim this license to hack.

So if some software vendor decides your company might have unlicensed software on its network - whether that's true or not - the vendor could break into your servers and rummage around. After all, the software vendor is a copyright holder, and that server is on a network.

Sound crazy? Remember, Berman's idea is to leave this all to the discretion of the copyright holder. And some copyright holders are notorious for believing their rights extend far beyond what any court or lawmaker has ever approved. For software makers who want to have you in a hammerlock, this is like UCITA on steroids. And what if a competitor suspects you've acquired some of its copyrighted proprietary information? (Remember, the suspicion doesn't have to be true.) Does anyone think some companies wouldn't jump at the chance to hack into their rivals' networks legally, no matter how flimsy the pretext, and "self-help" themselves to whatever they can find?

Berman says copyright holders are at a disadvantage against peer-to-peer pirates. That's absolutely true. Crooks always have an advantage - they don't obey the law.

But the legal system shut down Napster for copyright infringement. That's the way to go after other peer-to-peer pirates too. There are already too many malicious hackers out there threatening our systems. Making any kind of electronic sabotage legal is a really, really awful idea.
