Reverse Engineering and the DMCA

 Your Brain


This is an attempt to show why the DMCA rules need to be reconsidered.


The dmca rules :

The argument : How are these rules applied and are they used fairly.

For years we of the reverse engineering community have fought to have the word cracker removed from what we do. In the old days, it was a correct word. Then the warez/serialz whores came out and took what they learned or stole and made outrageous claims in order to earn some kind of respect from people who elude me. The RCE community renamed them script kiddies for the fact that once they swiped someone in the RCE community's work, they just applied it to every software that had that certain protection. Warez and serialz were released and somehow the RCE community got blamed.

So, we changed the rules. No names of targets. No keygens or patches that show directly how to circumvent. No complete code listings showing where and how to circumvent. This was done specifically to stop the crackers from releasing masses of warez. Script kiddies only want the glory of seeing their name show up in search results when looking for warez or serialz. They have only the most basic of skills, just enough to know how to apply RCE work so they can steal.

Almost all tutorials about "cracking" software are dated. Not many people write new tutorials anymore. Protection schemes change so quickly, by the time you write a tutorial it is out-dated. I dont think I have seen a new tutorial submitted to in 2 or 3 years if not longer. The second part of not releasing tutorials is the fact that people within the community that have earned the respect of their peers, do not want to make it easy for the script kiddies to release more warez.

For the most part, people who do release tutorials that have the respect of the community, do so with very restricted code snippets. This makes it very difficult for those kiddies who do not understand the flow of code to understand. The tutorials are left vague for that very reason.

Releasing a tutorial to people who know what they are doing only serves to improve their skills as they learn. That is the entire point to releasing such things. To help show code to people who understand it to a degree. If you only know what NOP means, you are going to get nowhere when following a tutorial. You need to have a slightly more then basic understanding of code AND the tricks that authors use to prevent circumvention.

We do not tell you, we help you to understand. If you cannot show you have some understanding, you will get no help.

We have pretty much evolved from crackers to "Code Analysis Technicians", for the lack of a better description. They are Reverse Engineers looking to understand the latest protections and "code stunts".

Reverse engineering is the scientific method of taking something apart in order to figure out how it works. Reverse engineering has been used by innovators to determine a product's structure in order to develop competing or interoperable products. Reverse engineering is also an invaluable teaching tool used by researchers, academics and students in many disciplines, who reverse engineer technology to discover, and learn from, its structure and design. Although some reverse engineering techniques require making a copy of the software being investigated, an act that would otherwise be considered a copyright violation, copyright law has allowed these reverse engineering copies as a form of "fair use." Increasingly, however, contract clauses forbidding reverse engineering are included in technology licenses. Sometimes sellers include these clauses in "shrink-wrap," "click-wrap," or "browse-wrap" licenses without enabling the user to negotiate the terms of such a license. In many instances, users are not even aware of the terms to which they are binding themselves. The proposed amendment to contract law called the Uniform Computer Information Transactions Act (UCITA), adopted by two state legislatures, would make these kinds of contracts enforceable, and therefore more difficult to challenge their anti- reverse engineering provisions.

Section 1201 of US code : Title 17

This is eight pages to deal with the circumvention of copyright protection systems. My first question, what is a copyright protection system? I looked for an official definition in the US code and could not find anything that descibed in detail what it is so, I guess it is whatever you say it is.

Since we do not have a legal definition of a copyright protection system, we have a problem with how this should be applied when alleging a violation. I assume that the DMCA will apply to any persons claim.

If anyone can apply the DMCA without complete explanation, how do I know what is legal ? Because the DMCA is based in the US, you are guilty until you prove your innocence.

Things are not included into such documents on purpose. It will limit the range of effectivness.

This needs to be further clarified.

Tools used by the RCE community.

(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that -

(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

This is rather interesting in that, the tools they are talking about are the ones used by every person who writes/develops/debugs or troubleshoots software. All of you in this room are guilty.

Who the hell thought up this rule ?? These great minds could not even understand the most basic rule they were trying to convey : Dont distribute cracks, patches, keygens or serial numbers. Do Reverse engineers release cracks, patches, keygens or serial numbers ?? NO THEY DONT. And if you do you are a crack whore.

This paragraph needs to be completely re-written.

Section F deals with reverse engineering directly.

(f) Reverse Engineering. -

(1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.

Remember Dimitry ??

(2) Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure, in order to enable the identification and analysis under paragraph (1), or for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title.

Whatever the hell that means. I suppose they mean I can write a software that can strip all the images from a Power Point presentation.

(3) The information acquired through the acts permitted under paragraph (1), and the means permitted under paragraph (2), may be made available to others if the person referred to in paragraph (1) or (2), as the case may be, provides such information or means solely for the purpose of enabling interoperability of an independently created computer program with other programs, and to the extent that doing so does not constitute infringement under this title or violate applicable law other than this section.

So if you make a program to strip ebook images for use on a *nix machine, It's OK.

(4) For purposes of this subsection, the term ''interoperability'' means the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.

Section G deals with encryption.

I am not going to post the text of that section. The reason being, it is OK to reverse engineer encryption routines. You can not share that information with anyone else. I dont know to many people who play around with encryption routines solely to steal software. It is very labor/computer intensive. People who engage in this do it because that is their field of employment or, they are really bored and need to fill up a couple of months of free time.

Section I. Protection of personally identifying information.
If you have software that has collected information about me, AKA spyware, I can reverse engineer it. DUH !

Section J, Security testing.
I would expect to be able to test the security of software and network's. DUH !

The last section deals with analog devices. This is of no importance unless you manufacture such devices.

In Bonito Boats, Inc. v. Thunder Craft Boats, Inc. 489 U.S. 141(1989), the U.S. Supreme Court regarded reverse engineering as "an essential part of innovation", likely to yield variations on the product that "could lead to significant advances in technology". (From "Reverse Engineering Under Siege", Pamela Samuelson, Comm. ACM 45(10) October 2002.) It is possible that decompilation (when it becomes practical) could do the same for software that physical reverse engineering does for boats and other fields of endeavour. The article above also states that "Courts in the U.S. have also treated reverse engineering as an important factor in maintaining the balance in intellectual property law". It goes on to point out that patents confer significant advantages to their owners, but only in return for disclosure of the invention, so that the public will ultimately benefit from the it. Perhaps decompilation can help redress the balance that the recent flood of dubious software patents has perturbed.

With the Digital Millennium Copyright Act (DMCA), the USA has become one of the worst countries as far as the freedoms of computer users is concerned (e.g. see the Anti-DMCA Website, and CEM Kaner's Blog; point 8 refers to reverse engineering including decompilation.). As Cem points out, California courts have started enforcing no-reverse-engineering. Worse, the US government attempts to apply pressure through its economic might to other countries. The European Union has bowed to this pressure, while Australia seems to have so far resisted the worst of it.

Australia has since bowed to this pressure.

Question: What kinds of things are copyrightable?

Answer: In order for material to be copyrightable, it must be original and must be in a fixed medium. Only material that originated with the author can support a copyright. Items from the public domain which appear in a work, as well as work borrowed from others, cannot be the subject of an infringement claim. Also, certain stock material might not be copyrightable, such as footage that indicates a location like the standard shots of San Francisco in Star Trek IV: The Voyage Home. Also exempted are stock characters like the noisy punk rocker who gets the Vulcan death grip in Star Trek IV. The requirement that works be in a fixed medium leaves out certain forms of expression, most notably choreography and oral performances such as speeches. For instance, if I perform a Klingon death wail in a local park, my performance is not copyrightable. However, if I film the performance, then the film is copyrightable.

Single words and short phrases are generally not protected by copyright, even when the name has been "coined" or newly-created by the mark owner. Words, phrases and titles may be protected by trademark, however.

Does this include the use of EAX, EBX, PUSH ;ETC ??

Question: What rights are protected by copyright law?

Answer: The purpose of copyright law is to encourage creative work by granting a temporary monopoly in an author's original creations. This monopoly takes the form of six rights in areas where the author retains exclusive control. These rights are:
(1) the right of reproduction (i.e., copying),
(2) the right to create derivative works,
(3) the right to distribution,
(4) the right to performance,
(5) the right to display, and
(6) the digital transmission performance right.

Question: What is copyright infringement? Are there any defenses?

Answer: Infringement occurs whenever someone who is not the copyright holder (or a licensee of the copyright holder) exercises one of the exclusive rights listed above.

The most common defense to an infringement claim is "fair use," a doctrine that allows people to use copyrighted material without permission in certain situations, such as quotations in a book review. To evaluate fair use of copyrighted material, the courts consider four factors:
the purpose and character of the use
the nature of the copyrighted work
the amount and substantiality of copying,
and the market effect.

The most significant factor in this analysis is the fourth, effect on the market. If a copier's use supplants demand for the original work, then it will be very difficult for him or her to claim fair use. On the other hand, if the use does not compete with the original, for example because it is a parody, criticism, or news report, it is more likely to be permitted as "fair use."
Report uses and abuses of DMCA section 512(h) subpoenas. If someone is seeking your name without a reasonable claim of copyright infringement, that's an abuse: For example, if someone is using the subpoena to harass or defraud; if they've matched filenames, but not their content; if you weren't using the IP address listed (because of a typo or other error, such as because someone else was using a wireless network). Even if you did have copyrighted material on your computer, you might have a lawful right of fair use.

When I receive a notice of a DMCA violation I reply with the standard requirements set by the DMCA. They are:

1. Identify in sufficient detail the copyrighted work that you believe has been infringed upon.
2. Identify the material that you claim is infringing the copyrighted work listed in item #1 above.
3. Provide information reasonably sufficient to permit us to contact you (email address is preferred).
4. Provide information, if possible, sufficient to permit us to notify the owner/administrator of the allegedly infringing webpage or other content (email address is preferred).
5. Include the following statement: "I have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by the copyright owner, its agent, or the law."
6. Include the following statement: "I swear, under penalty of perjury, that the information in the notification is accurate and that I am the copyright owner or am authorized to act on behalf of the owner of an exclusive right that is allegedly infringed."
7. Sign the paper.
8. Send the written communication to the following address:

For all of the complaints I have received, I have never ever seen any of this information supplied. I usually get "the work, blah blah blah is in violation of the DMCA. http://www.yoursitehere/illegalstuff/ Please remove this to avoid further action"

These requests are always sent from a law firm. When I ask that they fulfill the requirements of the DMCA including the 8 points listed above, they go to my server host. The next thing you get is a 48 hour remove from the host and then shutdown. I have argued in vain with them but they do not care, they just dont want to be threatened. So I then have to fight to get my content back by threatening my host with a lawsuit.

For those of you visit my site somewhat regularly, you know how many times I have had to move in the last 7 years. The answer is 5.

The original intent of the internet was to allow the FREE exchange of information. This theory has long been non exsitent. Everything that you see is or has been manipulated by some entity.

As of mid February, Google had decided to make it known to the public that some people were using the DMCA to make Google stop returning search results that include links to copy righted material.

One particular part of this complaint was in regards to the alleged theft of images.

When you upload ANYTHING to a website, YOU have to insure the safety of that material. If you dont want a spider or bot to see this material, You must secure it. If you dont want people (human beings) to see it, YOU have to secure the material, Either by username and password or by a hidden directory that cannot be viewed by anyone or anything.

If you dont want anyone to see it, dont upload it. It's as simple as that. There are other ways to get your materials out to the people you want to have it.

So you made some materials available and people started taking it. Just because you put up a disclaimer saying "you cannot use my stuff", does not mean that people or bots wont take it. A novel idea : Make people responsible for their own actions.

An example : I leave my front door unlocked and someone just walks in and takes my TV. I call the police and say I have been robbed. The police ask, was the door locked ? Umm no mr policeman, I forgot to lock it. The police laugh in my face and walk away. The insurance company will not by me a new tv because of my own stupidity. Now I am mad because I dont have a tv. I sue the police based on the fact that they are supposed to protect me and my stuff and they didnt. It sounds reasonable if you think about it. That is their job. The judge would probably instruct the bailiff to shoot me for being an idiot. I think everyone knows that if you leave the front door unlocked, you run the risk of losing your stuff.

Of course the DMCA just had to add a special paragraph to section 512 to include search engines. Google would never endanger their investors money so they just flat out blocked all the content from those sites, not just what was infringed upon. They are abetting in the supression of free information without proving it has been infringed upon. People put information on the internet do so of their own free will. Google has sought to have the reputation of the strongest search engine on the planet BUT, when threatened, they will fold.

The World Wide Web works through hyperlinks, tags that allow web site authors to connect their texts with others and enable web browsers to move quickly from one page to another document to which it refers. These links are what set hypertext apart from static offline texts, and core to Web-founder Tim Berners-Lee's original design. Nonetheless, you may have received a cease and desist notice regarding hyperlinks on your website. Some companies claim that linking to their websites requires prior permission, or allege that your links falsely imply that they sponsor or endorse your site. Other C&Ds may assert trademark infringement based on the words and images you use in hyperlinks. You may be told that you are violating the law because your site links to illegal or copyrighted material, even if you do not host any of that material on your own servers. What about "deep linking," when you set a link to an inside page, not the website's homepage? This topic area addresses the issues that arise regarding linking and other web navigation (frames and pop-ups, for example), in legal terms including copyright, trademark, false advertising, the safe harbor for "information location tools," and contract (what effect do a site's "terms of use" really have?).

I guess you just cant hammer the thought into the skulls of the DMCA people. It is a search engine. It is automatic. It works through a series of algorithims. Its not some guy searching and then posting links.

This tactic is used to try and stop access to materials in countries that do not recognize the DMCA. Why?, because it is easy to use threats. The chances of you complaining to a host in a country that does not care about the DMCA and getting any form of relief is NIL.

So this is how the dmca is utilized today. It is used to threaten. Same as RIAA except the RIAA actually sues people based on an ip address. Has the RIAA ever went to court with a CD it got from joe publics cd player and said," the times these tracks were recorded closely match the times we watch joe download these songs from limewire." No they have not. You see, you and I dont have 50 grand lying around to go sue some college kids because we are bored. I have an idea for the RIAA, Find the person who actually ripped the cd and uploaded its contents and sue his ass. I was just walking down the street and found this cd, how am I to blame.

It is a uniquely american tradition to be guilty when charged and then have to prove YOU are innocent, not the other way around. Big business knows this and use it to their advantage.

In order for copy right protection to work in terms of the internet is to find out who stole your stuff.

That is how they stretch the law when they need to make someone, anyone pay. It makes them feel good and they think they are sending a message to the rest of the world. It does not work, it will never work.

There are of course a large group of people who support the DMCA in all its unregulated glory. I support any request of a violation and remove the materials if they are in fact a violation. I am not anti-DMCA

What I am opposed to is the very abritary application of the law.

When will they force MSN search to cease and desist?

So you are thinking, Woodmann, you are just splitting hairs, you are not interpeting the DMCA correctly. Yes I am splitting hairs. If they can do it why cant I ? If they can be arbitrary, why cant I?

Who is the biggest threat to the powers that be ? Warez , Serialz, Keygenz, straight out patches aka cracks. File sharers are of course responsible. Everybody knows what the purpose of file sharing is. It certainly isnt to provide the world with a copy of this text file.

When the wild west of the internet was just that, wild, there were no rules to govern the sharing of files. Now they see what this great thing has wrought and they are mad. These same people who have very large controlling interests in places like AOL, now want the power to govern all people. Where were they when this started? This is somewhat akin to organized crime. Once they see a good thing they muscle their way in.

So what did we learn about the DMCA and Reverse code engineering? Pretty much nothing. On the one hand they say it is OK. On the other hand they say "NO, BAD DOG". I think it is left vague on purpose, so as to be able to bend their rules to fit whatever the circumstance may be.