Reverse Engineering and the DMCA
This is an attempt to show why the DMCA rules need to be reconsidered.
The dmca rules :http://cyber.law.harvard.edu/openlaw/DVD/1201.html
The argument : How are these rules applied and are they used fairly.
For years we of the reverse engineering community have fought to have the word cracker removed from
what we do. In the old days, it was a correct word.
Then the warez/serialz whores came out and took what they learned or stole and made outrageous claims
in order to earn some kind of respect from people who elude me. The RCE community renamed them script
kiddies for the fact that once they swiped someone in the RCE community's work, they just applied it to
every software that had that certain protection. Warez and serialz were released and somehow the RCE
community got blamed.
So, we changed the rules. No names of targets. No keygens or patches that show directly how to circumvent.
No complete code listings showing where and how to circumvent. This was done specifically to stop the crackers
from releasing masses of warez. Script kiddies only want the glory of seeing their name show up in search results
when looking for warez or serialz. They have only the most basic of skills, just enough to know how to apply
RCE work so they can steal.
Almost all tutorials about "cracking" software are dated. Not many people write new tutorials anymore.
Protection schemes change so quickly, by the time you write a tutorial it is out-dated. I dont think I have
seen a new tutorial submitted to woodmann.com in 2 or 3 years if not longer. The second part of not releasing
tutorials is the fact that people within the community that have earned the respect of their peers, do not
want to make it easy for the script kiddies to release more warez.
For the most part, people who do release tutorials that have the respect of the community, do so with very
restricted code snippets. This makes it very difficult for those kiddies who do not understand the flow of code
to understand. The tutorials are left vague for that very reason.
Releasing a tutorial to people who know what they are doing only serves to improve their skills as they learn.
That is the entire point to releasing such things. To help show code to people who understand it to a degree.
If you only know what NOP means, you are going to get nowhere when following a tutorial. You need to have a slightly
more then basic understanding of code AND the tricks that authors use to prevent circumvention.
We do not tell you, we help you to understand. If you cannot show you have some understanding, you will
get no help.
We have pretty much evolved from crackers to "Code Analysis Technicians", for the lack of a better description.
They are Reverse Engineers looking to understand the latest protections and "code stunts".
Reverse engineering is the scientific method of taking something apart in order to figure out how it works.
Reverse engineering has been used by innovators to determine a product's structure in order to develop competing or
interoperable products. Reverse engineering is also an invaluable teaching tool used by researchers, academics and
students in many disciplines, who reverse engineer technology to discover, and learn from, its structure and design.
Although some reverse engineering techniques require making a copy of the software being investigated, an act that would
otherwise be considered a copyright violation, copyright law has allowed these reverse engineering copies as a form of
"fair use." Increasingly, however, contract clauses forbidding reverse engineering are included in technology licenses.
Sometimes sellers include these clauses in "shrink-wrap," "click-wrap," or "browse-wrap" licenses without enabling the
user to negotiate the terms of such a license. In many instances, users are not even aware of the terms to which they are
binding themselves. The proposed amendment to contract law called the Uniform Computer Information Transactions Act (UCITA),
adopted by two state legislatures, would make these kinds of contracts enforceable, and therefore more difficult to
challenge their anti- reverse engineering provisions.
Section 1201 of US code : Title 17
This is eight pages to deal with the circumvention of copyright
protection systems. My first question, what is a copyright protection system?
I looked for an official definition in the US code and could not find anything that descibed in detail
what it is so, I guess it is whatever you say it is.
Since we do not have a legal definition of a copyright protection system, we have a problem with
how this should be applied when alleging a violation. I assume that the DMCA will apply to any
If anyone can apply the DMCA without complete explanation, how do I know what is legal ?
Because the DMCA is based in the US, you are guilty until you prove your innocence.
Things are not included into such documents on purpose. It will limit the range of effectivness.
This needs to be further clarified.
Tools used by the RCE community.
(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any
technology, product, service, device, component, or part thereof, that -
(A) is primarily designed or produced for the purpose of circumventing a technological measure
that effectively controls access to a work protected under this title;
(B) has only limited commercially significant purpose or use other than to circumvent a
technological measure that effectively controls access to a work protected under this title; or
(C) is marketed by that person or another acting in concert with that person with that person's
knowledge for use in circumventing a technological measure that effectively controls
access to a work protected under this title.
This is rather interesting in that, the tools they are talking about are the ones used by every person
who writes/develops/debugs or troubleshoots software. All of you in this room are guilty.
Who the hell thought up this rule ?? These great minds could not even understand the most basic rule they were
trying to convey : Dont distribute cracks, patches, keygens or serial numbers.
Do Reverse engineers release cracks, patches, keygens or serial numbers ?? NO THEY DONT.
And if you do you are a crack whore.
This paragraph needs to be completely re-written.
Section F deals with reverse engineering directly.
(f) Reverse Engineering. -
(1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the
right to use a copy of a computer program may circumvent a technological measure that effectively
controls access to a particular portion of that program for the sole purpose of identifying and
analyzing those elements of the program that are necessary to achieve interoperability of an independently
created computer program with other programs, and that have not previously been readily available
to the person engaging in the circumvention, to the extent any such acts of identification and
analysis do not constitute infringement under this title.
Remember Dimitry ??
(2) Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ
technological means to circumvent a technological measure, or to circumvent protection afforded by
a technological measure, in order to enable the identification and analysis under paragraph (1), or
for the purpose of enabling interoperability of an independently created computer program with
other programs, if such means are necessary to achieve such interoperability, to the extent that
doing so does not constitute infringement under this title.
Whatever the hell that means. I suppose they mean I can write a software that can strip all the images
from a Power Point presentation.
(3) The information acquired through the acts permitted under paragraph (1), and the means permitted
under paragraph (2), may be made available to others if the person referred to in paragraph (1) or (2),
as the case may be, provides such information or means solely for the purpose of enabling
interoperability of an independently created computer program with other programs, and to the extent
that doing so does not constitute infringement under this title or violate applicable law other than
So if you make a program to strip ebook images for use on a *nix machine, It's OK.
(4) For purposes of this subsection, the term ''interoperability'' means the ability of computer programs
to exchange information, and of such programs mutually to use the information which has been exchanged.
Section G deals with encryption.
I am not going to post the text of that section. The reason being, it is OK to reverse engineer
encryption routines. You can not share that information with anyone else.
I dont know to many people who play around with encryption routines solely to steal software.
It is very labor/computer intensive. People who engage in this do it because that is their field
of employment or, they are really bored and need to fill up a couple of months of free time.
Section I. Protection of personally identifying information.
Section J, Security testing.
The last section deals with analog devices. This is of no importance unless you manufacture such devices.
With the Digital Millennium Copyright Act (DMCA), the USA has become one of the worst countries as far as
the freedoms of computer users is concerned (e.g. see the Anti-DMCA Website, and CEM Kaner's Blog; point
8 refers to reverse engineering including decompilation.). As Cem points out, California courts have started
enforcing no-reverse-engineering. Worse, the US government attempts to apply pressure through its
economic might to other countries. The European Union has bowed to this pressure, while Australia seems to
have so far resisted the worst of it.
Australia has since bowed to this pressure.
Question: What kinds of things are copyrightable?
Answer: In order for material to be copyrightable, it must be original and must be in a fixed medium.
Only material that originated with the author can support a copyright. Items from the public domain which appear in a work,
as well as work borrowed from others, cannot be the subject of an infringement claim. Also, certain stock material might not
be copyrightable, such as footage that indicates a location like the standard shots of San Francisco in Star Trek IV: The Voyage Home.
Also exempted are stock characters like the noisy punk rocker who gets the Vulcan death grip in Star Trek IV.
The requirement that works be in a fixed medium leaves out certain forms of expression, most notably choreography
and oral performances such as speeches. For instance, if I perform a Klingon death wail in a local park, my performance
is not copyrightable. However, if I film the performance, then the film is copyrightable.
Single words and short phrases are generally not protected by copyright, even when the name has been "coined" or
newly-created by the mark owner. Words, phrases and titles may be protected by trademark, however.
Does this include the use of EAX, EBX, PUSH ;ETC ??
Question: What rights are protected by copyright law?
Answer: The purpose of copyright law is to encourage creative work by granting a temporary monopoly in an author's original creations.
This monopoly takes the form of six rights in areas where the author retains exclusive control. These rights are:
Question: What is copyright infringement? Are there any defenses?
Answer: Infringement occurs whenever someone who is not the copyright holder (or a licensee of the copyright holder)
exercises one of the exclusive rights listed above.
The most common defense to an infringement claim is "fair use," a doctrine that allows people to use copyrighted material
without permission in certain situations, such as quotations in a book review. To evaluate fair use of copyrighted material,
the courts consider four factors:
The most significant factor in this analysis is the fourth, effect on the market. If a copier's use supplants demand
for the original work, then it will be very difficult for him or her to claim fair use. On the other hand, if the use does
not compete with the original, for example because it is a parody, criticism, or news report, it is more likely to be permitted as "fair use."
When I receive a notice of a DMCA violation I reply with the standard requirements set by the DMCA.
1. Identify in sufficient detail the copyrighted work that you believe has been infringed upon.
For all of the complaints I have received, I have never ever seen any of this information supplied.
I usually get "the work, blah blah blah is in violation of the DMCA.
Please remove this to avoid further action"
These requests are always sent from a law firm. When I ask that they fulfill the requirements of the
DMCA including the 8 points listed above, they go to my server host.
The next thing you get is a 48 hour remove from the host and then shutdown.
I have argued in vain with them but they do not care, they just dont want to be threatened.
So I then have to fight to get my content back by threatening my host with a lawsuit.
For those of you visit my site somewhat regularly, you know how many times I have had to move in the
last 7 years. The answer is 5.
The original intent of the internet was to allow the FREE exchange of information. This theory has
long been non exsitent. Everything that you see is or has been manipulated by some entity.
As of mid February, Google had decided to make it known to the public that some people were using
the DMCA to make Google stop returning search results that include links to copy righted material.
One particular part of this complaint was in regards to the alleged theft of images.
When you upload ANYTHING to a website, YOU have to insure the safety of that material.
If you dont want a spider or bot to see this material, You must secure it.
If you dont want people (human beings) to see it, YOU have to secure the material,
Either by username and password or by a hidden directory that cannot be viewed by anyone or anything.
If you dont want anyone to see it, dont upload it. It's as simple as that. There are other ways to
get your materials out to the people you want to have it.
So you made some materials available and people started taking it. Just because you put up a disclaimer
saying "you cannot use my stuff", does not mean that people or bots wont take it. A novel idea :
Make people responsible for their own actions.
An example :
I leave my front door unlocked and someone just walks in and takes my TV.
I call the police and say I have been robbed. The police ask, was the door locked ?
Umm no mr policeman, I forgot to lock it. The police laugh in my face and walk away.
The insurance company will not by me a new tv because of my own stupidity.
Now I am mad because I dont have a tv. I sue the police based on the fact that they are supposed
to protect me and my stuff and they didnt.
It sounds reasonable if you think about it. That is their job. The judge would probably instruct the bailiff
to shoot me for being an idiot.
I think everyone knows that if you leave the front door unlocked, you run the risk of losing your stuff.
Of course the DMCA just had to add a special paragraph to section 512 to include search engines.
Google would never endanger their investors money so they just flat out blocked all the content
from those sites, not just what was infringed upon. They are abetting in the supression of free
information without proving it has been infringed upon.
People put information on the internet do so of their own free will. Google has sought to have the
reputation of the strongest search engine on the planet BUT, when threatened, they will fold.
The World Wide Web works through hyperlinks, tags that allow web site authors to connect their texts with others
and enable web browsers to move quickly from one page to another document to which it refers. These links are what set
hypertext apart from static offline texts, and core to Web-founder Tim Berners-Lee's original design.
Nonetheless, you may have received a cease and desist notice regarding hyperlinks on your website. Some companies
claim that linking to their websites requires prior permission, or allege that your links falsely imply that they sponsor
or endorse your site. Other C&Ds may assert trademark infringement based on the words and images you use in hyperlinks.
You may be told that you are violating the law because your site links to illegal or copyrighted material, even if you do not
host any of that material on your own servers. What about "deep linking," when you set a link to an inside page, not the website's homepage?
This topic area addresses the issues that arise regarding linking and other web navigation (frames and pop-ups, for example),
in legal terms including copyright, trademark, false advertising, the safe harbor for "information location tools," and contract
I guess you just cant hammer the thought into the skulls of the DMCA people.
It is a search engine. It is automatic. It works through a series of algorithims.
Its not some guy searching and then posting links.
This tactic is used to try and stop access to materials in countries that do not recognize the DMCA.
Why?, because it is easy to use threats. The chances of you complaining to a host in a country
that does not care about the DMCA and getting any form of relief is NIL.
So this is how the dmca is utilized today. It is used to threaten. Same as RIAA except the RIAA actually
sues people based on an ip address. Has the RIAA ever went to court with a CD it got from joe publics
cd player and said," the times these tracks were recorded closely match the times we watch joe download
these songs from limewire."
No they have not. You see, you and I dont have 50 grand lying around to go sue some college kids because we
are bored. I have an idea for the RIAA, Find the person who actually ripped the cd and uploaded its
contents and sue his ass. I was just walking down the street and found this cd, how am I to blame.
It is a uniquely american tradition to be guilty when charged and then have to prove YOU are innocent,
not the other way around. Big business knows this and use it to their advantage.
In order for copy right protection to work in terms of the internet is to find out who stole your stuff.
That is how they stretch the law when they need to make someone, anyone pay. It makes them feel good
and they think they are sending a message to the rest of the world. It does not work, it will never work.
There are of course a large group of people who support the DMCA in all its unregulated glory.
I support any request of a violation and remove the materials if they are in fact a violation.
I am not anti-DMCA
What I am opposed to is the very abritary application of the law.
When will they force MSN search to cease and desist?
So you are thinking, Woodmann, you are just splitting hairs, you are not interpeting the
DMCA correctly. Yes I am splitting hairs. If they can do it why cant I ?
If they can be arbitrary, why cant I?
Who is the biggest threat to the powers that be ? Warez , Serialz, Keygenz, straight out
patches aka cracks. File sharers are of course responsible. Everybody knows what the purpose
of file sharing is. It certainly isnt to provide the world with a copy of this text file.
When the wild west of the internet was just that, wild, there were no rules to govern the sharing of files.
Now they see what this great thing has wrought and they are mad. These same people who have
very large controlling interests in places like AOL, now want the power to govern all people.
Where were they when this started? This is somewhat akin to organized crime. Once they see a good
thing they muscle their way in.
So what did we learn about the DMCA and Reverse code engineering?
Pretty much nothing. On the one hand they say it is OK. On the other hand they say "NO, BAD DOG".
I think it is left vague on purpose, so as to be able to bend their rules to fit whatever the circumstance