Information Security News mailing list archives

Cracker education site ICE resists IBILL pressure


From: InfoSec News <isn () C4I ORG>
Date: Fri, 11 Aug 2000 03:53:32 -0500

http://www.theregister.co.uk/content/6/12500.html

By: Thomas C Greene in Washington
Posted: 10/08/2000 at 12:56 GMT

Administrators of the cracker education Web site Icefortress.com have
undergone a change of heart since we reported their plan to fold under
pressure from Internet billing-service provider IBILL, which has
threatened a copyright infringement suit under the Digital Millennium
Copyright Act (DMCA), claiming that the Icefortress site did it harm
by supplying information and tools which could enable visitors to hack
its protected sites and thereby violate its copyrights.

The ICE site, which had been on line for nearly two years, was
originally pulled by its host, Xyrid, immediately after receiving a
threat-memo from IBILL lawyer Stephen Workman, presumably in its
eagerness to get clear of a third-party dispute and cut its
liabilities as quickly and painlessly as possible. For a time the
Icefortress crew considered Xyrid's action a sound example to follow,
having neither the time nor the money to fight a well-heeled
corporation like IBILL in the courts.

Friends

But since we ran our original coverage, the ICE crew have been
encouraged by a few friendly hands in the struggle to keep
controversial information safe from interference on First Amendment
grounds.

Carnegie Mellon University Computer Science Professor David Touretzky,
whose testimony on the free-speech aspects of program code during the
2600.com trial was singled out by the judge as especially persuasive,
has mirrored on his own Web site an essay which the ICE crew believe
IBILL objects to and which, they believe, inspired their threat of
action. The essay in question is a simple account of how IBILL
connects to one's security port, a well-documented and quite general
bit of Internet protocol data hardly worth sounding alarms over.

Touretzky has been active in defending free speech on the Net for
several years now. "When I see a little guy being crushed by a big
guy, my instinct is to mirror what they have," Touretzky told The
Register. "And anything else IBILL wants to object to, I'll be happy
to mirror so long as I decide it's legal," he added.

Touretzky has also created a most unflattering Web page dedicated to
IBILL attorney Workman, entitled "Steven W. Workman: Porno Lawyer",
including an article Workman contributed to porno Webmaster gazette
the Condom Chronicles, and court documents from a legal malpractice
suit brought against Workman by a former client from which he emerged
whole on procedural grounds.

San Francisco lawyer Jennifer Granick, who served as a legal
consultant to SecurityFocus journalist Kevin Poulsen, when, in a
previous life, he'd been convicted of computer misuse, has also taken
up the cause, now representing Icefortress domain owner Timothy
McDonnell.

IBILL's legal case amounts to nothing more than "a libellous and
unsubstantiated claim backed by the threat of litigation," Granick
told The Register. The company's first mistake, she notes, was to
threaten Icefortress' host, Xyrid, without giving domain owner
McDonnell an opportunity to challenge, or even know, IBILL's
objections before the site was pulled.

The company is playing fast and loose with the DMCA, exploiting its
several internal contradictions, Granick believes. "The DMCA is a tool
in the arsenal of companies that don't want to allow fair use" of
copyrighted materials, she said.

IBILL's second mistake was to package their threat in an invalid legal
format, she notes. IBILL lawyer Workman was obliged to identify the
material which the company deemed infringing, and was to sign under
penalty of perjury. This, Granick says, would have given some legal
teeth to Workman's memo.

What remains now, she says, is for IBILL to identify the infringing
material and file a proper legal notice, or, failing that, to 'fess up
and tell Xyrid that they have nothing to fear from restoring the
Icefortress site.

To date, not even Granick knows what material on the Icefortress site
IBILL objects to. This refusal to mention a particular item strongly
suggests that the company doesn't actually have anything that would
withstand examination in court, and has simply been using threats of
litigation to bluff Icefortress into folding.

Bluffing

The company has been reluctant to go on record with their side of the
story, appealing to a quite reasonable concern that anything quoted in
the press might come back to haunt them if they should argue their
case before the bench. Thus when IBILL Director of Intellectual
Property Edward Cherry spoke to The Register, he limited his comments
to very broad issues touching tangentially on the case.

He did say that the company respects the First Amendment guarantee of
free speech, but feels that free expression needs to be balanced
carefully with the need to protect copyrights, in which vast sums of
money are often invested.

He noted also that the company prefers to use a civil action rather
than a criminal action to settle its dispute with Icefortress, on
grounds that it would be a pity to stigmatise a group of clever
youngsters with criminal records.

Of course the burden of proof in a criminal case is higher than in a
civil case, and there is no doubt that this consideration plays some
part in IBILL's preference to appeal to the DMCA, since its case
against Icefortress is dodgy at best.

As we reported earlier, Workman claims that any information or tool
which can defeat an access control violates the DMCA anticircumvention
provisions (17 USC 1201). The 1201 provisions are intended to protect
copyrighted materials, and Workman is hoping to get around this by
claiming that virtually anything which can be protected with an access
control such as a crypto scheme, or even a password, can also be
copyrighted.

Surely this amounts to torturing the text to obtain a particular
reading. If the 1201 provisions were interpreted as broadly as Workman
would have them, then all the security tools in common use today by
systems administrators would be outlawed.

But the strongest hint that the company is bluffing is the fact that
they've steadfastly refused to identify what, exactly, on the
Icefortress site infringes their copyrights.

"If IBILL can identify something they think is infringing, I'll take a
look at it and advise Icefortress whether or not I think it can be
published legally. If I decide that it is legal, and IBILL wants to
dispute that in the courts, then they're welcome to try," Granick told
us.

The company appears to be bluffing on a presumption that the entire
ICE site, by its very nature, is illegal. Following Workman's very
broad reading of the DMCA, IBILL's Cherry claims that providing tools
and information which can be used to defeat any network security
system is prohibited. Thus, simply by virtue of being a 'hacker
education site', Icefortress is in violation of the law.

Muddy waters

We mean no disrespect to Icefortress, but we must note that if
Cherry's reading of the DMCA is correct, then the most dangerous
hacker education site on the Web would have to be the Computer
Emergency Response Team (CERT) security site, hosted by none other
than Carnegie Mellon University, and financed in part by the US
government. We've spent many a blissful hour trawling its vast
archives for detailed descriptions of security weaknesses in most
popular network hardware and software and their default
implementations, and downloading source code, scripts and tools with
which such holes may be conveniently exploited.

It is to the CERT site, more than any other source, that we owe our
own expertise in network and Web security (such as it is); and while
we don't wish to boast, we must note that we could quite easily apply
what we've learned and downloaded there to extremely destructive
on-line activities if we were so inclined.

Thus if we accept that the ICE site is subject to closure for
providing information and tools related to exploiting computer
security weaknesses, we would have to accept that CERT, too, is
subject to closure on the same grounds. Indeed, considering CERT's
positively immense archive, its immediate closure ought to become the
chief priority of anyone wishing to protect themselves from those who
educate potential malicious hackers.

Any distinction between Icefortress.com, which looks like a site
catering to crackers, and CERT.org, which offers much the same
information but looks like a site catering to systems administrators,
is absolutely cosmetic and thus perfectly fraudulent. We are reminded
of the US 'assault-rifle' law, which banned the sale of certain
semi-automatic rifles because they had the misfortune to be black and
scary-looking, while ignoring traditional-looking 'sporting' weapons
possessing identical destructive capabilities.

The law gradually evolved into a more common-sense regulation limiting
the magazine capacities of all semi-automatic rifles and outlawing
folding stocks and flash suppressors which can ease concealment; but
it originated in a preposterous Congressional reaction to meaningless
cosmetic features.

Political bodies like the US Congress may be inspired to action by
superficial distinctions, but the Bill of Rights happens not to
recognise them. If CERT has the right to publish systems weaknesses
and exploits, so does Icefortress. According to law, "certain speakers
can't be privileged," Granick notes. "We can't say, 'Carnegie Mellon
yes, but independent researchers no.'"

So now the question becomes whether or not IBILL is prepared to take
on the entire academic community and every security-oriented site on
the Web. We rather think they're not. We rather think they're setting
themselves up to regret that they ever heard of Icefortress, and
perhaps of Stephen Workman as well.

ISN is hosted by SecurityFocus.com