CS363 Week 13 - Thursday

Week 13 - Thursday. What did we talk about last time? E-mail security Privacy in emerging technologies


Last time

- What did we talk about last time?
  - E-mail security
  - Privacy in emerging technologies


Questions?


Assignment 5


Project 3


Security tidbit

Heartbleed updates!

- It's true that attackers can get arbitrary chunks of data, possibly including user passwords
- Analysts at Cloudflare believe it is difficult to use Heartbleed to steal private SSL keys
  - The ones that the servers use that are central to all of public key infrastructure
- However, one attacker was successful in recovering such keys
  - https://www.cloudflarechallenge.com/heartbleed


More Heartbleed updates

- Another possible exploit for Heartbleed is session hijacking
  - Taking over a user's session after he or she logs in
  - More information: https://www.mattslifebytes.com/?p=533
- A Bloomberg article says that the NSA knew and used Heartbleed for two years
  - http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
- NSA denies prior knowledge of Heartbleed


Cartoon from: http://xkcd.com/1354/


Legal Issues


Legal issues in computer security

- Motivations for studying legal issues:
  - To know what protection the law gives us for computers and data
  - To respect laws that protect the rights of others with respect to computers and data
  - To help, as experts, to recommend improvements to these laws
- Computer law is complicated
- Computer law changes quickly, but never as fast as technology itself


Areas of interest

- We will look at four areas where the law intersects with the usage of computers:
  - Protecting computer systems against criminals
    ▪ What is your legal recourse when criminals attack?
  - Protecting code and data
    ▪ What are the copyright issues at stake?
  - Protecting programmers' and employers' rights
    ▪ What is the legal environment of a software development workplace?
  - Protecting users of programs
    ▪ What is your legal recourse if a program you buy doesn't work?


Protecting Programs and Data


Copyright

- Copyright protects the expression of an idea
  - Two people could have had the same idea independently
- Many laws including the copyright law of 1978 and the DMCA apply to copyright
- Copyright applies to an original work which must be in some tangible medium of expression
- Works with no clear author or that are old enough are in the public domain, owned by everyone
- Copyright is supposed to promote the free exchange of ideas by protecting the authors


Fair use, piracy, and infringement

- Fair use includes the uses that a copyrighted work can be put to
  - If you buy a work, you can use it in the ways outlined in the purchasing agreement
  - Without purchasing the work, it can be used and copied for criticism, comment, reporting, teaching, and research
- Piracy includes any uses of a copyrighted work that do not fall under fair use
- Copyright gives the author rights to the first sale
  - After the first sale, the purchaser can sell it to someone else
- This system is reasonable for books or works of art but more complex for software


Copyright standards

- Copyrighted material must be clearly marked with the word "copyright" or ©, the author's name, and the year
- Registering a copyright is unnecessary at a philosophical level
  - But you are not able to claim damages until you have done so
- In the US, a copyright lasts for 70 years after the death of the last surviving author or 95 years after publication for a work copyrighted by a company
- International standards give only 50 years after the death of the last surviving author or 50 years after publication


Infringement

If someone has violated the protections of your copyright (called infringing), you must go to court to claim damages

The infringement must be substantial, and it must be copying, not coincidentally creating the same thing

If two people create the same thing independently, they can both copyright their versions


Copyrights for computer software

- Copyrights are good for books, songs, and photographs
  - Copying is obvious
  - The line between public domain and creativity is clear
- Computer programs can be copyrighted but it doesn't work as well
  - You can copyright the source code, the expression of the idea
  - But that won't copyright the algorithm, the idea behind it
  - You also have to publish the source code in order to copyright it


DMCA

- The Digital Millennium Copyright Act (DMCA) of 1998 clarified some aspects of copyright law about digital objects
  - Digital objects can be copyrighted
  - It is a crime to disable antipiracy measures built into an object
  - It is a crime to make, sell, or provide devices that disable antipiracy measures or copy digital objects
    ▪ Except for educational purposes
  - You can make a backup copy of a digital object to protect against hardware and software failures
  - Libraries can make up to 3 copies of a digital object to lend to other libraries


A mess

- Some things in the DMCA are quite vague
  - A lawyer could argue that you can't rip music from a CD and put it on an MP3 player
  - Is it a backup or not?
- Courts have ruled that a computer menu design can be copyrighted but its "look and feel" cannot be
- Copyrights probably need a real update for the computer age
- An emerging idea behind music and software copyrights is that you don't buy the music or software itself, you buy the right to use it


Patents

- Patents are another form of legal protection
  - They focus on inventions, tangible objects, and ways to make them
  - Unlike copyright protection which applies directly to works of the mind
- Patents apply to a "new and useful process, machine, manufacture, or composition of matter"
- They explicitly do not apply to "newly discovered laws of nature … [and] mental processes"
- Patents protect a way to carry out some idea


Requirements for a patent

- The object patented has to be novel and nonobvious
- Unlike copyrights, two people cannot hold patents for simultaneously inventing something
  - The person who invented it first gets the patent (not the person who files first)
- Copyrights are easy to get, but a patent requires that you convince the U.S. Patent and Trademark Office that your invention deserves a patent
  - Lawyers are usually involved


Patent infringement

- Unlike copyrights, an inventor must oppose all infringement or risk losing patent rights
- However, infringement occurs even in the case of independent invention
- Defenses when charged with patent infringement:
  - My invention is sufficiently different from yours
  - Your patent is invalid
  - Your invention really wasn't novel
  - I invented the object first


Patents for computer objects

- The Patent Office has discouraged patents for computer software
- In 1981 two cases won patents for industrial processes that use computer programs as part of a larger process
- Since then, algorithms have been recognized as processes by the Patent Office and thousands of software patents have been issued
- The time and expense is often not justified for small software developers


Trade secrets

- Copyrights and patents both require that the underlying work or details of an invention are made public
- A trade secret is some information that gives a company an advantage over others
  - The formula for Coca-Cola
- Trade secrets must be kept secret
  - If a product can be reverse engineered, a trade secret gives no protection
  - If an idea or process is independently discovered, there is still no protection
  - The only protection is when a trade secret is improperly obtained


Trade secrets and computers

- Trade secret protection is a typical protection for computer software
  - Microsoft does not explain all the details of its software
- Unfortunately, software is not too difficult to reverse engineer
  - Even with only machine code
- Trade secret protection is hard to enforce
  - They try to do it with a lot of Nondisclosure Agreements


Summary of copyrights, patents, and trade secrets

| | Copyright | Patent | Trade Secret |
|---|---|---|---|
| Protects | Expression of idea, not idea itself | Invention, the way something works | A secret, a competitive advantage |
| Protected object made public | Yes, all about promoting publication | Filed at patent office | No |
| Requirement to distribute | Yes | No | No |
| Ease of filing | Easy, do it yourself | Complicated, usually needs lawyers | No filing |
| Duration | Life of author + 70 years, 95 years for corporations | 19 years | As long as you can keep it secret |
| Legal protection | Sue if unauthorized copy sold | Sue if invention copied | Sue if secret improperly obtained |


Happy Birthday

- The book incorrectly claims that the song "Happy Birthday to You" is so widely known that it would be hard to claim a copyright
- In fact, the song has a long history of copyright with ownership transferred to Time-Warner in 1998
  - Time-Warner collected over $2 million in royalties for performances of the song in 2008
  - Don Pablo's, Outback, Olive Garden, and other large chains almost always sing some bizarre customized birthday song instead of paying royalties
- Some experts argue that the copyright is not valid
  - If it is valid, it will expire in 2016 in Europe and 2030 in the US


Hardware and software

- Hardware designs can, in general, be patented
- Firmware is tough
  - The hardware it is stored on can be patented
  - The code itself is hard to copyright
  - Trade secrets are probably the right choice
- Object (machine) code
  - Uncertain!
  - Companies file copyrights, but there is no guarantee they will apply
- Source code
  - You can file a copyright
  - You have to publicize the first and last 25 pages of source code (but those can contain nothing useful)
  - Trade secrets are typical


Documentation, web content, domain names

- The documentation of a program must be copyrighted separately from the source code
- Web content is perhaps the easiest to link to traditional copyrights
  - It is mostly text and pictures
  - Much of the code online is visible, so trade secrets don't work
- Domain names, URLs, company names, product names, and commercial symbols are protected by a trademark


URL example

- This is from 2000, a relatively old story
- Hacker magazine 2600 went to register the domain name verizonsucks.com
- They discovered that Verizon had already registered it
- They registered verizonreallysucks.com
- Verizon sued them under a new law but lost because 2600 was not trying to profit from the domain
- In response, someone registered the longest domain name supported by the system at that time: VerizonShouldSpendMoreTimeFixingItsNetworkAndLessMoneyOnLawyers.com
- Read more: http://www.wired.com/techbiz/media/news/2000/05/36210


Information and the Law


Information as an object

Traditionally, actual things like cannon balls, horses, and eggplants were sold

Service industries such as hair stylist or accountant have existed for a long time as well

Information can also be sold, but it has different properties


Ways information is different

- Information is not depletable
- Information can be replicated (often exactly)
- Information has a small marginal cost
  - Marginal cost is the price to make another thing after you've made the first one
  - It's much lower for computer-based information
    ▪ Reprinting a newspaper by hand is hard, but distributing software is not
- The value of information is often time dependent
- Information can be transferred intangibly


Information legal issues

- Information has some value, but it is hard to pin down
- There are technological approaches to dealing with piracy, but we need better legal remedies
- Electronic publishing
  - How do you protect content that you have published online only for subscribers?
  - They can copy the material and distribute it
- Data in a database
  - Courts can't figure out what is and isn't protected in a database
  - Can some specific subset be protected?
  - Databases often contain a great deal of public data
- Electronic commerce
  - How do you prove that a digital sale of electronic items actually occurred?
  - What if Steam took your money and didn't give you a game?
  - There are essentially no legal ways to redress a situation where you pay real money for equipment in Diablo 3 and don't get it


Protecting information

- Statutes are laws that say that certain actions are illegal
  - Violating a statute can result in a criminal trial
  - The goal is to punish the criminal
- A tort is harm that does not come from violating a statute but still runs counter to precedents
  - Perpetrators can be sued, usually for money
- Contract law is another form of civil law
  - It involves an offer, an acceptance, and a consideration
  - Contracts do not have to be written


Criminal vs. civil law

| | Criminal Law | Civil Law |
|---|---|---|
| Defined by | Statutes | Contracts, Common law |
| Cases brought by | Government | Government, Individuals and companies |
| Wronged party | Society | Individuals and companies |
| Remedy | Jail or fine | Damages, usually money |


Upcoming


Next time…

- Employee and employer rights
- Software failures
- Computer crime

No class on Monday!


Reminders

- Keep reading Chapter 11
- Work on Assignment 5
  - Due next Friday before midnight
- Turn in your Project 3 code by midnight!
  - Then get cracking!