Code Plagiarism Technical Detection and Legal Prosecution Marc Ruef | Luca Dal Molin Security & Risk Conference October 26th - 29th 2011 Lucerne, Switzerland

hashdays 2011: Marc Ruef & Luca Dal Molin Code Plagiarism - Technical Detection and Legal Prosecution


DESCRIPTION

The talk discusses the basic problem of code theft and violation of licenses. As an example, the popular case "ATK vs. WEKA" is retold. With this case as an example, the coderecon tool is introduced to show how stolen code can be identified with technical utilities. Afterwards the legal aspects of plagiarism and code theft are discussed. This includes current law and articles of statutes in Switzerland, Europe/EU and worldwide.

Bio: Marc Ruef is co-founder and CTO at scip AG in Zürich (http://www.scip.ch). The Swiss company provides consulting services covering security testing and forensic analysis, primarily in the financial sector. He has written several books, of which "The Art of Penetration Testing" is by far the best known (http://www.computec.ch/mruef/?s=dkdpt). He launched and joined several projects discussing, improving and providing security testing tools. One of those is ATK, an exploiting framework (http://www.computec.ch/projekte/atk/) which was the victim of code theft back in 2006.

Bio: Luca Dal Molin works as an associate at Homburger AG, a leading commercial law firm in Switzerland. He is a member of the practice team "IP|IT", which advises and represents clients in all areas of IP, technology and media law. Luca Dal Molin graduated in law at the Zurich University and is admitted to the bar in Switzerland.


Page 1

Code Plagiarism Technical Detection and Legal Prosecution

Marc Ruef | Luca Dal Molin

Security & Risk Conference October 26th - 29th 2011 Lucerne, Switzerland

Page 2

Intro

Who?

What?

ATK Case

How it began

Technical Analysis

Legal Problems

Media Rampage

Additional Details

Outro

Summary

Questions

Hashdays 2011

Agenda | Code Plagiarism – Detect & Prosecute

1. Intro

Introduction 2 min

What is Code Plagiarism 3 min

2. ATK Case

How it all began 5 min

Technical Analysis 10 min

Legal Problems 10 min

Media Rampage 10 min

Additional Details 5 min

4. Outro

Summary 2 min

Questions 3 min

2/42

Page 3

Introduction | Who is Marc

Name Marc Ruef

Job Co-Owner / CTO, scip AG, Zürich

Private Website http://www.computec.ch

Last Book "The Art of Penetration Testing", Computer & Literatur Böblingen, ISBN 3-936546-49-5

Translation


Page 4

Introduction | Who is Luca

Name Luca Dal Molin

Job Associate at Homburger AG

Member of Practice Team "IP|IT"

Corp. Website http://www.homburger.ch


Page 5

Introduction | What is Code Plagiarism

“The practice of taking someone else’s work or ideas and passing them off as one’s own.”

Oxford English Dictionary,

http://oxforddictionaries.com/definition/plagiarism


Page 6

ATK Case | Once upon a time ...


Page 7

There was an idea ...

Page 8

... to help me exploit vulnerabilities.

Page 9

And the Attack Tool Kit was born!

Page 10

The ATK became pretty popular :)

Page 11

One day I received an email from a friend ...

Page 12

So I downloaded the scanner and took a look ... wtf?!

Page 13

I sent them a letter requesting that they comply with copyright and the GPL.

Page 14

They said: «We can’t see your problem. Please go away!»

Page 15

I said: «No, please, be kind ...»

Page 16

They said: «F—k off, we really don’t care. Really!»

Page 17

Technical Analysis | Source Code Analysis

◦ Strings
  ◦ Names, Title
  ◦ Copyright
◦ Names
  ◦ Variables, Constants
  ◦ Functions, Methods, Classes
  ◦ Objects, Elements
◦ Structures
  ◦ Programming Style (indentation, vertical alignment)
  ◦ Conditional Statements (if, for, until, switch, goto)
  ◦ Pattern, Regex
  ◦ Dataflow

Page 18

I need solid proof. Some reversing helps ...

Page 19

Plagiarism has some pitfalls ...

◦ Some original plugins used arbitrary strings for requests and pattern matching. Therefore the string «atk» was part of many plugins in the original software. It also made it into their product (see screenshot). [12 plugins affected]

◦ Some plugins performed outbound tests. I used a small daemon on my website www.computec.ch to determine success. So did they. [1 plugin affected]

◦ Some plugins used arbitrary dates/numbers too. Whenever possible I used my birthday, 11-02-1981. It also made it into their product. [2 plugins affected]

◦ Some plugins included typos and minor errors. Those also made it into their product. [5 plugins affected]

Page 20

... so I gave them a last chance ...

Page 21

... which they ignored. But they tried to cover up :)

◦ Some plugins were altered to hide the obvious, especially in the new release after my technical letter.

◦ Those changes usually destroyed the purpose of the code and rendered the checks useless! For example:

  ◦ The exfiltration tests were always negative if their website wasn't hosting my daemon (which was not part of the ATK package). [3 plugins affected]

Page 22

Legal Problems | Threshold for Copyright

◦ Article 2 of the Swiss Copyright Act:

  1. Works shall mean literary and artistic creations of the mind, irrespective of their value or purpose, that possess an individual nature.

  2. […]

  3. Computer programs shall also be deemed works.

  4. Protection shall also subsist in drafts, titles and parts of works on condition that they are creations of the mind with an individual nature.

◦ Key elements of the definition:

  ◦ Creation of the mind

  ◦ Individuality

Page 23

Legal Problems | Threshold for Copyright

◦ Software:

  ◦ Idea | plan

  ◦ Object code | source code

◦ Case law (decision of the Zurich Court of Appeals, sic! 2009, p. 230):

  ◦ Very low threshold in terms of individuality

  ◦ Exclusion of banal or trivial software

◦ Consequence:

  ◦ As a matter of principle, software is generally protected by the Copyright Act

  ◦ Copyright protection is denied with regard to banal software

Page 24

Legal Problems | Other Possible Protection

◦ Patent law?

◦ Brand | design?

◦ Unfair Competition Act?

Page 25

My options were: No. 1 – Legal Prosecution

◦ Had contact with different lawyers from different countries (Switzerland, Germany, USA)

◦ Had contact with the Free Software Foundation (FSF)

◦ There were multiple difficulties:

  ◦ Such a legal case in Switzerland was «unique» until then

  ◦ My legal insurance wasn't covering «copyright violations» (no legal insurance in Switzerland was/is)

  ◦ It would have cost me an undeterminable amount of money to prosecute

  ◦ The chances were zero to gain indemnity (because I distributed the ATK for «free» and therefore had no calculable loss of income).

  ◦ Within a trial I would have lost money anyway (that's not my idea of an open-source project).

  ◦ Because I had waited a long time, I wasn't able to enforce «immediate legal actions» anymore.

Page 26

My options were: No. 2 – Media Rampage :)

◦ For me it wasn’t about the money. It was about law and justice ... and for the lulz!!1

◦ I started to prepare a broad media offensive.

Page 27

If I don’t get enough attention, then I may go public!

Page 28

But who did it?

Page 29

I tried to contact my «old friend» ... But he ignored me :(

Page 30

But wait? I know him and own his code too! :)

Page 31

Then they claimed that I was lying. (I didn’t like that!)

Page 32

By accident I’ve got access to their «expert opinion» ...

Page 33

Evidence admitted in court

◦ How does a court establish whether a violation of a copyright has occurred?

  ◦ Expert opinion

  ◦ Value of a private expert opinion?

◦ What will the expert analyze:

  ◦ Description of the software | plan?

  ◦ Functionalities?

  ◦ Source Code?

  ◦ Object Code?

Page 34

I’m sorry, not everyone is an «expert»!

◦ There is a list of funny typos (e.g. «exploits» became «exploids»). (pp. 12) He might not be a language expert (there are many typos).

◦ He compared the compiled software and not the source code. (pp. 10) Not a brilliant approach to comment on a «code theft accusation».

◦ His argument for why «borrowing» my code was legitimate was that I had mentioned the GPL only somewhere «hard to find». The project was therefore «open-source» and I had lost all my rights. (pp. 4) This conclusion is just plain stupid. You don't lose copyrights by publishing the source code!

◦ On some pages he denied that those were the same plugins. On others he argued that the match might be «just by accident». (pp. 4, 9, 12, 15) Yeah sure, 380 plugins with the exact same 1.716 commands are just a magical coincidence!

◦ The «expert opinion» contained a copy of the Wikipedia page about the «General Public License». (pp. 22-26) Some say WP and Expert can't be mentioned within the same sentence ;)

Page 35

Details | Particularities OSS and GPL

◦ Copyright protection of OSS in general

◦ With regard to GPL in particular:

  ◦ How to validly include GPL when distributing software

  ◦ Rights and obligations of the licensor

  ◦ Rights and obligations of the licensee

  ◦ Copyleft

  ◦ Auto-termination in case of violations

◦ Differences Copyright Act | GPL

Page 36

Details | What should Marc have done?

◦ With regard to the inclusion of GPL?

◦ Act quickly!

◦ Act decisively!

◦ Safeguard potential evidence

Page 37

One more thing ...

◦ In version 1.8 they fragged their HTTP engine. Because all HTTP requests missed the proper CRLF at the end, the HTTP checks were rendered useless. 100% false negatives!

◦ The «stresstest module» didn't work if the http:// was missing in the target definition (which was not a documented requirement and did not produce a warning message). 100% false negatives!

◦ The «webspider module» wasn't able to collect file and path names which start with a dot. Have fun testing .htaccess files! More false negatives!

◦ The «lan viewer module» froze the whole application if you clicked on something during discovery mode. Denial of service.

◦ The «port scan module» did a full connect without a timeout to every open destination port. HTTP services led to a denial of service, but chargen led to memory corruption and code execution. Pwned by your target!
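The defects listed above are all avoidable with a few lines of care. As an added example (not code from the slides, from ATK or from the vendor's product), the Python below shows how a checker handles them: a target parser that refuses a missing http:// instead of silently testing nothing, a request builder whose head ends in the empty CRLF line plus a check for that framing, an href extractor that keeps dot-prefixed names such as .htaccess, and a probe with a connect/read timeout and a cap on the bytes it will read. Host names, paths and the user-agent string are constructed placeholders.

```python
"""Added example (not from the slides or any vendor product): the HTTP framing,
target parsing and read-bounding defects listed above, written the way a
checker should do them. Hosts and paths below are constructed placeholders."""
import re
import socket
from urllib.parse import urlsplit

# Constructed sample of the framing defect: the head never ends with the empty
# CRLF line, so the server keeps waiting and the check silently reports nothing.
BROKEN_REQUEST = b"GET / HTTP/1.0\r\nHost: example.test\r\n"

# Accepts any non-quote characters, so a leading dot (".htaccess") survives.
_HREF_RE = re.compile(r"""href=["']([^"']+)["']""", re.IGNORECASE)


def normalize_target(target: str) -> str:
    """Fail loudly when the scheme is missing instead of silently testing nothing."""
    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError(f"target must be written as http://host[:port]: {target!r}")
    return target


def is_valid_target(target: str) -> bool:
    """Boolean wrapper around normalize_target for callers that prefer no exception."""
    try:
        normalize_target(target)
        return True
    except ValueError:
        return False


def build_request(target: str, path: str = "/") -> bytes:
    """Every header line ends in CRLF and the head ends in an empty line (CRLF CRLF)."""
    host = urlsplit(normalize_target(target)).hostname
    lines = [f"GET {path} HTTP/1.0", f"Host: {host}", "User-Agent: example-checker/0.1"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def is_complete_request(raw: bytes) -> bool:
    """True if the head is terminated by CRLF CRLF and uses no bare LF line ends."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    return sep == b"\r\n\r\n" and b"\n" not in head.replace(b"\r\n", b"")


def extract_paths(html: str) -> list:
    """href values from a page; dot-prefixed names are kept, not dropped."""
    return _HREF_RE.findall(html)


def probe(target: str, path: str = "/", timeout: float = 3.0, max_bytes: int = 65536) -> bytes:
    """One request with a connect/read timeout and a hard cap on bytes read, so a
    silent port cannot hang the checker and an endless talker (chargen) cannot
    exhaust it. Plain HTTP only; TLS is outside this example."""
    parts = urlsplit(normalize_target(target))
    with socket.create_connection((parts.hostname, parts.port or 80), timeout=timeout) as sock:
        sock.sendall(build_request(target, path))
        chunks, total = [], 0
        while total < max_bytes:
            chunk = sock.recv(min(4096, max_bytes - total))
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    req = build_request("http://example.test:8080", "/index.html")
    print(req)
    print("complete:", is_complete_request(req), "broken:", is_complete_request(BROKEN_REQUEST))
    print("valid target 'example.test'?", is_valid_target("example.test"))
    print(extract_paths('<a href=".htaccess">a</a> <a href="/.well-known/security.txt">b</a>'))
```

The framing check is the kind of self-test a scanner should run over its own plugins: a request that `is_complete_request` rejects will never get an answer from a conforming server, which is exactly how a whole module ends up reporting 100% false negatives without anyone noticing.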

Page 38

Summary

◦ Legal prosecution is not easy.

◦ Act quickly and take a good lawyer! #lfmf

◦ Licenses and copyrights aren’t the same. You don’t lose a copyright by publishing the source code.

◦ Fight for your right as long as you’re sure about it.


Page 39

Literature

◦ ATK vs.

  ◦ ATK Project gegen (2006), http://www.computec.ch/news.php?item.117

  ◦ ATK gegen , Teil 2: Rückzug? (2006), http://www.computec.ch/news.php?item.120

  ◦ ATK gegen , Teil 3: Siege und Niederlagen, http://www.computec.ch/news.php?item.126

  ◦ ATK gegen - Technische Beweisführung (2007), http://www.computec.ch/download.php?view.889

Page 40

Questions


Page 41

Thank you for your Attention!

Homburger AG

Prime Tower

Hardstrasse 201

CH-8005 Zurich

Tel +41 43 222 10 00

Fax +41 43 222 15 00

Mail [email protected]

Web http://www.homburger.ch


Page 42

Security is our Business!

scip AG

Badenerstrasse 551

CH-8048 Zürich

Tel +41 44 404 13 13

Fax +41 44 404 13 14

Mail [email protected]

Web http://www.scip.ch

Twitter http://twitter.com/scipag

Strategy | Consulting

Auditing | Testing

Forensics | Analysis
