The talk discusses the basic problem of code theft and license violation. As an example, the popular case "ATK vs. WEKA" is retold. With this case as an example, the coderecon tool is introduced to show how stolen code can be identified with technical utilities. Afterwards the legal aspects of plagiarism and code theft are discussed, including current law and statutory provisions in Switzerland, Europe/EU and worldwide.
Bio: Marc Ruef is co-founder and CTO at scip AG in Zürich (http://www.scip.ch). The Swiss company provides consulting services covering security testing and forensic analysis, primarily in the financial sector. He has written several books, of which "The Art of Penetration Testing" is by far the best known (http://www.computec.ch/mruef/?s=dkdpt). He launched and joined several projects discussing, improving and providing security testing tools. One of those is ATK, an exploiting framework (http://www.computec.ch/projekte/atk/) which fell victim to code theft back in 2006.
Bio: Luca Dal Molin works as an associate at Homburger AG, a leading commercial law firm in Switzerland. He is a member of the practice team "IP|IT", which advises and represents clients in all areas of IP, technology and media law. Luca Dal Molin graduated in law from the University of Zurich and is admitted to the bar in Switzerland.
hashdays 2011: Marc Ruef & Luca Dal Molin – Code Plagiarism: Technical Detection and Legal Prosecution
1. Code Plagiarism
Technical Detection and Legal Prosecution
Marc Ruef | Luca Dal Molin
Security & Risk Conference
October 26th - 29th 2011
Lucerne, Switzerland
2. Agenda | Code Plagiarism – Detect & Prosecute
1. Intro
  ◦ Introduction 2 min
  ◦ What is Code Plagiarism 3 min
2. ATK Case
  ◦ How it all began 5 min
  ◦ Technical Analysis 10 min
  ◦ Legal Problems 10 min
  ◦ Media Rampage 10 min
  ◦ Additional Details 5 min
4. Outro
  ◦ Summary 2 min
  ◦ Questions 3 min
Hashdays 2011 2/42
3. Introduction | Who is Marc
Name Marc Ruef
Job Co-Owner / CTO, scip AG, Zürich
Private Website http://www.computec.ch
Last Book „The Art of Penetration Testing“, Computer & Literatur Böblingen, ISBN 3-936546-49-5
Translation
4. Introduction | Who is Luca
Name Luca Dal Molin
Job Associate at Homburger AG, Member of Practice Team "IP|IT"
Corp. Website http://www.homburger.ch
5. Introduction | What is Code Plagiarism
“The practice of taking someone else’s work or ideas and passing them off as one’s own.”
Oxford English Dictionary, http://oxforddictionaries.com/definition/plagiarism
6. ATK Case | Once upon a time ...
7. There was an idea ...
8. ... to help me exploit vulnerabilities.
9. And the Attack Tool Kit was born!
10. The ATK became pretty popular :)
11. One day I received an email from a friend ...
12. So I downloaded the scanner and took a look ... wtf?!
13. I have sent a letter to them to request to obey Copyright + GPL
14. They said: «We can’t see your problem. Please go away!»
15. I said: «No, please, be kind ...»
16. They said: «F—k off, we really don’t care. Really!»
17. Technical Analysis | Source Code Analysis
◦ Strings
  ◦ Names, Title
  ◦ Copyright
◦ Names
  ◦ Variables, Constants
  ◦ Functions, Methods, Classes
  ◦ Objects, Elements
◦ Structures
  ◦ Programming Style (indentation, vertical alignment)
  ◦ Conditional Statements (if, for, until, switch, goto)
  ◦ Pattern, Regex
  ◦ Dataflow
18. I need solid proof. Some reversing helps ...
19. Plagiarism has some pitfalls ...
◦ Some original plugins were using arbitrary strings for requests and pattern matching. Therefore the string «atk» was part of many plugins in the original software. It also made it into their product (see screenshot). [12 plugins affected]
◦ Some plugins were performing outbound tests. I have used a small daemon on my website www.computec.ch to determine the success. So did they. [1 plugin affected]
◦ Some plugins were using arbitrary dates/numbers too. Whenever possible I have used my birthday 11-02-1981. It also made it into their product. [2 plugins affected]
◦ Some plugins included typos and minor errors. Those also made it into their product. [5 plugins affected]
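The indicators from slide 17 and the author-specific markers from slide 19 (an arbitrary string, a birthday, a typo) can be turned into a small fingerprint comparison. The following is an added example written for this page; it is neither the coderecon tool mentioned in the abstract nor ATK code, and the three plugin snippets it compares are constructed samples. It extracts string literals, identifier names and dates from an original and a suspect snippet, reports the overlap per indicator category, and checks which author-known markers reappear. A third, independently written snippet serves as a control to show that ordinary code does not trigger the markers.

```python
"""Fingerprint comparison of an original plugin against a suspect one.

Added example, not the coderecon tool and not ATK code. It applies the
indicators listed on the slides (string literals, identifier names, dates,
author-known markers such as typos) to two source snippets and reports
what they share. All three plugins below are constructed samples.
"""
import re

# Indicator extraction. Strings are pulled first so that '#' or '//' inside a
# literal cannot be mistaken for a comment, then comments are dropped so that
# words in prose do not count as identifiers.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
COMMENT_RE = re.compile(r'(#.*|//.*)$', re.MULTILINE)
IDENT_RE = re.compile(r'\b[A-Za-z_][A-Za-z0-9_]*\b')
DATE_RE = re.compile(r'\b\d{2}-\d{2}-\d{4}\b')

# Language keywords carry no authorship signal, so they are ignored.
KEYWORDS = {"def", "return", "if", "else", "elif", "in", "for", "while",
            "function", "var", "let", "const", "true", "false", "null",
            "True", "False", "None", "new", "import", "from", "class"}

# Markers only the original author would know to look for (slide 19):
# the project string, the author's birthday and a deliberate typo.
MARKERS = {"project string": "atk",
           "author birthday": "11-02-1981",
           "typo respone": "respone"}

ORIGINAL_PLUGIN = r'''
# Original plugin (constructed sample)
def check_target(host):
    request = "GET /index.php?user=atk&id=11-02-1981 HTTP/1.0\r\n\r\n"
    respone = send(host, request)  # deliberate typo: respone
    if "Welcome atk" in respone:
        return True
    return False
'''

SUSPECT_PLUGIN = r'''
// Suspect product plugin (constructed sample): same logic, other language
function checkTarget(host) {
    var request = "GET /index.php?user=atk&id=11-02-1981 HTTP/1.0\r\n\r\n";
    var respone = send(host, request);
    if (respone.indexOf("Welcome atk") >= 0) return true;
    return false;
}
'''

CLEAN_PLUGIN = r'''
// Independently written plugin (constructed sample) used as a control
function probeHost(target) {
    var req = "GET /login.php HTTP/1.0\r\n\r\n";
    var response = send(target, req);
    return response.indexOf("Login") >= 0;
}
'''


def extract_features(source):
    """Return the string literals, identifiers and dates found in source."""
    strings = {m.group(1) if m.group(1) is not None else m.group(2)
               for m in STRING_RE.finditer(source)}
    code_only = COMMENT_RE.sub("", STRING_RE.sub('""', source))
    identifiers = {t for t in IDENT_RE.findall(code_only) if t not in KEYWORDS}
    return {"strings": strings, "identifiers": identifiers,
            "dates": set(DATE_RE.findall(source))}


def jaccard(a, b):
    """Overlap of two feature sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def compare(original, suspect, markers=MARKERS):
    """Report shared features per indicator plus which markers reappear."""
    fo, fs = extract_features(original), extract_features(suspect)
    report = {cat: {"shared": sorted(fo[cat] & fs[cat]),
                    "jaccard": jaccard(fo[cat], fs[cat])}
              for cat in ("strings", "identifiers", "dates")}
    report["markers"] = sorted(name for name, needle in markers.items()
                               if needle in original and needle in suspect)
    return report


if __name__ == "__main__":
    for label, candidate in (("suspect", SUSPECT_PLUGIN), ("clean", CLEAN_PLUGIN)):
        r = compare(ORIGINAL_PLUGIN, candidate)
        print(f"--- original vs {label} ---")
        for cat in ("strings", "identifiers", "dates"):
            print(f"{cat:12s} jaccard={r[cat]['jaccard']:.2f} shared={r[cat]['shared']}")
        print("markers:", r["markers"])
```

The marker check is the part that carries weight as evidence: a shared identifier like `host` proves nothing, but a birthday or a misspelling that only the original author would have typed is hard to explain as coincidence, which is exactly the argument made on slide 19. Run against real plugin directories, the same functions would be applied file by file and the per-file marker hits counted, as in the "[n plugins affected]" tallies on the slide.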
20. ... so I gave them a last chance ...
21. ... which they ignored. But tried to cover up :)
◦ Some plugins were altered to hide the obvious – especially within the new release after my technical letter.
◦ Those changes usually destroyed the purpose of the code and rendered the checks useless! For example:
  ◦ The exfiltration tests were always negative if their website wasn’t hosting my daemon (which was not part of the ATK package). [3 plugins affected]
22. Legal Problems | Threshold for Copyright
◦ Article 2 of the Swiss Copyright Act:
  1. Works shall mean literary and artistic creations of the mind, irrespective of their value or purpose, that possess an individual nature.
  2. […]
  3. Computer programs shall also be deemed works.
  4. Protection shall also subsist in drafts, titles and parts of works on condition that they are creations of the mind with an individual nature.
◦ Key elements of the definition:
  ◦ Creation of the mind
  ◦ Individuality
23. Legal Problems | Threshold for Copyright
◦ Software:
  ◦ Idea | plan
  ◦ Object code | source code
◦ Case law (decision of the Zurich Court of Appeals, sic! 2009, p. 230):
  ◦ Very low threshold in terms of individuality
  ◦ Exclusion of banal or trivial software
◦ Consequence:
  ◦ As a matter of principle, software is generally protected by the Copyright Act
  ◦ Copyright protection is denied with regard to banal software
24. Legal Problems | Other Possible Protection
◦ Patent law?
◦ Brand | design?
◦ Unfair Competition Act?
25. My options were: No. 1 – Legal Prosecution
◦ Had contact with different lawyers from different countries (Switzerland, Germany, USA)
◦ Had contact with the Free Software Foundation (FSF)
◦ There were multiple difficulties:
  ◦ Such a legal case in Switzerland was «unique» until then
  ◦ My legal insurance wasn’t covering «copyright violations» (no legal insurance in Switzerland was/is)
  ◦ It would cost me an indeterminable amount of money to prosecute
  ◦ The chances were zero to gain indemnity (because I distributed the ATK for «free» and therefore had no calculable loss of income).
  ◦ Within a trial I would have lost money anyway (that’s not my idea of an open-source project).
  ◦ Because I have waited a long time, I wasn’t able to enforce «immediate legal actions» anymore.
26. My options were: No. 2 – Media Rampage :)
◦ For me it wasn’t about the money. It was about law and justice ... and for the lulz!!1
◦ I started to prepare a broad media offensive.
27. If I don’t get enough attention, then I may go public!
28. But who did it?
29. I tried to contact my «old friend» ... But he ignored me :(
30. But wait? I know him and own his code too! :)
31. Then they claimed that I was lying. (I didn’t like that!)
32. By accident I’ve got access to their «expert opinion» ...
33. Evidence admitted in court
◦ How does a court establish whether a violation of a copyright has occurred?
  ◦ Expert opinion
  ◦ Value of a private expert opinion?
◦ What will the expert analyze:
  ◦ Description of the software | plan?
  ◦ Functionalities?
  ◦ Source Code?
  ◦ Object Code?
34. I’m sorry, not everyone is an «expert»!
◦ There is a list of funny typos (e.g. «exploits» became «exploids»). (pp. 12) He might not be a language expert (there are many typos).
◦ He did compare the compiled software and not the source code. (pp. 10) Not a brilliant approach to comment on a «code theft accusation».
◦ His argument why «to borrow» my code is legitimate was that I have mentioned GPL just somewhere «hard to find». The project was therefore «open-source» and I have lost all my rights. (pp. 4) This conclusion is just plain stupid. You don’t lose copyrights by publishing the source code!
◦ On some pages he disapproved that those were the same plugins. On others he argued that the match might be «just by accident». (pp. 4, 9, 12, 15) Yeah sure, 380 plugins with the exact same 1.716 commands are just magical coincidence!
◦ The «expert opinion» contained a copy of the WikiPedia page about «General Public License». (pp. 22-26) Some say WP and Expert can’t be mentioned within the same sentence ;)
35. Details | Particularities OSS and GPL
◦ Copyright protection of OSS in general
◦ With regard to GPL in particular:
  ◦ How to validly include GPL when distributing software
  ◦ Rights and obligations of the licensor
  ◦ Rights and obligations of the licensee
  ◦ Copyleft
  ◦ Auto-termination in case of violations
◦ Differences Copyright Act | GPL
36. Details | What should Marc have done?
◦ With regard to the inclusion of GPL?
◦ Act quickly!
◦ Act decisively!
◦ Safeguard potential evidence
37. One more thing ...
◦ In version 1.8 they fragged their http engine. Because all http requests missed proper CRLF at the end, the http checks were rendered useless. 100% false-negatives!
◦ The «stresstest module» didn’t work if the http:// was missing in the target definition (which was no requirement and did not show a warning message). 100% false-negatives!
◦ The «webspider module» wasn’t able to collect file and path names which start with a dot. Have fun testing .htaccess files! More false-negatives!
◦ The «lan viewer module» did freeze the whole application if you clicked onto something during discovery mode. Denial of Service!
◦ The «port scan module» did a full-connect without a timeout to every open destination port. Http services led to denial of service. But chargen led to memory corruption and code execution. Pwnd by your target!
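The first two defects on this slide share a pattern: the scanner keeps running and reports "not vulnerable" while its requests never reach a working state. The following added example is not code from the product under discussion; it shows the two self-checks a scanner's HTTP engine would need to fail loudly instead, namely a target normalizer that warns when the scheme (http://) is missing, and a framing validator that rejects any request whose header block is not terminated by an empty CRLF line. The target host name and User-Agent string are constructed values.

```python
"""Self-checks a scanner's HTTP engine needs so that defects fail loudly.

Added example, not code from the product discussed on the slide. It covers
two of the failure modes listed there: a target given without a scheme, and
requests whose header block is not terminated by CRLF CRLF. Both would
otherwise turn into silent false negatives.
"""
import re
from urllib.parse import urlsplit

REQUEST_LINE_RE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]")


def normalize_target(target):
    """Add an explicit scheme when missing and say so, instead of failing silently."""
    warnings = []
    if "://" not in target:
        warnings.append(f"no scheme in {target!r}; assuming http://")
        target = "http://" + target
    return target, warnings


def build_request(target, path="/"):
    """Build a minimal HTTP/1.0 GET with every line CRLF-terminated."""
    host = urlsplit(target).netloc  # needs a scheme, hence normalize_target first
    lines = [f"GET {path} HTTP/1.0", f"Host: {host}",
             "User-Agent: constructed-scanner/0.1"]  # constructed UA string
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def validate_request_framing(raw):
    """Return a list of framing problems; an empty list means the request is well formed."""
    problems = []
    if not raw.endswith(b"\r\n\r\n"):
        problems.append("header block is not terminated by an empty CRLF line")
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not REQUEST_LINE_RE.fullmatch(lines[0]):
        problems.append(f"malformed request line: {lines[0]!r}")
    for line in lines[1:]:
        if b"\r" in line or b"\n" in line:
            problems.append(f"bare CR or LF in header: {line!r}")
        elif b":" not in line:
            problems.append(f"header without a colon: {line!r}")
    return problems


if __name__ == "__main__":
    target, warnings = normalize_target("scan-target.invalid")  # constructed host
    for w in warnings:
        print("warning:", w)
    good = build_request(target)
    print("well formed:", validate_request_framing(good))
    broken = good.replace(b"\r\n", b"\n")  # what an LF-only engine would send
    print("LF-only:", validate_request_framing(broken))
```

Wiring `validate_request_framing` into the engine's own test suite, or running it once per request in a debug mode, turns the 100% false-negative case from the slide into an immediate error, which is the property a security scanner needs most: a check that cannot run must say so rather than report a clean result.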
38. Summary
◦ Legal prosecution is not easy.
◦ Act quickly and take a good lawyer! #lfmf
◦ Licenses and copyrights aren’t the same. You don’t lose a copyright by publishing the source code.
◦ Fight for your right as long as you’re sure about it.
39. Literature
◦ ATK vs.
  ◦ ATK Project gegen (2006) [ATK Project vs.], http://www.computec.ch/news.php?item.117
  ◦ ATK gegen , Teil 2: Rückzug? (2006) [ATK vs. , Part 2: Retreat?], http://www.computec.ch/news.php?item.120
  ◦ ATK gegen , Teil 3: Siege und Niederlagen [ATK vs. , Part 3: Victories and Defeats], http://www.computec.ch/news.php?item.126
  ◦ ATK gegen - Technische Beweisführung (2007) [ATK vs. - Technical Evidence], http://www.computec.ch/download.php?view.889
40. Questions
41. Thank you for your Attention!
Homburger AG
Prime Tower
Hardstrasse 201
CH-8005 Zurich
Tel +41 43 222 10 00
Fax +41 43 222 15 00
Mail luca.dalmolin@homburger.ch
Web http://www.homburger.ch
42. Security is our Business!
scip AG
Badenerstrasse 551
CH-8048 Zürich
Tel +41 44 404 13 13
Fax +41 44 404 13 14
Mail info@scip.ch
Web http://www.scip.ch
Twitter http://twitter.com/scipag
Strategy | Consulting
Auditing | Testing
Forensics | Analysis