Copyright Blocking Security Research: Researchers Barred From Exploring Leaked Archive

from the that's-a-problem dept

Two researchers for Kaspersky Lab, Costin Raiu and Anton Ivanov, have published an absolutely fascinating tale of how they successfully tracked down a zero-day exploit in Microsoft Silverlight. The story is totally worth reading, and it stems from the researchers trying to find an exploit that was described in an Ars Technica article by Cyrus Farivar, concerning a hacker selling exploits to Hacking Team; that sale was revealed last summer when Hacking Team got hacked and had all its emails (among other things) released.

Again, the whole story is fascinating and worth reading. The researchers explain how they found the vulnerability (which basically involved setting a trap and eventually having it sprung, more or less after they'd forgotten about it), but there's a surprising tidbit all the way at the end of the article, highlighted by Chris Soghoian, in which the Kaspersky researchers admit that they're not positive the vulnerability they found is the same one described by the Russian hacker who sold his exploits to Hacking Team... thanks to copyright:
One final note: due to copyright reasons, we couldn’t check if the leaked Hacking Team archive has this exploit as well. We assume the security community which found the other zero-days in the HackingTeam leaks will also be able to check for this one.
There's been plenty of talk for years about how copyright can restrict security research. Much of that has focused on anti-circumvention provisions, such as DMCA 1201, which makes getting around "technological protection measures" a form of copyright infringement. We've seen that issue pop up occasionally, like the time the RIAA threatened to sue Ed Felten if he presented his research on why its SDMI DRM was broken.

Clearly, however, that's not the issue here. It's not even entirely clear what the exact copyright issue would be here, but it is worth noting that when the leak first happened, at least someone sought to take down the documents by making copyright claims. Perhaps Kaspersky's lawyers fear that even looking through the leaked documents could expose them to some sort of copyright liability.

And, given the way people fling around copyright lawsuits these days, perhaps that's not so crazy from the "limiting liability" perspective. But from the "doing security research" perspective, it's absolutely ridiculous. It's just another example of dangerous copyright creep, where this tool is used to stop otherwise perfectly reasonable behavior. In this case, it's not just stopping reasonable behavior, but important research that may be necessary to better protect privacy and safety.

Filed Under: copyright, cybersecurity, security, security research, silverlight, zero days
Companies: hacking team, kaspersky lab, microsoft


Reader Comments



  • MadAsASnake (profile), 14 Jan 2016 @ 11:40am

    "dangerous copyright creep"

    Is that Chris Dodd or Tim Kuik?


  • Anonymous Coward, 14 Jan 2016 @ 12:01pm

    Russian copyright law?

    Keep in mind that every country's copyright law is different, and while there are often great similarities in areas important to publishers - like length and registration requirements - other areas are pretty non-standardized.

    In particular, the intersection of trade secrets and copyrights, via rights to unpublished material is all over the map.

    It would be nice to have a clarification from Kaspersky.


  • Manok, 15 Jan 2016 @ 2:51am

    Copyright creep? Ha! Next thing that'll happen is that patents will be granted for 0-day exploits.


  • Whatever, 15 Jan 2016 @ 4:25am

    Finally, some good news for a change

    If you're going to do research, you need to pay for the privilege. Why is this so hard to understand, PaulT?


    • Wendy Cockcroft, 15 Jan 2016 @ 7:24am

      Re: Finally, some good news for a change

      Because adding the profit motive to research will, of necessity, skew the results in favour of whatever brings the most profit in OR whatever saves the most money.

      AND the gatekeeper problem means that essential information can be denied because the gatekeeper has the right to refuse a licence.

      Pharmaceutical companies do this all the time to prevent generics companies from making cheaper drugs.


  • Griffdog (profile), 15 Jan 2016 @ 9:45am

    A wink and a nod...

    Sure, maybe copyright prevented them from checking the Hacking Team archive. Or maybe not. Perhaps this is the researchers' way of avoiding a copyright lawsuit while still getting the message out, "Hey, y'all might want to look at that stuff. If I was allowed to look, that's sure the place I'd want to look. Yeah, right there in section 7.3. Just a guess."


  • M. Alan Thomas II (profile), 15 Jan 2016 @ 9:14pm

    I feel like Online Policy Group v. Diebold, Inc. would cover this, that being a security-relevant leaked-emails case.


