CS363 Week 13 - Thursday
Last time
What did we talk about last time?
  E-mail security
  Privacy in emerging technologies
Questions?
Assignment 5
Project 3
Security tidbit
Heartbleed updates!
It's true that attackers can get arbitrary chunks of data, possibly including user passwords
Analysts at Cloudflare believe it is difficult to use Heartbleed to steal private SSL keys
  The ones that the servers use that are central to all of public key infrastructure
However, one attacker was successful in recovering such keys
  https://www.cloudflarechallenge.com/heartbleed
More Heartbleed updates
Another possible exploit for Heartbleed is session hijacking
  Taking over a user's session after he or she logs in
  More information: https://www.mattslifebytes.com/?p=533
A Bloomberg article says that the NSA knew and used Heartbleed for two years
  http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
NSA denies prior knowledge of Heartbleed
Cartoon from: http://xkcd.com/1354/
Legal Issues
Legal issues in computer security
Motivations for studying legal issues:
  To know what protection the law gives us for computers and data
  To respect laws that protect the rights of others with respect to computers and data
  To help, as experts, to recommend improvements to these laws
Computer law is complicated
Computer law changes quickly, but never as fast as technology itself
Areas of interest
We will look at four areas where the law intersects with the usage of computers:
  Protecting computer systems against criminals
    ▪ What is your legal recourse when criminals attack?
  Protecting code and data
    ▪ What are the copyright issues at stake?
  Protecting programmers' and employers' rights
    ▪ What is the legal environment of a software development workplace?
  Protecting users of programs
    ▪ What is your legal recourse if a program you buy doesn't work?
Protecting Programs and Data
Copyright
Copyright protects the expression of an idea
  Two people could have had the same idea independently
Many laws including the copyright law of 1978 and the DMCA apply to copyright
Copyright applies to an original work which must be in some tangible medium of expression
Works with no clear author or that are old enough are in the public domain, owned by everyone
Copyright is supposed to promote the free exchange of ideas by protecting the authors
Fair use, piracy, and infringement
Fair use includes the uses that a copyrighted work can be put to
  If you buy a work, you can use it in the ways outlined in the purchasing agreement
  Without purchasing the work, it can be used and copied for criticism, comment, reporting, teaching, and research
Piracy includes any uses of a copyrighted work that do not fall under fair use
Copyright gives the author rights to the first sale
  After the first sale, the purchaser can sell it to someone else
This system is reasonable for books or works of art but more complex for software
Copyright standards
Copyrighted material must be clearly marked with the word "copyright" or ©, the author's name, and the year
Registering a copyright is unnecessary at a philosophical level
  But you are not able to claim damages until you have done so
In the US, a copyright lasts for 70 years after the death of the last surviving author or 95 years after publication for a work copyrighted by a company
International standards give only 50 years after the death of the last surviving author or 50 years after publication
Infringement
If someone has violated the protections of your copyright (called infringing), you must go to court to claim damages
The infringement must be substantial, and it must be copying, not coincidentally creating the same thing
If two people create the same thing independently, they can both copyright their versions
Copyrights for computer software
Copyrights are good for books, songs, and photographs
  Copying is obvious
  The line between public domain and creativity is clear
Computer programs can be copyrighted but it doesn't work as well
  You can copyright the source code, the expression of the idea
  But that won't copyright the algorithm, the idea behind it
  You also have to publish the source code in order to copyright it
DMCA
The Digital Millennium Copyright Act (DMCA) of 1998 clarified some aspects of copyright law about digital objects
  Digital objects can be copyrighted
  It is a crime to disable antipiracy measures built into an object
  It is a crime to make, sell, or provide devices that disable antipiracy measures or copy digital objects
    ▪ Except for educational purposes
  You can make a backup copy of a digital object to protect against hardware and software failures
  Libraries can make up to 3 copies of a digital object to lend to other libraries
A mess
Some things in the DMCA are quite vague
  A lawyer could argue that you can't rip music from a CD and put it on an MP3 player
  Is it a backup or not?
Courts have ruled that a computer menu design can be copyrighted but its "look and feel" cannot be
Copyrights probably need a real update for the computer age
An emerging idea behind music and software copyrights is that you don't buy the music or software itself, you buy the right to use it
Patents
Patents are another form of legal protection
They focus on inventions, tangible objects, and ways to make them
  Unlike copyright protection which applies directly to works of the mind
Patents apply to a "new and useful process, machine, manufacture, or composition of matter"
They explicitly do not apply to "newly discovered laws of nature … [and] mental processes"
Patents protect a way to carry out some idea
Requirements for a patent
The object patented has to be novel and nonobvious
Unlike copyrights, two people cannot hold patents for simultaneously inventing something
  The person who invented it first gets the patent (not the person who files first)
Copyrights are easy to get, but a patent requires that you convince the U.S. Patent and Trademark Office that your invention deserves a patent
  Lawyers are usually involved
Patent infringement
Unlike copyrights, an inventor must oppose all infringement or risk losing patent rights
However, infringement occurs even in the case of independent invention
Defenses when charged with patent infringement:
  My invention is sufficiently different from yours
  Your patent is invalid
  Your invention really wasn't novel
  I invented the object first
Patents for computer objects
The Patent Office has discouraged patents for computer software
In 1981 two cases won patents for industrial processes that use computer programs as part of a larger process
Since then, algorithms have been recognized as processes by the Patent Office and thousands of software patents have been issued
The time and expense is often not justified for small software developers
Trade secrets
Copyrights and patents both require that the underlying work or details of an invention are made public
A trade secret is some information that gives a company an advantage over others
  The formula for Coca-Cola
Trade secrets must be kept secret
  If a product can be reverse engineered, a trade secret gives no protection
  If an idea or process is independently discovered, there is still no protection
  The only protection is when a trade secret is improperly obtained
Trade secrets and computers
Trade secret protection is a typical protection for computer software
  Microsoft does not explain all the details of its software
Unfortunately, software is not too difficult to reverse engineer
  Even with only machine code
Trade secret protection is hard to enforce
  They try to do it with a lot of Nondisclosure Agreements
Summary of copyrights, patents, and trade secrets
| | Copyright | Patent | Trade Secret |
|---|---|---|---|
| Protects | Expression of idea, not idea itself | Invention, the way something works | A secret, a competitive advantage |
| Protected object made public | Yes, all about promoting publication | Filed at patent office | No |
| Requirement to distribute | Yes | No | No |
| Ease of filing | Easy, do it yourself | Complicated, usually needs lawyers | No filing |
| Duration | Life of author + 70 years, 95 years for corporations | 19 years | As long as you can keep it secret |
| Legal protection | Sue if unauthorized copy sold | Sue if invention copied | Sue if secret improperly obtained |
Happy Birthday
The book incorrectly claims that the song "Happy Birthday to You" is so widely known that it would be hard to claim a copyright
In fact, the song has a long history of copyright with ownership transferred to Time-Warner in 1998
  Time-Warner collected over $2 million in royalties for performances of the song in 2008
  Don Pablo's, Outback, Olive Garden, and other large chains almost always sing some bizarre customized birthday song instead of paying royalties
Some experts argue that the copyright is not valid
  If it is valid, it will expire in 2016 in Europe and 2030 in the US
Hardware and software
Hardware designs can, in general, be patented
Firmware is tough
  The hardware it is stored on can be patented
  The code itself is hard to copyright
  Trade secrets are probably the right choice
Object (machine) code
  Uncertain!
  Companies file copyrights, but there is no guarantee they will apply
Source code
  You can file a copyright
  You have to publicize the first and last 25 pages of source code (but those can contain nothing useful)
  Trade secrets are typical
Documentation, web content, domain names
The documentation of a program must be copyrighted separately from the source code
Web content is perhaps the easiest to link to traditional copyrights
  It is mostly text and pictures
  Much of the code online is visible, so trade secrets don't work
Domain names, URLs, company names, product names, and commercial symbols are protected by a trademark
URL example
This is from 2000, a relatively old story
Hacker magazine 2600 went to register the domain name verizonsucks.com
  They discovered that Verizon had already registered it
  They registered verizonreallysucks.com
  Verizon sued them under a new law but lost because 2600 was not trying to profit from the domain
In response, someone registered the longest domain name supported by the system at that time:
  VerizonShouldSpendMoreTimeFixingItsNetworkAndLessMoneyOnLawyers.com
Read more: http://www.wired.com/techbiz/media/news/2000/05/36210
Information and the Law
Information as an object
Traditionally, actual things like cannon balls, horses, and eggplants were sold
Service industries such as hair stylist or accountant have existed for a long time as well
Information can also be sold, but it has different properties
Ways information is different
Information is not depletable
Information can be replicated (often exactly)
Information has a small marginal cost
  Marginal cost is the price to make another thing after you've made the first one
  It's much lower for computer-based information
    ▪ Reprinting a newspaper by hand is hard, but distributing software is not
The value of information is often time dependent
Information can be transferred intangibly
Information legal issues
Information has some value, but it is hard to pin down
There are technological approaches to dealing with piracy, but we need better legal remedies
Electronic publishing
  How do you protect content that you have published online only for subscribers?
  They can copy the material and distribute it
Data in a database
  Courts can't figure out what is and isn't protected in a database
  Can some specific subset be protected?
  Databases often contain a great deal of public data
Electronic commerce
  How do you prove that a digital sale of electronic items actually occurred?
  What if Steam took your money and didn't give you a game?
  There are essentially no legal ways to redress a situation where you pay real money for equipment in Diablo 3 and don't get it
Protecting information
Statutes are laws that say that certain actions are illegal
  Violating a statute can result in a criminal trial
  The goal is to punish the criminal
A tort is harm that does not come from violating a statute but still runs counter to precedents
  Perpetrators can be sued, usually for money
Contract law is another form of civil law
  It involves an offer, an acceptance, and a consideration
  Contracts do not have to be written
Criminal vs. civil law
| | Criminal Law | Civil Law |
|---|---|---|
| Defined by | Statutes | Contracts, Common law |
| Cases brought by | Government | Government, Individuals and companies |
| Wronged party | Society | Individuals and companies |
| Remedy | Jail or fine | Damages, usually money |
Upcoming
Next time…
Employee and employer rights
Software failures
Computer crime
No class on Monday!
Reminders
Keep reading Chapter 11
Work on Assignment 5
  Due next Friday before midnight
Turn in your Project 3 code by midnight!
  Then get cracking!