AU security researchers need legal advice: CERT - News - Security

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Australia.
--------------------------------------------------------------

AU security researchers need legal advice: CERT

By Patrick Gray, 0
May 20, 2003
URL: http://www.zdnet.com.au/news/security/soa/AU-security-researchers-need-legal-advice-CERT/0,130061744,120274678,00.htm

The technical head of CERT, Jeff Carpenter, says Australian researchers should familiarise themselves with copyright laws in the context of reverse engineering malicious code to avoid hassles with DMCA-like legislation.

"Legal issues have become more and more complicated... I'm not familiar with the law in Australia, but within the United States, the DMCA and other laws are making things complicated," he told ZDNet Australia during a recent interview.

Carpenter says that conducting analysis on malicious code, such as a worm payload or Trojan binary, may result in legal problems stemming from copyright law.

"If you're going to do work in this area you we recommend you consult legal counsel before you... find yourself in a sticky legal situation," he said.

Reverse engineering is a vital tool when responding to severe incidents. By reverse engineering worms and exploits, researchers can look beyond what's happening at that moment and start formulating a response.

"When you have something like [the recent worm] Slammer attacking... you don't necessarily know if there's something else that hasn't been activated yet," he said.

Whilst the legal issue is a concern, it's not an intractable one. Legal advice on how to go about this type of research can protect researchers. CERT has consulted its lawyers and is able to move forward with reverse engineering exercises.

"We have worked out through our attorneys the appropriate way for us to proceed," he said.

When contacted by ZDNet Australia, security consultant Daniel Lewkovitz conceded it's an interesting thought.

"What a wonderful academic argument," he said, pointing out that "copyright would subsist in code you wrote" even if it was malicious. There is always the possibility that other, copyrighted and legitimate code can find its way into malicious binaries, but Lewkovitz doubts there'll be any problems from the authors of malicious binaries or code.

"I wait with bated breath for someone who releases malicious code to go to court on the basis of someone else infringing on their copyright," he said.