From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Wed, 23 Jan 2002 22:37:29 -0800 (PST)
Subject: [iwar] [fc:Software.Licensing:.The.Hidden.Threat.to.Information.Security]

Software Licensing: The Hidden Threat to Information Security

Software licensing agreements may contain stipulations that could jeopardize your network's security.

By Richard Forno, Jan 23 2002 6:04AM PT
http://www.securityfocus.com/columnists/55

As security professionals and pundits, we often focus on the technical side of security and are prone to overlooking quieter, but equally sinister, security risks that affect the confidentiality, integrity, and availability of our information assets. We already know that nearly all software - from Microsoft Windows to Netscape Communicator and even much shareware - is licensed, not sold, under terms that indemnify the vendor from legal liability if the product fails, crashes, causes other problems to a system, comes with a virus or causes any other problem, now or in the future. Naturally, in the rush to deploy the latest-and-greatest applications we rarely read the software license, and when we do, it's not done from a security perspective.

While software licensing - for better or worse - is not a new concept, what got me thinking was how such devices, backed by federal and international laws, pose information assurance risks to the enterprise. What concerned me was a recent editorial on Freshmeat.net that pointed out that Borland's Kylix/JBuilder software license had the following provision:

"12. AUDIT. During the term of this License and for one (1) year thereafter, upon reasonable notice and during normal business hours, Borland or its outside auditors will have the right to enter your premises and access your records and computer systems to verify that you have paid to Borland the correct amounts owed under this License and determine whether the Products are being used in accordance with the terms of this License."

By accepting the terms of this agreement, the licensee signs over to Borland the right to conduct random searches of the licensee's property and networks. Note the complete absence of a non-disclosure agreement between Borland (or its agents) and the software licensee for such audits.
From an information assurance perspective - let alone traditional corporate security - I have a hard time granting a third party access to my networks and systems in order to enforce their software license provisions. This would offer Borland a right of search and seizure that even the government doesn't have. In the case of law enforcement, that's what search warrants are for: only items covered in the court order are 'fair game' to be searched, not anything the searchers want to go through. Borland's license thus assaults the Constitutional principles of limited search and seizure that are required of law enforcement entities. Borland customers would be agreeing to open up a non-technical vulnerability in their enterprise to allow untrusted outsiders free roam of their networks and information assets in a manner that violates industry best security practices. (Note: To Borland's credit, as of 16 January 2002, the firm is reportedly revising the licensing terms for the aforementioned products in the wake of the bad press the company has received.)

Licensing agreements may not only stipulate conditions that limit the licensee's right to privacy, they may also infringe on the user's right to discuss the product. In an August 1999 PC Magazine article entitled "The Test That Wasn't", lawyer Cem Kaner described how Oracle prevented the magazine from publishing comparative reviews of its products. According to Kaner, the magazine "planned to do something that has not been done in recent history: a comparison of database performance on the exact same hardware. Because a database software license prohibits publishing benchmark test results without the vendor's written permission, negotiating for permission is always a challenge...Oracle...formally declined to let us publish any benchmark test results." PC Magazine decided not to run the review.
Around the same time, Network Associates, maker of a major PC anti-virus software package, pulled a similar stunt, with a license that read, in part: "The customer shall not disclose the results of any benchmark test to any third party without Network Associates' prior written approval...The customer will not publish reviews of the product without prior consent from Network Associates."

The PC Magazine incident occurred in 1999, just after the Digital Millennium Copyright Act (DMCA) was signed into law. DMCA, for the uninitiated, is an anti-consumer, anti-competitive, anti-knowledge law that was lobbied for by the entertainment industry cartels under the guise of 'intellectual property protection.' The DMCA was ostensibly tabled in order to provide copyright protection for e-commerce and electronic content providers. The reality is that it is rife with loopholes and words that run contrary to existing federal laws, not to mention the Constitution. In fact, the DMCA appears to many in the security community to be an attempt to muzzle criticisms of vendors. In both the cases mentioned above, the DMCA was the justification that Oracle and NAI could fall back on to deflect any public outcry over these industry benchmarks.

Further, the Uniform Computer Information Transactions Act (UCITA) being debated by state legislative bodies builds on DMCA and the existing shrink-wrap software license provisions in a very sinister fashion. One draft of the Act enabled software vendors to either remotely disable their products and/or implement 'time bombs' that would prevent their use until the client renewed and paid for a new software license. That helps to explain why you see vendors rushing to network-enable their products and assign unique registration codes to their users - think of Microsoft's 40-digit Office and Windows XP Product Activation or the new online music initiatives being pushed by the entertainment industry cartels.
Not only does this mean you are truly 'renting' your software or music (when will there be an annual subscription to Microsoft Windows?) but that a third party will be able to serve its own profiteering motives by potentially holding your information and business operations hostage! Fred Langa's column of January 21 in Information Week expands on this potential scenario. By agreeing to licenses under these conditions, users may unknowingly agree that the products they use may self-destruct, create technical vulnerabilities on their networks (perhaps for software license verification) and that their information assets could be held hostage if some bean-counter downstairs forgets to pay the annual operating system license on the corporate desktops.

From an information assurance perspective, consider the grave community ramifications if a vendor's license prohibited industry reviews, benchmarks, or analysis of its products. Would you buy a particular anti-virus product if a magazine review said it couldn't scan the horizon, let alone a computer virus? Absent independent analysis from magazines and e-mail lists, the computing public may never know which products are not only better than others, but which ones are safer and more stable than others. Would you knowingly deploy a product that continually "calls home" to its vendor, or allows the vendor the ability to lock the product and hold your information hostage?

This explains the current rush by the software industry to restrict the disclosure of software vulnerabilities...it's less about making the Internet safer than it is about molding public perception that a given vendor's products or services are as their marketing propagandists claim. In the vendor's ideal world, nothing should be declared a "problem" with its products until the vendor declares it a problem, which is exceedingly unlikely to happen because it makes for bad PR.
From what I've seen, there are only a few cases (such as PC Magazine above) where magazines have caved to software vendors and not run comparative reviews of various products. To my knowledge, none of the published reviews have been legally challenged, but they could have been. However, any licensing provision that prohibits the independent analysis and discussion of a product's features - including its shortcomings - can, and should, be legally challenged. Either that, or laws must be enacted that allow software users to seek legal recourse if products are faulty or otherwise endanger their information or the Internet in general. This was the recommendation of a report issued by the US National Academy of Sciences last week.

As a security professional, I want - no, I NEED - to know the truth about the products used by my enterprise, and that won't come from the major software vendors. Objective security analysis and testing comes from researchers around the world who aren't 'under the thumb' of a software vendor, and who are thus free to fold, spindle, and mutilate software and publish their results. This is the Internet's answer to the US Consumer Product Safety Commission, and it has proven its worth to the Internet community time and again.

Further Reading

- An Open Letter to Borland/Inprise Concerning Licensing
- National Security and Individual Freedoms: How the Digital Millennium Copyright Act (DMCA) Threatens Both
- BadSoftware.Com: Legal analysis of DMCA, UCITA from Cem Kaner
- Anti-DMCA.org

Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.

http://all.net/
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST