So for folks who are just trickling in, this is the law of reversing jailbreaking talk. I'm Fred von Lohmann from the Electronic Frontier Foundation. I'm a senior staff attorney there, focusing on intellectual property, copyright, that kind of thing. With me is Jennifer Granick, no stranger to many DEF CON veterans, who is our civil liberties director.

So without further ado, we're going to be talking about sort of four basic sets of things here. First, I want to sort of go over the kinds of law problems that reverse engineers should be worried about. I'm not sure we'll give everybody all the answers they hope to have, but at least hopefully you'll know what questions you should be asking before you get in trouble. We'll use two examples of reverse engineering to sort of sprinkle real-world examples in this talk. One will be jailbreaking the iPhone, something that is on a lot of people's minds, including our good friends at Apple, who recently, if you missed it, seemed to think we are going to crash the entire nation's cell network with jailbroken iPhones. I expect that will be a talk at next year's DEF CON. I encourage all of you to attend that. And online gaming is another example, and then we'll give a few concrete strategy and tips like that.

So EFF probably doesn't need a big introduction. These are some of the other things we do. We're doing a talk at four o'clock. That's a general Ask EFF talk. So if folks want to come and query us about any of the other things on our agenda, please come to that.

So the takeaway I want you guys to get here, if there is one thing I want you to walk away with: I want you to remember four basic problems to be aware of when it comes to reverse engineering for legal concerns. One is license agreements.
So we've all clicked "I agree." Many times we probably shouldn't have clicked "I agree." But there are all of those there, and increasingly courts think that 20,000 words of legalese actually matters. The second thing to worry about is copyright law. Whenever you are making copies of software, including potentially even just copies in RAM, copyright law probably is something to think about. Third thing: the Digital Millennium Copyright Act. Those four letters get a lot of play. The thing you have to remember is if you are circumventing a technical protection measure. Often people say, "Oh, that's DRM." It can be DRM. It can also be other things. Anytime you're bypassing or circumventing anything, even if it's just obfuscation, certainly if it's encryption, you should be thinking about the DMCA. And then finally, if you are accessing a computer that is not yours, if it's a server out there, that's, you should be thinking about the Computer Fraud and Abuse Act, and that will be something Jennifer will talk more about.

So we're not talking today about patents or trade secrets. Frankly, these are not as much of a threat for most reverse engineers as the other four items we will be talking about.

So talking about jailbreaking first. Let's start with the license question. As I said, license agreements are out there. The jailbreaking context brings us really to, I should probably list them in the reverse order. The first is the end user agreements you agree to as an iPhone owner slash customer. I, last time I checked, you have to agree to over 21,000 words in order to activate an iPhone. I haven't counted the latest Apple rev; it might be a few hundred more or less now. They just changed the license agreement about two months ago, actually in direct response to our effort to get jailbreaking legalized in the Copyright Office. They went to the trouble of changing the license agreement to try to make it extra clear that you don't own any of the software on the iPhone even though you own the hardware.
I still think they didn't win on that, but we'll get there later. The other one is the SDK and API licenses that folks agree to if you are a developer for the iPhone. So these are both licenses. If you're reverse engineering, you're gonna want to know what they say. You're particularly gonna want to read to make sure that, to figure out what, if anything, they say about reverse engineering. They specifically attempt to forbid reverse engineering, and they go into some detail to say including decompilation, including, you know, a whole bunch of other things they say they don't want you to do.

So there are other, it's not a simple matter of "Oh, it's there, I'm not allowed to do it." There are a lot of questions about license agreements, about their enforceability, but I'm here really to urge you not to ignore them. Realize they're there. Take the trouble to read them if you're thinking about agreeing to them.

Are they enforceable? Often courts in the United States have been saying that if you click "I agree," that licenses are generally enforceable. That doesn't mean that every clause and every provision will necessarily be enforced. But just so folks know, there is a mythology out there that "Oh, this stuff can't possibly be legally binding." Courts actually have been saying they often are. Big question there is: do you have to click "I agree"? Browsewraps tend to be frowned on by courts. So those are the things where we just give you a link. We never show you the terms. We just say, "Oh, you used it, therefore you're bound." Courts tend not to be very friendly to those. On the other hand, if you clicked "I agree," particularly if you click "I agree" before you actually paid any money, courts tend to be friendlier there.

The other thing to keep in mind about licenses is: what's your maximum downside risk if you breach a license?
It's like any other breach of contract that you would have in any contract that you then enter into with someone else, and normally in the law that means they get what we call actual damages, which means, in the case of jailbreaking, Apple would have to say you've actually caused some financial harm to Apple by jailbreaking your iPhone. I personally doubt they would be able to show any real harm, given the several hundred dollars you've probably paid them, and you may also be paying AT&T. It's hard to see how jailbreaking your own iPhone harms them. But it's good to keep in mind that's the kind of remedy we're talking about. We're not talking about going to prison. We're not talking about huge statutory damages. We're not talking about the kinds of things that I'll get to in a minute that come up with copyright and the DMCA.

So reverse engineering engineering, excuse me, reverse engineering prohibitions have been enforced by a couple of courts in the United States. That final word is far from out on this. EFF continues to look for reverse engineering cases to bring to try to shape this law in a way that leaves room for reverse engineering. The other thing to keep in mind is that in Europe, European law is extremely friendly to reverse engineering compared to US law. In fact, in Europe, license agreements are not allowed to ban reverse engineering. And if you read license agreements carefully, you'll see they're often carefully written to say you may not reverse engineer except to the extent the law in your jurisdiction allows reverse engineering, and that magic language is usually in there for people who want to sell in both the United States and Europe. They want to leave the door open under the European law. So, things to keep in mind.

So let's talk a little bit about copyright, the second of the four things I mentioned to keep in mind for reverse engineering. Copyright is scarier than contract, scarier than licenses, for the reasons I alluded to a moment ago.
There are statutory damages. Many of you may have heard about the Jammie Thomas-Rasset in Minnesota, who just got a two million dollar judgment against her for sharing 26 songs on a peer-to-peer file sharing network. That's the result of these so-called statutory damages. That means the copyright owner doesn't have to prove that you actually harmed them the way they would for a contract claim. They can simply say, "Hey, you infringed my copyright. I'm automatically entitled to a minimum of seven hundred and fifty dollars up to a maximum of thirty thousand dollars, or up to 150,000 dollars if you're willful," per work infringed. So if we're talking about the iPhone software, how many pieces of software are you copying potentially there? I would argue if it's the firmware, that's just one piece of software, one statutory damage award. I'm not sure Apple would agree. Nobody has yet been sued in that. There are injunctions. They can say you're not allowed to do this anymore. And there are potentially criminal penalties. Criminal penalties in copyright tend to be reserved for piracy and counterfeiting. I'm not aware of anyone who's ever been brought up on criminal charges for reverse engineering in the context of interoperability or any other sort of pro-competitive, pro-research kind of reverse engineering. But it is possible, if there's a commercial motive, that, you know, you never can be sure that some district attorney might not be talked into something, but at least so far the situation has been pretty positive.
We have not seen criminal charges in copyright for traditional reverse engineering.

So the two main defenses in copyright for reverse engineers are fair use, Section 107 of the Copyright Act, and Section 117 of the Copyright Act, which basically gives the owner of software certain rights to make copies and adaptations.

So quickly, fair use. We have a couple of very good cases in the fair use jurisprudence that say, hey, if you have to make copies in order to access function and idea, the stuff that's not protected by copyright, in order to make an interoperable product, that's been viewed as a fair use. There are two cases, both involving video game consoles, Sega and the PlayStation, and in those cases the court said, hey, if you need to reverse engineer to figure out how to make game cartridges that work in the console, you're making your own game, you're not stealing code out of the console, you just want to know how to make your game work on the console, that's a fair use. The key, two key pieces of this: in those cases, the courts were very interested in whether you got legitimate access to the software that you were reverse engineering. So you want to have done, you want not to have taken the cracked version from BitTorrent. And also, the courts don't like it if you're copying code unnecessarily. Fair use is something that's not there to save you the effort of coding your own thing if you could have done it. It's there to allow you access to the pieces.
You absolutely need it. So try to avoid lifting code from the code that you're reverse engineering. Try not to wholesale copy chunks into your own resulting code.

Section 117. This is a less well-known part of the Copyright Act. It says that the owner of a copy of a computer program may copy or adapt the program as an essential step of the utilization of the computer program with a machine. So this is basically the idea that if I buy a piece of software, I should be able to run that piece of software on a computer without being worried about violating copyright by simply using the software for the purpose that it was intended. That also includes this "adapt" language. The courts are, there's not much case law about how far that "adapt" right reaches, but it certainly could reach certain kinds of reverse engineering. I would argue that adapting the firmware on your iPhone in order to run applications of your choice should fall within this. In fact, we are arguing that in front of the Copyright Office right now, seeking an exemption to the DMCA for jailbreaking. So as I mentioned, one question is what, how far does "adapt" reach. Another question is: do you own the software? These are issues that people fight about. The courts still haven't given us clear answers. In my view, you own the firmware on your iPhone; in Apple's view,
You are merely licensed. This is a fight that several cases are working on right now. But suffice to say, you want to think about whether or not it's the kind of software you own, in other words, you bought it, one-time fee, keep it forever, can't be taken away from you, versus whether it's the kind of software that you are merely leasing or otherwise given very limited access to. For that kind of code, reverse engineering, 117 might not help you.

So moving to the third category of legal areas to think about when reverse engineering: the Digital Millennium Copyright Act. Many folks here already familiar with that. Section 1201 of the Copyright Act says you may not circumvent technical protection measures and you may not traffic in tools that are circumvention tools. So here's the actual language. You know, this is not actually the actual language. This is the basic gist of the code of the law. Says no person shall circumvent, no trafficking in tools. Raises a lot of questions then about, well, what is a technological measure? What are the things you're not allowed to circumvent or bypass? Well, there are a few things we know from the law, and there's a lot of other areas that are still gray. Courts have said DVD encryption is a technical protection measure. Therefore DVD ripping, in the eyes of most courts, would be viewed as a violation of the DMCA: decrypting encrypted content without using the authorized key. Protocol encryption, probably a technical protection measure. Came up in the context of Real media streams in a case back in 2001. Authentication handshakes, also probably a technical protection measure that should trigger your thinking about this. Chain of trust, code signing. That's what Apple uses in the iPhone. I think a strong chance that a court would find that to be covered by the DMCA. Harder questions are: what about simple code obfuscation? What about undocumented protocols?
We've seen software vendors argue that that stuff is protected by the DMCA as well. I tend to disagree. The courts have not given us clear guidance for that. But whenever you see this kind of measure put in the code to stop you from reverse engineering, you'll want to think about the DMCA, maybe call a lawyer to talk about it.

There are fortunately a bunch of exceptions that are built into the law to allow certain activities. Reverse engineering for interoperability is probably the most important one for our purposes. There's also one for security testing, encryption research, one for law enforcement, of course. And some courts have said there also has to be a real possibility of copyright infringement, that if your circumvention can't actually infringe any copyright, say for example because it's firmware in a garage door opener, as was the case in one recent ruling, really no chance of infringing the firmware in the garage door opener if the code never comes out of the actual garage door opener, courts said no DMCA violation because no chance of copyright infringement.

So reverse engineering, this is the exception. Kind of long, worth reading carefully. Breaks down to a few key elements.
You have to have lawfully obtained the code. You have to do the reverse engineering for the sole purpose of identifying and analyzing to achieve interoperability. So again, the focus in this exception is interoperability: making your own piece of software to work in conjunction with the piece that you're reverse engineering. The statute talks about program-to-program interoperability. A lot of debate about whether this extends to program-to-data interoperability, a distinction that I'm the first one to admit kind of doesn't make much sense. But the courts seem to think, well, if you're reverse engineering to get your DVD to play back on a Linux machine, that's different than if you're reverse engineering to make one piece of software work with another piece of software. Finally, that, or two last things. One, the information has to have been not previously readily available. And finally, you have to still prove that you didn't infringe copyright. So it takes us back to our fair use discussion.

So very quickly here, talk a bit about how this applies to the jailbreaking scenario. There are really three categories of people to worry about. They have different questions that they have to ask. There's the independent app developers. I think app developers have relatively little to worry about under the DMCA. They are not themselves having generally to reverse engineer the firmware. If you're just putting your app in the Cydia store, develop the app, put it in the store, not much risk there. The jailbreaking tool developers, the, of which at least one is in the audience, I know. God bless you. PwnageTool is wonderful.
I'm not prepared to admit in public whether I in fact have used it just last weekend. So there, I think obviously the DMCA is a question, should be considered. But frankly, I think the reverse engineering for interoperability exception could very well apply to developing PwnageTool. It is, after all, creating interoperability, program to program. And finally, what about iPhone owners? Well, when someone actually jailbreaks their own iPhone, I think it's rather hard to argue that they are analyzing for the purpose of developing interoperable software. Most people who are jailbreaking their iPhone are not themselves developing their own code. They're just jailbreaking their iPhone to use some, you know, Cydia, or tethering, GV Mobile this last week. So for them, we have gone to the Copyright Office in, starting in December, and are arguing there now to get a specific DMCA exception for iPhone owners to jailbreak their phone. We've been arguing with Apple about this now for about six months. We'll have a ruling in October, and hopefully that will yield some legal certainty for owners. I will say Apple hasn't sued or threatened to sue any individual iPhone owner for jailbreaking their phone, as far as I'm aware. But they have taken a very strong public position in front of the Copyright Office that they believe it violates the DMCA. Of course, as long as they say that, it's going to be hard for independent app developers to develop the kind of legitimate marketplace that they deserve.

So with that, I'm going to hand over to my colleague Jennifer Granick to talk about the fourth and final category: what happens when you connect to a server that's not your own?

Hi, everybody. Thanks for having me.
Okay, so we talked a bit about the jailbreaking of the iPhone, but sometimes when you do reverse engineering you're looking to do something else, and so I'm going to talk a little bit about the special issue of online gaming and doing reverse engineering of online gaming, just to illustrate that there are other areas of the law that may apply. Now, when reverse engineering an online game, like, let's say, something like World of Warcraft, you have many of the same issues legally that you have with jailbreaking, but now you have the special issue that there is a network involved, and this is different because now you have to deal with the areas of law that protect networks. So that is the Computer Fraud and Abuse Act, and is the federal law, and Computer Fraud and Abuse Act is the federal computer crime law. It is codified at 18 USC 1030. That's the statute for it. And this federal law is kind of prototypical of the computer crime laws that are out there. Every state has its own computer crime law as well. So I would, what I'm talking about here will have some implication for many of the state laws, which are kind of built off of the Computer Fraud and Abuse Act, but each state law is really different. And I'm going to talk later on today at 1 o'clock about some cases that arose under the CFAA and the Massachusetts computer crime law, and so people who are interested in how computer crime is regulated and what it has to do with legitimate hacking and computer security work can come to that talk as well. And I'll do a little bit of a comparison between the federal law and the Massachusetts law, which is very interesting.
I'll just tell you, for those of you who are here in Nevada right now, I also looked up the Nevada computer crime law before I came here to DEF CON, and it is extremely broad. It prohibits altering or tampering with or gaining access to documents that are outside of a computer network. So if you see any papers lying around near a computer, I wouldn't actually touch those without consulting a lawyer first.

So this is what the Computer Fraud and Abuse Act says, and there's basically essential concept in here, two essential concepts that are the trigger for the illegal activity. One is the concept of access, and the other is the concept of exceeding authorization or doing so without authorization. So these are supposed to be the things that distinguish between legal activity and illegal activity. So what does it mean to access a computer? Well, the case law has basically interpreted that term to mean anything you do to a computer, any kind of interaction with it whatsoever. Computer, you send a packet, you've accessed it. Okay, you look at something, you know, you access a web server, you look at whatever data it sends back to you, you've accessed it. So they've interpreted access extremely broadly. There's never been a case that said this isn't a computer crime because there wasn't really access here.

Okay, so now the second thing is about without authorization. Well, what is authorization, or something without authorization? And it turns out that without authorization also has been interpreted extremely broadly. So, you know, do you need express or written permission? I mean, we use computers all the time without getting any kind of permission. And what the courts have kind of tended to do is have two sort of fuzzy tests about whether you do something without authorization or you exceed your authorization. And one of the fuzzy tests is like, you know, you shouldn't have done that, and it was something that was not appropriate.
And so you exceeded your authorization. So there's a number of cases that involve disgruntled ex-employees who go from one company to another company and take their data with them, take contacts or other stuff like that with them. And in a number of those cases, not all, because there's started to be a pushback in the federal courts against this idea, but in a number of those cases the courts have said, you know, the minute you stopped working for your employer and started thinking "I'm going over to the competition," you're no longer, that's no longer, you're no longer acting in your employer's interest, and so you no longer have authorization. So think about that: you're using a computer in a way that's not in the computer owner's best interest, and somehow that means that you're denied authorization.

Another kind of trend in the case law is this idea that you don't have authorization if you access in a way that is contrary to the terms of service. So the big case in this area was the prosecution last year of Lori Drew, violating the MySpace terms of service for providing false information about her identity. Now, those of you who follow this case may know that this was in the context of the, what the other name for the Lori Drew case that people refer to it as, sort of a shorthand, is the Megan Meier case. This was a situation where this Missouri housewife made a false account on MySpace in the name and identity of, like, a teenage boy, and people used that account to have interaction with this teenage girl who was her neighbor, and the boy said hurtful and nasty things to the girl, and the girl killed herself, which was this big tragedy that then resulted in a United States attorney in Los Angeles prosecuting this Missouri housewife under the Computer Fraud and Abuse Act, and basically what they said is: you violated the MySpace terms of service, so you didn't have authorization. Okay, now just to remind you, these are those same terms of service that, as Fred told you earlier, are considered
browsewrap, that you don't click through on an "I agree," and you can't even get contract damages for violating, but now it's become arguably the basis for federal crime. The case, in this case the woman was convicted, and then the judge just recently overturned her conviction on the grounds that that interpretation of the Computer Fraud and Abuse Act that resulted in her being convicted was vague, and we are waiting for a written opinion from the court on that topic to discuss the issue and then be something that, you know, we can point to to show that the idea that violating terms of service is somehow now a federal crime is ridiculous.

Okay, the next part of 1030 that's really important is this 1030(a)(5), which is the causes-damage provision. I'm going to talk a lot about this at one o'clock. But you can hear it's a little bit different from the access without authorization. This involves transmitting programs or information or code and as a result causing damage without authorization to a protected computer, which basically just means any computer in interstate commerce, okay? And this is the rest of (a)(5): if you access without authorization and cause damage. And damage isn't, it isn't, is defined as just any impairment to the integrity or availability of the data. And integrity is a term that's also been very loosely, very loosely interpreted.

So what's the situation here? Well, and why is it so special with online games?
Well, with online games you have this situation where very often there's client software that resides on your own computer, and then the client software interacts with software on the central server for the game, and your client communicates with the server, and data and packets are transmitted between those two things. And you want to know how the game works. So you do some reverse engineering. You either listen to the traffic between, or something like that, or you manipulate the data that resides on your own computer. And one of the things that we're going to say to you a little later at the end here is, you know, if you do your testing on your own computer, you're always in a safer situation than if you do testing that involves some kind of interaction with other computers. And here's why. If I manipulate the client software on my own computer in order to test and see how the server reacts to that manipulation, I'm sending packets from the client to the server. Okay, so just to go back for a second: I'm transmitting codes or commands to another computer. And if those codes or commands cause damage as interpreted under the statute, then I am, I could be liable under the CFAA. And damage again means impairment to the integrity of the data or, if the game soft, so that's one way the CFAA could apply to online gaming.

Another way is if the terms of service or the EULA for the game says that you're not going to do this, and you're not going to make any kind of contact with the game server using software or client software that's been manipulated in any way or that's been reverse engineered in any way. Then you do so, then under the Lori Drew theory you violated the terms of service, so you are accessing the game server without authorization, and again, that's a potential Computer Fraud and Abuse Act violation.
So this is the problem with doing reverse engineering with code that runs on you, with code on your machine that interacts with code on another machine.

Okay, how does this, has this been applied to online games? Well, there's one case that I found where the Computer Fraud and Abuse Act was a claim that was raised in a civil case, and this was Blizzard versus In Game Dollar. There's no accident that I used World of Warcraft as an example. It's an extremely popular game. In fact, several of my friends have lost many hours of their lives to it. Maybe lost is the wrong word. But Blizzard is very, very, very litigious. So they do, they bring a lot of lawsuits to protect their varied interests, and in this case, this was a company that was doing gold farming, and do people know what that is? Basically, do they create, you know, they, it's a bot that creates value, valuable gold pieces within the game, and Blizzard sued them, and one of the claims that they brought was the Computer Fraud and Abuse Act. And the other claim that they brought was the California computer crime statute, which is a section 502(c) under the California law. And so I looked at the claims for this, and the Computer Fraud and Abuse Act claim was very much focused actually on the idea that this company advertised its gold farming services through spam to World of Warcraft users, and that there was tons of spam coming through on the network all the time where they were saying, like, "Use our service, use our service," and people were getting a lot of messages, and it was degrading the network because the network was having to take up time to process and distribute all of these spam messages. So again, when we're thinking about, and that this was the damage, right?
So again, when thinking about damage, which is impairment to the integrity or availability of data, it doesn't mean you're bringing down the system. Courts have said even worse, you know, kind of system availability, or the speed of traffic is degraded, then that can be damage too. And this is what Blizzard said that In Game Dollar was doing. And so, okay, spam. It's not really that much about the interoperability or interaction of the reverse engineered software with the clients, or rather with the server software in the game. But the California computer crime statute claim had no such distinction in it about, well, this is really just about the sending of the spam. In that statute, they very much seemed like they were saying, you know, just by having this program running and interacting with this, with the server software, that that violates the California computer crime statute, which is a little bit broader than section 1030.

Okay. And there were, I looked around for some other examples of whether this claim has been brought in civil cases, and I haven't seen it. But given the breadth of state computer crime statutes and of the Computer Fraud and Abuse Act, I think it's worth noting that if you're going to be doing reverse engineering of online games or any other kind of code where you have client software that sits on your machine that interacts with any kind of server, any kind of software that's out there on the network, that you need to start thinking about the Computer Fraud and Abuse Act and the corollary state laws and whether those apply to you.

Okay, so this is so sad and dangerous, and everybody's thinking, "God, the law sucks. What can we do?" So here we have some strategies and lessons from these stories about what you can do. So you want to talk about the ones that are relevant to your partner?
Should I just go? I'll go ahead. You can chime in. This is on? Okay, so first, avoid clicking through EULAs if possible. And again, as Fred said, you know, it doesn't help to not read them, but if you can avoid clicking on them, that's a great way to go.

Yeah, one concrete piece of advice on that. It's not a guarantee that you'll be able to dodge a EULA, but I have often told people, if you're intent on reverse engineering, particularly software that's included with hardware, eBay can be your friend, right? If you were to buy an iPhone, for example, from eBay that already was activated and had the firmware installed, well, then you haven't clicked "I agree" to anything, and I think Apple would have a hard time arguing that you're somehow bound by any kind of contract, because you didn't agree to a contract. Now, the person who sold you the iPhone, maybe they breached their contract, but hey, that's between Apple and person number one, not between Apple and you. So that's something to keep in mind. I'm not saying that will work every time. There have been courts that have said, hey, wait a minute, you knew there was a contract, and so this dodge may or may not work. But all else being equal, eBay can be your friend.

Yeah. And also, though, to really distinguish there between going and buying something legitimately on eBay and getting a copy of the software that you know is infringing, okay? Because a lot of the exceptions, as Fred said before, that apply to protect reverse engineers don't apply if you have a, if you infringe to get the copy of the software that you're reverse engineering in the first place. So legitimate, bona fide, for-value purchase.
That's good, or could be good, can help. Getting a cracked version, or something that you know is infringing: always bad. Always bad. Causes more problems. Okay. Think about what you're doing before you copy, and copy no more than is necessary to do the job. So for individuals this can be a little bit difficult, but what we tell people, and what companies do when they do reverse engineering, is they have one set of people who do the reverse engineering and figure out how the code works and derive the ideas and the functionality from the code. And then those people who've seen the original code take the stuff that they've derived, the information they've derived, and they pass it off to a whole new, different set of people that were not allowed to interact with the original piece of code at all, and it's those people that do the programming. This is the clean rooming. And this is a way to make sure that you don't inadvertently or accidentally take some of the code and put it in your final product, right? This just happened, for anybody who is following the news. There's been a bunch of reverse engineering efforts underway in connection with RTMPE, which is a streaming video protocol that is part of some of the latest Flash implementations. And someone thoughtfully out there reverse engineered RTMPE, wrote a piece of code that interoperated with that protocol, and someone else wrote a spec, basically looking at that source code, describing exactly how it works, pulling out the ideas without pulling any of the code. And so of course now, if anybody wanted to re-implement, they have a clean spec to do it from. They don't have to click "I agree." They don't even have to necessarily have access to the original code at all in order to write a piece of code that can play back RTMPE. Which, by the way, if you check, there are some very interesting videos on YouTube that are actually RTMPE, particularly videos that are provided by certain major Hollywood movie studios.
So, interesting. Okay, if there's encryption or obfuscation or any of these kinds of technical protection measures that were in the list that Fred showed you earlier, and the slide says "reread 1201(f)," but I would be a little bit more directive about this: if you have that kind of thing as part of something you're reverse engineering, I think you need to talk to a lawyer. The Digital Millennium Copyright Act, you know, it's great for lawyers, because people need to come and talk to us, and that's wonderful, because that's our job. But the Digital Millennium Copyright Act is very complicated, and the exemptions to the act are very complicated. And, you know, just doing something solely for a particular purpose, what does that mean? What does it mean that it's, you know, for a certain type of interoperability? It's subtle and difficult, and so I think that if you're working in an area where you have TPMs, technological protection measures, and that's part of what you're going to be, and you're going to be routing around those, then I think it's a great idea to go and talk to a lawyer first. Yeah, and I would say the more effort somebody has put into stopping you from doing it, the more you should talk to a lawyer before you go and jump those hurdles. They're there for a reason. Courts often are sympathetic, and so you want to be careful. For any who followed this story, there's a guy who made a piece of code called Glider that allowed you to play World of Warcraft on autopilot while you were asleep. So you could level up, so you could level up without the trouble and bother, and sleep at the same time. Totally great idea. Sold tens of thousands of copies and got sued by Blizzard. World of Warcraft, for those who don't know: if you're running World of Warcraft on your computer, you're also running a set of code known as Warden, which is Blizzard's code that watches everything else that's executing on your machine while World of Warcraft is executing, and if they spot anything they
don't like running in your environment at the same time, they cut off your access to the World of Warcraft servers. And one of the claims that was brought against the guy who designed Glider was the argument that by continuing it, by hiding from Warden, by having his Glider code basically elude Warden's surveillance of his own CPU, he was circumventing a technological protection measure, continuing to get access to the server that he wasn't supposed to otherwise access. And he lost that case. That'll be appealed. It's a case we're watching very closely. But it's an example of how, if there's a technical measure like Warden that really is designed to stop you from doing what you want to do, that's a good time to call a lawyer before you go and dodge that one. And, well, Fred's absolutely right that, you know, the more trouble and effort that the copyright owner has gone into to put some kind of regulation or TPM on that code. It's not true that it requires that that technological protection measure be, like, super good or powerful or strong. It just has to, the statute says, it "effectively controls access to a copyrighted work." And despite what that might sound like to the average reader, "effectively" doesn't mean that it's effective. "Effectively" means that, in effect, that's what I was trying to do, as opposed to, like, I actually effectively accomplished it. So the strength of the TPM is not necessarily a trigger for whether the DMCA applies or not. But in terms of, but he's absolutely right in terms of how difficult, how much the copyright owner tried, it's going to matter in terms of how likely it is that a court will look askance at your circumvention of that measure. Okay, off-shoring and its limitations.
I often talk to people who say, oh, there's no problem, we'll just do all of this in another country that doesn't have a DMCA and doesn't care about copyright. Um, that again is something you should do very carefully. Some may remember RealNetworks is being sued in San Francisco right now for their RealDVD product that allows you to copy your DVDs onto a hard drive for later playback. One of the things that was a big deal in that trial was RealNetworks hired a reverse engineering firm in the Ukraine to do the work, and the motion picture studios just went hammer and tongs about the fact that we all know what goes on in the Ukraine is all a bunch of hacking that can't possibly be okay. So keep in mind the fact that if you're going to go offshore, that doesn't necessarily automatically solve your problem. That being said, I've always thought someone could make a great business holding a DEF CON-like conference on a cruise ship in international waters. That would be fun. Okay, test on your own machines. I talked about this before, but, you know, with the Computer Fraud and Abuse Act, we're talking about unauthorized access to other people's computers that cause damages to their computers. In the old days, it was really, really hard to do any kind of testing on your own machines, because computers were a lot more expensive. They're still expensive, but it's more possible now, I think, to do testing on machines that you control, and if you can do that, it obviates a lot of problems that maybe are unnecessary under state and federal laws. Of course, with Blizzard, you don't have access, or World of Warcraft or something like that, you don't have access to the code that runs on the server. So you're really just being able to study the code that's on your own machine, and then whatever you might just decide to test or implement, you know, you're taking the Computer Fraud and Abuse Act risks. So this is a, you know, if at all possible, and I understand the limitations. But I
think it's also possible in more circumstances than it used to be. Yeah, and I'll just say, concrete example: if you're going to try to reverse engineer the Flash protocol, better to find somebody who actually has a licensed Flash server, get their permission to use it as a test platform, rather than just hammering on YouTube servers and figuring, oh, what could possibly go wrong? Exactly. These terms, these, other people's servers turn out to be inordinately delicate. You never know. Okay, and the importance of atmospherics. So this is something that, again, I'm going to talk about at one o'clock a little bit more, but, you know, unfortunately, this isn't really how it ought to be. But this is an extremely important thing for judges, because one of the things you have to understand about courts is that they don't really know all that much about technology, and they don't really know all that much about computer security. And so they're kind of going with their gut on a lot of things. This is true with everything, but I think, you know, it's true with crimes and search warrants and all of that stuff as well. But I think it's particularly true with something where they just don't have, like, a basic familiarity with it. So the sensibility about it is something that really makes a difference. So in the Blizzard case, basically, you know, one of the things there, people were kind of disgusted by the spam and by the fact that it was cheating, and the idea that this cheating, this gold farming, was not only messing with Blizzard but was undermining the experience of all of Blizzard's customers, who are just these people who wanted to play their game and paid their money and that sort of thing. Similarly with the WoW Glider case that Fred was talking about, this is another thing where it has, like, the kind of the stink of cheating about it, and courts understand cheating. They may not understand reverse engineering or circumvention
or, you know, all of that stuff, but they understand the idea that, you know, somebody is taking unfair advantage, and that is, like, unpalatable. And we see always, you know, when we have our cases, you have kind of the dry law, you know, and there's just, like, what the law says. But then there's, you know, the advocacy or the art that goes into it, and a lot of that has to do with giving people a feeling that you're the one who's supposed to win, right? And so we see that in our, just to give you an example, our jailbreaking exemption that we have up before the Copyright Office now. You know, our view is that it's your phone, and you should be able to do what you want with your phone, that this is a consumer right, and that the phone is kind of locked down, and you want to free your phone so that you can run the code that you want to on it. And that's what we think. Well, when we see what Apple writes back to the Copyright Office about, you know, this idea, in their mind, you know, it's these rogue devices that are, you know, posing a danger to their network.
There's no real reason to unlock them. It allows you to manipulate all sorts of variables on the phone, like the unique serial identifier, and the only people who would want to manipulate those identifiers are drug dealers. So, you know, here we've gone from, like, consumer advocates being like, you know, "your phone is yours to do with what you want because you bought it," to "we're helping drug dealers make their phones untraceable." The drug dealers who want to sign up for a two-year AT&T contract to get an iPhone. Those drug dealers. You know who you are. You should have talked to me before you did that. So, um, this is, so again, though, importance of atmospherics, and this idea, you know. So okay, so that's something, you know, you've got to think about. And I think a lot of times, you know, this is something that courts have a little bit of trouble with at DEF CON. You know, you have legitimate research, legitimate reporting by legitimate people in a fun context where people call themselves hackers, and sometimes courts just think a little bit askance at that. I had a case a couple of years ago where one of the pieces of evidence that the prosecutor used to show that my client had malicious intent when he did what he did was that when he was arrested he was wearing a DEF CON t-shirt. So my plan was to show up in the Ninth Circuit. The case was up in the Ninth Circuit, which is the federal appellate court for Nevada and California and a whole bunch of states in this area. And my plan was to show up in the Ninth Circuit in my DEF CON t-shirt and be like, you know, do I have malicious, and my pink suit, and I was gonna be like, do I have malicious intent? No. You know, it's okay to wear the shirt. It's not really evidence. But then the government decided that I was right and they were wrong, and they dismissed the charges. So, you know, another thing is you have to be... Thank you.
You have to be cognizant of these things, even though sometimes it takes a little bit of the fun out of it. Anything else? That's it. Okay, so we are gonna take questions in room 104. And so we'll go over there, and we're gonna be there for about half an hour. And if you guys have other questions, you're welcome to contact us. I'm Jennifer at EFF.org, Fred's Fred at EFF.org, and come and talk to us or email us, and if we can help you, we will. Thank you.