Code Plagiarism - Technical Detection and Legal Prosecution

Code Plagiarism - Technical Detection and Legal Prosecution. Marc Ruef | Luca Dal Molin. Security & Risk Conference, October 26th - 29th 2011, Lucerne, Switzerland

description

The talk discusses the basic problem of code theft and license violations. As an example, the popular case "ATK vs. XXXX" is retold. Using this case, the coderecon tool is introduced to show how stolen code can be identified with technical utilities. Afterwards, the legal aspects of plagiarism and code theft are discussed, including current law and statute articles in Switzerland, Europe/EU and worldwide.

Transcript of Code Plagiarism - Technical Detection and Legal Prosecution

Page 1: Code Plagiarism - Technical Detection and Legal Prosecution

Code Plagiarism - Technical Detection and Legal Prosecution

Marc Ruef | Luca Dal Molin

Security & Risk Conference, October 26th - 29th 2011, Lucerne, Switzerland

Page 2: Code Plagiarism - Technical Detection and Legal Prosecution

Intro

Who?

What?

ATK Case

How it began

Technical Analysis

Legal Problems

Media Rampage

Additional Details

Outro

Summary

Questions

Hashdays 2011

Agenda | Code Plagiarism – Detect & Prosecute

1. Intro
  ◦ Introduction (2 min)
  ◦ What is Code Plagiarism (3 min)
2. ATK Case
  ◦ How it all began (5 min)
  ◦ Technical Analysis (10 min)
  ◦ Legal Problems (10 min)
  ◦ Media Rampage (10 min)
  ◦ Additional Details (5 min)
4. Outro
  ◦ Summary (2 min)
  ◦ Questions (3 min)


Page 3: Code Plagiarism - Technical Detection and Legal Prosecution


Introduction | Who is Marc

Name Marc Ruef

Job Co-Owner / CTO, scip AG, Zürich

Private Website http://www.computec.ch

Last Book „The Art of Penetration Testing“ (translation), Computer & Literatur Böblingen, ISBN 3-936546-49-5


Page 4: Code Plagiarism - Technical Detection and Legal Prosecution


Introduction | Who is Luca

Name Luca Dal Molin

Job Associate at Homburger AG, Member of Practice Team “IP|IT”

Corp. Website http://www.homburger.ch


Page 5: Code Plagiarism - Technical Detection and Legal Prosecution


Introduction | What is Code Plagiarism

“The practice of taking someone else’s work or ideas and passing them off as one’s own.”

Oxford English Dictionary, http://oxforddictionaries.com/definition/plagiarism


Page 6: Code Plagiarism - Technical Detection and Legal Prosecution


ATK Case | Once upon a time ... 2003

Page 7: Code Plagiarism - Technical Detection and Legal Prosecution


There was an idea ...

Page 8: Code Plagiarism - Technical Detection and Legal Prosecution


... to help me exploit vulnerabilities.

Page 9: Code Plagiarism - Technical Detection and Legal Prosecution


And the Attack Tool Kit was born!

Page 10: Code Plagiarism - Technical Detection and Legal Prosecution


The ATK became pretty popular :)

Page 11: Code Plagiarism - Technical Detection and Legal Prosecution


One day I received an email from a friend ...

Page 12: Code Plagiarism - Technical Detection and Legal Prosecution


So I downloaded the scanner and took a look ... wtf?!

Page 13: Code Plagiarism - Technical Detection and Legal Prosecution


I sent them a letter requesting that they comply with copyright and the GPL.

Page 14: Code Plagiarism - Technical Detection and Legal Prosecution


They said: «We can’t see your problem. Please go away!»

Page 15: Code Plagiarism - Technical Detection and Legal Prosecution


I said: «No, please, be kind ...»

Page 16: Code Plagiarism - Technical Detection and Legal Prosecution


They said: «F—k off, we really don’t care. Really!»

Page 17: Code Plagiarism - Technical Detection and Legal Prosecution


◦ Strings
  ◦ Names, Title
  ◦ Copyright
◦ Names
  ◦ Variables, Constants
  ◦ Functions, Methods, Classes
  ◦ Objects, Elements
◦ Structures
  ◦ Programming Style (indentation, vertical alignment)
  ◦ Conditional Statements (if, for, until, switch, goto)
  ◦ Pattern, Regex
  ◦ Dataflow


Page 18: Code Plagiarism - Technical Detection and Legal Prosecution


I need solid proof. Some reversing helps ...

Page 19: Code Plagiarism - Technical Detection and Legal Prosecution


Plagiarism has some pitfalls ...

◦ Some original plugins used arbitrary strings for requests and pattern matching. Therefore the string «atk» was part of many plugins in the original software. It also made it into their product (see screenshot). [12 plugins affected]

◦ Some plugins performed outbound tests. I used a small daemon on my website www.computec.ch to determine success. So did they. [1 plugin affected]

◦ Some plugins used arbitrary dates/numbers too. Whenever possible I used my birthday 11-02-1981. It also made it into their product. [2 plugins affected]

◦ Some plugins included typos and minor errors. Those also made it into their product. [5 plugins affected]
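The source code analysis slide (strings, names, structures) and the pitfalls list above describe the fingerprints that survived copying. The following Python script is an added example, not the coderecon tool or any code from the talk: it extracts those three feature classes from two constructed snippets, scores their overlap, and flags the tell-tale markers named on the slides (the sample plugins and the marker list are constructed for illustration).

```python
"""Fingerprint two snippets by string literals, identifiers and control-flow
structure, then flag tell-tale markers. Added example; snippets are constructed."""
import re
from difflib import SequenceMatcher

STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
CONTROL = {"if", "else", "for", "while", "until", "switch", "case", "goto", "return"}
# Markers named on the slides: project string, home domain, birthday, typo.
MARKERS = ("atk", "computec.ch", "11-02-1981", "exploids")

# Constructed "original" plugin.
ORIGINAL = r'''function check_host(target) {
    var request = "GET /atk-probe HTTP/1.0\r\n\r\n";
    var callback = "http://www.computec.ch/atk/ping";
    if (send(target, request) && fetch(callback, "11-02-1981")) { return "exploids found"; }
    return "clean";
}'''
# Constructed "derived" copy: identifiers renamed, strings and structure untouched.
DERIVED = r'''function check_target(host) {
    var rq = "GET /atk-probe HTTP/1.0\r\n\r\n";
    var cb = "http://www.computec.ch/atk/ping";
    if (send(host, rq) && fetch(cb, "11-02-1981")) { return "exploids found"; }
    return "clean";
}'''
# Constructed unrelated plugin as a baseline.
UNRELATED = r'''function banner(port) {
    var greeting = "HELLO";
    while (port > 0) { port = port - 1; }
    return "done";
}'''

def features(src):
    """Return (string literals, identifier set, control-keyword sequence)."""
    strings = set(STRING_RE.findall(src))
    tokens = IDENT_RE.findall(STRING_RE.sub('""', src))  # skip words inside strings
    return strings, {t for t in tokens if t not in CONTROL}, [t for t in tokens if t in CONTROL]

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def compare(src_a, src_b):
    """Per-feature similarity in [0, 1]; high strings/structure, low identifiers = renamed copy."""
    sa, ia, ka = features(src_a)
    sb, ib, kb = features(src_b)
    return {"strings": jaccard(sa, sb), "identifiers": jaccard(ia, ib),
            "structure": SequenceMatcher(None, ka, kb).ratio()}

def tell_tale_markers(src, markers=MARKERS):
    """Author-specific markers found in the suspect code (case-insensitive)."""
    low = src.lower()
    return [m for m in markers if m.lower() in low]

if __name__ == "__main__": print(compare(ORIGINAL, DERIVED), tell_tale_markers(DERIVED))
```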

Page 20: Code Plagiarism - Technical Detection and Legal Prosecution


... so I gave them a last chance ...

Page 21: Code Plagiarism - Technical Detection and Legal Prosecution


... which they ignored. But they tried to cover up :)

◦ Some plugins were altered to hide the obvious, especially within the new release after my technical letter.

◦ Those changes usually destroyed the purpose of the code and rendered the checks useless! For example:

  ◦ The exfiltration tests were always negative if their website wasn’t hosting my daemon (which was not part of the ATK package). [3 plugins affected]

Page 22: Code Plagiarism - Technical Detection and Legal Prosecution


◦ Article 2 of the Swiss Copyright Act:
  1. Works shall mean literary and artistic creations of the mind, irrespective of their value or purpose, that possess an individual nature.
  2. […]
  3. Computer programs shall also be deemed works.
  4. Protection shall also subsist in drafts, titles and parts of works on condition that they are creations of the mind with an individual nature.

◦ Key elements of the definition:
  ◦ Creation of the mind
  ◦ Individuality


Page 23: Code Plagiarism - Technical Detection and Legal Prosecution


◦ Software:
  ◦ Idea | plan
  ◦ Object code | source code

◦ Case law (decision of the Zurich Court of Appeals, sic! 2009, p. 230):
  ◦ Very low threshold in terms of individuality
  ◦ Exclusion of banal or trivial software

◦ Consequence:
  ◦ As a matter of principle, software is generally protected by the Copyright Act
  ◦ Copyright protection is denied with regard to banal software


Page 24: Code Plagiarism - Technical Detection and Legal Prosecution


◦ Patent law?
◦ Brand | design?
◦ Unfair Competition Act?


Page 25: Code Plagiarism - Technical Detection and Legal Prosecution


My options were: No. 1 – Legal Prosecution

◦ Had contact with different lawyers from different countries (Switzerland, Germany, USA)

◦ Had contact with the Free Software Foundation (FSF)

◦ There were multiple difficulties:

  ◦ Such a legal case in Switzerland was «unique» until then

  ◦ My legal insurance didn’t cover «copyright violations» (no legal insurance in Switzerland was/is)

  ◦ It would have cost me an undefinable amount of money to prosecute

  ◦ The chances of gaining indemnity were zero (because I distributed the ATK for «free» and therefore had no calculable loss of income).

  ◦ Within a trial I would have lost money anyway (that’s not my idea of an open-source project).

  ◦ Because I had waited a long time, I wasn’t able to enforce «immediate legal actions» anymore.

Page 26: Code Plagiarism - Technical Detection and Legal Prosecution


My options were: No. 2 – Media Rampage :)

◦ For me it wasn’t about the money. It was about law and justice ... and for the lulz!!1

◦ I started to prepare a broad media offensive.

Page 27: Code Plagiarism - Technical Detection and Legal Prosecution


If I don’t get enough attention, then I may go public!

Page 28: Code Plagiarism - Technical Detection and Legal Prosecution


But who did it?

Page 29: Code Plagiarism - Technical Detection and Legal Prosecution


I tried to contact my «old friend» ... But he ignored me :(

Page 30: Code Plagiarism - Technical Detection and Legal Prosecution


But wait? I know him and own his code too! :)

Page 31: Code Plagiarism - Technical Detection and Legal Prosecution


Then they claimed that I was lying. (I didn’t like that!)

Page 32: Code Plagiarism - Technical Detection and Legal Prosecution


By accident I’ve got access to their «expert opinion» ...

Page 33: Code Plagiarism - Technical Detection and Legal Prosecution


◦ How does a court establish whether a violation of a copyright has occurred?
  ◦ Expert opinion
  ◦ Value of a private expert opinion?

◦ What will the expert analyze:
  ◦ Description of the software | plan?
  ◦ Functionalities?
  ◦ Source Code?
  ◦ Object Code?


Page 34: Code Plagiarism - Technical Detection and Legal Prosecution


I’m sorry, not everyone is an «expert»!

◦ There is a list of funny typos (e.g. «exploits» became «exploids»). (pp. 12) He might not be a language expert (there are many typos).

◦ He compared the compiled software and not the source code. (pp. 10) Not a brilliant approach to comment on a «code theft accusation».

◦ His argument why «borrowing» my code was legitimate was that I had mentioned the GPL just somewhere «hard to find». The project was therefore «open-source» and I had lost all my rights. (pp. 4) This conclusion is just plain stupid. You don’t lose copyrights by publishing the source code!

◦ On some pages he denied that those were the same plugins. On others he argued that the match might be «just by accident». (pp. 4, 9, 12, 15) Yeah sure, 380 plugins with the exact same 1.716 commands are just a magical coincidence!

◦ The «expert opinion» contained a copy of the Wikipedia page about the «General Public License». (pp. 22-26) Some say WP and Expert can’t be mentioned within the same sentence ;)

Page 35: Code Plagiarism - Technical Detection and Legal Prosecution


◦ Copyright protection of OSS in general

◦ With regard to GPL in particular:
  ◦ How to validly include GPL when distributing software
  ◦ Rights and obligations of the licensor
  ◦ Rights and obligations of the licensee
  ◦ Copyleft
  ◦ Auto-termination in case of violations

◦ Differences Copyright Act | GPL


Page 36: Code Plagiarism - Technical Detection and Legal Prosecution


◦ With regard to the inclusion of GPL?
◦ Act quickly!
◦ Act decisively!
◦ Safeguard potential evidence


Page 37: Code Plagiarism - Technical Detection and Legal Prosecution


One more thing ...

◦ In version 1.8 they fragged their HTTP engine. Because all HTTP requests lacked the proper CRLF at the end, the HTTP checks were rendered useless. 100% false negatives!

◦ The «stresstest module» didn’t work if the http:// was missing in the target definition (which was not a requirement and did not show a warning message). 100% false negatives!

◦ The «webspider module» wasn’t able to collect file and path names which start with a dot. Have fun testing .htaccess files! More false negatives!

◦ The «lan viewer module» froze the whole application if you clicked onto something during discovery mode. Denial of service!

◦ The «port scan module» did a full connect without a timeout to every open destination port. HTTP services led to denial of service, but chargen led to memory corruption and code execution. Pwnd by your target!

Page 38: Code Plagiarism - Technical Detection and Legal Prosecution


Summary

◦ Legal prosecution is not easy.
◦ Act quickly and take a good lawyer! #lfmf
◦ Licenses and copyrights aren’t the same. You don’t lose a copyright by publishing the source code.
◦ Fight for your right as long as you’re sure about it.


Page 39: Code Plagiarism - Technical Detection and Legal Prosecution


Literature

◦ ATK vs.
  ◦ ATK Project gegen (2006), http://www.computec.ch/news.php?item.117
  ◦ ATK gegen , Teil 2: Rückzug? (2006), http://www.computec.ch/news.php?item.120
  ◦ ATK gegen , Teil 3: Siege und Niederlagen, http://www.computec.ch/news.php?item.126
  ◦ ATK gegen - Technische Beweisführung (2007), http://www.computec.ch/download.php?view.889


Page 40: Code Plagiarism - Technical Detection and Legal Prosecution


Questions


Page 41: Code Plagiarism - Technical Detection and Legal Prosecution


Thank you for your Attention!

Homburger AG, Prime Tower, Hardstrasse 201, CH-8005 Zurich

Tel +41 43 222 10 00 | Fax +41 43 222 15 00 | Mail [email protected] | http://www.homburger.ch


Page 42: Code Plagiarism - Technical Detection and Legal Prosecution


Security is our Business!

scip AG, Badenerstrasse 551, CH-8048 Zürich

Tel +41 44 404 13 13 | Fax +41 44 404 13 14 | Mail [email protected] | http://www.scip.ch | Twitter http://twitter.com/scipag

Strategy | Consulting
Auditing | Testing
Forensics | Analysis
