Jailbreaks and Pirate Tractors: Reverse Engineering Do's and Don'ts

good good afternoon everybody I know we're so we deep into into a food coma time of day so I'll certainly try to keep this lively but uh I'm Mitch sults i'm a senior staff attorney at the Electronic Frontier Foundation item number of you were here for a Cooper's session on the in the last hour so i won't go totally repeat his wonderful introduction to eff but but but very briefly we are a non-profit donor supported civil liberties organization based in san francisco we defend individual rights in the use of digital technology and we focus and particularly on privacy on the free speech in on promoting promoting innovation and individual rights and we are supported largely by donations from individuals

and all of our legal work our software development and our activism are all funded by that and then our legal work is is his uh his pro bono is free in that sense EFS coders rights project which is which is a part of our legal operation is where we work to protect the rights of coders security research and researchers and developers building is safer a safer internet so we we do advise people from time to time we help people find lawyers when they need it and we pursue impact litigation so trying to set precedent that will protect people working in the field and hopefully protect them against threats to so being a lawyer I have to give you

the disclaimer here i am not your lawyer this talk will not give you legal advice everyone's circumstances are different and circumstances that you have you know are going to call for you for either

specific and careful consideration and and so if you're happy if you have an issue that you're concerned about and you think you need to talk to a lawyer you then you do we can help we do we try we have a referral service we try to help people with lawyers who specialize in the in this work and then some and in many cases we can even represent people for a reduced fee or no fee where possible we try to do that and the best way to get started on that process is to email info at AFF gorg so I want to tell you some kind of give you the lay of the land about those of the

legal pitfalls and and what to think about when you're doing a reverse engineering project or using the fruits of reverse engineering to build new things but these are but this is not legal advice and then so you shouldn't expect it to be specific to your issues that's that's a that's something different so what are we talking about here i'm talking about taking things apart to find out how they work whether that's hardware or software jailbreaking devices getting rude on on on devices devices that you didn't build you know third device that somebody else build reprogramming things and and then i think the big one is taking us to taking that taking that a step further is is

right thank you writing a software that's compatible with things that already exist out there in the world so so so writing to an interface maybe maybe not necessarily an open interface but but but building something new that interacts with something that already exists and there's there's there's all kind of examples with us i'm sure maybe you can give them doing this or what are familiar with it with these kind of things so the world we're going to take this this is these are in general the things that you're going to want to look out for and i'm going to go through these in a bit more detail that's you know on the thing that you reverse

engineering whether it's hardware or software do you own it or do you have permission to reverse engineer it question of fair use question of copyright that is due k you can you legally copy even sort of temporary or media copies then of the contract issue the fine print the Terms of Service the little dents in penetrable legal text that you click through or that is stuck in the box with the product or any of those things that we all get you know flashed in front of our eyeballs on a daily basis we usually ignore out of self-preservation I'd finalize something all the Digital Millennium Copyright Act this is the law against circumventing essentially we talk about drm here we're talking about

access controls on a software or media that's you know that's probably the biggest concern here so I'm save that for last and talk about how to navigate it but also what we need to do to fix it first issue here and it gives the kind of the simplest one is if your reverse engineering something the first question to ask is do I own this thing or do I have permission to tinker with it and the main issue here is something called the Computer Fraud and Abuse Act how many people here know remember a movie from the early 1980s called war games during Matthew Broderick a lot of folks okay up you know in 1986 after having

seen or heard about this movie it freaked out a bunch of members of Congress who were suddenly worried about teenagers launching world by 3 from their bedroom they passed this thing it their solution to that because this is sort of what lawmakers do when they get panic was was was is they pass a law and not always the best written law so within that the result was the Computer Fraud and Abuse Act which is still with us it has a few parts and it's good sort of all an attempt to define and capture malicious hacking and there's a few different parts but the relevant ones are here or here it's you who ever intentionally accesses a computer

without authorization or exceeds authorized access and thereby obtain information from any protected computer that protect your computer kind of a red herring that's any computer really the the key to whether something vile is good violate CFAA or not is is is this words without authorization or exceeds authorized access and then the other one of the other sub parts of this is the person was obtaining information but also the transmission of a program information code or command that intentionally causes damage without authorization so you're either exfiltrating information or will or we're causing damage these get interpreted pretty creatively when someone has a bone to pick and then that's what you know in it because it goes we can probably all think of ways

in which we've all violated these super from time to time by some definition and then that's a problem these are these laws are broad they're vague and in this case other sometimes that you know we can be criminal this is the criminal or civil so you this can be this can this can lead to a lawsuit from a private company or the you know the feds bringing criminal charges and this and this has happened and it's you know but in the in that when we're talking about reverse engineering I mean there's there's really just two main concerns here today if you if you own the thing the risk is lower here not gone but it's

a but but it's lower you own the hardware it's really really a stretch to say that you are making you can make unauthorized access to something that you own now this has been tried this has come up in court cases the no court has really said this you know I mean it sort of gets thrown in the mix that it was a guy named George Hotz also known as geo ha who figured I had to hack the playstation three two run two run linux on it after sony i wasn't it wasn't just jihad it was it was he was part of a group of folks doing this but um after Sony withdrew the ability to run linux

and other operating systems on the playstation 3 he figured out how to crack that that security thing we're sued the court wear them to stop doing that and to stop disseminating even the knowledge of how to do that which was a bad result but one of the things that got thrown into that suit by Sony was well you've exceeded authorized access court didn't actually use that and I think it's you know it's pretty far-fetched but then the other thing to be the other area of concern assuming that you own it or you're you're you're tinkering with a hardware software with with with the permission of the owner is is it connecting to a network because even if

you are making authorized access to you know say you know the smart phone in your pocket it may be communicating with another computer that is that is owned by in the case of my phone here Samsung or verizon or Google or someone else and maybe that's unauthorized access this is going to come up in one other cut context which we so we'll put a pin in this and come back to it but the for good but take away this is the first question is here is do own the thing and do and is it communicating with a network for the purposes that you want to use it for the next thing is copyright and the reason copyright

always comes up in this context is because it's ubiquitous any creative material including code is automatically copyrighted from the moment it gets set down or you know it with a moment it's on paper or on our own hard drive the moment that's out of your head and into you know of physical reality copyright applies its you don't have to register it you don't have to you know be granted a copyright and have a certificate and framed on you while it's automatic and that means that whenever code is copied copyright comes into the picture doesn't always it doesn't always prevent you from doing that but it's always something you have to consider and fair use is the is the broad exception to

copyright where the we're copying is allowed in stance is where it should be allowed and it is it's vague in a sense I mean there there's there's a test for whether something is fair use or not it's a in a sense it's a bit of the golden rule it's a copy only what you would wish to be copied of yours that's that is a gross and probably misleading definition but but I think it's a good starting place there are some specifics when it comes to software and this is what to get this and this is what to keep in mind so I take you back if you will allow me to 1992 Sega Genesis one of the the the

most popular consoles of that era and a game publisher called accolade which didn't ask Sega's permission to write games for the Genesis system they simply reverse engineer the console to figure out the the API for those big plastic ROM cartridges took in order to write their own Genesis suit they said well you know you've disses you disassembled our console you made you make copies of the dump the ROM you make copies of the code you use them internally and then you wrote and then you roll your own games based on that court said ok that's fine that's that's that's fair use that's that's not that's not copyright infringement because first of all because the copies were intermediate the

the vehicle eight games the game cartridges that they were creating they didn't have any Sega code in them they were just written to the API of the console the copies were made internally and then there's an intermediate sense just to figure out how to do that the second thing was necessity whether there was there was no other way to do that it wasn't an open standard it was in a sense they had to do that in order to write games and and the third thing is that it was they were creating something new they hope the end goal here was was right new games they weren't so free riding on someone else's work they were

they were doing what necessary in order to bring something else new into the world all those things matter this is then a similar thing happened again but sort of reversing the reversing the size of the API here and this wasn't it was in two thousand SAR this one got cut off a little bit but but the premiere console one of the premier consoles and that arrows the PlayStation kinetics maker of for the most part emulation software right rather than writing new games for the playstation they wrote a playstation emulator that could play existing games same sort of lawsuits same result this was fair use this was okay and for similar reasons the the the the broad

principle and it's dangerous a little bit dangerous to generalize from here but but but there is a broad principle that emerges with some some caveats around the edges the brother is that disassembling and looking at code and using it in an intermediate sense to create a final product that is something new and that is compatible with the original product is likely to be fair use likely to be okay under copyright now going all the way up to 2015 similar case here that Oracle brought against Google because Google used large portions of the Java API in Android Java was son bought by oracle oracle suit google for copyright infringement for doing it was really pretty much it was

similar to what kinetics did so the android OS was in a sense emulating the java runtime so that it wasn't perfectly it wasn't i don't think binary compatible but it was it was source compatible in some sense somebody else probably knows this better than I do but this actually the this case is still going on and the outcome is a bit uncertain that was a pretty scary ruling from on appeals courts a different appeals court this time said that you can copyright an API and you can and you can and theory use copyright to stop someone from writing to your API pretty scary thought and not i think the sort of common wisdom amongst programmers but

we got this ruling the Supreme Court didn't take the case it still might be fair use in the courts that is probably likely fair use so the result from from the sony kinetics case probably still good way here's fair use I won't go I won't go too much into this but this is the test you'll see it's vague your ideal see that it's it's flexible which is good and bad both I mean this is very adaptable to new situations but it's also kind of difficult to predict like the outcome of any given thing is four factors the important ones really are the first in the four so that's the purpose and character of the use

including whether it's commercial or nonprofit and then the effective use upon the potential market for a value of the copyrighted work which an egg again kind of gets to are you are you simply free riding or replacing what's already there or are you complimenting it by creating something new now this is how this apply in the eye in general how those factors are apply to reverse engineering and the fair use given these cases give us things to keep in mind when we're reverse engineering code how much copy codes in the final product if any in those cases I mentioned it was almost none and that and that's key in some in the Sega Genesis case there was

there was four bytes copy the letters s EGA with in theory if there's some kind of key you know fixed key or something API key or something like that that has to copied I think that's probably going to be a fair use if if you must use that yeah in order to make to make something run

um it wasn't actually the mean it was it was more about the court went into this sort of the the layout of method function calls and secure suggested that just sort of the blue of hierarchy of method and function calls could be something that's been subject to copyright they copy they copied header files they copied see header files quite a lot of them but not implementation stick still an open question all right because I think so these are the takeaways i think it is it's it's how is did you use any any copy code in the final product the final new product that you're copying in order as necessary in order to create something new not to

avoid doing your own work and then lately and we're starting to see this ligand maury more recently in cases i think this is a bad trend but it's there so it's something we have to watch out for is is are you taking security precautions during this process so that save the trade secrets from the original or really the the the details that you've learned from the reverse engineering aren't leaking out to people who are who are just going to make careless use of them that's a factor that the courts are starting to take into account that's the copyright piece the next the next piece I like I call it the fine print lawyers would call it

contract it's it's an user license agreements terms of service terms of use it's it's all those names for all the ridiculous legal gobbledygook that we see or get exposed to every time we deal with digital products and software these days there was a study a couple of years ago they said that if we all actually try to read all of the legal terms that we are exposed to and asked to agree to in a year it would take us three weeks morning tonight and which means it's basically impossible and I'll tell you that the even lawyers who are sort of have a morbid interest in this stuff and are trained to do it don't read every

one of those things it's just not possible but when you want to reverse engineer something it is one of those moments where you actually do have to pay attention to what terms you were presented with when and how and whether you clicked the i agree button or how those were those were presented to you and the reason is is because they often have terms like this and I mean this is this is from the samsung galaxy note but this is pretty standard for both hardware and software right I'm sure you've all seen this language out of the corner of your eye at some point it says uh you agree that you will not and will

not attempt to modify prepare derivative works of reverse engineer the compile disassembled or otherwise attempt to create source code from from the software yikes I mean this is all the things we want to do right and if this is we see this pretty commonly this standing alone you know it's it's not a law to contract at most you know you may just be words so the question is what effect does this have on you and in what you want to do and and this is good this is one of those talk to your lawyer moments because this is going to vary the important thing is just to note these things take a screenshot take a

you know download the terms if it's on paper save the paper and note how you you know how you got past it whether it was simply thrown up at you on a website or whether you had to click a and I agree but this is another example this is something else that we do this is raises another wrinkle this one's from the xbox 360 and it gets talking more about networking but it says you can't use unauthorized software hardware to access the services nor can you modify an authorized device in any unauthorized way through unauthorized repairs unauthorized upgrades or is downloads this is the sort of thing they're going to use to say okay you can

modify you know or you have modified your console you can't connect to our network with it anymore which is something which is you know always going to add another wrinkle I'll get back to that these may not matter that much if what you're doing is gathering information for for study or for your own edification you you know you may be breaking a contract they don't come to you and demand the your phone back I'm sure you definitely we're going to void the warranty right but assuming you made a contract or something you actually agreed to something which is which is a question for your lawyer you may you know there's there's not a whole lot

that can do about it unless two things or they're building a product from this in which case you know you want to try to do what you want to try to avoid these kind of things or there's this weird case to get back to the CFA and we've seen this is this is thankfully the courts are moving away from this but there have been cases where people have been accused of violating the Computer Fraud and Abuse Act that's war games because they violated the terms of service which is crazy innocence and the court n and overzealous prosecutors continue to bring this up but the courts are moving away from it and then there's a kind of the judge out in California

with a wry sense of humor said you know you talkin by violating the terms of service on an online dating site and and he said if you describe yourself as tall dark and handsome when you were actually shortened homely you may may earn you a handsome orange jumpsuit but he rejected that and said no that's not what this does you can't turn and violating the the fine print on a digital hardware software into a crime but that still gets bit still comes up every once in a while so it's just I'm the king but we are we've been mostly successful in moving a long way from that but it's not good it's not totally gone sometimes you can avoid these terms

by buying secondhand and not always it's not it's not a magic talisman it's something you really have to check in every case but but but they're definitely cases where it you know if you buy something used you didn't click the I agree and you never actually entered a contract with the original manufacturer or you know or anybody now now that's right now it's not a magic talisman and it doesn't always work basically you know so if you are if you're doing things for that you're basically any work that you plan to share with anyone else it's a good idea to get your ducks in a row and talk to a lawyer before you but you know before

you attempt this but it's possibility and then i got i mentioned it before but then even if even if your use of a device or or a piece of software yeah is not violating one of those things if it's connecting to someone else's network or a server then you may be exceeding authorized access to that and that's you know raises another wrinkle so then finally the last assuming you've cleared the three hurdles i've mentioned already so the the CFAA the ownership issue basic copyright & fair use and the the terms of the terms and the fine print we get to this thing the Digital Millennium Copyright Act which may be the biggest obstacle here to reverse

engineering but but again you know not not insurmountable and not you know we were not a reason to lose all hope this was passed in nineteen ninety eight it says no person shall circumvent a technological measure that effectively controls access to a work protected by copyright well what the hell does that mean well it says it is a bit more to it it is this that says what that means is a measure that in the ordinary course of its operation requires the application of information or a process or a treatment with the authority of the copyright owner to gain access to the work well gee that's not a whole lot more illuminating we know this means we

know that this covers the encryption this is this this was written to cover things that are consider that are commonly called drm digital rights management digital restrictions management technical protection measures access controls on digital media and or software that are that are designed to really sort in for someone else's business model and we know this doesn't cover just a label or an HTML tag that says please don't copy this it has to be some it has to be something with the the as being that it has some sort of technical process and not just a label or a legend even if it's even if that that label is digital but still the soap so what does this mean writing so the

question the big question where the DMCA is does it stop us from doing things that would be leaked that would be legal otherwise or does it only apply when we are circumventing access controls in order to make illegal copies of something or to help others make illegal copies of something courts are going both ways on this and that's the tricky part so it so I this is the early aughts lexmark actually this case is still going on it's been going on like like 15 years the lexmark printers lexmark laser printers do a handshake with a chip that lives in the toner cartridge and if they don't receive the right hand shake from the chip and the toner cartridge the

printer won't run some folks who made recycle they refurbished toner cartridges so they refill them replace the chip and and and sell them as as as refurbished they wrote their own chip which emulates that handshake lexmark sued them they said you're circumventing and access control court said no that's okay essentially they said because of because the customer already owns both of those things so there's the again that there's no unauthorized access there and then there was a similar case with this as a company that made replacement garage door remotes and the company that makes the garage door opener engine sued them for reverse engineering the brf the communication protocol that opens the garage door they

said well basically this has nothing to do with copyright infringement you're not you're there's no we're not copying code here you're just making new remotes and if there's no connection to copyright infringement then you're not violating the DMCA either now unfortunately some courts went the other way this is kind of similar to the garage door opener but in in context this is World of Warcraft you know a famous multiplayer online game and a program called glider which automated gameplay I think it again reverse engineered the protocol by which of the world of warcraft client talks to the server and replayed some of those protocol actions to just I'm gonna make your character walk around and gather

gold or something like I do basic actions in this case the court said yeah you know even if if this isn't really about copyright infringement that doesn't matter this is a separate thing you're breaking and access control your circumventing reverse engineering and access control and that itself is illegal can't do it so when totally different way courts are split which is tricky right because then what do you do if you want to reverse engineer something to build new things if it's going to involve breaking an access control there's one there's another way to do this which is this the the Library of Congress and the US Copyright Office which is part of the Library of Congress

every three years does this rulemaking proceeding where people can propose things that are going to be exceptions to this law and where things and it's pretty they're tough to get and you have to and we have to ask for them again repeatedly every three years eff does these ffs participated in this in most years the last rulemaking just finished up past October it's tricky it's expensive and it tends to end up with pretty narrow exceptions we've gotten some good ones and we've got some good ones this time around this is just a few of them this is not a good but so uh jailbreak and routing modal mobile devices this is really defined as modifying the software on a mobile

device and and this used to be just phones but we've got them to include tablets and smart watches too so basically anything running a a mobile OS as opposed to a desktop OS that's how we've that's how we've sorted it out this time could modify it to run software of your choice and similar thing for carrier unlocking so mom assuming something you have the codes to do it or configure them or configure them out you could unlock a mobile device to change wireless carriers without this law getting in the way and then there's two more going to take effect this October the one on vehicle diagnosis repair and modification and another one on the good faith security

testing of various different kinds of products when we propose the an exception for vehicle repair the auto industry was up in arms and we even heard from John Deere who wrote to the copyright office to complain that people think this is dangerous because people might pirate music on their tractors

unfortunately it actually takes a lot of time and money to knock down these arguments even when they're silly but this is good but this is where we're at we're particularly excited about the vehicle repair and security testing exemptions windows when those come online because so you think those are really help provide protection for a look for a for a lot of independent repair and then for a lot of interesting security work but this is probably this process is not sustainable there's a bill introduced in Congress it's called the unlocking technology act of 2015 it'll expire at the end of this year but hope but we're pretty sure it'll be it'll be introduced again and when the

new Congress comes in next year and this is that what this what this law will do is it'll basically go take us back to the the toner cartridges and the garage door openers and to say if you're not if you're if you're circumventing things and you're not doing it to make look like DVDs or to steal your competitors code and sell it if you're doing it for purposes that are otherwise illegal then it's legal that's the really the fix that we need you can help us get there the Copyright Office is asking for comments the due date is April first if you go to this website there's instructions on how to on how to do it you can send you can send just

basic text comments you can upload a document in there accepting comments there April first just giving your opinion is great though I think the really valuable thing is if you if you have anecdotes remember this is public records so you know probably best not to tell them if you think you've broken the law or doing anything questionable but if you have personal stories about the importance of security testing repair reverse engineering and how it might be impacted by the DMCA and you can give attic goats about that I think that'll be really powerful for these guys because we are continuing to pursue this and again I'll make a shameless plug here for donations to eff we are many of

us working working every day and is going to be a major priority this year try to try to fix this law try to remove this Clyde this cloud of legal uncertainty over security research I'll leave this up here this is this is the the the points that i mentioned that mentioned earlier the things to think about before you start a reverse engineering process and happy to take questions remember i can't give a specific legal advice but I concert' but I can certainly try to cali uh what experiences others have had and and and hopefully clarify some of the things here fire

that's a good question i'm actually i'm sure it was asking if there are cases about using digital forensics as as evidence in a in a court case yeah i

don't know if there are any cases to touch on the DMCA there are cases about fair use because it did say that you know it basically you can't call copyright infringement because somebody made a copy of something to submit to a court case so that's so that's a that's a start there for the most part you know it's it's expert expert witness information it has to be reliable has to be a useful based on reliable methods yeah I haven't either not on the DMCA i miss you discover the locker room and I heard that some of life in the DMCA are about the three years that exemption for security testing I approved it some of

the security tools for the lost her arrangement in which day I guess they're currently reviewing i guess most recent news about it those were under fire so if if security testing isn't allowed but that was her ring is Rick do we not find ourselves to catch 22 where the tool you use duties things but you can do that yes we do find ourselves in a catch-22 the good news is the US government has basically rejected that that piece of the wasn't our agreement the the uncertain news is we don't know what the rest of the world is going to do yeah

the first point we sink have permission

yeah you say what sort of permission is that your mileage may vary the easiest thing the easy question is going to be if you own the thing beyond that you know if you are if you are concerned then you're going to want to talk to a lawyer this is the best answer I can give the trans-pacific partnership doesn't make that many changes to US law would not require that many changes to US law does it actually it's going to affect folks in other countries more what what it could do and we're fighting very hard against this is is it might make it harder in the u.s. to fix some of these one of these problems might politically

set these in stone a little more strongly both both here and in the other countries but it wouldn't it wouldn't cause a lot of immediate changes in the US where you try we are making cloud-based SAT models or rgrg systems you probably the better example being office 365 I no longer own office for my organization as a curious asere common what you think is going to happen in a world where the legal firms are being argued for at least one when constructing the wrong or software ownership plan do you own this thing when the things i'm buying anymore have specific clauses that i don't own them i have a nice on them or i have the

ability to use them but i don't know them so curious girl calm yeah things get much harder not only do you not own it and that's typical right this is going back to this is going back 30 years now that even when software was was sold in little cardboard boxes there'd be a text in the box that says we're not actually selling you anything we're just giving you a right to use this we're not telling you anything except a cardboard box everything else is at our sufferance that's not new what's new is you're not even in possession of the bits writing possession of the the object code is running on Microsoft servers or what have you that that that absolutely makes

these problems harder certainly legalities aside it makes it harder to audit the code it makes it harder to audit what it's doing with your information Oh seen any case wall or president coming through that potentially address that wrong I think we're going to start to see it in the context of data breaches and corp company liability for data breaches which it's possible you know could lead to essentially do this you know a software-as-a-service or you know saw at least software or that kind of thing maybe being being treated more like other kind of consumer goods as far as if it if it injures you or mangles your data then they're going to bear some responsibility for that but that's

but that's tough and then and I'm SMS tricky how much how much time do I have another another question yeah

the nature of have to ask my audience it's a given that my JavaScript chatter if there is a scent is all right there because they hire you to be so your mileage may vary I don't know what's in your employer agreements and couldn't tell you about it here if I did but in but in jet but it but but in general yes those things can be understood they don't necessarily have to be explicit yeah yeah one more where does one start I feel like that that's that's specifically talking about like ships that actually irregularly here we see if I can brig if you come up after I got my god I can show you the actual language

um it's it's it's broad enough to cover that I mean and Tesla is the extreme as far as as good being sort of a rolling iphone but but but like but but but all cars all modern cars have have an enormous amount of software and computing power and them and the exemption was designed to cover most of that with the exception of entertainment book audio visual stuff I can show you yeah thanks I'll be around