All Your IP Are Belong to Us: An Analysis of Intellectual Property Rights as Applied to Malware (pdf)

Article PDF cannot be displayed. You can download it here:

https://scholarship.law.tamu.edu/cgi/viewcontent.cgi?article=1095&context=lawreview

All Your IP Are Belong to Us: An Analysis of Intellectual Property Rights as Applied to Malware

Texas A&M Law Review Volume 3 | Issue 3 Article 9 5-2016 All Your IP Are Belong to Us: An Analysis of Intellectual Property Rights as Applied to Malware Miranda Rodriguez Follow this and additional works at: https://scholarship.law.tamu.edu/lawreview Part of the Law Commons Recommended Citation Miranda Rodriguez, All Your IP Are Belong to Us: An Analysis of Intellectual Property Rights as Applied to Malware, 3 Tex. A&M L. Rev. 663 (2016). Available at: https://scholarship.law.tamu.edu/lawreview/vol3/iss3/9 This Comment is brought to you for free and open access by Texas A&M Law Scholarship. It has been accepted for inclusion in Texas A&M Law Review by an authorized editor of Texas A&M Law Scholarship. For more information, please contact . ALL YOUR IP ARE BELONG TO US: AN ANALYSIS OF INTELLECTUAL PROPERTY RIGHTS AS APPLIED TO MALWARE By: Miranda Rodriguez* ABSTRACT The cybersecurity and cybercrime industries are tied together in an arms race where both seek out new security vulnerabilities to exploit on offense or to remediate on defense. Malware (malicious software) offers one of the primary weapons pioneering new computer technologies on both sides. However, the average Internet user sees malware at best as an annoyance that is merely the price of surfing the web. It is clear that cybersecurity is a business and a successful one. The cybersecurity industry maintains copyrights and patents on our cyber defense technologies—antivirus software, firewalls, intrusion prevention systems, and more. There are no federal copyrights and patents on malware, even regarding the cybersecurity industry’s creations. From an intellectual property perspective, there is no difference between ordinary software and malicious software. Malware, as offensive software, can and should be protected, just as we protect our defensive software. I. II. III. IV. V. TABLE OF CONTENTS INTRODUCTION: JUST A BIT OF MALWARE . . . . . . . . . . . . . MALWARE IN A NUTSHELL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B. The ZeuS Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C. Malware and its Authors in the Law . . . . . . . . . . . . . . . . MALWARE UNDER COPYRIGHT . . . . . . . . . . . . . . . . . . . . . . . . . A. Ordinary Software’s Qualifications for Copyright . . . B. Ordinary Software’s Rights & Limitations Under a Federally Registered Copyright . . . . . . . . . . . . . . . . . . . . . . C. Copyright Rule Application to the ZeuS Family . . . . . MALWARE UNDER PATENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A. Ordinary Software’s Qualifications for Patent PostAlice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B. Ordinary Software’s Rights & Limitations Under a Patent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C. Patent Rule Application to the ZeuS Family . . . . . . . . CONCLUSION: WHO AND WHAT ARE WE PROTECTING? . A. Protecting Innovation and Creation . . . . . . . . . . . . . . . . . B. Should Illegality or Immorality Matter? . . . . . . . . . . . . . C. White Hats vs. Black Hats . . . . . . . . . . . . . . . . . . . . . . . . . . 664 667 667 668 671 674 675 677 679 681 681 683 684 686 686 687 689 * J.D. Candidate, Texas A&M University School of Law, December 2015; B.S. Computer Science, Texas Tech University, 2008. The Author would like to thank her advising professor, Megan Carpenter, for her guidance during the writing and editing process. 663 664 TEXAS A&M LAW REVIEW I. INTRODUCTION: JUST A BIT OF [Vol. 3 MALWARE Malicious software (“malware”) is the bane of any Internet user’s daily experience. Entire industries have been born just to combat the spread of malware ever since Creeper, the first documented specimen, appeared in the 1970s. Creeper, though widely accepted as the first computer virus, was not a malicious creation.1 In 1971, Bob Thomas of BBN Technologies deployed Creeper onto the precursor to the Internet—the Advanced Research Projects Agency Network (“ARPANET”)—as an experiment in mobile code.2 Creeper would move to a system connected to ARPANET, print “I’M THE CREEPER : CATCH ME IF YOU CAN,” and then move to the next system.3 Later, Thomas’s partner, Ray Tomlinson, wrote a companion program, Reaper, designed to replicate itself on systems connected to ARPANET in order to find and remove Thomas’s Creeper.4 These two features, mobility and self-replication, would later become the primary indicia of a computer virus.5 It is important to note that Creeper and Reaper were not created maliciously. These were experiments in what was a new field of computing. These processes were something novel and had never been done before. Since 1971, this type of software has evolved to the malware we know today—viruses, worms, Trojans, adware, spyware, rootkits, botnets, and more. In the forty-four years since Creeper and Reaper, the malware space has pioneered technologies taking advantage of polymorphic encryption, novel ways to use Internet communication protocols, and manipulation of memory in much the same way as the more benign areas of Computer Science. But if you look for patents covering Distributed Denial of Service (“DDoS,” a common attack vector where an attacker blocks access to a system by using up the system’s available resources or bandwidth),6 you will not find them. Instead, you will find a multitude of patents regarding preventing DDoS.7 Neither are there patents for buffer overflow (another common attack vector where the attacker causes 1. See Richard E. Schantz, BBN’s Network Computing Software Infrastructure and Distributed Applications (1970–1990), 28 IEEE ANNALS HIST. COMPUTING, Jan.–Mar. 2006, at 72, 74. 2. See id. at 73–74. 3. First Computer Virus, Creeper, Was No Bug, DISCOVERY NEWS (Mar. 16, 2011, 4:41 PM), http://news.discovery.com/tech/first-computer-virus-creeper-was-no-bug110316.htm [http://perma.cc/G79S-3NUS]. 4. John F. Shoch & Jon A. Hupp, The “Worm” Programs—Early Experience With a Distributed Computation, 25 COMM. ACM, Mar. 1982, at 172, 179. 5. See What Is a Computer Virus or a Computer Worm?, KASPERSKY LAB, http:// www.kaspersky.com/internet-security-center/threats/viruses-worms [http://perma.cc/ 6TQV-9FSB] [hereinafter What Is a Computer Virus?]. 6. Botnets, SHADOW SERVER, https://www.shadowserver.org/wiki/pmwiki.php/In formation/Botnets (last updated Nov. 2, 2015) [http://perma.cc/PMY3-JG2G]. 7. See, e.g., U.S. Patent Nos. 8,359,648 (filed Sept. 1, 2009); 8,634,717 (filed Dec. 8, 2011); 8,886,927 (filed Jan. 14, 2013). 2016] ALL YOUR IP ARE BELONG TO US 665 the system to write outside the bounds of allocated memory to corrupt data or execute arbitrary commands),8 but there are for preventing it.9 In modern technology, these methods of attack are no longer novel creation (...truncated)