More on fortifying Lotus Notes

Nicholas Bohm nbohm at ernest.net
Mon, 07 Jun 1999 15:52:23 +0100


At 10:41 AM 6/7/1999 +0100, Ben Laurie wrote:
>Nicholas Bohm wrote:
>> 
>> At 07:08 PM 6/4/1999 +0100, Paul Crowley wrote:
>> >Ian BROWN <I.Brown@cs.ucl.ac.uk> writes:
>> >> Paul Crowley wrote:
>> >> >Is that because Lotus has been engineered such that it's harder to
>> >> >reverse-engineer or modify?  Because presumably if we could find
>> >> >where the NSA's public key is stored in the binary, a Lotus-Fortify
>> >> >program could replace it with a randomly-generated one for which the
>> >> >private key has been discarded?
>> >>
>> >> "Playing hide and seek with stored keys" by Adi Shamir and Nicko van
>> >> Someren describes how to use the high entropy of keys compared to
>> >> program instructions and data to find an embedded key...
>> >>
>> >> http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf
>> >
>> >I've finally fetched and read this paper, and it seems to be pretty
>> >straightforward to implement.  A few questions:
>> >
>> >* What legal hurdles stand in the way of (a) using a bunch of tools to
>> >search the binary files that come with Notes to find the embedded
>> >public key, (b) publishing the key, and (c) writing a program to find
>> >the key and scramble it?
>> 
>> Check the terms of the Notes licence.  Unless the licence imposes an
>> explicit contractual prohibition, neither searching a file nor modifying it
>> (manually or automatically) is a copyright infringement.  Publishing the
>> key would be a copyright infringement; but why bother?
>> 
>> Also check that the licence does not prohibit the user from modifying the
>> program or running the program as modified.  Users concerned about the risk
>> of invalidating their Notes licences by making its encryption secure
>> against the NSA may wish to raise the matter with Lotus.
>
>I thought that reverse engineering and modifying a program for the
>benefit of the licence holder were specifically allowed, regardless of
>licence?

Not quite.  Section 50B of the Copyright, Designs & Patents Act 1988, as
amended by the Copyright (Computer Programs) Regulations 1992 in order to
implement the Software Directive (Council Directive No 91/250/EEC), permits
decompilation of a program if this is necessary in order to obtain
information required in order to create an independent program which can be
operated with the program to be decompiled.  

This is a fairly limited right of decompilation.  It might apply in the
present case if the fortifying program can be regarded as "an independent
program which can be operated with the program to be decompiled"; but I
wonder whether the fortifying program is really independent.  Perhaps it is.

Even so, this does not by itself permit Notes to be run in a modified form
if this is prohibited by the licence terms.  And section 50C, which permits
modification, does not override a contrary licence term.

Regards,

Nicholas Bohm

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone		01279 871272	(+44 1279 871272)
Fax		01279 870215	(+44 1279 870215)
Mobile   	0860 636749  	(+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF
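
The key-finding idea quoted in the thread above (key material has higher entropy than surrounding program instructions and data) can be shown with a sliding-window scan. This is an added example, not part of the original message and not the method from the Shamir and van Someren paper: it uses plain Shannon entropy over byte values, and the window size, threshold, filler bytes and stand-in "key" are all assumptions constructed for the demonstration.

```python
import hashlib
import math
from collections import Counter

WINDOW = 64      # bytes per window; maximum possible entropy is log2(64) = 6 bits
THRESHOLD = 5.2  # assumed cut-off in bits; tune for the file type being audited


def window_entropy(chunk: bytes) -> float:
    """Shannon entropy, in bits, of the byte-value distribution in chunk."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_regions(data: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD):
    """Return merged (start, end) byte ranges covered by windows at or above threshold."""
    regions = []
    for start in range(len(data) - window + 1):
        if window_entropy(data[start:start + window]) < threshold:
            continue
        end = start + window
        if regions and start <= regions[-1][1]:
            regions[-1][1] = end           # overlaps the previous hit: extend it
        else:
            regions.append([start, end])   # new candidate region
    return [tuple(r) for r in regions]


def build_sample():
    """Constructed test blob: repetitive code-like filler around a 128-byte
    high-entropy stand-in for embedded key material (SHA-256 outputs)."""
    filler = bytes.fromhex("5589e583ec108b45088b550c01d0c9c3")  # 16 bytes
    key = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))
    offset = len(filler) * 20
    return filler * 20 + key + filler * 20, offset, len(key)


if __name__ == "__main__":
    blob, offset, key_len = build_sample()
    print(f"embedded at {offset}..{offset + key_len}")
    for start, end in high_entropy_regions(blob):
        print(f"candidate region {start}..{end}")
```

The reported region is somewhat wider than the embedded bytes because windows that only partly overlap them can still cross the threshold; compressed or encrypted resources in a real binary would be flagged as well and need manual triage.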