Kali Linux, a Linux distribution for ethical hackers and penetration testers, has an "Undercover" mode that makes its UI look like Windows 10. It copies the desktop background, Windows logo Start menu icon, and the overall look and feel of the UI. The purpose is to allow ethical hackers/penetration testers to use Kali Linux in public places (e.g. a client's office) without drawing attention from bystanders who might not know that the testing is authorized. (The default Kali UI and [especially] desktop background are quite distinctive, and would likely look somewhat suspicious even to someone who doesn't know about Kali. Someone who does know about it would almost certainly be concerned to see someone using it at their workplace.) Assuming Offensive Security (the company that develops Kali Linux) didn't get permission from Microsoft, is this legal? I doubt Microsoft would give a license for an intentionally deceptive clone of Windows's UI.
2 Answers
Copyright would generally protect all aspects of the Windows operating system. Therefore, to the extent that Kali is visually similar to Windows, it might be illegal infringement. It would not be infringement if those elements were used with permission from MS (note that the product is available on the Microsoft store). Since you semi-stipulate that they do not have permission, we can move to the possibility of a fair use defense. That defense might be successful since at least apparently there would be no effect on market and the copying is somewhat transformative.
Finally, the finder of fact would have to decide if those elements of Kali are "substantially similar" to the Windows originals. It could be found that the similarity which you perceive is due to "copying the idea", not copying the expression. E.g. the idea of a manila folder as an icon is not protected, so it becomes a fairly technical discussion centering on copyright law and "look and feel".
- There's no doubt that at least the desktop background is substantially similar. – Someone Jul 22 '22 at 18:44
- Of course, that determination depends on plaintiff's skill at proving that and defendant's skill at refuting the claim. For a legal hypothetical, you shouldn't stipulate a legal conclusion as "a fact". – user6726 Jul 22 '22 at 19:11
- I don't know enough to even attempt an answer, but it may be relevant that there's a Kali-Linux app on apps.microsoft.com so it could be MS & K-L are working together with an (unpublished?) agreement? – Jul 22 '22 at 20:57
- The whole idea is obviously to look so similar that an average or more than average knowledgeable Windows user in the Office wouldn't notice that Linux is running. However, in the end the whole thing is done to help and protect companies running Windows, so Microsoft might just ignore the whole matter, while fully knowing that it is legal / illegal / difficult to decide. On the other hand this site is not about what Microsoft could/should do but about whether it is legal. – gnasher729 Dec 13 '22 at 09:50
Separate from the copyright concerns discussed by user6726, there are also trademark concerns. The Lanham Act (15 U.S.C. § 1051) forbids using someone else's trademark to deceive or cause confusion. It's hard to argue that an "undercover" mode doesn't deceive.
Of course, this assumes that the undercover mode makes use of a Microsoft trademark. This could be the case for the start menu icon, since it's part of Microsoft's logo.
- But that is confusion in a commercial transaction. If I have a Linux computer and pretend it runs windows so you buy it that would be a problem. But that’s not what is happening. – gnasher729 Jul 22 '22 at 20:48
- @gnasher729: If you pretend it runs windows for a pen test, that's still "use in commerce." – Brian Jul 22 '22 at 20:53
- @Brian But doesn't "deception" usually imply bad faith? Technically, Kali isn't designed for bad faith actions and you should be acting with permission from, and on behalf of, the owner of the network. It's sort of like selling a hide-a-stash can of Pepsi. – mchid Jul 23 '22 at 01:14
- "It's hard to argue that an "undercover" mode doesn't deceive." I think I would interpret that differently. It is deceiving people overlooking your shoulder. It is not deceiving you into thinking you are buying Microsoft's operating system. – FK- Jul 23 '22 at 09:27
- To use a soda analogy as the comment above: I think that if you put CocaCola in a Pepsi can and go walk around in public, you would be "deceiving" everyone that you are drinking Pepsi, but that wouldn't be illegal. It would be illegal to sell this can as Pepsi or give it to people and tell them it is Pepsi. – FK- Jul 23 '22 at 09:31
- @Brian not unless the service is sold or marketed as using Windows. Besides, you could run commands that are executed by a completely different machine and OS. You could use your flip phone from 10 years ago to send a text that triggers the testing from the laptop in your backpack or computer at home.... – FK- Jul 23 '22 at 09:37
- @Brian In pentesting the commerce is between the pentester and an agent of the business who can consent to that. As long as the contract is clear, there is no deception in the transaction. The fact that other people are deceived (as per the contract expectations) does not constitute deception in commerce. – David Jul 23 '22 at 17:06
- @FK- Though in that case, you have presumably legally purchased both the Pepsi (for the can) and the Coke that you poured into the can. If you have installed Kali and do not have a legally purchased copy of Windows 10, it might be a different story? – Darrel Hoffman Jul 24 '22 at 18:58
- @DarrelHoffman I would say the copyright difference between stealing a physical object and copying files. Logos of companies are both trademarked and copyrighted, yet you could still use them as your desktop or phone background. All that changes when you use these logos to pretend to be from those companies or if you intentionally lead people to believe it. Same for selling products with said logos. Where I think it becomes legally grey is putting logo stickers on your tools. I imagine a dentist putting reputable brand stickers in their cheap, sketchy tools. I don't think that would fly BTW. – FK- Jul 25 '22 at 10:42
- @David: I don't like that example, because selling counterfeit goods (i.e., counterfeit due to unauthorized use of trademark) is illegal even when the buyer is told that they are counterfeit. – Brian Jul 27 '22 at 19:33
- @Brian OK, but at that point there's nothing to do with deception in commerce. That's illegal because selling counterfeit goods is illegal. Deception in commerce means that you misrepresent what you're selling. The pentester is being paid to break into a company's network systems, and is explicitly given permission to lie to employees to do so. There is no deception in the transaction, and the deception in execution is explicitly permitted in the contract. (And all pentesting contracts are very clear about this, because the basic element of all computer crimes is unauthorized access.) – David Jul 27 '22 at 20:20
(i) use or virtualize features of the software separately;..." Source: https://www.microsoft.com/en-us/Useterms/OEM/Windows/10/UseTerms_OEM_Windows_10_English.htm
– Someone Jul 22 '22 at 16:56