Monday, November 25, 2024

Docker-OSX image used for security research hit by Apple DMCA takedown

Docker-OSX image used for security research hit by Apple DMCA takedown

The popular Docker-OSX project has been removed from Docker Hub after Apple filed a DMCA (Digital Millennium Copyright Act) takedown request, alleging that it violated its copyright.

Docker-OSX is an open-source project created by security researcher Sick.Codes that allows for the virtualization of macOS on non-Apple hardware. It can be hosted on any system that supports Docker, including Linux and Windows.

The project is useful for developers who need to test software on macOS or security researchers trying out various configurations to uncover bugs or to research malware.

Its popularity is reflected in its 750,000 downloads and 500 stars on Docker Hub, as well as its 40,000 stars on GitHub.

Apple nukes the repository

On Wednesday, Docker-OSX users reported that they were unable to pull the latest macOS images from the Docker Hub repository, getting 404 errors.

“docker: Error response from daemon: pull access denied for sickcodes/docker-osx, repository does not exist or may require ‘docker login’: denied: requested access to the resource is denied,” read an error message when a user tried to install the image.

After other users reported a similar issue accessing the Docker image, the developer, Sick.Codes, replied that it was gone from their account and have received no information as to why.

404 errors seen by Docker-OSX users
404 errors seen by Docker-OSX users
Source: Sick.Codes

After posting about the removal on X, Docker confirmed it with Sick.Codes that the image was removed after they received a DMCA takedown request from Apple.

In the DMCA request sent to Sick.Codes and shared with BleepingComputer, a law firm representing Apple asserted that the “docker-osx” repository contains images of Apple’s macOS installer, which are protected by copyright.

The notice specifies that Docker-OSX reproduces Apple’s content without authorization, which constitutes copyright infringement under U.S. law, and requests that Docker act “expeditiously” to take down the repository.

“It has come to our attention that images of Apple’s macOS installer and installation have been posted at https://hub.docker.com/r/sickcodes/docker-osx,” reads the DMCA infringement notification sent by Apple’s lawyers at Kilpatrick, Townsend and Stockton LLP.

“Apple has exclusive rights in its macOS installer and installation. See macOS Sonoma. Docker-OSX reproduces this content without authorization. The unauthorized reproduction of Apple’s content constitutes copyright infringement and is a violation of the DMCA.”

Apple's DMCA takedown request to Docker Hub
Apple’s DMCA takedown request to Docker Hub
Source: Sick.Codes

Crossing legal boundaries

From a legal perspective, Apple’s actions are justified in this case, as its EULA for macOS restricts the use of the operating system to Apple-branded hardware, and enforcement of these licensing terms is within its rights.

Sick.Codes told BleepingComputer that Apple’s action would primarily impact security researchers using Docker-OSX to help make macOS safer.

“Every time I’m at a security conference, like DEFCON or http://Hardwear.io, other researchers come up and say that they used Docker-OSX to do bug bounty. It’s essentially one of the one ways to participate in Apple’s bug bounty program without an actual Mac,” explained Sick.Codes.

Sick.Codes added that Apple contradicts itself by encouraging security research contributions and bug reports but targets the projects that help researchers perform this activity. With that said, the researcher says his devotion to help in Apple security research remains unwavering.

“This is a legitimate good-faith security research project that I, and over 700,000 others, have used to try and find bugs in macOS.

They [Apple] explicitly permit researchers to test their products as part of the Apple Bug Bounty program, of which I am a participant and have submitted bugs to Apple before.

And will continue to do so.”

❖ Sick.Codes

Meanwhile, Docker-OSX remains available on GitHub at the time of writing, but the repository there only contains the project’s code, not the installer binaries, so Sick.Codes does not expect a DMCA request there.

Ultimately, the case highlights the legal challenges that can arise for open-source projects when dealing with proprietary software that is subject to intellectual property rights enforcement at any moment.

BleepingComputer has asked for a comment from both Apple and Docker, but we have not received a response by publication.

Related Articles

Latest Articles