From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Cisco's stolen code 

On Tue, 25 May 2004 11:05:03 PDT, Seth Alan Woolley said:
> Copyright means the right to publish a work in its entirety.  As long as
> they aren't republishing the whole code when they find a vulnerability,
> it's protected under fair use.  What is illegal to republish isn't
> illegal to acquire.  If one acquires the Cisco code outside of a
> licensing arrangement, they surely didn't agree to their additional
> restrictions preventing audit or duplication.

There are a few points you need to deal with:

1) Although you can probably get away with "fair use" for a small code
snippet demonstrating a problem in an advisory (the infamous "the problem
is in these 15 lines" part), you will have a *very* hard time doing anything
resembling a good audit while only accessing a "fair use" amount of code.
How did you find the 15 problem lines without looking at an amount of
code far in excess of what "fair use" authorizes?

2) The fact that you're getting a copy from somebody other than Cisco does NOT
make it "clean".  That is true for trade secrets, where if the cat is out of
the bag already, redistributing it further is no problem (although you better
make sure the cat is *out* of the bag and not merely poking its nose out).
Absent some licensing agreement, you can't copy it. Period, end of discussion.

Go read the GPL, the part where it says "You are not required to accept this
License, since you have not signed it.  However, nothing else grants you
permission to modify or distribute the Program or its derivative works.  These
actions are prohibited by law if you do not accept this License."  A lot of very
highly talented legal minds have looked at that, and they all come up
with the same reading:  "You make a copy without accepting the GPL terms,
you're screwed".

> Re-read your first sentence.  The only one that applies is
> redistribution.  Copying for personal use and use itself are still
> perfectly legal outside of an explicit contract with Cisco that says
> otherwise, and even then, one would have to agree to it.

Umm. No.  It's Cisco's code, and you do *NOT* have *any* rights to it other
than what (a) you're able to establish under "fair use" or (b) Cisco authorizes
you to have.  Although the "Betamax case" granted the "fair use" right
to videotape, timeshift, and (by extension) rip your own CD's to digital:

http://www.eff.org/Legal/Cases/sony_v_universal_decision.php

there is *still* a requirement that the original copy be legally obtained, and
there are limitations - although the court held that making a copy for
your *own* use was OK, other uses weren't covered - you can't distribute
copies to others, and copying things you didn't have a clear right to have
the first copy is right out as well.

And I'd be very wary of trying to use "He made the copy, I just took the copy
he made" as a defense - you're still liable for some penalties, and if you knew or
should have known the copy was infringing you're probably equally liable as the
person who made the copy....
