From: live4java at stormcenter.net (Mister Coffee)
Subject: Re: Cisco's stolen code

On Wed, May 26, 2004 at 05:22:18PM +0200, Tobias Weisserth wrote:
> Hi,
> 
> On Wed, 2004-05-26 at 16:32, Mister Coffee wrote:
> ...
> > I don't see it as a perversion of Fair Use at all.  While we all agree that the original intrusion that acquired the code was illegal, unethical, and generally a Bad Thing (tm), using the "It's stolen!  Don't touch it!" argument to dissuade honest assessments doesn't help the community.
> 
> I have to disagree with heart. It would do the community a great favour
> if law abiding security researchers would not touch leaked closed source
> code. If closed source vendors would realise that writing bad,
> embarrassing code could end up on the Internet anytime they would either
> double their efforts to increase code quality themselves or they would
> release the code under an Open Source license. Both would do us a great
> favour.
> 

I see you are in the "Don't touch it!  It's stolen!" camp.  No worries.  We've got different opinions on the matter.  However, I still don't see how _not_ looking at source code does the community a favor.  Note, I am not condoning the theft, or the intrusion that acquired it.  However, there are legitimate ways to see the code that don't involve theft or other illegal acts.

Staying completely hands off would certainly benefit the company (any company really) whose code's been leaked, but it won't encourage them to fix the holes that exist.  If only the bad guys are looking at it, then the first sign of trouble will be an exploit in the wild.  One that could possibly have been prevented by the good guys taking a look at the code.

Your argument that having embarrassing code leaked will encourage them to fix the problem doesn't follow.  If "Good Guys (r)" aren't looking at the code, no one's going to tell the company "Guys, this is a Bad Thing (tm)", so they never get embarrassed - at least until the exploits come out, when it will be too late.

> > Imagine "you" (generic "you" here) are a curious auditor who stumbles onto the code somehow.
> 
> How would that happen? It just flies through the air onto my screen? I
> "accidentally" download it because I confuse it with my daily dose of
> porn?
>
You broke my paragraph up in your response, which changes the tone and context of the argument.  The fact is there are ways to stumble onto this stuff, which was the operating assumption here.

Please try and keep the argument in context, ok?
 
> If everybody would argue like that with illegal material ending up on
> their computers we would have a hard time prosecuting people for child
> pornography...
> 
> >   Published to a website, for example, where you're not "accepting stolen property" (to eliminate that argument)
> 
> As a maintainer of a website you are directly responsible for the breach
> of copyright if you haven't taken measures to prevent the upload of
> copyrighted material (to eliminate that argument).
>
To reassemble the argument here, "I" (the researcher) am doing a bit of exploration on the net and follow a link to a publicly accessible webserver.  The page displayed is "s3krit_c1sC0_ipV6_coR3.c" - where I find the aforementioned subtle error.

Now, let's clarify, since you seem to have broken context specifically to argue a different point.  "I" am not the maintainer of the website.  "I" have not downloaded anything.  "I" am viewing something that someone else made available.  While they are infringing copyright by publishing it, "I" have not done so simply by viewing it.

Again, I was very specific in the context.  Please try to stick to it, ok?  I'm not arguing the ethics of downloading the source code, or trading it, or anything else.  We are assuming, for the sake of argument, that "you" are legitimately viewing the code.
 
> > .  You find a subtle but potentially massive error in the IOS code.
> 
> You would have to take a close look at something that hasn't been
> released for your eyes and that you don't have a license to deal with
>
Again, you're in the "Don't touch it!  It's stolen!" camp.  This isn't really about that.  Obviously, you're not going to be in the position to find this potentially fatal error, and will never have to make the ethical decision on what to do about it.

That's the "safe and legal" approach.

I assert that "safe and legal" is not always the ethically and morally correct course.
 
> >   Say an easy to exploit DOS that can take down a thousand routers in five seconds.  Further, a simple (but rarely used) config option can protect the router.
> > 
> > What do you do?  As an honest security professional, you WANT to publish an alert about this flaw.
> 
> As an honest security professional you wouldn't have touched the code in
> the first place.
>
I consider myself both a security professional, and honest.

As the original argument states, I am looking at code that I acquired through unusual circumstances that did not require me to break any laws.
 
> >   You want the vendor to be aware of it, you want the world's admins to be aware of it.  You want to "do the right thing" to protect the net's infrastructure.
> 
> You should do the right thing to protect the law and respect other
> people's copyright first.
>
Here is a fundamental difference.  You seem to be of the opinion that "It is the law, therefore it is right."  I assert that in some cases, where the law is not clear (and as this thread has shown, viewing the code once it's escaped into the wild is not a cut and dried legal issue), that sitting on your hands - while safe - may not be the ethically correct course of action.
 
> >   But there's still that niggling issue of the code being copyrighted and stolen somewhere along the line, and leaked to the world.
> 
> Big deal. This might be your problem on a short term basis. But if the
> fall-out is big enough Cisco will have to think whether to change their
> license or the quality of their code. If you intervene by possibly
> breaking the law and infringing on copyright you might have saved the
> day but the next decade is rotten because *nothing* changes.
>
Here, I think you are wrong.  1: If the problem is major, it will affect huge chunks of the Net.  While it may cause great pain for the vendor, it will cause everyone else at least as much pain.  I don't care whether the vendor "thinks about changing their model" - I care about protecting the net.   Mine specifically, but if my fix helps everyone else, then it's even better.

And if they prosecute me for releasing the advisory, it's -worse- for the community, because then they don't have to do anything, and have actively discouraged the Good Guys (tm) from lending their skills.  

2: I didn't violate copyright in the publication of my advisory.  If I include a 12 line code snippet out of 800Meg worth of source, it would be very hard to NOT consider it Fair Use (which, incidentally, was my original reason for adding anything to this thread - I'm a strong believer in Fair Use).  Especially if I saw the code by "legal" means.

Your argument about the next decade being rotten and nothing changing doesn't follow from "my" releasing an advisory.  In fact, I would dare say that NOT auditing the code promotes the status quo, where the vendor is able to hide bad code behind legal arguments and the threat of prosecution.  Nothing changes in that case, and things may actually get worse.

What's the adage?  If pen-test tools become criminal, then only criminals will have pen-test tools?
 
> > Do you publish the advisory, and worry that Big Vendor will have you arrested?
> 
> Or do you keep your fingers from copyrighted material and enjoy the
> fallout that might lead to a change in Cisco's development process?
> 
So, given your arguments, I understand that you would rather let the script kiddies launch their exploits and bring down the net in the hopes of getting Vendor to change models, rather than possibly prevent large chunks of the internet from caving in?

This isn't a flame - but an honest question.  Different people (obviously!) have different opinions on what constitutes "The Right Thing."

> > Do you sit on the advisory, and hope no Kiddie finds the error you found and brings down the net?
> 
> In fact, I wouldn't even look for bugs in the code and yes, I would let
> criminals take full advantage of Cisco's leaked code. This might hurt
> today but it could save the day tomorrow.
>
How, exactly, is this going to "save the day" tomorrow?

Remember, in your model, the Good Guys aren't looking at the code, and Big Vendor has no reason to open the code to review.
 
> > Ethically and morally, "doing the right thing" means publishing the advisory - possibly including just enough of a code snippet to identify the offending part.
> 
> > Doing the "legal and safe thing" would have meant shutting off your browser when you found the site, and hoping to your favorite deity that someone else decides to audit the code for holes.
> 
> You should hope that the copyright holder identifies the flaws. If he
> can't then that's a clear indication to the bad quality of its product.
> He might consider to release code under an open license next time so
> that you can help hunting bugs. Or he starts writing code that isn't so
> embarrassingly bad that as soon as the code leaks to script kiddies all
> hell breaks loose.
> 
Your argument doesn't follow.  The large commercial products we are talking about in the general case here are HUGE.  Even a conscientious developer will have bugs in their code - and I know the Cisco folks in particular are interested in the quality of their product.  While I can hope the developers will identify all the bugs, the simple fact is that they won't.

I suppose there's an argument in here for "Only use open source software!"  But the fact is that not all source is open, and staying completely hands-off in cases like this is not doing the community any favors.

No: I do not advocate stealing code.
No: I do not advocate violating copyrights.

However, the cat, as they say, is out of the bag.  The legal issues here are not clear cut, and the ethics seem at odds with your interpretation of the law.

> >   Because you KNOW the "bad guys" are going to be doing just that.
> 
> Let them. It's the vendor's fault if he doesn't allow for external code
> auditing. The vendor chose it this way. The vendor and his customers
> have got to bear the consequences. A large accident might change his
> mind for the future. Your "moral" behaviour certainly doesn't.
>
I'm not sure how your "Safe and Legal" behavior changes the future either.

Which is morally and ethically right?  Protecting the IP assets of one vendor, or protecting the infrastructure that will be affected by exploits against that vendor's code?
 
> > This is one case (of too many to list) where ethics, morals, and the Law, don't quite align.
> 
> Well, I have a different point of view. But suit yourself everybody ;-)
> 
Aye!  We indeed have different points of view here.  We may want to take our discussion here off line.  I don't want a "warm" discussion to take on the appearance of a flamewar.

> regards,
> Tobias
>

Cheers,
L4J