lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Jan 2013 06:28:53 -0500 From: Jeffrey Walton <noloader@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: how to sell and get a fair price On Tue, Jan 15, 2013 at 2:48 AM, <gremlin@...mlin.ru> wrote: > On 14-Jan-2013 15:39:53 -0500, Valdis.Kletnieks@...edu wrote: > > > > After all, a vulnerability and an exploit are intellectual > > > products. Not sure copyright could be claimed, but why not? > > > Actually, claimed or not, if the exploit was coded in a Berne > > signatory country, it's almost always automatically copyrighted > > at creation (most likely to the coder, or to their employer if > > it was a work-for-hire). [...] > > More interesting is the question of how to enforce a copyright > > claim while remaining anonymous... > > Is it really necessary to stay anonymous? Writing hmmm... articles > about vulnerabilities for some (very specific) media and getting a > hmmm... fee for that is mostly legal. > > Opposed to the use of that information... I think its a slippery slope in the US. On one hand, you have, for example, Computer Fraud and Abuse Act (FCAA), Digital Millennium Copyright Act (DMCA), and Unlawful Intercept. US corporations are rarely prosecuted under the law (confer, Trustwave [1], Nokia [2]); but individuals are regularly prosecuted (confer, Weev (et al) [3], Wise Guys [4], Dmitry Sklyarov [5]). I'm amazed at how federal law is 'opt-in' for US corporations, but individuals such as Weev/Goatse and Sklyarov must endure politically motivated judicial heavy handedness. In Goatse's case, they aggregated public data (names and email addresses) from a public server offering public services hanging off a public internet. In Sklyarov case, he demonstrated flaws in Adobe's PDF DRM scheme. Note that for Sklyarov, the DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering and security testing and evaluation. The RE exemption is in Section 1205 (f) REVERSE ENGINEERING). The ST&E exemption is in Section 1205 (i) SECURITY TESTING. If I had copyright over material used for security testing and evaluations, I would probably assert my copyright. If I wrote malware, I would likely want to stay anonymous (confer, David L. Smith and Melissa macro-virus [6]). Jeff [1] http://www.computerworld.com/s/article/9224082/Trustwave_admits_issuing_man_in_the_middle_digital_certificate_Mozilla_debates_punishment [2] http://www.zdnet.com/nokia-hijacks-mobile-browser-traffic-decrypts-https-data-7000009655/ [3] http://en.wikipedia.org/wiki/Weev [4] https://www.eff.org/deeplinks/2010/07/cfaa-prosecution-wiseguys-not-so-smart [5] http://en.wikipedia.org/wiki/Dmitry_Sklyarov [6] http://en.wikipedia.org/wiki/Melissa_(computer_virus) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists