lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: full-disclosure-031126 at post.robertgraham.com (Robert Graham)
Subject: IDS (ISS) and reverse engineering

From: "V.O." <vosipov@....com.au>
> Recently I've got to listen to a marketing pitch by an ISS guy. He was
> going
> along the lines of "our X-force reverse-engineered Microsoft RPC libraries
> and created signatures..." and "we use protocol decoding, so we
> reverse-engineered various closed-source protocols in order to create out
> decoders".
>
> What struck me - isn't this kind of activity actually illegal in the US?
> To
> which extent it is possible to disassemble Windows code? And if it is
> illegal, then aren't their customers (plus many other IDSes, with the
> exclusion of Snort, probably) in danger - what if Microsoft or whoever
> else
> sues ISS for doing this? :)
>
> I'm puzzled.

The reverse is true. Reverse-engineering is broadly legal virtually
everywhere. (The DMCA copyright-circumvention being a rare
exception).

Whereas as government's don't, software license agreements do. Most
vendors have a clause banning reverse-engineering. However, such
agreements can only go so far. They do not apply to areas that are
clearly in the public interest. Vuln-research is one of those areas
(compatibility is another). For example:

 17 U.S.C.  1201(j)(1999)
 ...the term 'security testing' means accessing a computer, computer 
 system, or computer network, solely for the purpose of good faith 
 testing, investigating, or correcting, a security flaw or 
 vulnerability, with the authorization of the owner or operator of 
 such computer, computer system, or computer network . . . [It] 
 is not a violation . . . for a person to develop, produce, 
 distribute or employ technological means for the sole purpose of 
 performing the acts of security testing...

FYI: this clause is largely due to ISS lobbying of congress.
Other countries likewise of explicit clauses like this as
well.

To be more clear on the matter: I personally (on my own time)
purchased a Microsoft software license and disassembled rpcss.dll
using IDApro in order to better undestand the MS03-026 vulnerability.
I state this in the clearest possible terms so that if U.S. law
enforcement or Microsoft lawyers believe they have a case, that 
they can come after me.

What will really bake your noodle is the following decompiled 
source of the Blaster worm:
 http://www.robertgraham.com/journal/030815-blaster.c
Imagine the author of the Blaster worm suing me over this :-)


Robert Graham
Chief Scientist, ISS



Powered by blists - more mailing lists