From: listuser at seifried.org (Kurt Seifried)
Subject: A funny (but real) story for XMAS

> The reason OSVDB isn't well populated yet is that each
> vulnerability has to be evaluated and written up afresh
> in order to avoid violating any existing DB's copyrights.
> That takes time.  If you want to shorten that time, go
> volunteer. :-)

I like the idea of osvdb, I have concerns about the execution. I tried to
read:

http://www.osvdb.org/terms-conditions.php

But after a few pages I got tired of trying to figure out how all the various
loopholes and things like "We reserve the right, at our discretion, to
change, modify, add or remove portions of these terms periodically." will
interact. Then there are things like:

"You agree not to sell, resell or offer for any commercial purposes, any
portion of the Services, use of the Services or access to the Services."

So what happens if I reference an osvdb writeup in a commercial product? It
would seem that even just using whatever identifier osvdb uses for an issue
(the name) would violate their terms of service.

While the osvdb claims they will use a license similar to the CPL (according
to http://www.osvdb.org/status.php/):

http://www.opensource.org/licenses/cpl.php

They then go on to say:

"Currently OSVDB is seeking legal aid to determine how to best reuse the
CPL, or draft a similar license."

With all the above loopholes, the uncertainty about the license, and the
conflicting license/terms of service/etc., I have a feeling this company may
pull a CDDB (that is, let people enter stuff and use it for free, and then
yank it and go commercial). This is sponsored by two commercial companies,
and let's face it, at the end of the day if it comes down to making an extra
buck or being "nice to the community", most companies will go with the
dollar.

I could be wrong of course, and sincerely hope I am. But the execution of
this project makes me nervous.

Kurt Seifried, kurt@...fried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

> m5x