lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1085501332.15304.33.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Cisco's stolen code

Hi Brian,

On Tue, 2004-05-25 at 17:28, Brian Toovey wrote:
...
> Calm down - While I think it was kind of ignorant to post here asking
> for code and not grep IRC, I dont think this was "not sticking to the
> rules" or "not playing the game."  If and when this source becomes
> available I hope decent coders will audit to find vulns and post here
> - if whitehats dont audit the code, who will?  I find your response
> more ignorant.

Well, let's face the simple facts. Cisco's code is copyrighted and it's
illegal to copy it, distribute it or even use it. There's no way around
it. Whatever your intentions are the Cisco code is legally off-limits.

This may stink and it may hinder security audits but if Cisco wanted you
or anybody else to audit their code they would have licensed it to you.

Since they didn't, this leaves you in a very shitty position if you
touch their code. You may be able to find security flaws but you have
broken laws to do so. Period.

For me, breaking laws is NOT acceptable under ANY circumstance. I hope
the majority of people on this list is with me on this. If this list
evolves into a meeting place where copyrighted code is "negotiated" and
its distribution organised then our goal of full disclosure of security
flaws in IT is not met. You can't improve security by breaking laws.
This renders this list and everybody posting here untrustworthy.

If you want to audit code then stick to the code that is released under
licenses that allow public code auditing. Don't even think to look at
code that hasn't be released under an open license. Maybe this will
motivate more vendors to license their products under an Open Source
license.

regards,
Tobias W.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ