Message-ID: <20040526143212.GA11020@tempest.stormcenter.net>
From: live4java at stormcenter.net (Mister Coffee)
Subject: Re: Cisco's stolen code
> Excellent arguments. Let me restate. The spirit & intent of Fair Use
> Doctrine applies to materials that are publicly accessible. In college
> I did not have to mark up the expensive music scores I bought as I could
> make copies and not violate the copyright. I could photocopy scores from the
> library to study. Fair Use is intended to make sure copyright does
> not unduly restrict the use of materials with copyright in an academic or
> educational context. A teacher may photocopy parts of a work to hand out
> in a lecture. Fair Use has nothing to do with penetrating Cisco's networks
> and copying the source to 12.3 IOS and later distribution. Fair Use Doctrine
> is about academic freedom, not commercial proprietary IP which only approved
> persons may possess. Fair Use keeps information and materials that were already
> very accessible the same.
>
Well said, but I don't believe the argument here (about whitehats staying away from the code) involves the actual penetration of Cisco's network and the illegal acquisition of the code. The question was whether the concept of Fair Use gave a security professional some legal recourse if they choose to review the code (however -they- obtained it, since that's not the question here) and published an advisory based on their findings.
> It is an incorrect argument to claim Fair Use here because IOS source was
> never legally accessible to the general public. To suggest using it, as such,
> is a perversion of the spirit and intent of Fair Use Doctrine.
>
I don't see it as a perversion of Fair Use at all. While we all agree that the original intrusion that acquired the code was illegal, unethical, and generally a Bad Thing (tm), using the "It's stolen! Don't touch it!" argument to dissuade honest assessments doesn't help the community.
Imagine "you" (generic "you" here) are a curious auditor who stumbles onto the code somehow. Published to a website, for example, where you're not "accepting stolen property" (to eliminate that argument). You find a subtle but potentially massive error in the IOS code. Say an easy to exploit DOS that can take down a thousand routers in five seconds. Further, a simple (but rarely used) config option can protect the router.
What do you do? As an honest security professional, you WANT to publish an alert about this flaw. You want the vendor to be aware of it, you want the world's admins to be aware of it. You want to "do the right thing" to protect the net's infrastructure. But there's still that niggling issue of the code being copyrighted and stolen somewhere along the line, and leaked to the world.
Do you publish the advisory, and worry that Big Vendor will have you arrested?
Do you sit on the advisory, and hope no Kiddie finds the error you found and brings down the net?
Ethically and morally, "doing the right thing" means publishing the advisory - possibly including just enough of a code snippet to identify the offending part.
Doing the "legal and safe thing" would have meant shutting off your browser when you found the site, and hoping to your favorite deity that someone else decides to audit the code for holes. Because you KNOW the "bad guys" are going to be doing just that.
This is one case (of too many to list) where ethics, morals, and the Law, don't quite align.
Cheers,
L4J