From: tobias at weisserth.de (Tobias Weisserth)
Subject: Re: Cisco's stolen code

Hi,

On Wed, 2004-05-26 at 16:32, Mister Coffee wrote:
...
> I don't see it as a perversion of Fair Use at all.  While we all agree that the original intrusion that acquired the code was illegal, unethical, and generally a Bad Thing (tm), using the "It's stolen!  Don't touch it!" argument to dissuade honest assessments doesn't help the community.

I have to disagree wholeheartedly. It would do the community a great
favour if law-abiding security researchers would not touch leaked closed
source code. If closed source vendors realised that the bad, embarrassing
code they write could end up on the Internet at any time, they would
either double their efforts to increase code quality themselves or they
would release the code under an Open Source license. Both would do us a
great favour.

> Imagine "you" (generic "you" here) are a curious auditor who stumbles onto the code somehow.

How would that happen? It just flies through the air onto my screen? I
"accidentally" download it because I confuse it with my daily dose of
porn?

If everybody argued like that about illegal material ending up on
their computers, we would have a hard time prosecuting people for child
pornography...

>   Published to a website, for example, where you're not "accepting stolen property" (to eliminate that argument)

As a maintainer of a website you are directly responsible for the breach
of copyright if you haven't taken measures to prevent the upload of
copyrighted material (to eliminate that argument).

> .  You find a subtle but potentially massive error in the IOS code.

You would have to take a close look at something that hasn't been
released for your eyes and that you don't have a license to deal with.

>   Say an easy to exploit DOS that can take down a thousand routers in five seconds.  Further, a simple (but rarely used) config option can protect the router.
> 
> What do you do?  As an honest security professional, you WANT to publish an alert about this flaw.

As an honest security professional you wouldn't have touched the code in
the first place.

>   You want the vendor to be aware of it, you want the world's admins to be aware of it.  You want to "do the right thing" to protect the net's infrastructure.

You should do the right thing to protect the law and respect other
people's copyright first.

>   But there's still that niggling issue of the code being copyrighted and stolen somewhere along the line, and leaked to the world.

Big deal. This might be your problem on a short-term basis. But if the
fallout is big enough, Cisco will have to think about whether to change
their license or the quality of their code. If you intervene by possibly
breaking the law and infringing on copyright, you might have saved the
day, but the next decade is rotten because *nothing* changes.

> Do you publish the advisory, and worry that Big Vendor will have you arrested?

Or do you keep your fingers off copyrighted material and enjoy the
fallout that might lead to a change in Cisco's development process?

> Do you sit on the advisory, and hope no Kiddie finds the error you found and brings down the net?

In fact, I wouldn't even look for bugs in the code and yes, I would let
criminals take full advantage of Cisco's leaked code. This might hurt
today but it could save the day tomorrow.

> Ethically and morally, "doing the right thing" means publishing the advisory - possibly including just enough of a code snippet to identify the offending part.

> Doing the "legal and safe thing" would have meant shutting off your browser when you found the site, and hoping to your favorite deity that someone else decides to audit the code for holes.

You should hope that the copyright holder identifies the flaws. If he
can't, then that's a clear indication of the bad quality of his product.
He might consider releasing code under an open license next time so
that you can help hunt bugs. Or he starts writing code that isn't so
embarrassingly bad that as soon as the code leaks to script kiddies all
hell breaks loose.

>   Because you KNOW the "bad guys" are going to be doing just that.

Let them. It's the vendor's fault if he doesn't allow for external code
auditing. The vendor chose it this way. The vendor and his customers
have got to bear the consequences. A large accident might change his
mind for the future. Your "moral" behaviour certainly doesn't.

> This is one case (of too many to list) where ethics, morals, and the Law, don't quite align.

Well, I have a different point of view. But suit yourself everybody ;-)

regards,
Tobias

