Message-ID: <200405261541.i4QFfkTY006345@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Cisco's stolen code 

On Tue, 25 May 2004 14:26:55 PDT, VX Dude <vxdude2003@...oo.com>  said:

> Which law?  Does this mean whitehats will start
> recognizing EULAs pertaining to proprietary property?

In the US, the basic statute is 17 USC 106:
http://www4.law.cornell.edu/uscode/17/106.html

Sec. 106. - Exclusive rights in copyrighted works

Subject to sections 107 through 121, the owner of copyright under this title
has the exclusive rights to do and to authorize any of the following:

(1) to reproduce the copyrighted work in copies or phonorecords;

(2) to prepare derivative works based upon the copyrighted work;

(3) to distribute copies or phonorecords of the copyrighted work to the public
by sale or other transfer of ownership, or by rental, lease, or lending;

(4) in the case of literary, musical, dramatic, and choreographic works,
pantomimes, and motion pictures and other audiovisual works, to perform the
copyrighted work publicly;

(5) in the case of literary, musical, dramatic, and choreographic works,
pantomimes, and pictorial, graphic, or sculptural works, including the
individual images of a motion picture or other audiovisual work, to display the
copyrighted work publicly; and

(6) in the case of sound recordings, to perform the copyrighted work publicly
by means of a digital audio transmission

17 USC 107 discusses "fair use": http://www4.law.cornell.edu/uscode/17/107.html

Sec. 107. - Limitations on exclusive rights: Fair use

Notwithstanding the provisions of sections 106 and 106A, the fair use of a
copyrighted work, including such use by reproduction in copies or phonorecords
or by any other means specified by that section, for purposes such as
criticism, comment, news reporting, teaching (including multiple copies for
classroom use), scholarship, or research, is not an infringement of copyright.
In determining whether the use made of a work in any particular case is a fair
use the factors to be considered shall include -

(1) the purpose and character of the use, including whether such use is of a
commercial nature or is for nonprofit educational purposes;

(2) the nature of the copyrighted work;

(3) the amount and substantiality of the portion used in relation to the
copyrighted work as a whole; and

(4) the effect of the use upon the potential market for or value of the
copyrighted work.

The fact that a work is unpublished shall not itself bar a finding of fair use
if such finding is made upon consideration of all the above factors.
---- end quote, start analysis..

Section 107 lets you *attempt* to claim "fair use" as a defense against a
charge of copyright infringement.  The judge is directed to consider *all 4*
factors.   Note that you *might* have a fighting chance on point (1), if
you're a recognized *non-profit* security researcher (if you're making a profit
(even indirectly) off your Cisco advisories, you're screwed).   You're also
likely to be screwed on point (4) - Cisco can probably claim a fairly large
chunk of their yearly revenue is based on a proprietary IOS....

> I agree that whitehats should only audit and/or "find"
> security holes in software in which they are invited
> or allowed to do so.  But isn't the whole point of the
> word full in full-disclosure to expose flaws that the
> owners of the property don't want known?  Sounds like a
> greyhat/blackhat mailing list to me.

Plenty of vulnerabilities have been found in open-source projects, where the
source is available.  Plenty *more* vulnerabilities have been found in
proprietary software *without* having access to the source, using the
well-understood methods of software reverse engineering.

