Message-ID: <40B4CB36.7010305@jbdubbs.com>
From: jbdubbs at jbdubbs.com (Jason Weisberger)
Subject: Re: Cisco's stolen code
I think the line needs to be drawn somewhere in the middle. Using
stolen Cisco code to find vulnerabilities in their software and
publishing advisory notices based on stolen code is unethical. A common
middle-ground would be to inform the company and not publish the
advisory. In this way, the company can release its own advisory and
will probably let you go unchecked. If it's fame and fortune you're
looking for, then release the advisory while realizing the risk of being
sued by Cisco for possession of their intellectual property.
I suggest being humble.
Jason Weisberger
http://www.csrev.com
Mister Coffee wrote:
>>Excellent arguments. Let me restate. The spirit & intent of Fair Use
>>Doctrine applies to materials that are publicly accessible. In college
>>I did not have to mark up the expensive music scores I bought as I could
>>make copies and not violate the copyright. I could photocopy scores from the
>>library to study. Fair Use is intended to make sure copyright does
>>not unduly restrict the use of materials with copyright in an academic or
>>educational context. A teacher may photocopy parts of a work to hand out
>>in a lecture. Fair Use has nothing to do with penetrating Cisco's networks
>>and copying the source to 12.3 IOS and later distribution. Fair Use Doctrine
>>is about academic freedom, not commercial proprietary IP which only approved
>>persons may possess. Fair Use keeps information and materials that were already
>>very accessible the same.
>>
>Well said, but I don't believe the argument here (about whitehats staying away from the code) involves the actual penetration of Cisco's network and the illegal acquisition of the code. The question was whether the concept of Fair Use gave a security professional some legal recourse if they chose to review the code (however -they- obtained it, since that's not the question here) and published an advisory based on their findings.
>
>>It is an incorrect argument to claim Fair Use here because IOS source was
>>never legally accessible to the general public. To suggest using it, as such,
>>is a perversion of the spirit and intent of Fair Use Doctrine.
>>
>I don't see it as a perversion of Fair Use at all. While we all agree that the original intrusion that acquired the code was illegal, unethical, and generally a Bad Thing (tm), using the "It's stolen! Don't touch it!" argument to dissuade honest assessments doesn't help the community.
>
>Imagine "you" (generic "you" here) are a curious auditor who stumbles onto the code somehow. Published to a website, for example, where you're not "accepting stolen property" (to eliminate that argument). You find a subtle but potentially massive error in the IOS code. Say an easy-to-exploit DoS that can take down a thousand routers in five seconds. Further, a simple (but rarely used) config option can protect the router.
>
>What do you do? As an honest security professional, you WANT to publish an alert about this flaw. You want the vendor to be aware of it, you want the world's admins to be aware of it. You want to "do the right thing" to protect the net's infrastructure. But there's still that niggling issue of the code being copyrighted and stolen somewhere along the line, and leaked to the world.
>
>Do you publish the advisory, and worry that Big Vendor will have you arrested?
>
>Do you sit on the advisory, and hope no Kiddie finds the error you found and brings down the net?
>
>Ethically and morally, "doing the right thing" means publishing the advisory - possibly including just enough of a code snippet to identify the offending part.
>
>Doing the "legal and safe thing" would have meant shutting off your browser when you found the site, and hoping to your favorite deity that someone else decides to audit the code for holes. Because you KNOW the "bad guys" are going to be doing just that.
>
>This is one case (of too many to list) where ethics, morals, and the Law, don't quite align.
>
>Cheers,
>L4J
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html