Message-ID: <200405262046.33768.fulldisc@ultratux.org>
From: fulldisc at ultratux.org (Maarten)
Subject: Re: Cisco's stolen code

On Wednesday 26 May 2004 16:11, Glenn_Everhart@...kone.com wrote:
> Possession of the code does not prove one has copied it though.
> If someone posts it on usenet, he is copying it to numerous servers,
> but the recipient is certainly not acting as the copying agent. Similar

You have a twisted concept of what "a copy" is.
If someone downloads it, they DO make a copy; from the usenet server TO your
machine.  Even if you 'merely view' it on a webpage, you still make a copy.
You make a copy to your RAM, and to your browser's cache dir.  The law
doesn't really give a shit whether the copy is volatile (RAM) or not.
In a court of law, you may be judged differently if instead of having burned a
CDrom of the offending code it is only found in your browser's cache.
But still, that is subject to how the court interprets the law in every 
individual case. But the law in itself is quite rigid, and you must assume 
that viewing IS copying when it comes to digital media. 

Disclaimer: IANAL but I do read a lot on the subject.

> if someone who has the code does ftp send to drop copies on someone
> else's server: the person who receives such a copy is not the one who
> performed the copy action.

Not in that case, no.  It probably all depends on who initiated it though. If 
the receiving party has actively invited the upload, chances are the receiver 
is in trouble.  It's like with Spam / UCE: if you receive material that is 
deemed illegal in your state, there is no problem.  But if you save, collect, 
or keep that content however, you probably are...

>
> If one received such a copy, the copyright principles would seem to
> govern: fair use copy of parts might be ok, wholesale probably not,
> though an interesting argument can be made for looking for security
> holes as a part of protecting one's own network. If you are in the
> habit of looking at code that arrives on your doorstep in the course
> of protecting your net, the US Code title might govern.

This is all academic until you actually receive stuff on your doorstep and 
still can prove that you did not in any way solicit it.  Good luck there...

> Still, it can be a major hassle to show that the code arrived unasked for
> at your door and it can be a hassle having people suspect your work might
> have derived from too-large-for-fair-use pieces thereof. I advise against
> seeking it or messing with it unbeknownst to the owners.

Yeah, precisely.

Maarten

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Tobias
> Weisserth
> Sent: Wednesday, May 26, 2004 4:39 AM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Re: Cisco's stolen code
>
>
> Hi Eric,
>
> On Wed, 2004-05-26 at 01:54, Eric Scher wrote:
> > ---------------------------------------------------------
> >
> > >On Tue, 2004-05-25  Tobias W.  wrote:
> > >
> > >Well, let's face the simple facts. Cisco's code is copyrighted and it's
> > >illegal to copy it, distribute it or even use it. There's no way around
> > >it.
> >
> > ----------------------------------------------------------
> >
> >
> > STATEMENT: "There's no way around it."
> >
> > RESPONSE: I beg to differ. No disrespect intended, but given the mission
> > statement for the Full Disclosure mailing list, the use of the "stolen
> > code" clearly falls under the "FAIR USE" exemption of copyright law.
> > Having said that, there may be criminal and civil liability issues
> > involved in possessing, transferring or receiving said code, but it is
> > manifestly not a violation of copyright law.
> >
> >
> > ==========================================
> > UNITED STATES CODE - TITLE 17 - CHAPTER ONE - SECTION 107
> >
> > Sec. 107.  -  Limitations on exclusive rights: Fair use
> >
> > Notwithstanding the provisions of sections 106 and 106A, the fair use of
> > a copyrighted work, including such use by reproduction in copies or
> > phonorecords or by any other means specified by that section, for
> > purposes such as criticism, comment, news reporting, teaching (including
> > multiple copies for classroom use), scholarship, or research, is not an
> > infringement of copyright.  In determining whether the use made of a work
> > in any particular case is a fair use the factors to be considered shall
> > include -
> >
> > (1) the purpose and character of the use, including whether such use is
> > of a commercial nature or is for nonprofit educational purposes;
> >
> > (2) the nature of the copyrighted work;
> >
> > (3) the amount and substantiality of the portion used in relation to the
> > copyrighted work as a whole; and
> >
> > (4) the effect of the use upon the potential market for or value of the
> > copyrighted work. The fact that a work is unpublished shall not itself
> > bar a finding of fair use if such finding is made upon consideration of
> > all the above factors
> > ==========================================
>
> As has been pointed out by Valdis, "fair use" certainly doesn't cover
> the distribution and copying of hundreds of megabytes of Cisco code that
> wasn't to end up on the Internet in the first place. The intentions, so
> for example security code audits, don't matter for determining "fair
> use" either. If we were to decide for ourselves what we define as fair
> use then there'd be no use for copyright at all since we would be using
> everything under "fair use". Whatever we do with code we would always
> define it "for educational purposes".
>
> And since you quoted only US law you should be aware that things might
> actually look a little different now that you have the DMCA.
>
> And let's just go a step further. Do we really /want/ to look at code
> that hasn't been licensed to us? Why /should/ we want to do this? So
> anytime in the future we are being creative Cisco can claim we must have
> copied it from their source code since we obviously "took a look at
> it"?!
>
> Closed source products don't become "Open" Source products over night
> just because the code leaked into the Internet. They stay closed source.
> Without a corresponding license the availability of Cisco's code (or any
> other) is useless.
>
> The "fair use" thing is an illusion here. But it isn't an illusion big
> enough to cover the legal risks that are obvious if you touch unlicensed
> proprietary code.
>
> regards,
> Tobias
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> **********************************************************************
> This transmission may contain information that is privileged, confidential
> and/or exempt from disclosure under applicable law. If you are not the
> intended recipient, you are hereby notified that any disclosure, copying,
> distribution, or use of the information contained herein (including any
> reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
> in error, please immediately contact the sender and destroy the material in
> its entirety, whether in electronic or hard copy format. Thank you
> **********************************************************************

-- 
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

