Message-ID: <20040526201543.GE29855@positivism.org>
From: seth at tautology.org (Seth Alan Woolley)
Subject: Cisco's stolen code

On Tue, May 25, 2004 at 04:59:20PM -0400, Valdis.Kletnieks@...edu wrote:
> On Tue, 25 May 2004 11:05:03 PDT, Seth Alan Woolley said:
> > Copyright means the right to publish a work in its entirety.  As long as
> > they aren't republishing the whole code when they find a vulnerability,
> > it's protected under fair use.  What is illegal to republish isn't
> > illegal to acquire.  If one acquires the Cisco code outside of a
> > licensing arrangement, they surely didn't agree to their additional
> > restrictions preventing audit or duplication.
> 
> There's a few points you need to deal with:
> 
> 1) Although you can probably get away with "fair use" for a small code
> snippet demonstrating a problem in an advisory (the infamous "the problem
> is in these 15 lines" part), you will have a *very* hard time doing anything
> resembling a good audit while only accessing a "fair use" amount of code.
> How did you find the 15 problem lines without looking at an amount of
> code far in excess of what "fair use" authorizes?

Fair use allows limited redistribution and rather broad personal use
outside of a pre-existing contract.

Code auditing doesn't even require fair use rights, however.

> 2) The fact that you're getting a copy from somebody other than Cisco does NOT
> make it "clean".  That is true for trade secrets, where if the cat is out of
> the bag already, redistributing it further is no problem (although you better
> make sure the cat is *out* of the bag and not merely poking its nose out).
> Absent some licensing agreement, you can't copy it. Period, end of discussion.
> 
> Go read the GPL, the part where it says "You are not required to accept this
> License, since you have not signed it.  However, nothing else grants you
> permission to modify or distribute the Program or its derivative works.  These
> actions are prohibited by law if you do not accept this License.".  

That only applies to redistribution of derivative or modified works, as
I noted was illegal in substantial amounts.

Auditing does not require modification or distribution.

The FSF advocates that personal use should always be allowable, which is
why they explicitly don't prohibit it in their language above.

> A lot of very
> highly talented legal minds have looked at that, and they all come up
> with the same reading:  "You make a copy without accepting the GPL terms,
> you're screwed".

Republish, not "make a copy".  Making a copy is perfectly not enforced
by the GPL unless it involves redistribution.  Distributing it to others
is where the problem comes in.

> > Re-read your first sentence.  The only one that applies is
> > redistribution.  Copying for personal use and use itself are still
> > perfectly legal outside of an explicit contract with Cisco that says
> > otherwise, and even then, one would have to agree to it.
> 
> Umm. No.  It's Cisco's code, and you do *NOT* have *any* rights to it other
> than what (a) you're able to establish under "fair use" or (b) Cisco authorizes
> you to have.  

I presume I'm not allowed to discuss Cisco's code, even if I've not seen
it, then, since I have *no* rights to it under your logic.

Copyright, I repeat, applies to redistribution and the act of copying by
the copier (in modern copyright).  It literally meant, "the right of
redistribution", even though it may now mean "the right of copy".  The
sense of copy as in duplication without publishing is new to the word. 
Any etymologist would tell you that.  Even under the modern sense of the
right to control copying, obtaining something already copied is not
illegal as far as I can tell in Title 17 of the USC.

Why are the RIAA not going after downloaders and only after uploaders?

They muddy the waters in their press releases, but when they go to the
courtroom they know they don't have the law on their sides on that issue.

> Although the "Betamax case" granted the "fair use" right
> to videotape, timeshift, and (by extension) rip your own CD's to digital:
> 
> http://www.eff.org/Legal/Cases/sony_v_universal_decision.php

It wasn't granted.  It always existed.  The SC just upheld a previous right.

Regardless, the issue isn't one of copying, it is of obtaining an
already copied material covered under copyright.

> there is *still* a requirement that the original copy be legally obtained,

If there's no consideration, it fails to fall under contract law.

If I obtain a copy of a Beverly Cleary book, say, "Ramona the
Intellectual Property Pirate", from somebody who shoplifted the book
and then copied it illegally, they will be obligated to return the original
book to the store, but my copy, not being made by me, despite being
"pirated" by its source, is still not itself illegal, even though the
"pirater" may even be instructed to destroy all copies they made by the
court to prevent its redistribution.  The material isn't illegal, only
the action of copying or the act of redistributing a copy.  Being a
participant in an illegal action isn't illegal so long as you aren't
breaking the law, otherwise bank tellers would fear for jail when they
get robbed.

Purchasing the copy might create an additional problem and null the
contract of purchase, but if obtaining it is without consideration, the
actual act of obtaining it is not illegal.

> and
> there are limitations - although the court held that making a copy for
> your *own* use was OK, other uses weren't covered - you can't distribute
> copies to others, and copying things you didn't have a clear right to have
> the first copy is right out as well.

Of course you can't distribute copies to others, but you can still
receive it.

A judge may order copies in a particular case destroyed if they were
duplicated illegally, however, they would have to do this for each
infringing duplicator.

http://www4.law.cornell.edu/uscode/17/503.html

but if it were hidden for five years, they would get away with it:

http://www4.law.cornell.edu/uscode/17/507.html

> And I'd be very wary of trying to use "He made the copy, I just took the copy
> he made" as a defense - you're still liable for some penalties, and if you knew or
> should have known the copy was infringing you're probably equally liable as the
> person who made the copy....

I notice a lack of citations to the USC in your post.  I'll refer you to
Title 17, section 106 this time, which highlights what is actually liable:

http://www4.law.cornell.edu/uscode/17/106.html

http://www4.law.cornell.edu/uscode/17/117.html is notwithstanding on
section 106, and only serves to limit the exclusive rights granted in section
106.  Section 106 still makes no mention of receiving a copy already
made.

To get the CISCO code, they could easily receive it on paper and not
actually have to copy it internally, although I would think a mv instead
of cp could be interpreted as not copying it.  I'm not sure what the
case law is on that issue, but regardless, it's still possible to do a
full audit as long as you can do it before a judge orders your specific
copy impounded or destroyed.

Seth

-- 
Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized
Key id EF10E21A = 36AD 8A92 8499 8439 E6A8  3724 D437 AF5D EF10 E21A
http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A
Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org