| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: seth at tautology.org (Seth Alan Woolley) Subject: Cisco's stolen code On Tue, May 25, 2004 at 04:59:20PM -0400, Valdis.Kletnieks@...edu wrote: > On Tue, 25 May 2004 11:05:03 PDT, Seth Alan Woolley said: > > Copyright means the right to publish a work in its entirety. As long as > > they aren't republishing the whole code when they find a vulnerability, > > it's protected under fair use. What is illegal to republish isn't > > illegal to acquire. If one acquires the Cisco code outside of a > > licensing arrangement, they surely didn't agree to their additional > > restrictions preventing audit or duplication. > > There's a few points you need to deal with: > > 1) Although you can probably get away with "fair use" for a small code > snippet demonstrating a problem in an advisory (the infamous "the problem > is in these 15 lines" part), you will have a *very* hard time doing anything > resembling a good audit while only accessing a "fair use" amount of code. > How did you find the 15 problem lines without looking at an amount of > code far in excess of what "fair use" authorizes? Fair use allows limited redistribution and rather broad personal use outside of a pre-existing contract. Code auditing doesn't even require fair use rights, however. > 2) The fact that you're getting a copy from somebody other than Cisco does NOT > make it "clean". That is true for trade secrets, where if the cat is out of > the bag already, redistributing it further is no problem (although you better > make sure the cat is *out* of the bag and not merely poking its nose out). > Absent some licensing agreement, you can't copy it. Period, end of discussion. > > Go read the GPL, the part where it says "You are not required to accept this > License, since you have not signed it. However, nothing else grants you > permission to modify or distribute the Program or its derivative works. These > actions are prohibited by law if you do not accept this License.". That only applies to redistribution of derivative or modified works, as I noted was illegal in substantial amounts. Auditing does not require modification or distribution. The FSF advocates that personal use should always be allowable, which is why they explicitly don't prohibit it in their language above. > A lot of very > highly talented legal minds have looked at that, and they all come up > with the same reading: "You make a copy without accepting the GPL terms, > you're screwed". Republish, not "make a copy". Making a copy is perfectly not enforced by the GPL unless it involves redistribution. Distributing it to others is where the problem comes in. > > Re-read your first sentence. The only one that applies is > > redistribution. Copying for personal use and use itself are still > > perfectly legal outside of an explicit contract with Cisco that says > > otherwise, and even then, one would have to agree to it. > > Umm. No. It's Cisco's code, and you do *NOT* have *any* rights to it other > than what (a) you're able to establish under "fair use" or (b) Cisco authorizes > you to have. I presume I'm not allowed to discuss Cisco's code, even if I've not seen it, then, since I have *no* rights to it under your logic. Copyright, I repeat, applies to redistribution and the act of copying by the copier (in modern copyright). It literally meant, "the right of redistribution", even though it may now mean "the right of copy". The sense of copy as in duplication without publishing is new to the word. Any etymologist would tell you that. Even under the modern sense of the right to control copying, obtaining something already copied is not illegal as far as I can tell in Title 17 of the USC. Why are the RIAA not going after downloaders and only after uploaders? They muddy the waters in their press releases, but when they go to the courtroom they know they don't have the law on their sides on that issue. > Although the "Betamax case" granted the "fair use" right > to videotape, timeshift, and (by extension) rip your own CD's to digital: > > http://www.eff.org/Legal/Cases/sony_v_universal_decision.php It wasn't granted. It always existed. The SC just upheld a previous right. Regardless, the issue isn't one of copying, it is of obtaining an already copied material covered under copyright. > there is *still* a requirement that the original copy be legally obtained, If there's no consideration, it fails to fall under contract law. If I obtain a copy of a Beverly Cleary book, say, "Ramona the Intellectual Property Pirate", from somebody who shoplifted the book, then copied it illegally. They will be obligated to return the original book to the store, but my copy, not being made by me, despite being "pirated" by its source, is still not itself illegal, even though the "pirater" may even be instructed to destroy all copies they made by the court to prevent its redistribution. The material isn't illegal, only the action of copying or the act of redistributing a copy. Being a participant in an illegal action isn't illegal so long as you aren't breaking the law, otherwise bank tellers would fear for jail when they get robbed. Purchasing the copy might create an additional problem and null the contract of purchase, but if obtaining it is without consideration, the actual act of obtaining it is not illegal. > and > there are limitations - although the court held that making a copy for > your *own* use was OK, other uses weren't covered - you can't distribute > copies to others, and copying things you didn't have a clear right to have > the first copy is right out as well. Of course you can't distribute copies to others, but you can still receive it. A judge may order copies in a particular case destroyed if they were duplicated illegally, however, they would have to do this for each infringing duplicator. http://www4.law.cornell.edu/uscode/17/503.html but if it were hid for five years, they would get away with it: http://www4.law.cornell.edu/uscode/17/507.html > And I'd be very wary of trying to use "He made the copy, I just took the copy > he made" as a defense - you're still liable for some penalties, and if you knew or > should have known the copy was infringing you're probably equally liable as the > person who made the copy.... I notice a lack of citations to the USC in your post. I'll refer you to Title 17, section 106 this time, which highlights what is actually liable: http://www4.law.cornell.edu/uscode/17/106.html http://www4.law.cornell.edu/uscode/17/117.html is notwithstanding on section 106, and only makes to limit exlusive rights granted in section 106. Section 106 still makes no mention of receiving a copy already made. To get the CISCO code, they could easily receive it on paper and not actually have to copy it internally, although I would think a mv instead of cp could be interpreted as not copying it. I'm not sure what the case law is on that issue, but regardless, it's still possible to do a full audit as long as you can do it before a judge orders your specific copy impounded or destroyed. Seth -- Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized Key id EF10E21A = 36AD 8A92 8499 8439 E6A8 3724 D437 AF5D EF10 E21A http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040526/70c3d659/attachment.bin
Powered by blists - more mailing lists