Message-ID: <20040526213916.GA13590@tempest.stormcenter.net>
From: live4java at stormcenter.net (Mister Coffee)
Subject: Re: Cisco's stolen code

On Wed, May 26, 2004 at 03:46:45PM -0500, Ron DuFresne wrote:
> 
> 	[BIGGER SNIPPAGE]
> 
> I'm trying to understand how obtaining and using stolen code, for any
> reason, is different than acquiring stolen property in any other context.
> If you know the property was obtained illegally, that would make you an
> accessory after the fact, would it not?
> 
I suppose that's ultimately something for the lawyers to decide.  But imagine it this way - in keeping with the hypothetical situation we're using in the example: Someone copies an article out of a magazine.  They then leave the photocopies out on a table at the local coffee house that's known for having magazines and books and such out for people to read.

How have you broken the law if you pick up the copies and read them?  You know they are copies, but you don't know whether they were made with permission, etc.  You're not making copies yourself: just reading the ones you find. 

My example used a publicly accessible website, rather than a download.  The website and the coffeehouse serve the same purpose in the example.

There are actually two points here that are getting confused.  The first is whether or not it's legal to get/view/etc., the code - and under what conditions.  The second is whether it's ethical to publish an advisory based on a review of that code.

While I strongly feel that simply viewing the code is not a violation of copyright, I readily acknowledge that the legality is a complex issue.  Several people have been talking about the definition of copying, who's responsible, etc.  That's not really the point I'm concerned about.  My personal interest is in whether it's ethical or morally correct to reveal your findings if you do choose to read the code.

I don't want to delve into the "Legality of copy" issue.  My sole purpose, and the reason I tried to use an example where the acquisition wasn't an issue, was the ethics of auditing.

Cheers,
L4J
> 
> Thanks,
> 
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> 	***testing, only testing, and damn good at it too!***
> 
> OK, so you're a Ph.D.  Just don't touch anything.
> 

