Message-ID: <42EADAF7.5010006@science.org>
Date: Sat Jul 30 02:41:41 2005
From: jasonc at science.org (Jason Coombs)
Subject: <Cisco Message> Mike Lynn's controversial Cisco Security Presentation

J.A. Terranson wrote:
>>>I believe that at the moment of disclosure it becomes public domain.
>>>Echoes of RC4...
>>http://www.infowarrior.org/users/rforno/lynn-cisco.pdf
> 
> That letter doesn't change anything.  There's a lot of law that says that
> is now public data, and free of its trade encumbrances.

RC4 is an algorithm, which means it cannot be patented nor copyrighted 
nor protected as intellectual property as anything other than a trade 
secret.

The Cisco/ISS trade secrets remain so unless and until these companies 
forgo the legal protections afforded to them under law, i.e. they fail 
to seek restraining orders and otherwise fail to attempt to keep control 
of the commercial advantage that they believe they enjoy as a result of 
their ownership of the trade secret.

Because RC4, as an algorithm, cannot be protected as a trade secret 
starting the moment it is embodied into a product where the product can 
be reverse engineered legally, it would not have been possible to obtain 
injunctions against the dissemination and use of the RC4 algorithm and 
this is where you end up feeling like RC4 became "public domain" upon 
its public disclosure. See:

http://en.wikipedia.org/wiki/RC4

Now, if RC4 had never been used to create a product and had been kept as 
a trade secret, and that secret had been published, then it would not 
have become, automatically, an unencumbered algorithm that could be used 
by anyone with impunity. There being no way other than theft of trade 
secret for a third party to come to know the algorithm, had a court 
order been obtained to halt the spread of the secret the algorithm 
itself could very well have been kept as protectable intellectual 
property until such time as the company that enjoyed a commercial 
advantage through preservation of their RC4 trade secret had concluded 
the public distribution of a product that somebody else could have 
reverse engineered.

The interesting question in the Lynn case arises when international 
jurisdictions come into play. It is very clear that anyone inside the 
U.S. who were to publish an article like the following one:

http://www.techworld.com/security/news/index.cfm?NewsID=4130

would be subject to the injunction on distribution of the trade secrets 
in question, and could be sued for having knowingly possessed and made 
use of (for the purpose of writing the article) those secrets.

However, techworld.com is a UK-based publisher, apparently, and so 
should be fine until a UK court concurs with the U.S. court's granting 
of the injunction.

Sincerely,

Jason Coombs
jasonc@...ence.org
