lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8kKni=K4y63fR1mPC5BQ1+5K1RFHq0YrQoFqj6g_noF7A@mail.gmail.com>
Date: Tue, 15 Jan 2013 06:28:53 -0500
From: Jeffrey Walton <noloader@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: how to sell and get a fair price

On Tue, Jan 15, 2013 at 2:48 AM,  <gremlin@...mlin.ru> wrote:
> On 14-Jan-2013 15:39:53 -0500, Valdis.Kletnieks@...edu wrote:
>
>  > > After all, a vulnerability and an exploit are intellectual
>  > > products. Not sure copyright could be claimed, but why not?
>
>  > Actually, claimed or not, if the exploit was coded in a Berne
>  > signatory country, it's almost always automatically copyrighted
>  > at creation (most likely to the coder, or to their employer if
>  > it was a work-for-hire). [...]
>  > More interesting is the question of how to enforce a copyright
>  > claim while remaining anonymous...
>
> Is it really necessary to stay anonymous? Writing hmmm... articles
> about vulnerabilities for some (very specific) media and getting a
> hmmm... fee for that is mostly legal.
>
> Opposed to the use of that information...
I think its a slippery slope in the US.

On one hand, you have, for example, Computer Fraud and Abuse Act
(FCAA), Digital Millennium Copyright Act (DMCA), and Unlawful
Intercept. US corporations are rarely prosecuted under the law
(confer, Trustwave [1], Nokia [2]); but individuals are regularly
prosecuted (confer, Weev (et al) [3], Wise Guys [4], Dmitry Sklyarov
[5]).

I'm amazed at how federal law is 'opt-in' for US corporations, but
individuals such as Weev/Goatse and Sklyarov must endure politically
motivated judicial heavy handedness. In Goatse's case, they aggregated
public data (names and email addresses) from a public server offering
public services hanging off a public internet. In Sklyarov case, he
demonstrated flaws in Adobe's PDF DRM scheme. Note that for Sklyarov,
the DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering
and security testing and evaluation. The RE exemption is in Section
1205 (f) REVERSE ENGINEERING). The ST&E exemption is in Section 1205
(i) SECURITY TESTING.

If I had copyright over material used for security testing and
evaluations, I would probably assert my copyright. If I wrote malware,
I would likely want to stay anonymous (confer, David L. Smith and
Melissa macro-virus [6]).

Jeff

[1] http://www.computerworld.com/s/article/9224082/Trustwave_admits_issuing_man_in_the_middle_digital_certificate_Mozilla_debates_punishment
[2] http://www.zdnet.com/nokia-hijacks-mobile-browser-traffic-decrypts-https-data-7000009655/
[3] http://en.wikipedia.org/wiki/Weev
[4] https://www.eff.org/deeplinks/2010/07/cfaa-prosecution-wiseguys-not-so-smart
[5] http://en.wikipedia.org/wiki/Dmitry_Sklyarov
[6] http://en.wikipedia.org/wiki/Melissa_(computer_virus)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ