[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8kKni=K4y63fR1mPC5BQ1+5K1RFHq0YrQoFqj6g_noF7A@mail.gmail.com>
Date: Tue, 15 Jan 2013 06:28:53 -0500
From: Jeffrey Walton <noloader@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: how to sell and get a fair price
On Tue, Jan 15, 2013 at 2:48 AM, <gremlin@...mlin.ru> wrote:
> On 14-Jan-2013 15:39:53 -0500, Valdis.Kletnieks@...edu wrote:
>
> > > After all, a vulnerability and an exploit are intellectual
> > > products. Not sure copyright could be claimed, but why not?
>
> > Actually, claimed or not, if the exploit was coded in a Berne
> > signatory country, it's almost always automatically copyrighted
> > at creation (most likely to the coder, or to their employer if
> > it was a work-for-hire). [...]
> > More interesting is the question of how to enforce a copyright
> > claim while remaining anonymous...
>
> Is it really necessary to stay anonymous? Writing hmmm... articles
> about vulnerabilities for some (very specific) media and getting a
> hmmm... fee for that is mostly legal.
>
> Opposed to the use of that information...
I think its a slippery slope in the US.
On one hand, you have, for example, Computer Fraud and Abuse Act
(FCAA), Digital Millennium Copyright Act (DMCA), and Unlawful
Intercept. US corporations are rarely prosecuted under the law
(confer, Trustwave [1], Nokia [2]); but individuals are regularly
prosecuted (confer, Weev (et al) [3], Wise Guys [4], Dmitry Sklyarov
[5]).
I'm amazed at how federal law is 'opt-in' for US corporations, but
individuals such as Weev/Goatse and Sklyarov must endure politically
motivated judicial heavy handedness. In Goatse's case, they aggregated
public data (names and email addresses) from a public server offering
public services hanging off a public internet. In Sklyarov case, he
demonstrated flaws in Adobe's PDF DRM scheme. Note that for Sklyarov,
the DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering
and security testing and evaluation. The RE exemption is in Section
1205 (f) REVERSE ENGINEERING). The ST&E exemption is in Section 1205
(i) SECURITY TESTING.
If I had copyright over material used for security testing and
evaluations, I would probably assert my copyright. If I wrote malware,
I would likely want to stay anonymous (confer, David L. Smith and
Melissa macro-virus [6]).
Jeff
[1] http://www.computerworld.com/s/article/9224082/Trustwave_admits_issuing_man_in_the_middle_digital_certificate_Mozilla_debates_punishment
[2] http://www.zdnet.com/nokia-hijacks-mobile-browser-traffic-decrypts-https-data-7000009655/
[3] http://en.wikipedia.org/wiki/Weev
[4] https://www.eff.org/deeplinks/2010/07/cfaa-prosecution-wiseguys-not-so-smart
[5] http://en.wikipedia.org/wiki/Dmitry_Sklyarov
[6] http://en.wikipedia.org/wiki/Melissa_(computer_virus)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists