lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAJVRA1QOj7-Kxzszbbub4P66wB+y3ui24Ht2gJDZRMrCTzjrVw@mail.gmail.com>
Date: Sun, 6 Apr 2014 02:28:23 -0700
From: coderman <coderman@...il.com>
To: Bryan Bickford <bryan@...wildhats.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Legality of Open Source Tools

On Fri, Apr 4, 2014 at 3:58 AM, Bryan Bickford <bryan@...wildhats.com> wrote:
> ...
> I am a security researcher who is working on a project in my free time,
> without going into details - the project will end with a powerful tool
> being publicly released.

yes, but released under what license? :)



> Obviously most cyber security tools have the potential for abuse. What sort
> of legal hurdles (if any) do you need to overcome to protect yourself when
> releasing software along the lines of metasploit?

you'll be asked to sell your time consulting on said tool.  so get
your corporate finance and tax legal hurdles settled first of all.

next, during some consignment work, you'll find a particularly
awesome/nasty/impressive/scary sploit and want to present or sell it.
you should expect arguments over your time as hourly consulting
service vs. your time as work for hire under third party ownership,
and so insulate your contracts with customers as another legal hurdle
with these considerations in mind.

last but not least, non disclosure agreements and trade secrets will
come into play under some engagements. be sure you legally cover your
own ass in any such terms you agree to.

assuming your tool of pwnage continues to be increasingly successful,
expect all the entrepreneurial legal concerns to show their ugly
heads, and allocate legal budget and expertise accordingly.


... hopefully you don't have to deal with an overly aggressive
attorney pushing absurd criminal charges for open source code repos on
github[0].  that's a whole other kind of legal ass covering of which i
am not even sure how to recommend you position yourself in your
multiple jurisdictions of concern....  good luck!



0. opensource scada scanner == felony hacker charges [citation needed]
  some scada scanning tool released as open source led to some total
insanity.  too lazy to cite sources this moment, but plenty of other
absurdity abounds.



last consideration: is limited disclosure the better course?  save it
for DEF CON (the parties not the conference) before you burn it if
really fun for all ages
 :P

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ