Re: Cisco's stolen code

[Seth Alan Woolley <seth () tautology org>]

On Tue, May 25, 2004 at 06:08:52PM +0200, Tobias Weisserth wrote:
> Hi Brian,
>
> On Tue, 2004-05-25 at 17:28, Brian Toovey wrote:
> ...
> > Calm down - While I think it was kind of ignorant to post here asking
> > for code and not grep IRC, I dont think this was "not sticking to the
> > rules" or "not playing the game."  If and when this source becomes
> > available I hope decent coders will audit to find vulns and post here
> > - if whitehats dont audit the code, who will?  I find your response
> > more ignorant.
>
> Well, let's face the simple facts. Cisco's code is copyrighted and it's
> illegal to copy it, distribute it or even use it. There's no way around
> it. Whatever your intentions are the Cisco code is legally off-limits.
>
> This may stink and it may hinder security audits but if Cisco wanted you
> or anybody else to audit their code they would have licensed it to you.
>
> Since they didn't, this leaves you in a very shitty position if you
> touch their code. You may be able to find security flaws but you have
> broken laws to do so. Period.
>
> For me, breaking laws is NOT acceptable under ANY circumstance. I hope
> the majority of people on this list is with me on this. If this list
> evolves into a meeting place where copyrighted code is "negotiated" and
> its distribution organised then our goal of full disclosure of security
> flaws in IT is not met. You can't improve security by breaking laws.
> This renders this list and everybody posting here untrustworthy.
>
> If you want to audit code then stick to the code that is released under
> licenses that allow public code auditing. Don't even think to look at
> code that hasn't be released under an open license. Maybe this will
> motivate more vendors to license their products under an Open Source
> license.

Copyright means the right to publish a work in its entirety.  As long as
they aren't republishing the whole code when they find a vulnerability,
it's protected under fair use.  What is illegal to republish isn't
illegal to acquire.  If one acquires the Cisco code outside of a
licensing arrangement, they surely didn't agree to their additional
restrictions preventing audit or duplication.

Yes, the DMCA changes things slightly, but it doesn't change it in this
regard.  No 'protections' were circumvented if they merely got it from
somebody else.  Cisco will have to go after the original culprit.

I for one will not allow right-wing bigots to redefine copyright to mean
something it never intended.  The law is not broken in this case, even
though you think it is morally wrong.  Get over it.

Re-read your first sentence.  The only one that applies is
redistribution.  Copying for personal use and use itself are still
perfectly legal outside of an explicit contract with Cisco that says
otherwise, and even then, one would have to agree to it.

Are German laws different than American laws in this matter?  I doubt
it, but feel free to correct me.

-- 
Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized
Key id EF10E21A = 36AD 8A92 8499 8439 E6A8  3724 D437 AF5D EF10 E21A
http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A
Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org

Attachment: _bin
Description: