Full Disclosure mailing list archives

Re: Re: Cisco's stolen code


From: Adam Szilveszter <adam () hif hu>
Date: Wed, 26 May 2004 08:50:55 +0200

Aditya, ALD [Aditya Lalit Deshmukh] wrote:



are there any lawyers on the list who can confirm / deny this? or any other list where i can ask this. this has started to get interesting from the legal point of view!

No specific comments on the USC section cited (because, although it is often forgotten, not all the world is the USA ;-) but some general comments on the situation:

As others have already said, the situation is not the same in all legal systems. In the Anglo-Saxon copyright system, the whole notion of "copyright" and the exceptions to it are somewhat different from the Continental European "authors' right" system and the statutory limitations to it.

While inclined minds might want to dig up precedents for the "fair use" exception under copyright, and might even argue that it is possible to break other civil and criminal laws but not infringe on copyright (as if that made a huge difference... being taken away in handcuffs is certainly no more fun from knowing that you were not a copyright infringer...), the situation might be very different under the continental European system. There, a general "fair use" does not exist, only specific exceptions like the right of citation, the right of academic use and scientific research and the right to make private copies. Unfortunately, the latter often does not apply to software at all; therefore a specific right to make one backup copy has been established. So, there is no opportunity to copy without explicit permission - even for private purposes - a piece of software in its entirety except if you already have a legal copy and make a backup (but only one is allowed to exist at a time).

The right to citation certainly does not apply here, since that would only allow the famous "these 15 lines" snippets. The right to research would not cover this either, because that one is also very limited. Distribution, lending etc. in any form, including simply making it available to others to make copies from, is mostly prohibited as well.

Oh, and often copyright infringement in itself is a crime (may depend on the amount of damage caused), so you are not merely facing civil charges, but possibly some time in prison, and quite surely the confiscation of all of your equipment as well. Quite a few computers have made it out the door in this manner already... No need to exercise your brain to prove a physical "theft" as someone posted, because this is not it, it's a separate crime. Software patents will change much in this, although they will create new opportunities for litigation for sure.
The exact details will vary from one country to the next within continental Europe, but the gist will not.

So, I do suggest to not play with the Cisco code if you are in continental Europe... there are enough open-source projects out there.

Oh, and another thing. In Europe, the general rule is that it *is* allowed to test a lawfully obtained piece of software by making various inputs to it and watching outputs, or by watching how it is run. So if you vuln researchers use the famous "let's send 2000 A-s to the input and let's see if it crashes" technique with Perl, and then check the core with a debugger, you are within the limits of the law, provided that you used a legal copy ;-) It is even allowed to look for errors and fix them (e.g. binary patching) but this applies only to the lawful user and even they are not allowed to distribute e.g. the fixed software (also, the author may be allowed to exclude this right in a contract). Again, exact details will vary from country to country, but this means that it is generally not forbidden to look for vulns in closed-source software for as long as you do not use pirated copies and do not go too much into disassembly but merely inspect system memory etc.

Regards:
Sz.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

