Full Disclosure mailing list archives

Re: Re: Cisco's stolen code


From: Jason Weisberger <jbdubbs () jbdubbs com>
Date: Wed, 26 May 2004 12:52:06 -0400

I think the line needs to be drawn somewhere in the middle.  Using
stolen Cisco code to find vulnerabilities in their software and
publishing advisory notices based on stolen code is unethical.  A common
middle-ground would be to inform the company and not publish the
advisory.  In this way, the company can release its own advisory and
will probably let you go unchecked.  If it's fame and fortune you're
looking for, then release the advisory while realizing the risk of being
sued by Cisco for possession of their intellectual property.

I suggest being humble.

Jason Weisberger
http://www.csrev.com

Mister Coffee wrote:

Excellent arguments. Let me restate. The spirit & intent of Fair Use Doctrine
applies to materials that are publicly accessible. In college I did not have
to mark up the expensive music scores I bought as I could make copies and not
violate the copyright. I could photocopy scores from the library to study.
Fair Use is intended to make sure copyright does not unduly restrict the use
of materials with copyright in an academic or educational context. A teacher
may photocopy parts of a work to hand out in a lecture. Fair Use has nothing
to do with penetrating Cisco's networks and copying the source to 12.3 IOS
and later distribution. Fair Use Doctrine is about academic freedom, not
commercial proprietary IP which only approved persons may possess. Fair Use
keeps information and materials that were already very accessible the same.
Well said, but I don't believe the argument here (about whitehats staying away from the code) involves the actual penetration of 
Cisco's network and the illegal acquisition of the code.  The question was whether the concept of Fair Use gave a security 
professional some legal recourse if they choose to review the code (however -they- obtained it, since that's not the question 
here) and published an advisory based on their findings.


It is an incorrect argument to claim Fair Use here because IOS source was
never legally accessible to the general public.  To suggest using it, as such,
is a perversion of the spirit and intent of Fair Use Doctrine.

I don't see it as a perversion of Fair Use at all.  While we all agree that the original intrusion that acquired the code was illegal, 
unethical, and generally a Bad Thing (tm), using the "It's stolen!  Don't touch it!" argument to dissuade honest assessments 
doesn't help the community.

Imagine "you" (generic "you" here) are a curious auditor who stumbles onto the code somehow.  Published to a website, for example, 
where you're not "accepting stolen property" (to eliminate that argument).  You find a subtle but potentially massive error in the IOS 
code.  Say an easy to exploit DOS that can take down a thousand routers in five seconds.  Further, a simple (but rarely used) config option can protect 
the router.

What do you do?  As an honest security professional, you WANT to publish an alert about this flaw.  You want the vendor to be aware of it, you 
want the world's admins to be aware of it.  You want to "do the right thing" to protect the net's infrastructure.  But 
there's still that niggling issue of the code being copyrighted and stolen somewhere along the line, and leaked to the world.

Do you publish the advisory, and worry that Big Vendor will have you arrested?

Do you sit on the advisory, and hope no Kiddie finds the error you found and brings down the net?

Ethically and morally, "doing the right thing" means publishing the advisory - possibly including just enough of a code 
snippet to identify the offending part.

Doing the "legal and safe thing" would have meant shutting off your browser when you found the site, and hoping to your favorite 
deity that someone else decides to audit the code for holes.  Because you KNOW the "bad guys" are going to be doing just that.

This is one case (of too many to list) where ethics, morals, and the Law, don't quite align.

Cheers,
L4J


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html