Full Disclosure mailing list archives
Re: IDS (ISS) and reverse engineering
From: "Robert Graham" <full-disclosure-031126 () post robertgraham com>
Date: Wed, 26 Nov 2003 13:58:13 +0200
From: "V.O." <vosipov () tpg com au>
Recently I've got to listen to a marketing pitch by an ISS guy. He was going along the lines of "our X-force reverse-engineered Microsoft RPC libraries and created signatures..." and "we use protocol decoding, so we reverse-engineered various closed-source protocols in order to create our decoders". What struck me - isn't this kind of activity actually illegal in the US? To which extent it is possible to disassemble Windows code? And if it is illegal, then aren't their customers (plus many other IDSes, with the exclusion of Snort, probably) in danger - what if Microsoft or whoever else sues ISS for doing this? :) I'm puzzled.
The reverse is true. Reverse-engineering is broadly legal virtually everywhere. (The DMCA copyright-circumvention being a rare exception). Whereas governments don't, software license agreements do. Most vendors have a clause banning reverse-engineering. However, such agreements can only go so far. They do not apply to areas that are clearly in the public interest. Vuln-research is one of those areas (compatibility is another). For example:

17 U.S.C. § 1201(j)(1999)
...the term 'security testing' means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network . . . [It] is not a violation . . . for a person to develop, produce, distribute or employ technological means for the sole purpose of performing the acts of security testing...

FYI: this clause is largely due to ISS lobbying of congress. Other countries likewise have explicit clauses like this as well.

To be more clear on the matter: I personally (on my own time) purchased a Microsoft software license and disassembled rpcss.dll using IDApro in order to better understand the MS03-026 vulnerability. I state this in the clearest possible terms so that if U.S. law enforcement or Microsoft lawyers believe they have a case, that they can come after me.

What will really bake your noodle is the following decompiled source of the Blaster worm:
http://www.robertgraham.com/journal/030815-blaster.c

Imagine the author of the Blaster worm suing me over this :-)

Robert Graham
Chief Scientist, ISS

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html