Full Disclosure mailing list archives

Re: IDS (ISS) and reverse engineering


From: "Robert Graham" <full-disclosure-031126 () post robertgraham com>
Date: Wed, 26 Nov 2003 13:58:13 +0200


From: "V.O." <vosipov () tpg com au>
Recently I've got to listen to a marketing pitch by an ISS guy. He was
going along the lines of "our X-force reverse-engineered Microsoft RPC
libraries and created signatures..." and "we use protocol decoding, so
we reverse-engineered various closed-source protocols in order to
create our decoders".

What struck me - isn't this kind of activity actually illegal in the
US? To what extent is it possible to disassemble Windows code? And if
it is illegal, then aren't their customers (plus many other IDSes, with
the exclusion of Snort, probably) in danger - what if Microsoft or
whoever else sues ISS for doing this? :)

I'm puzzled.

The reverse is true. Reverse-engineering is broadly legal virtually
everywhere. (The DMCA copyright-circumvention being a rare
exception).

Whereas governments don't, software license agreements do. Most
vendors have a clause banning reverse-engineering. However, such
agreements can only go so far. They do not apply to areas that are
clearly in the public interest. Vuln-research is one of those areas
(compatibility is another). For example:

 17 U.S.C. § 1201(j)(1999)
 ...the term 'security testing' means accessing a computer, computer 
 system, or computer network, solely for the purpose of good faith 
 testing, investigating, or correcting, a security flaw or 
 vulnerability, with the authorization of the owner or operator of 
 such computer, computer system, or computer network . . . [It] 
 is not a violation . . . for a person to develop, produce, 
 distribute or employ technological means for the sole purpose of 
 performing the acts of security testing...

FYI: this clause is largely due to ISS lobbying of congress.
Other countries likewise have explicit clauses like this as
well.

To be more clear on the matter: I personally (on my own time)
purchased a Microsoft software license and disassembled rpcss.dll
using IDApro in order to better understand the MS03-026 vulnerability.
I state this in the clearest possible terms so that if U.S. law
enforcement or Microsoft lawyers believe they have a case, that 
they can come after me.

What will really bake your noodle is the following decompiled 
source of the Blaster worm:
 http://www.robertgraham.com/journal/030815-blaster.c
Imagine the author of the Blaster worm suing me over this :-)


Robert Graham
Chief Scientist, ISS


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html