Full Disclosure mailing list archives
Re: Re: Cisco's stolen code
From: Tobias Weisserth <tobias () weisserth de>
Date: Wed, 26 May 2004 17:22:18 +0200
Hi,

On Wed, 2004-05-26 at 16:32, Mister Coffee wrote:
...
> I don't see it as a perversion of Fair Use at all. While we all agree that the original intrusion that acquired the code was illegal, unethical, and generally a Bad Thing (tm), using the "It's stolen! Don't touch it!" argument to dissuade honest assessments doesn't help the community.

I have to disagree with heart. It would do the community a great favour if law-abiding security researchers would not touch leaked closed source code. If closed source vendors realised that writing bad, embarrassing code could end up on the Internet anytime, they would either double their efforts to increase code quality themselves or they would release the code under an Open Source license. Both would do us a great favour.

> Imagine "you" (generic "you" here) are a curious auditor who stumbles onto the code somehow.

How would that happen? It just flies through the air onto my screen? I "accidentally" download it because I confuse it with my daily dose of porn? If everybody argued like that about illegal material ending up on their computers, we would have a hard time prosecuting people for child pornography...

> Published to a website, for example, where you're not "accepting stolen property" (to eliminate that argument).

As a maintainer of a website you are directly responsible for the breach of copyright if you haven't taken measures to prevent the upload of copyrighted material (to eliminate that argument).

> You find a subtle but potentially massive error in the IOS code.

You would have to take a close look at something that hasn't been released for your eyes and that you don't have a license to deal with.

> Say an easy to exploit DOS that can take down a thousand routers in five seconds. Further, a simple (but rarely used) config option can protect the router. What do you do? As an honest security professional, you WANT to publish an alert about this flaw.

As an honest security professional you wouldn't have touched the code in the first place.

> You want the vendor to be aware of it, you want the world's admins to be aware of it. You want to "do the right thing" to protect the net's infrastructure.

You should do the right thing to protect the law and respect other people's copyright first.

> But there's still that niggling issue of the code being copyrighted and stolen somewhere along the line, and leaked to the world.

Big deal. This might be your problem on a short-term basis. But if the fall-out is big enough, Cisco will have to think about whether to change their license or the quality of their code. If you intervene by possibly breaking the law and infringing on copyright, you might have saved the day, but the next decade is rotten because *nothing* changes.

> Do you publish the advisory, and worry that Big Vendor will have you arrested?

Or do you keep your fingers from copyrighted material and enjoy the fallout that might lead to a change in Cisco's development process?

> Do you sit on the advisory, and hope no Kiddie finds the error you found and brings down the net?

In fact, I wouldn't even look for bugs in the code and yes, I would let criminals take full advantage of Cisco's leaked code. This might hurt today, but it could save the day tomorrow.

> Ethically and morally, "doing the right thing" means publishing the advisory - possibly including just enough of a code snippet to identify the offending part.
> Doing the "legal and safe thing" would have meant shutting off your browser when you found the site, and hoping to your favorite deity that someone else decides to audit the code for holes.

You should hope that the copyright holder identifies the flaws. If he can't, then that's a clear indication of the bad quality of his product. He might consider releasing the code under an open license next time so that you can help hunt bugs. Or he starts writing code that isn't so embarrassingly bad that as soon as the code leaks to script kiddies all hell breaks loose.

> Because you KNOW the "bad guys" are going to be doing just that.

Let them. It's the vendor's fault if he doesn't allow for external code auditing. The vendor chose it this way. The vendor and his customers have got to bear the consequences. A large accident might change his mind for the future. Your "moral" behaviour certainly doesn't.

> This is one case (of too many to list) where ethics, morals, and the Law, don't quite align.

Well, I have a different point of view. But suit yourself, everybody ;-)

regards,
Tobias

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html