Full Disclosure mailing list archives

Re: Cisco's stolen code


From: Valdis.Kletnieks () vt edu
Date: Wed, 26 May 2004 11:41:46 -0400

On Tue, 25 May 2004 14:26:55 PDT, VX Dude <vxdude2003 () yahoo com>  said:

> Which law?  Does this mean whitehats will start
> recognizing EULAs pertaining to proprietary property?

In the US, the basic statute is 17 USC 106:
http://www4.law.cornell.edu/uscode/17/106.html

Sec. 106. - Exclusive rights in copyrighted works

Subject to sections 107 through 121, the owner of copyright under this title
has the exclusive rights to do and to authorize any of the following:

(1) to reproduce the copyrighted work in copies or phonorecords;

(2) to prepare derivative works based upon the copyrighted work;

(3) to distribute copies or phonorecords of the copyrighted work to the public
by sale or other transfer of ownership, or by rental, lease, or lending;

(4) in the case of literary, musical, dramatic, and choreographic works,
pantomimes, and motion pictures and other audiovisual works, to perform the
copyrighted work publicly;

(5) in the case of literary, musical, dramatic, and choreographic works,
pantomimes, and pictorial, graphic, or sculptural works, including the
individual images of a motion picture or other audiovisual work, to display the
copyrighted work publicly; and

(6) in the case of sound recordings, to perform the copyrighted work publicly
by means of a digital audio transmission

17 USC 107 discusses "fair use": http://www4.law.cornell.edu/uscode/17/107.html

Sec. 107. - Limitations on exclusive rights: Fair use

Notwithstanding the provisions of sections 106 and 106A, the fair use of a
copyrighted work, including such use by reproduction in copies or phonorecords
or by any other means specified by that section, for purposes such as
criticism, comment, news reporting, teaching (including multiple copies for
classroom use), scholarship, or research, is not an infringement of copyright.
In determining whether the use made of a work in any particular case is a fair
use the factors to be considered shall include -

(1) the purpose and character of the use, including whether such use is of a
commercial nature or is for nonprofit educational purposes;

(2) the nature of the copyrighted work;

(3) the amount and substantiality of the portion used in relation to the
copyrighted work as a whole; and

(4) the effect of the use upon the potential market for or value of the
copyrighted work.

The fact that a work is unpublished shall not itself bar a finding of fair use
if such finding is made upon consideration of all the above factors.
---- end quote, start analysis..

Section 107 lets you *attempt* to claim "fair use" as a defense against a
charge of copyright infringement.  The judge is directed to consider *all 4*
factors.   Note that you *might* have a fighting chance on point (1), if
you're a recognized *non-profit* security researcher (if you're making a profit
(even indirectly) off your Cisco advisories, you're screwed).   You're also
likely to be screwed on point (4) - Cisco can probably claim a fairly large
chunk of their yearly revenue is based on a proprietary IOS....

> I agree that whitehats should only audit and/or "find"
> security holes in software in which they are invited
> or allowed to do so.  But isn't the whole point of the
> word full in full-disclosure to expose flaws that the
> owners of the property don't want known?  Sounds like a
> greyhat/blackhat mailing list to me.

Plenty of vulnerabilities have been found in open-source projects, where the
source is available.  Plenty *more* vulnerabilities have been found in
proprietary software *without* having access to the source, using the
well-understood methods of software reverse engineering.
