
| Subject: | RE: [Full-Disclosure] Cisco's stolen code |
|---|---|
| Date: | Wed, 26 May 2004 14:44:54 +0200 |
Hi Pikett,

On Wed, 2004-05-26 at 11:27, Pikett/LKSI wrote:

> > What is true for Cisco is even more true for Microsoft. Stay the hell away from code that hasn't been licensed for you.
>
> bad guys won't. they'll take their chances to find some holes in the code which could allow them to control your router and everybody else's...

So, what does this tell us about closed source products whose code leaked to the Internet? It's Cisco's responsibility to look after their code and fix whatever bug has made it into their code. It's not our concern as long as we are not allowed to look into their code.

> we can't be sure, that the few minor publicly known problems after the MS code leaked were all there was/is/will be. Do you trust MS or Cisco, that the code is all clean and secure? i don't.

True, but still you're not allowed to copy their code. The code is off-limits no matter what.

> To my understanding, full disclosure means informing the good (and some bad) guys about the existence of a potential security hole in our configurations.

Yes. But full-disclosure does not include breaking laws in order to get there. That's my point.

> "Opensource" software, be it GPL or leaked CSS, is the best way to get to the point without the need of coincidence/reverse engineering/blackbox testing etc.

Leaked closed source software is still closed software. Open Source software is defined by a license, not by the availability of code.

> i'm thankful for every whitehat who analyzes the ios sources and helps to find holes before a blackhat does.

A whitehat wouldn't touch copyrighted code in a million years. Whitehats stick to the law. They don't infringe copyright.

> And it's not because i think Cisco deserves some free working bugfinders...hell, every multibillion $ company should be charged for bugs found by outsiders.

You know what? They won't pay you for finding their bugs. They'll sue you. And if you ever write a single line of code yourself after you have taken a look at their code without a license, they'll claim it is theirs because you took a look at their code and that "necessarily" means that you have stolen from them.

> > Anybody who touches copyrighted code, be it MS or Cisco or whatever, is at risk. Why should I want to put myself at risk to solve problems the copyright holder of the code should solve? If I address a security flaw in MS code and say a year later I decide to write something that might attract the attention of MS as a competitor then I'm most certainly being confronted with accusations like "you took that from our code" and "you are a thief".
>
> you might be right on that one and <conspiracy> that might even be a motivation for some vendors to "coincidentally" leak their sources and later use it against competitors </conspiracy>, reminds me of the patent issue nightmare.

Don't underestimate this risk. The pure existence of the Lion book causes numerous accusations against Linus Torvalds, who claims that he never has taken a look at the book.

> still, how does that interfere with the searching for potential security holes in more or less publicly available sourcecode for the sake of knowing about any weaknesses?

The purpose does not matter here. Your intentions don't matter. You don't have a license to do so. You're even breaking laws in many places. And most importantly, the source code is *not* publicly available as long as it doesn't come with a license that allows you to work with it in a specific way.

There's no merit in finding bugs in leaked closed source. There may be a slight short term increase in security for a specific product that has been leaked. But the long term effects are devastating. People finding bugs this way are at legal risk and their creativity can be blocked by the pure fact they have eaten from the forbidden fruit. Vendors who find their lousy code leaking to the Internet and bugs being found by third parties will *never* be inclined to change their development process. They'll continue to write lousy code that is so bad they must be embarrassed like hell when it emerges in public.

If you want to improve security then stay the hell away from leaked closed source code.

regards,
Tobias W.