Re: [Full-Disclosure] Re: Cisco's stolen code

Subject: Re: [Full-Disclosure] Re: Cisco's stolen code
Date: Wed, 26 May 2004 12:52:06 -0400
I think the line needs to be drawn somewhere in the middle.  Using
stolen Cisco code to find vulnerabilities in their software and
publishing advisory notices based on stolen code is unethical.  A common
middle-ground would be to inform the company and not publish the
advisory.  In this way, the company can release its own advisory and
will probably let you go unchecked.  If it's fame and fortune you're
looking for, then release the advisory while realizing the risk of being
sued by Cisco for possession of their intellectual property.

I suggest being humble.

Jason Weisberger
http://www.csrev.com

Mister Coffee wrote:

Excellent arguments. Let me restate. The spirit & intent of Fair Use
Doctrine applies to materials that are publicly accessible. In college
I did not have to mark up the expensive music scores I bought as I could
make copies and not violate the copyright. I could photocopy scores from
the library to study. Fair Use is intended to make sure copyright does
not unduly restrict the use of materials with copyright in an academic or
educational context. A teacher may photocopy parts of a work to hand out
in a lecture. Fair Use has nothing to do with penetrating Cisco's networks
and copying the source to 12.3 IOS and later distribution. Fair Use
Doctrine is about academic freedom, not commercial proprietary IP which
only approved persons may possess. Fair Use keeps information and
materials that were already very accessible the same.




Well said, but I don't believe the argument here (about whitehats staying away 
from the code) involves the actual penetration of Cisco's network and the 
illegal acquisition of the code.  The question was whether the concept of Fair 
Use gave a security professional some legal recourse if they choose to review 
the code (however -they- obtained it, since that's not the question here) and 
published an advisory based on their findings.




It is an incorrect argument to claim Fair Use here because IOS source was
never legally accessible to the general public.  To suggest using it, as such,
is a perversion of the spirit and intent of Fair Use Doctrine.



I don't see it as a perversion of Fair Use at all.  While we all agree that the original 
intrusion that acquired the code was illegal, unethical, and generally a Bad Thing (tm), 
using the "It's stolen!  Don't touch it!" argument to dissuade honest 
assessments doesn't help the community.

Imagine "you" (generic "you" here) are a curious auditor who stumbles onto the code 
somehow.  Published to a website, for example, where you're not "accepting stolen property" (to 
eliminate that argument).  You find a subtle but potentially massive error in the IOS code.  Say an easy to 
exploit DOS that can take down a thousand routers in five seconds.  Further, a simple (but rarely used) 
config option can protect the router.

What do you do?  As an honest security professional, you WANT to publish an alert about 
this flaw.  You want the vendor to be aware of it, you want the world's admins to be 
aware of it.  You want to "do the right thing" to protect the net's 
infrastructure.  But there's still that niggling issue of the code being copyrighted and 
stolen somewhere along the line, and leaked to the world.

Do you publish the advisory, and worry that Big Vendor will have you arrested?

Do you sit on the advisory, and hope no Kiddie finds the error you found and 
brings down the net?

Ethically and morally, "doing the right thing" means publishing the advisory - 
possibly including just enough of a code snippet to identify the offending part.

Doing the "legal and safe thing" would have meant shutting off your browser when you 
found the site, and hoping to your favorite deity that someone else decides to audit the code for 
holes.  Because you KNOW the "bad guys" are going to be doing just that.

This is one case (of too many to list) where ethics, morals, and the Law, don't 
quite align.

Cheers,
L4J


_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html