Full Disclosure mailing list archives
RE: Cisco's stolen code
From: Tobias Weisserth <tobias () weisserth de>
Date: Wed, 26 May 2004 14:44:54 +0200
Hi Pikett,

On Wed, 2004-05-26 at 11:27, Pikett/LKSI wrote:

> > What is true for Cisco is even more true for Microsoft. Stay the hell away from code that hasn't been licensed for you.
>
> bad guys won't. they'll take their chances to find some holes in the code which could allow them to control your router and everybody else's...

So, what does this tell us about closed source products whose code leaked to the Internet? It's Cisco's responsibility to look after their code and fix whatever bug has made it into their code. It's not our concern as long as we are not allowed to look into their code.

> we can't be sure that the few minor publicly known problems after the MS code leaked were all there was/is/will be. Do you trust MS or Cisco that the code is all clean and secure? i don't.

True, but still you're not allowed to copy their code. The code is off-limits no matter what.

> To my understanding, full disclosure means informing the good (and some bad) guys about the existence of a potential security hole in our configurations.

Yes. But full-disclosure does not include breaking laws in order to get there. That's my point.

> "Opensource" software, be it GPL or leaked CSS, is the best way to get to the point without the need of coincidence/reverse engineering/blackbox testing etc.

Leaked closed source software is still closed software. Open Source software is defined by a license, not by the availability of code.

> i'm thankful for every whitehat who analyzes the IOS sources and helps to find holes before a blackhat does.

A whitehat wouldn't touch copyrighted code in a million years. Whitehats stick to the law. They don't infringe copyright.

> And it's not because i think Cisco deserves some free working bugfinders... hell, every multibillion $ company should be charged for bugs found by outsiders.

You know what? They won't pay you for finding their bugs. They'll sue you. And if you ever write a single line of code yourself after you have taken a look at their code without a license, they'll claim it is theirs because you took a look at their code and that "necessarily" means that you have stolen from them.

> > Anybody who touches copyrighted code, be it MS or Cisco or whatever, is at risk. Why should I want to put myself at risk to solve problems the copyright holder of the code should solve? If I address a security flaw in MS code and say a year later I decide to write something that might attract the attention of MS as a competitor, then I'm most certainly going to be confronted with accusations like "you took that from our code" and "you are a thief".
>
> you might be right on that one and <conspiracy> that might even be a motivation for some vendors to "coincidentally" leak their sources and later use it against competitors </conspiracy>, reminds me of the patent issue nightmare.

Don't underestimate this risk. The pure existence of the Lion book causes numerous accusations against Linus Torvalds, who claims that he has never taken a look at the book.

> still, how does that interfere with the searching for potential security holes in more or less publicly available source code for the sake of knowing about any weaknesses?

The purpose does not matter here. Your intentions don't matter. You don't have a license to do so. You're even breaking laws in many places. And most importantly, the source code is *not* publicly available as long as it doesn't come with a license that allows you to work with it in a specific way.

There's no merit in finding bugs in leaked closed source. There may be a slight short term increase in security for a specific product that has been leaked. But the long term effects are devastating. People finding bugs this way are at legal risk and their creativity can be blocked by the pure fact they have eaten from the forbidden fruit. Vendors who find their lousy code leaking to the Internet and bugs being found by third parties will *never* be inclined to change their development process. They'll continue to write lousy code that is so bad they must be embarrassed like hell when it emerges in public.

If you want to improve security then stay the hell away from leaked closed source code.

regards,
Tobias W.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html