RE: Cisco's stolen code

[Tobias Weisserth <tobias () weisserth de>]

Hi Pikett,

On Wed, 2004-05-26 at 11:27, Pikett/LKSI wrote:

> > What is true for Cisco is even more true for Microsoft. Stay the hell
> > away from code that hasn't been licensed for you.
>
> bad guys won't. they'll take their chances to find some holes in the code
> which could allow them to control your router and everybody 
> else's...

So, what does this tell us about closed source products whose code
leaked to the Internet?

It's Cisco's responsibility to look after their code and fix whatever
bug has made into their code. It's not our concern as long as we are not
allowed to look into their code.

> we can't be sure, that the few minor publicly known problems after
> the MS code leaked were all there was/is/will be. Do you trust MS or Cisco,
> that the code is all clean and secure? i don't.

True, but still you're not allowed to copy their code. The code is
off-limits no matter what.

>  To my understanding, full
> dislosure means informing the good (and some bad) guys about the existence
> of a potential security hole in our configurations.

Yes. But full-disclosure does not include breaking laws in order to get
there. That's my point.

> "Opensource" software,
> be it GPL oder leaked CSS, is the best way to get to the point withouth the
> need of coincidence/reverse engineering/blackbox testing etc.

Leaked closed source software is sill closed software. Open Source
software is defined by a license, not by the availability of code.

>  i'm thankful
> for every whitehat who analyzes the ios sources and helps to find holes
> before a blackhat does.

A whitehat wouldn't touch copyrighted code in a million years. Whitehats
stick to the law. They don't infringe copyright.

>  And it's not because i think Cisco deserves some
> free working bugfinders...hell, every multibillion $ company should be
> charged for bugs found by outsiders. 

You know what? They won't pay you for finding their bugs. They'll sue
you. And if you ever write a single line of code yourself after you have
taken a look at their code without a license, they'll claim it is theirs
because you took a look at their code and that "necessarily" means that
you have stolen from them.

> > Anybody who touches copyrighted code, be it MS or Cisco or whatever, is
> > at risk. Why should I want to put myself at risk to solve problems the
> > copyright holder of the code should solve? If I address a security flaw
> > in MS code and say a year later I decide to write something that might
> > attract the attention of MS as a competitor then I'm most certainly
> > being confronted with accusations like "you took that from our code" and
> > "you are a thief".
>
> you might be right on that one and <conspiracy> that might even be a
> motivation for some vendors to "coincidentially" leak their sources and
> later use it against competitors </conspiracy>, reminds me of the patent
> issue nightmare.

Don't underestimate this risk. The pure existence of the Lion book
causes numerous accusations against Linus Torvalds who claims that he
never has taken a look at the book.

> still, how does that interfere with the searching for
> potential security holes in more or less publicly available sourcecode for
> the sake of knowing about any weaknesses? 

The purpose does not matter here. Your intentions don't matter. You
don't have a license to do so. You're even breaking laws in many places.
And most importantly, the source code is *not* publicly available as
long as it doesn't come with a license that allows you to work with it
in a specific way.

There's no merit in finding bugs in leaked closed source. There may be a
slight short term increase in security for a specific product that has
been leaked. But the long term effects are devastating. People finding
bugs this way are at legal risk and their creativity can be blocked by
by the pure fact they have eaten from the forbidden fruit. Vendors who
find their lousy code leaking to the Internet and bugs being found by
third parties will *never* be inclined to change their development
process. They'll continue to write lousy code that is so bad they must
be embarrassed like hell when it emerges in public.

If you want to do improve security then stay the hell away from leaked
closed source code.

regards,
Tobias W.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html