Full Disclosure mailing list archives

Re: Re: Cisco's stolen code


From: Mister Coffee <live4java () stormcenter net>
Date: Wed, 26 May 2004 07:32:13 -0700

Excellent arguments. Let me restate. The spirit & intent of Fair Use 
Doctrine applies to materials that are publicly accessible. In college
I did not have to mark up the expensive music scores I bought as I could
make copies and not violate the copyright. I could photocopy scores from the 
library to study. Fair Use is intended to make sure copyright does
not unduly restrict the use of materials with copyright in an academic or
educational context. A teacher may photocopy parts of a work to hand out 
in a lecture. Fair Use has nothing to do with penetrating Cisco's networks 
and copying the source to 12.3 IOS and later distribution. Fair Use Doctrine 
is about academic freedom, not commercial proprietary IP which only approved 
persons may possess. Fair Use keeps information and materials that were already 
very accessible the same. 

Well said, but I don't believe the argument here (about whitehats staying away from the code) involves the actual 
penetration of Cisco's network and the illegal acquisition of the code.  The question was whether the concept of Fair 
Use gave a security professional some legal recourse if they choose to review the code (however -they- obtained it, 
since that's not the question here) and published an advisory based on their findings.


It is an incorrect argument to claim Fair Use here because IOS source was
never legally accessible to the general public.  To suggest using it, as such,
is a perversion of the spirit and intent of Fair Use Doctrine.

I don't see it as a perversion of Fair Use at all.  While we all agree that the original intrusion that acquired the 
code was illegal, unethical, and generally a Bad Thing (tm), using the "It's stolen!  Don't touch it!" argument to 
dissuade honest assessments doesn't help the community.

Imagine "you" (generic "you" here) are a curious auditor who stumbles onto the code somehow.  Published to a website, 
for example, where you're not "accepting stolen property" (to eliminate that argument).  You find a subtle but 
potentially massive error in the IOS code.  Say an easy to exploit DOS that can take down a thousand routers in five 
seconds.  Further, a simple (but rarely used) config option can protect the router.

What do you do?  As an honest security professional, you WANT to publish an alert about this flaw.  You want the vendor 
to be aware of it, you want the world's admins to be aware of it.  You want to "do the right thing" to protect the 
net's infrastructure.  But there's still that niggling issue of the code being copyrighted and stolen somewhere along 
the line, and leaked to the world.

Do you publish the advisory, and worry that Big Vendor will have you arrested?

Do you sit on the advisory, and hope no Kiddie finds the error you found and brings down the net?

Ethically and morally, "doing the right thing" means publishing the advisory - possibly including just enough of a code 
snippet to identify the offending part.

Doing the "legal and safe thing" would have meant shutting off your browser when you found the site, and hoping to your 
favorite deity that someone else decides to audit the code for holes.  Because you KNOW the "bad guys" are going to be 
doing just that.

This is one case (of too many to list) where ethics, morals, and the Law, don't quite align.

Cheers,
L4J


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html