Nmap Development mailing list archives

Re: [NSE script] vhosts on the same ip : copyright issues


From: jah <jah () zadkiel plus com>
Date: Tue, 26 Aug 2008 02:58:10 +0100

On 26/08/2008 02:30, eldraco wrote:
> hi all,
>
> I think this is really useful, but I think there also may be a problem here.
>
> The site search.live.com is covered by the ugly "Microsoft Service Agreement"
> you can find here:
> http://help.live.com/help.aspx?project=tou&market=en-us
>
> It says things like this:
> --------------------------
> 4. How You May Not Use the Service.
>
> In using the service, you may not:
>
>     * engage in, facilitate or further unlawful conduct;

I don't really think there's anything unlawful about the script's purpose
nor the use of it.  If Microsoft provide the service then they can't
really argue that its use is unlawful, or can they?
In my opinion there are some quite legitimate use cases and not many
evil ones.

>     * use any automated process or service to access and/or use the service
> (such as a BOT, a spider, periodic caching of information stored by
> Microsoft, or "meta-searching");

I can see how a script could be viewed as an automated process or at
least semi-automatic.  But then you could argue that it's no more
automatic than a web browser.

> ---------------------------
>
> This could give rise to really bad effects in nmap, especially if this script came
> by default.
>
> for example we can think of:
> 1- nmap can be potentially banned as an automated software in these search
> engines

Yes, this concerns me too, but with some HTTP headers we could make that
difficult to detect.

> 2- our ips can be banned perhaps

I don't think that's very likely.  Kind of cutting off their nose to
spite their face.

> 3- more important: there are linux distributions out there like Debian that
> can not include software that has problems with a copyright issue.

I don't think that copyright comes into it.  The script isn't copying
the service, it's merely utilising it.  We could do attribution:
"Results provided by Microsoft Live Search:" :)

> This is true also with google and the like.
>
> Can we find a way to do this and not to break any copyright?

Maybe we should approach google, I bet they'd be happy to provide this
type of functionality to Nmap!
Again, such a script might be in breach of a service agreement, but I
don't think it's a copyright issue.  Maybe we should contact Redmond to
clarify.

There are measures we could take to limit the situations in which the
script would run.  For example, it's quite an expensive transaction in
terms of time and it's not likely to be useful for non-http servers so
we could limit it to targets on which it's been determined that http is
running and then only when the discovery category is called, or the
script explicitly called or when "all" scripts are called.

jah


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

