From: Rob Shein (shoten@starpower.net)
Date: Thu May 06 2004 - 11:06:52 EDT
You're making another error with respect to copyright law. "Might" isn't
really an option; the license must state clearly what is restricted. If the
code (source or binary form) is all they say is covered, then that's all
that is covered. Any incidental commonality between the code and the output
of the code is irrelevant. The law doesn't acknowledge indirect definition
in the casual fashion you describe here; if it did, the potential for abuse
and conflicting claims to IP would be enormous. And anything in the reports
that referred to the nature of the vulnerability or exploit itself would be
quite hard to claim as proprietary information in the first place, seeing as
how it originates in the public domain.
The fact is, people use these tools, and their reports, in their work. They
charge for the work, and provide (hopefully with other things that add
value) the output. The entities behind these tools know this, and are fine
with it; they even promote it. That should tell you about their motives and
the purpose of the end-user agreements.
> -----Original Message-----
> From: Javier Fernandez-Sanguino [mailto:jfernandez@germinus.com]
> Sent: Thursday, May 06, 2004 4:32 AM
> To: Rob Shein
> Cc: 'Igor Filippov'; pen-test@securityfocus.com
> Subject: Re: MBSA scanner
>
>
> Rob Shein wrote:
>
> > I think you're confusing code with output. The licenses
> you cite with
> > regard to both SARA and MBSA have restrictions upon
> redistribution of
> > the product, not the output of the product.
>
> I'm confusing them because output might _include_ significant
> information that is in the code. The license covers both the software
> and the reports they generate, it does not explicitly exclude the
> later (so under copyright laws it _is_ included).
>
> Again, notice that the output of the product is based on (sometimes
> lengthy) information that is included in the code of the product. So,
> all the suggestions on how to fix a vulnerability that a report might
> include are like a "knowledge base" of sorts, which is copyrighted.
> This includes also detailed information on a vulnerabilities (what
> does it do, how does it affect a system). Without the original
> author's permission you can't translate that at will, you cannot
> provide that report as a commercial offering (inside a report or
> standalone) and you cannot (taking it to the extreme) include the
> information from that report into your new brand vulnerability
> assesment tool with different code to assess the vulnerabilities but
> similar output.
>
> Notice that, if that was permitted under copyright law, there
> would be
> nothing preventing Nessus, Internet Scanner, Cybercop, Retina,
> you_name_it from using the same vulnerability database. If you
> consider the output in the public domain you could run a test against
> a host that turns out vulnerable to everything that is in the
> database
> (maybe faking the answers) and then copy the information from the
> report to your propietary or free vulnerability assesment system.
> That's obviously illegal.
>
> > With regard to SAINT, however, you
> > may have a point.
> >
> > Nessus is another example; the GPL has the same restrictions on
> > distribution in either binary or source code format for money, but
> > it's very clear that using Nessus in the course of one's work and
> > including its output in the deliverable is entirely
> acceptable within
> > the license terms.
>
> That's because Reanud, as well as other Nessus developers (me
> included) wanted to make a distinction in that side. Notice that the
> output of Nessus is still copyrighted (it's part of the NASL script)
> and you cannot do whatever you like (such as including it in a closed
> source scanner)
>
> Please read the thread in the Nessus plugins writers that
> started at http://list.nessus.org/plugins-writers/0312/1001.html
>
>
> And also read the GPL FAQ:
> "In what cases is the output of a GPL program covered by the GPL too?"
> (http://www.gnu.org/licenses/gpl-faq.html#TOCWhatCaseIsOutputGPL)
> and
> "Is there some way that I can GPL the output people get from
> use of my
> program? For example, if my program is used to develop hardware
> designs, can I require that these designs must be free?"
> (http://www.gnu.org/licenses/gpl-faq.html#TOCGPLOutput)
>
>
> Regards
>
> Javier
>
>
> --------------------------------------------------------------
> ----------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and
> get $545 off any course! All of our class sizes are
> guaranteed to be 10 students or less to facilitate one-on-one
> interaction with one of our expert instructors. Attend a
> course taught by an expert instructor with years of
> in-the-field pen testing experience in our state of the art
> hacking lab. Master the skills of an Ethical Hacker to better
> assess the security of your organization. Visit us at:
> http://www.infosecinstitute.com/courses/ethica> l_hacking_training.html
> --------------------------------------------------------------
> -----------------
>
>
>
>
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:53 EDT