Re: [Full-Disclosure] IDS (ISS) and reverse engineering
- To: "V.O." <vosipov@tpg.com.au>, <full-disclosure@lists.netsys.com>
- Subject: Re: [Full-Disclosure] IDS (ISS) and reverse engineering
- From: "Robert Graham" <full-disclosure-031126@post.robertgraham.com>
- Date: Wed, 26 Nov 2003 13:58:13 +0200
From: "V.O." <vosipov@tpg.com.au>
> Recently I've got to listen to a marketing pitch by an ISS guy. He was going
> along the lines of "our X-force reverse-engineered Microsoft RPC libraries
> and created signatures..." and "we use protocol decoding, so we
> reverse-engineered various closed-source protocols in order to create our
> decoders".
>
> What struck me - isn't this kind of activity actually illegal in the US? To
> which extent it is possible to disassemble Windows code? And if it is
> illegal, then aren't their customers (plus many other IDSes, with the
> exclusion of Snort, probably) in danger - what if Microsoft or whoever else
> sues ISS for doing this? :)
>
> I'm puzzled.
The reverse is true. Reverse-engineering is broadly legal virtually
everywhere. (The DMCA copyright-circumvention being a rare
exception).
Whereas governments don't, software license agreements do. Most
vendors have a clause banning reverse-engineering. However, such
agreements can only go so far. They do not apply to areas that are
clearly in the public interest. Vuln-research is one of those areas
(compatibility is another). For example:
17 U.S.C. § 1201(j)(1999)
...the term 'security testing' means accessing a computer, computer
system, or computer network, solely for the purpose of good faith
testing, investigating, or correcting, a security flaw or
vulnerability, with the authorization of the owner or operator of
such computer, computer system, or computer network . . . [It]
is not a violation . . . for a person to develop, produce,
distribute or employ technological means for the sole purpose of
performing the acts of security testing...
FYI: this clause is largely due to ISS lobbying of congress.
Other countries likewise have explicit clauses like this as
well.
To be more clear on the matter: I personally (on my own time)
purchased a Microsoft software license and disassembled rpcss.dll
using IDApro in order to better understand the MS03-026 vulnerability.
I state this in the clearest possible terms so that if U.S. law
enforcement or Microsoft lawyers believe they have a case, that
they can come after me.
What will really bake your noodle is the following decompiled
source of the Blaster worm:
http://www.robertgraham.com/journal/030815-blaster.c
Imagine the author of the Blaster worm suing me over this :-)
Robert Graham
Chief Scientist, ISS