Slashdot Mirror

← Back to Stories (view on slashdot.org)

Including Source for a Potential Hacking Tool?

Posted by Cliff on from the exploits-in-the-wild dept.

rajinder asks: "What are the experiences of Slashdot folk when it comes to including the source code of a security tool in their final year dissertation? I have a project in mind that I want to submit that can be used by admins to evaluate the security of their wireless network(s), but it could just as easily be used for their nefarious purposes. Before I submit the idea, I wanted to see if anyone knew of potential hurdles I would have to face. Anybody ever done something similar? The official rules about what is allowed is available in this PDF [or the HTML version], but I don't see anything relevant to my dilemma (the relevant section is 2.4, page 9) UK university-system specific info would be appreciated, but I plan on carrying on my education in the US, so info from either side of the pond would be good. Does anyone know if I would be able to GPL the code afterwards and put it out there? Would it remain property of the University or the student that wrote it?"

20 comments

  1. Academic policy by Anonymous Coward · · Score: 1, Insightful

    final year dissertation

    Doesn't the policy say you're required to include it? Whatever you develop as part of your academic project has to fall within public domain into the university library.

    I would include all the source in the printed copy as Appendix and then distribute the online copy without the Appendix.

    1. Re:Academic policy by evalhalla · · Score: 2, Informative

      Unless specified by your university the final year dissertation is your own, or at most it can be your and your advisor's, or similar things. You're required to give a (certain number of) copy(es) to your university library, and they will let the public see it, but that's not public domain.

      Of course different universities have different policies, so you may end up with stricter conditions, here the rule is to ask local competent people (if reading the official rules doesn't help).

  2. GPL issue by tomcio.s · · Score: 3, Informative

    For that you have to contact your undergrad advisor.
    For me it was possible to GPL the code.

    Some profs however like to keep it.
    Some universities have different rules as to this sort of thing.

    Sometimes you can get away with a simple NDA in the Document.

    I would ask you specific registrar/school office about the detailed rules that you have to abide by.

    1. Re:GPL issue by clifyt · · Score: 1

      Good plan -- always ask before you put it out there. If you don't like he decision, program something else.

      I had an employee interning with me a few years in her final year of graduate school. She asked if I wouldn't mind if she used the project we were working on as her thesis project. I paid her for the work, gave her guidance and showed her code not related to what she was working on so I wouldn't interfere with her schooling. In return, the cocksucker that was her advisor took the work and tried selling it to the same target audience we were competing again -- but claimed it was HIS work and that she did very little. He even claimed it was his idea -- even though I had versions 1 - 3 in actual use and this was a rewrite based on that source code (honestly, he COULD have claimed this because 1&2 were already GPL'd by the time V4.0 -- her version -- came out -- we always release old code back into the wild when we are finished with it).

      The school decided during arbitration that they should get the use of it, but that it wasn't to be sold...they even tried to sneak in a 'We Get 50% of The Profits', but our lawyer caught that -- sad part is, my department is actually a part of the university -- just funded from outside and generally funded through items like this.

      Make sure you get in writing what is yours and what isn't. As the parent says -- contact your advisor -- no one here knows the policies of your particular school.

  3. concern by Anonymous Coward · · Score: 2, Interesting

    Are your concerns about ethics or liability?

    1. Re:concern by Anonymous Coward · · Score: 0

      Are your concerns about ethics or liability?

      sounds like he's after both to me.

  4. Author vs Publish by MountainLogic · · Score: 3, Insightful
    An import question to ask the IAAL types is:

    Is there a differance between authoring (and submitting) vs. publishing (as in what the Uni. dept. will do)?

  5. Basically, by kyz · · Score: 3, Interesting

    You HAVE to submit all your project source code with your dissertation. I even had to print mine out. Those are the rules.

    Once you submit the dissertation, it is the University's property, their copyright. They get your code, you get a degree. Trust me, you'll write a lot of code in your lifetime, you're getting the far better end of the bargain. Some poxy code for a ticket to the good life. Jobs that need degrees just to apply pay a LOT more than jobs that let anyone in.

    If you really want to GPL your work, talk with your project supervisor BEFORE you do anything rash. Check that the university doesn't want to take the code further and develop it, or market it, or such. Then they might GPL it themselves (as they now own it), or they might allow you to create a GPL work-alike of the code you just gave to them without setting the attack lawyers on you.

    --
    Does my bum look big in this?
    1. Re:Basically, by AvitarX · · Score: 1

      Why can't you giv it to them to do as they pease, and GPL it. If it not theres until it is submitted I don't see why you couldn't.

      Unless they specify that noone else is allowed to have had access to the code before they see it.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:Basically, by Anonymous Coward · · Score: 0
      Once you submit the dissertation, it is the University's property, their copyright.

      Bollocks. If they don't make you sign a copyright transfer document, then it's still yours. Some unis tried putting this as a clause in the regulations that all students sign on entry, but my uni never did because their lawyers told them it would never stand up in court unless they made it explicit.

      Hell, I know university lecturers who take the code they are paid to develop at work and sell it privately. They advertise this on their university homepages, and the uni does nothing to discourage it. (I wouldn't do a project with one of them, they tend to try to claim their students code as their own too. In fact it was that which prompted me to research this issue in the first place.)

      Of course, postgraduate work is quite different. They do sometimes ask for copyright to that.

    3. Re:Basically, by Anonymous+Brave+Guy · · Score: 1
      Bollocks. If they don't make you sign a copyright transfer document, then it's still yours.

      And the rules for submitting your project, diploma dissertation, masters thesis or whatever at many UK universities include just such a declaration. The rules are quite clear on this from the start, or at least were where I studied. That's the deal; take it or leave it.

      Of course, postgraduate work is quite different. They do sometimes ask for copyright to that.

      On the contrary; you typically have rather more control over postgrad work. Obviously you'll be required to give them a copy of, say, a PhD thesis, and some relevant rights to have it in libraries etc. Many people from my university have gone on to set up successful businesses based on the research they did during their PhDs, completely independent of the university, though.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:Basically, by Anonymous Coward · · Score: 0
      And the rules for submitting your project, diploma dissertation, masters thesis or whatever at many UK universities include just such a declaration.

      I have never encountered one. You well could be right, but I have my doubts, because myself and any other student with any sense would never choose to attend an institution that tried to pull a stunt like that.

      On the contrary; you typically have rather more control over postgrad work.

      Are you sure you are in Computer Science? Postgrad work is usually part of an existing research project, i.e. your work is a 'derived work' from what the university has already done, so you don't have complete copyright control over it in the first place.

    5. Re:Basically, by Anonymous+Brave+Guy · · Score: 1
      You well could be right, but I have my doubts, because myself and any other student with any sense would never choose to attend an institution that tried to pull a stunt like that.

      Beggars can't be choosers. Most of the top universities I know about in the UK seem to have this sort of policy, and while a serious PhD student might just register on their scale as someone worth negotiating with, an undergrad barely pays the rent.

      I'll try to find a copy of the rules for submitting my diploma dissertation and check the details, but I'm pretty sure they included a fairly generic rights transfer; I did check at the time.

      Are you sure you are in Computer Science?

      University of Cambridge Computer Lab, albeit a few years ago.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  6. Repeat After Me by 4of12 · · Score: 4, Insightful

    You are not responsible for what other people chose to do.

    (The number of people leading screwed-up lives or screwing up other peoples' lives, because they don't understand that principle, is vast.)

    That said, there's no reason to leave your tool in ready-made form for nefarious attack that any script kiddie to download and run.

    Since you're producing a professional work, publishing the code in the text of your thesis pretty much guarantees the only people that will get a hold of it will be intelligent and perserving people with an interest in what you've contributed.

    While it's not absolutely foolproof, the set of people who are both intelligent and persevering have better than average ethics, IMHO.

    Exactly the same principles apply to other non-IT information (chemistry, biology, nuclear physics) which can potentially be used for evil purposes.

    The solution is not to try and stuff the genie back into the bottle, but to try to find ways of generating fewer new nefarious people.

    --
    "Provided by the management for your protection."
    1. Re:Repeat After Me by penguinboy · · Score: 1

      Since you're producing a professional work, publishing the code in the text of your thesis pretty much guarantees the only people that will get a hold of it will be intelligent and perserving people with an interest in what you've contributed.

      No, all you need is one slightly unethical person to come across it and repackage it for l33t h4x0r use.

  7. Tools by Goo.cc · · Score: 1

    I think that your problem is that you are assigning good/evil values to a tool which is neither. Like any tool, it can be used for both.

  8. Advice from an academic security researcher by digitaltraveller · · Score: 3, Informative

    A few things:
    1) Unless you sign an IP agreement (usually for an industry funded research project) you can GPL it.
    2) The dirty little secret the mainstream security industry doesn't want you to know is that all the useful & good tools security tools are open source. In general, you risk losing credibility among your peers if your software is NOT open source.
    3) If your project has to do with wireless (in)security it's likely not going to be very novel. Just about all the wireless encryption standards (GSM A/51, W/TLS, WEP) are all broken with implementations to verify this.
    4) Security researchers long ago realised that full disclosure is the only way to fix security vulnerabilities. Besides as another poster pointed out kiddiez will not understand your paper, only serious security researchers. And in general, they probably already know whatever it is your paper is going to be about.

    1. Re:Advice from an academic security researcher by maharito · · Score: 1

      Unless you sign an IP agreement...

      Chances are that by enrolling at a university, you've already engaged yourself in some type of IP agreement. You should check with the particular university that you attend / plan to attend for the specifics of any IP agreements that enrolling has made you subject to.

  9. last post winner by muirhead · · Score: 1

    Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins,

  10. very last post by Ruby+last+post · · Score: 1

    Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins,

    --
    Ruby Sleeps