McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database
mask.of.sanity (1228908) writes with this excerpt from The Register: "'Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data.' Law experts say the site's copyright could be breached by individuals merely downloading the information in contravention of the site's policies, and did not require the data to be subsequently disseminated."
Smash and grab? I bet he is hiding out in Ecuador.
Just curious. How much would it have cost them to buy the data?
If you have to pay for it, it sure as hell ain't open source.
It's not real like a car, it's digital. Everyone should have access to it for free.
McAfee did nothing different than what millions of people do every day via TPB.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
open "sourced", not "open source."
http://osvdb.org/about
I was confused about how someone could be charged for access to "open source" information...
Here's the NPO, with two officers, backing it:
http://opensecurityfoundation....
Federal prosecutors charged him with two counts of wire fraud and 11 violations of the Computer Fraud and Abuse Act, carrying a cumulative maximum penalty of $1 million in fines, 35 years in prison, asset forfeiture, restitution and supervised release.
no one was hurt and the original bits are still there
and the people running the site shouldn't have left the door wide open
I'm no McAfee advocate by any means, but the span of time between the initial sales consultation and the unauthorized scraping indicates that the person involved with the scraping might not have been involved with the sales process and was ignorant of the need for a PO. The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice. Of course, McAfee's size and influence holds them to a higher standard that should preclude anyone running rogue like this.
Gamingmuseum.com: Give your 3D accelerator a rest.
Hi, MS programmer here. I caused most of those vulnerabilities, so actually it is MY data.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
It's all fun and games until a site you know gets scraped repeatedly by an unscrupulous villain!
And exactly how do you propose the DOJ harangue McAfee to the point where it commits suicide?!
If this makes the crappy antivirus that is bundled on your parents' computer a little less crappy, can you really complain?
lose != loose
As a sidenote, OSVDB's Twitter feed surely gives a "professional image".
Based on their web site and description, "OSVD" may have started out as an "open source database", but now it seems to have morphed into something that is effectively a commercial data aggregator and vendor hiding behind a non-profit and giving out limited, free samples. In any case, whatever it is, their database clearly is not "open".
The OSVDB went pay a few years ago. They have a wealth of interesting information and used to be fully open source; however, due to lack of community involvement they decided that the open source model wasn't working for them. If the OSVDB has a problem with people scraping their site, they should really update (or in their case - create) their robots.txt. I was interested in this data myself a year or so ago until I found out they wanted me to pay a subscription to access information I can view for free on their website and screen scrape for free if I really wanted to. Furthermore, I noticed that Google has completely cached their site because they take no preventative measures against it. If anyone wanted this data, they could easily screen scrape it from the Google cache and the OSVDB would be none the wiser. Why should anyone pay for data that the OSVDB has literally done nothing to protect?
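The comment above argues that a robots.txt would have been the minimum; the summary at the top of the thread says the scraper "rapidly changed the user agent". A robots.txt only tells well-behaved crawlers what to avoid, so a site operator who wants to notice this kind of bulk download needs to look at access logs instead. The following is an added example (not code from the thread, from OSVDB or from McAfee) that parses Apache combined-format log lines and flags client IPs that present many distinct User-Agent strings within a short sliding window, which is the signature of the behaviour described. The log lines, IP addresses (TEST-NET ranges), paths, timestamps and the window and threshold values are all constructed for the example and would need tuning against real traffic.

```python
"""Flag clients that rotate User-Agent strings rapidly (added example, not
from the original page). Input is Apache "combined" log format; all sample
data below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), request and ua, or None
    for a line that does not match the combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "req": m["req"], "ua": m["ua"]}


def find_ua_rotators(lines, window_seconds=60, min_distinct_ua=5):
    """Return {ip: max distinct user agents seen within any window_seconds
    span} for every ip whose maximum reaches min_distinct_ua.

    Lines are expected in chronological order per client, as a log file is.
    A sliding deque per ip holds (timestamp, user_agent) pairs inside the
    window; the distinct-UA count of that deque is evaluated on each hit."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        dq = windows[rec["ip"]]
        dq.append((rec["ts"], rec["ua"]))
        # Drop hits that fell out of the window relative to the newest hit.
        while dq and (rec["ts"] - dq[0][0]).total_seconds() > window_seconds:
            dq.popleft()
        distinct = len({ua for _, ua in dq})
        if distinct > peak[rec["ip"]]:
            peak[rec["ip"]] = distinct
    return {ip: n for ip, n in peak.items() if n >= min_distinct_ua}


# Constructed sample log: one client (203.0.113.7) cycles through six user
# agents in seven seconds; another (198.51.100.9) keeps one agent; the last
# line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:12:00:01 +0000] "GET /db/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [10/Mar/2014:12:00:02 +0000] "GET /db/2 HTTP/1.1" 200 498 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [10/Mar/2014:12:00:03 +0000] "GET /db/3 HTTP/1.1" 200 501 "-" "curl/7.30.0"
203.0.113.7 - - [10/Mar/2014:12:00:04 +0000] "GET /db/4 HTTP/1.1" 200 530 "-" "Wget/1.14"
203.0.113.7 - - [10/Mar/2014:12:00:05 +0000] "GET /db/5 HTTP/1.1" 200 520 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2014:12:00:06 +0000] "GET /db/6 HTTP/1.1" 200 515 "-" "Opera/9.80"
203.0.113.7 - - [10/Mar/2014:12:00:07 +0000] "GET /db/7 HTTP/1.1" 200 509 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [10/Mar/2014:12:00:01 +0000] "GET /db/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [10/Mar/2014:12:00:30 +0000] "GET /db/2 HTTP/1.1" 200 498 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [10/Mar/2014:12:05:00 +0000] "GET /db/3 HTTP/1.1" 200 501 "-" "Mozilla/5.0 (Windows NT 6.1)"
this line is not a valid combined-format log entry
"""


def demo():
    """Run the detector over the constructed sample with default settings."""
    return find_ua_rotators(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, n in demo().items():
        print(f"{ip}: {n} distinct user agents within 60s")
```

The threshold matters: a single human behind a NAT can legitimately show two or three user agents (browser plus a mobile app), so the example requires five within a minute before it reports anything, and a shorter window makes the same client look benign. Counting distinct agents per client, rather than requests per agent, is the point: per-agent rate limits are exactly what agent rotation is meant to slip under.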
Considering McAfee has long since made the jump from antivirus to fully blown virus/malware, what were they expecting?
Make a man a fire and he will be warm for a day, set a man on fire and he will be warm for the rest of his life
Not all data is protected by copyright. If someone makes data available on a website that is not protected by copyright, then it's perfectly legal to scrape it. (At least by U.S. law.) The posting of a license on a website makes no difference where there are no copyrights in the material copied. By posting web pages and data in a location available to the public, the website granted an "implied license" to copy the pages and data.
Copyrights attach to "works of authorship". A database can be such a work, but simple data in a database probably isn't. If the scraping engine looked up the unprotected data in the database without copying substantial parts thereof (as seems to be the case from the article), then no copyrights were infringed.
So I'd have to ask the question: what did McAfee scrape, and was it a "work of authorship"? If all they got was the fingerprints, filenames and names of viruses/vulnerabilities, then I'd have to say "no".
This will be one of the times that I shout "hurrah" for McAfee!
This is the company run by a murdering drug addict who has spent his fortunes and a chunk of his life in search of the ultimate high, while constantly running afoul of the law.
He is a man completely devoid of morality. Is there any real expectation that his company will abide by the law too?
I've been using linux since 1998. I don't need a lecture on open source licensing.
Charging for access to data is fundamentally incompatible with claiming it's "open source" by many people's definitions.
Isn't this what Aaron Swartz did? Is the US Government going to "make an example" of McAfee too?
Doesn't matter if the data is free or not - if you're circumventing access restrictions, it's effectively breaking in (not like most of us haven't done it, but still).
Wait, wha.. OH! For a second I thought this was another zany article about John.
THIS SPACE INTENTIONALLY LEFT BLANK.
There is no copyright in facts, which is why the Register article says there is a "debate" about copyright protection in databases. If a database is nothing more than a collection of facts, it won't be eligible for copyright protection. (It might be eligible for a database protection right in Europe, though)
That said, databases can be copyrighted if they contain original creative content, or if the selection and arrangement of the facts is original and creative. The article hints at a sweat of the brow justification, which would not work - just because you spend a lot of time compiling facts doesn't mean you get copyright in them (well, at least not in the U.S.). But the threshold for originality and creativity is pretty low, so if OSVDB does any editing or categorization or summarizing of reports, that might be enough to get them copyright in the database.
From a purely legal perspective, Swartz's intentions would probably be considered "worse." He mass-downloaded a bunch of articles from JSTOR (and no, I doubt all of them or even most of them were funded with public money), although he arguably had the right to do so. From what I understand, his intention was to release the articles to the public, but he never got that far. Had he done so, that would certainly have been a massive copyright violation, and there would have been multiple suits from multiple publishers (meanwhile, I'd imagine most of the authors of the articles wouldn't care, since they rarely if ever receive royalties for those articles, and often have to pay fees to have them published).
Whereas McAfee scrapes data from a publicly-accessible database that may or may not be protected by copyright. OSVDB will first have to prove they have a valid copyright in order to claim infringement. Maybe they'll fall back on this argument that even if not copyrighted, the data was licensed, but it's hard to throw up uncopyrighted data on a public web page and claim that there is some kind of binding license on everyone who accesses it. When uncopyrightable databases are licensed, that will usually involve signing a contract.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
OSVDB is notorious for scraping NVD (NIST National Vulnerability Database) and both follow CVE and CCE standards that are maintained by Mitre. Both OSVDB and NVD are public vulnerability databases maintained by outside submissions. NVD/OSVDB do not conduct any kind of vulnerability discovery activity.
I don't see how OSVDB can claim any rights to this data. They certainly didn't produce it. Thankfully, if they're stupid enough to claim it, NIST will quickly put them in their place.
At least in North America facts (which is what SV data is) are not considered to be copyrightable. (In Europe I believe there is some protection for databases) This might be a ToS violation but I think most Slashdot'ers would agree those are questionable and that public websites should not have different protection from the phonebook delivered to your door. (Which Yellowpages has previously complained about Google and others "copying")
As someone who looks at SV data regularly and has previously pointed things out to OSVDB maintainers, I would also point out that the majority of the OSVDB database is simply a clone of CVE, thus in reality isn't even "theirs".
> From what I understand, his intention was to release the articles to the public, but he never got that far.
As far as I know, there is no evidence for this, except circumstantial (feel free to reply with supporting evidence). You could very well be correct, or he could have had a more nuanced plan, like only releasing the public domain stuff first, or threatening to do so, and somehow hoping to leverage that to achieve other goals (like, for example, the subsequent JSTOR relaxed access policy which enables private individuals to access 3 papers for free every two weeks), but now we will never know.
How is Swartz worse? He may have intended to commit massive copyright violations, but he DID not. And he had rights to this information per JSTOR's own terms of service. He was going to be prosecuted for 50 years to life for a thought crime. If thought crime is worse than actual crime, that is a big problem.
OSVDB says there is a debate about whether this information is copyrightable, but they aren't pursuing that angle.
If McAfee workers read these documents to improve software that they are developing, then that's a commercial use and it violates the terms under which the information was provided.
Your analogies left something out. From hilather's comment:
They're on the public Internet and not using the #1 over-a-decade-established standard-AND-common-sense method of communicating their exceptional desire to be treated as though they aren't offering their information on the public Internet. Ergo, your analogies should include a billboard out in front of the house, which says "come on in and do what you will," signed by the owner of the house, who greets people as they walk in and makes an inviting gesture.
And the front of the woman's shirt should say in big letters "yes, you may grab my boobs," and every time someone looks at her and makes eye contact, she smiles warmly and says "Yes, really," and pulls open the sideboob shirt revealing the nipple and says, "Touch it. Touch me. Please. [lower] Please." And then when you touch her, she sighs and starts breathing heavily, and after a few seconds she starts pawing at the bulge in the front of your pants, and grins with a strange expression, somewhere in between mischief and hunger. (Oh, "lust," that's what the expression is called. Right.) She kisses you slowly and passionately, and says "Let's go to my place. It's the loft right upstairs from this bar that we're standing in, that you probably didn't even know you were in, at the beginning of this computer analogy." You ask, "Really, you wanna go upstairs?" and she says "really" and moves your boob hand to her crotch, where you feel the wetness. But then she adds, "My roommate, who is on the Swedish Bikini Team, is bi and sometimes doesn't respect our quaint American boundaries, so if she joins in, just try to be cool, ok?" She says, "Hmmm. We'll be thirsty after the first couple of rounds. BARTENDER! Fill my growler with the barleywine. No, the ten year old one." Hours later, when you're exhausted yet cannot sleep, you talk. And instead of talking about stupid chick shit, she wants to talk about AMD-vs-Intel, Emacs-vs-Vi, Windows-vs-Linux-MacOS and amazingly, before even hearing your opinions, hers happen to be on your side, in each of the stupid debates. The conversation moves on to Monty Python, but then just to keep you on your toes, she throws in a Fawlty Towers reference and you both laugh joyously and realize that maybe you're not so tired yet. And that's when the roommate gets home, slightly annoyed at being stood up by her date, but mostly just horny and unfulfilled.
She says something about a "moose" but I can't do it justice because Slashdot still doesn't do utf-8 yet. As the girls take turns on you, the one whose mouth isn't full says derogatory things about something called "beta" and Slashdot's priorities.
I think I got a little off track with the second analogy there, but my wife's been out of town all week so just let it slide, ok? And it really did start out accurate and fair. Oh, but the server that acts like the woman in the second analogy, no -- just like OSVDB's server, it would not have a robots.txt either. It would have a fuckme.txt or something like that.
This brings up an interesting conundrum about copyright... So, if I scrape TRW (Sorry, Experian)'s website and it's only to download information about MYSELF, who's got the copyright on that? Experian is supposed to provide the information for free to me anyhow, on request, so, can I be charged with a crime for taking it without asking?
And let's talk about all the other thousands of companies (Facebook, Google, United Healthcare, BlueCross, Amazon, Slashdot, yadda yadda yadda) that collect and resell information about me. Who owns that information about me? And isn't it sad that I can't get to all that information about me? In fact, I seem to spend most of my time now making sure that what information about me is out there is wildly inaccurate, and if it's something I made up in a web form, then it should be copyright ME, no???
If telephones are outlawed, then only outlaws will have telephones.
APK once again misses
The obvious--that is,
The barn-sized difference
Between libre and gratis
BURMA SHAVE
cat
It's entirely possible to write "møøse" or even "mööse" in a Slashdot comment.
BTW, Swedish uses "ö"--it's Danish and Norwegian that use "ø".
Nice to point that out, but couldn't you have done it .. [Zapp Brannigan voice] more sexily? [/Zapp]
It wouldn't even have to be lame, like her exclaiming "You're hung like a mööse." It could be "She invites you to take her like a rampant møøse" or something like that.
But that aside, thanks for the character set correction.
Yeah, I also read something suggesting he wanted to do some text mining on the articles to find bias in corporate funded research. I think it was the prosecution pushing the idea that he wanted to release the articles, based on quotes from the Guerilla Open Access Manifesto, etc.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Well, he was going to be prosecuted primarily for violations of the CFAA, not copyright infringement.
Anyway, the point I was trying to make is that I'm not convinced that OSVDB has any exclusive right to the information, period. If they don't have any exclusive right to it, then they can try and "license" it all they want, but it doesn't matter. You don't get to just throw up a bunch of factual, non-copyrighted (and non-copyrightable) information on a public web page, then claim that anyone who doesn't comply with your "license" is doing something illegal... because they're facts. If you want to play that game, you'd better get your audience to sign a contract. There's no trade secrecy here, either, because the information is public.
Maybe OSVDB has some claim for unfair competition under state misappropriation laws, similar to the "hot news" doctrine. But their case would be much more convincing if they had a copyright claim, which even they don't seem convinced about.
Actually, given the way the CFAA is written (and abused), maybe that would cover the situation.
Of course McAfee is probably being a bad citizen here - I assume the point of the license, whether enforceable or not, is to try to defray the costs of establishing and maintaining the database. But simply being a bad citizen isn't necessarily illegal.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Yeah, I see what you mean. CFAA is overly broad. Any "scary stuff with computer".
Proof = http://slashdot.org/comments.p... apk caught him in the act red-handed admittedly using sockpuppets. What a scumbag Zontar is.