Slashdot Mirror


McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database

mask.of.sanity (1228908) writes with this excerpt from The Register: "'Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data.' Law experts say the site's copyright could be breached by individuals merely downloading the information in contravention to the site's policies, and did not require the data to be subsequently disseminated."

21 of 139 comments

  1. McAfee in trouble by jeffmeden · · Score: 4, Funny

    "McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database"

    Smash and grab? I bet he is hiding out in Ecuador.

    1. Re:McAfee in trouble by MightyYar · · Score: 2

      I think I agree. I mean, scraping data from a public-facing web page isn't exactly felony material - so long as your activities do not disrupt the service.

      On the other hand, there is a line that you can cross. Certainly, we'd all agree that brute-forcing passwords would be over the line. Making your scripts evasive to avoid countermeasures is not as blatant, but definitely is shadier than just scraping a site with no countermeasures....

      Anyway, this kind of disagreement is exactly why we have a civil court system.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:McAfee in trouble by MightyYar · · Score: 2

      I should have said "scraping data from a public-facing web page SHOULDN'T be felony material".

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:McAfee in trouble by lister+king+of+smeg · · Score: 5, Insightful

      I think to be consistent, Aaron Swartz's supporters have to take McAfee's side.

      No this is different.
      With Aaron it was scientific papers that were funded with public money then locked behind a private paywall, with none of the proceeds going back to the public. Aaron then tried to download them and give them back to the public that paid for the writing of said documentation.
      In this case McAfee is stealing info that was privately funded by another private company and keeping it for themselves.
      The situations are completely different as well as their motivation.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    4. Re:McAfee in trouble by ConfusedVorlon · · Score: 3, Insightful

      If the site is clear about its terms up front, then this seems like a serious issue.

      McAfee clearly knew they needed a licence; They asked about getting one. Presumably, they just didn't like the price.

      Plenty of software licences are the same; Free for personal use, paid for commercial use. The fact that the company does the world a favour by offering free access for some people doesn't make the commercial theft of the whole database less serious.

  2. open "sourced" database by SuperBanana · · Score: 4, Informative

    open "sourced", not "open source."

    http://osvdb.org/about

    I was confused about how someone could be charged for access to "open source" information...

    Here's the NPO, with two officers, backing it:
    http://opensecurityfoundation....

  3. Aaron Swartz was charged for scraping content. by Anonymous Coward · · Score: 3, Insightful

    This is essentially what Aaron Swartz was charged with doing... from wikipedia:

    Federal prosecutors charged him with two counts of wire fraud and 11 violations of the Computer Fraud and Abuse Act,[12] carrying a cumulative maximum penalty of $1 million in fines, 35 years in prison, asset forfeiture, restitution and supervised release.

    1. Re:Aaron Swartz was charged for scraping content. by alphatel · · Score: 2

      The big difference between Swartz and McAffee is that Swartz's motive was for what he believed to be in the public interest. McAffee's motive is for profit.

      And since step 3 is profit, we all know that it's perfectly legal. And if not, endless litigation followed by a small fine will serve!

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    2. Re:Aaron Swartz was charged for scraping content. by canajin56 · · Score: 2

      Actually, motive and intent are perhaps the most fundamental aspects of a crime. This is codified as mens rea. Each law has its own mode of culpability. The weakest is called "strict liability", which is what you're thinking of. Under strict liability, the mind of the individual does not matter. If your vehicle is going 31 in a 30 zone, you are guilty of speeding no matter your mental state. I'm no expert, but I believe in the USA you cannot face jailtime or fines over...I want to say $1000? under strict liability. In Canada I know that you cannot face jailtime under strict liability. The rest of the levels of culpability are Negligently "Should have known their actions might lead to an illegal outcome, but didn't", Recklessly "Did know their actions might lead to an illegal outcome, but took them anyway hoping they wouldn't", Knowingly "Did know their actions certainly would lead to an illegal outcome, but took them anyway", and finally Willfully "Did know their actions certainly would lead to an illegal outcome, and took those actions because of the illegal outcome".

      --
      ASCII stupid question, get a stupid ANSI
  4. My data by StripedCow · · Score: 5, Funny

    Hi, MS programmer here. I caused most of those vulnerabilities, so actually it is MY data.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  5. Re:Less malicious explanation by jeffmeden · · Score: 2

    I'm no McAfee advocate by any means, but the span of time between the initial sales consultation and the unauthorized scraping indicates that the person involved with the scraping might not have been involved with the sales process and was ignorant of the need for a PO. The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice. Of course, McAfee's size and influence holds them to a higher standard that should preclude anyone running rogue like this.

    Agreed, this is definitely a case where incompetence is more likely than malice. For fuck's sake, if it were malice they would at LEAST do it from an AWS, Azure, or [insert huge anonymizing cloud provider here] instance instead of from an IP directly registered to McAfee.

  6. Re:Don't see a problem by msauve · · Score: 3, Insightful

    They offer the info free for personal use, but expect commercial users to pay to support their efforts. McAfee knew this.

    Regardless of the legality, it was ethically wrong.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  7. OSVD isn't open source by stenvar · · Score: 2

    Based on their web site and description, "OSVD" may have started out as an "open source database", but now it seems to have morphed into something that is effectively a commercial data aggregator and vendor hiding behind a non-profit and giving out limited, free samples. In any case, whatever it is, their database clearly is not "open".

  8. Re:Don't see a problem by king+neckbeard · · Score: 3, Insightful

    This data is not illegal, and it would seem like it's probably not protected by copyright under US law, since it is most likely a collection of data lacking originality. Even if it is copyrightable, I would say it's still unethical to restrict the flow of this data moreso than other data.

    --
    This is my signature. There are many like it, but this one is mine.
  9. Re:Less malicious explanation by bill_mcgonigle · · Score: 4, Interesting

    The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice.

    I had an intern try a thing like this, ten years back or so. He was tired of the slow internet connection so he tried to scrape Wolfram's math tutorial website overnight and found the company's IP blocked in the morning. I sent a note to their admins saying I'd talked to the boy and that took care of it. It happens.

    But that talk was a "be nice" one, not a "you tried to avoid paying for a commercial product" one, which is different.

    But there's something odd about what OSVDB is saying. Here's the log snippet they show:


    161.69.163.20 - - [04/May/2014:07:22:14 -0500]
    161.69.163.20 - - [04/May/2014:07:22:16 -0500]
    161.69.163.20 - - [04/May/2014:07:22:18 -0500]
    161.69.163.20 - - [04/May/2014:07:22:20 -0500]

    Every two seconds - bad form. Your 2000 requests would have been finished over a weekend if you rate limited to once a minute, to be nice to their servers.

    But, their blog says:

    They made 2,219 requests between 06:25:24 on May 4 and 21:18:26 on May 6. Excuse us, you clearly didn't want to try our service back then.

    Which indicates an average rate of 1.7 minutes per request. There's something OSVDB isn't telling us.

    It's also odd to see, on a post from May 7, something that happened on May 4th referred to as "back then". It's sounding rather "he-said", so I expect we'll soon hear the "she-said", at least from Intel. The S21Sec guys seem to have used an aggressive scraping-tool with anti-countermeasures deployed, so it's harder to expect them to have a good retort.

    It's not even clear to me that OSVDB has any copyright claim on a database - looking at a random entry I see text that could have come from the vendor or have been written by an OSVDB staffer - it's unclear what is what. If they are writing prose, then they get copyright protection on that. If it's just aggregating data, then what it's basically down to is clickwrap license enforceability, which is very unclear.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
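The comment above contrasts a two-second burst in the quoted log snippet with the 1.7-minute average implied by "2,219 requests between 06:25:24 on May 4 and 21:18:26 on May 6", and the article mentions rapidly changing User-Agent strings. The Python below is an added example, not code from the page, from OSVDB or from any commenter: it parses Apache combined-format access log lines, reports per-client burst speed, average spacing and User-Agent churn, and shows why a detector has to look at short sliding windows rather than only totals over elapsed time. The log lines, IPs (RFC 5737 documentation addresses), paths, User-Agent strings and thresholds are all constructed for the example; the blog's two timestamps are given a -0500 offset to match the snippet, which is an assumption.

```python
"""Profile per-client request timing and User-Agent churn in Apache access logs.

Added example (not code from the page, OSVDB or the commenters). The sample log
lines are constructed: RFC 5737 documentation IPs, made-up paths and UA strings.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format; the timestamp form matches the snippet quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client bursting every 2 s while rotating its UA, then
# one request hours later; a second client reading at a human pace.
SAMPLE_LOG = """\
198.51.100.7 - - [04/May/2014:07:22:14 -0500] "GET /show/osvdb/100001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
198.51.100.7 - - [04/May/2014:07:22:16 -0500] "GET /show/osvdb/100002 HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (Macintosh) Safari/537.36"
198.51.100.7 - - [04/May/2014:07:22:18 -0500] "GET /show/osvdb/100003 HTTP/1.1" 200 5201 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/34.0"
198.51.100.7 - - [04/May/2014:07:22:20 -0500] "GET /show/osvdb/100004 HTTP/1.1" 200 5033 "-" "curl/7.35.0"
198.51.100.7 - - [04/May/2014:09:40:20 -0500] "GET /show/osvdb/100005 HTTP/1.1" 200 5101 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
203.0.113.5 - - [04/May/2014:07:30:01 -0500] "GET /show/osvdb/100001 HTTP/1.1" 200 5120 "http://osvdb.org/" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
203.0.113.5 - - [04/May/2014:07:33:45 -0500] "GET /show/osvdb/100002 HTTP/1.1" 200 4980 "http://osvdb.org/" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
"""


def parse_line(line):
    """Return a dict with ip, time (aware datetime), ua, request; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def mean_gap_minutes(n_requests, start_ts, end_ts):
    """Average spacing implied by an 'N requests between A and B' summary.

    This is the 1.7-minute figure from the thread; it says nothing about bursts.
    """
    start = datetime.strptime(start_ts, TS_FMT)
    end = datetime.strptime(end_ts, TS_FMT)
    return (end - start).total_seconds() / (n_requests - 1) / 60.0


def profile_clients(log_text, window_seconds=60):
    """Per-IP timing and User-Agent statistics.

    min_gap_s     -- shortest interval between consecutive requests (burst speed)
    mean_gap_s    -- (last - first) / (n - 1), what a totals-over-elapsed summary gives
    max_in_window -- most requests in any sliding window of window_seconds
    distinct_uas  -- number of different User-Agent strings the client presented
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    out = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        times = [r["time"] for r in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Two-pointer sliding window: j trails i so that times[i]-times[j] <= window.
        max_in_window, j = 1, 0
        for i in range(len(times)):
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1
            max_in_window = max(max_in_window, i - j + 1)
        out[ip] = {
            "requests": len(recs),
            "distinct_uas": len({r["ua"] for r in recs}),
            "min_gap_s": min(gaps) if gaps else None,
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            "max_in_window": max_in_window,
        }
    return out


def flag_scrapers(profiles, max_in_window=10, min_gap_s=5.0, max_uas=3):
    """Return {ip: [reasons]} for clients that burst faster than a reader or rotate UAs.

    Thresholds are assumptions for this example; tune them against real traffic.
    """
    flagged = {}
    for ip, p in profiles.items():
        reasons = []
        if p["max_in_window"] >= max_in_window:
            reasons.append("burst")
        if p["min_gap_s"] is not None and p["min_gap_s"] <= min_gap_s:
            reasons.append("fast")
        if p["distinct_uas"] >= max_uas:
            reasons.append("ua-rotation")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    profiles = profile_clients(SAMPLE_LOG)
    for ip, p in profiles.items():
        print(ip, p)
    print("flagged:", flag_scrapers(profiles))
    print("blog-summary mean gap (min):",
          round(mean_gap_minutes(2219, "04/May/2014:06:25:24 -0500", "06/May/2014:21:18:26 -0500"), 2))
```

Run over the constructed sample, the bursting client shows a 2-second minimum gap and four User-Agents while its mean gap is over half an hour, which is the commenter's point: the blog's 1.7-minute figure and the 2-second snippet describe the same client at different granularities, so a rate limit or block rule should key on the sliding-window count and UA churn, not on the average.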
  10. Re:Don't see a problem by msauve · · Score: 2

    TPB offers their information (torrent files, last time I looked) freely. I assume you mean the content many/most of those torrents point people to... and yes, pirating things is also unethical. Having said that, I believe that an ethical violation for commercial gain is more egregious.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  11. Re:I considered doing the same myself by GTRacer · · Score: 3

    ... Getting a little tired of this disingenuous strawman. The purpose of personal property is to belong to its owner. The purpose of clothing is to cover our bodies. Neither suggests access is explicitly or implicitly granted to third parties.

    Now, put a water fountain up at a public park with the intent (but no access control measures implemented) to limit its access and then let's talk. A publicly-available website's purpose is to disseminate information! Robots.txt is a timeworn and standard way to show your intent for access. As is having a log in page or similar. If you put up a public-facing website which conveys information relevant for public consumption, don't be surprised when the public uses it! Heaven forbid a speedreader with eidetic memory accesses pages too fast for your liking...

    Now, if you implement a page cap and someone uses tricksy browsing to bypass THAT, then I agree that that is bad form. Until then, if you put the site up and effectively say "OPEN FOR BUSINESS"...

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  12. Aaron Swartz by Mozai · · Score: 2

    Isn't this what Aaron Swartz did? Is the US Government going to "make an example" of McAfee too?

  13. Copyright or no, it's trouble by tygt · · Score: 2

    Doesn't matter if the data is free or not - if you're circumventing access restrictions, it's effectively breaking in (not like most of us haven't done it, but still).

  14. Re:Open Source My Ass by Minwee · · Score: 2

    Then why aren't the developers of Linux kernel getting paid?

    I think the question you're looking for is "Why are only 83.1% of the developers of the Linux kernel getting paid?'

  15. Re:Open Source My Ass by Minwee · · Score: 2

    The first link in the article is for The Linux Foundation, who have been publishing the same report since at least 2008, when a minimum of 70% of the contributors (including people who submitted one-line fixes) had corporate sponsorship. Even before then it is easy to see who the top contributors to Linux were -- Kernel maintainer Alan Cox was employed by Red Hat from 1999 to 2009. Ted Ts'o worked with MIT, VA Linux and IBM while he developed /dev/random and the ext2 file system. John "Mad Dog" Hall was the man responsible for making Alpha the second architecture Linux ran on while he worked with Digital. Prior to his employment with Transmeta and the Linux Foundation, Linus Torvalds was paid $20,000,000 in stock options by Red Hat and VA Linux.

    Even before the majority of kernel development was done with corporate sponsorship, it was done to further academic goals. While not every one of these people is a dot com millionaire for their work with Linux, calling it a product of slave labour is disingenuous at best.