Slashdot Mirror


McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database

mask.of.sanity (1228908) writes with this excerpt from The Register: "'Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data.' Law experts say the site's copyright could be breached by individuals merely downloading the information in contravention to the site's policies, and did not require the data to be subsequently disseminated."

10 of 139 comments

  1. McAfee in trouble by jeffmeden · · Score: 4, Funny

    "McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database"

    Smash and grab? I bet he is hiding out in Ecuador.

    1. Re:McAfee in trouble by lister+king+of+smeg · · Score: 5, Insightful

      I think to be consistent, Aaron Swartz's supporters have to take McAfee's side.

      No this is different.
      With Aaron it was scientific papers that were funded with public money then locked behind a private paywall and none of the proceeds going back to the public; Aaron then tried to download them and give them back to the public that paid for the writing of said documentation.
      In this case it is McAfee stealing info that was privately funded by another private company and keeping it for themselves.
      The situations are completely different as well as their motivation.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    2. Re:McAfee in trouble by ConfusedVorlon · · Score: 3, Insightful

      If the site is clear about its terms up front, then this seems like a serious issue.

      McAfee clearly knew they needed a licence; They asked about getting one. Presumably, they just didn't like the price.

      Plenty of software licences are the same; Free for personal use, paid for commercial use. The fact that the company does the world a favour by offering free access for some people doesn't make the commercial theft of the whole database less serious.

  2. open "sourced" database by SuperBanana · · Score: 4, Informative

    open "sourced", not "open source."

    http://osvdb.org/about

    I was confused about how someone could be charged for access to "open source" information...

    Here's the NPO, with two officers, backing it:
    http://opensecurityfoundation....

  3. Aaron Swartz was charged for scraping content. by Anonymous Coward · · Score: 3, Insightful

    This is essentially what Aaron Swartz was charged with doing... from Wikipedia:

    Federal prosecutors charged him with two counts of wire fraud and 11 violations of the Computer Fraud and Abuse Act,[12] carrying a cumulative maximum penalty of $1 million in fines, 35 years in prison, asset forfeiture, restitution and supervised release.

  4. My data by StripedCow · · Score: 5, Funny

    Hi, MS programmer here. I caused most of those vulnerabilities, so actually it is MY data.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  5. Re:Don't see a problem by msauve · · Score: 3, Insightful

    They offer the info free for personal use, but expect commercial users to pay to support their efforts. McAfee knew this.

    Regardless of the legality, it was ethically wrong.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  6. Re:Don't see a problem by king+neckbeard · · Score: 3, Insightful

    This data is not illegal, and it would seem like it's probably not protected by copyright under US law, since it is most likely a collection of data lacking originality. Even if it is copyrightable, I would say it's still unethical to restrict the flow of this data more so than other data.

    --
    This is my signature. There are many like it, but this one is mine.
  7. Re:Less malicious explanation by bill_mcgonigle · · Score: 4, Interesting

    The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice.

    I had an intern try a thing like this, ten years back or so. He was tired of the slow internet connection so he tried to scrape Wolfram's math tutorial website overnight and found the company's IP blocked in the morning. I sent a note to their admins saying I'd talked to the boy and that took care of it. It happens.

    But that talk was a "be nice" one, not a "you tried to avoid paying for a commercial product" one, which is different.

    But there's something odd about what OSVDB is saying. Here's the log snippet they show:

    161.69.163.20 - - [04/May/2014:07:22:14 -0500]
    161.69.163.20 - - [04/May/2014:07:22:16 -0500]
    161.69.163.20 - - [04/May/2014:07:22:18 -0500]
    161.69.163.20 - - [04/May/2014:07:22:20 -0500]

    Every two seconds - bad form. Your 2000 requests would have been finished over a weekend if you rate limited to once a minute, to be nice to their servers.

    But, their blog says:

    They made 2,219 requests between 06:25:24 on May 4 and 21:18:26 on May 6. Excuse us, you clearly didn't want to try our service back then.

    Which indicates an average rate of 1.7 minutes per request. There's something OSVDB isn't telling us.

    It's also odd to see, on a post from May 7, something that happened on May 4th referred to as "back then". It's sounding rather "he-said", so I expect we'll soon hear the "she-said", at least from Intel. The S21Sec guys seem to have used an aggressive scraping-tool with anti-countermeasures deployed, so it's harder to expect them to have a good retort.

    It's not even clear to me that OSVDB has any copyright claim on a database - looking at a random entry I see text that could have come from the vendor or have been written by an OSVDB staffer - it's unclear what is what. If they are writing prose, then they get copyright protection on that. If it's just aggregating data, then what it's basically down to is clickwrap license enforceability, which is very unclear.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
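The two rate calculations in the comment above, the two-second cadence visible in the quoted log snippet and the roughly 1.7-minute average implied by the blog's 2,219-requests-over-three-days figure, written out as an added Python example from a log-review standpoint. This is not the commenter's or OSVDB's code: the sample log lines are constructed in the `host ident authuser [timestamp]` shape the snippet shows (with a second, slower client added for contrast), and the 30-second median threshold and 3-request minimum are arbitrary choices for illustration, not any product's detection rule.

```python
"""Added example: per-client request cadence from Apache-style access log lines.

Reproduces the two numbers discussed in the comment: the 2-second gap between
consecutive requests in the quoted snippet, and the average spacing implied by
2,219 requests between 06:25:24 on May 4 and 21:18:26 on May 6.
Sample lines, threshold and second client are constructed for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# "host ident authuser [timestamp]" prefix, the part of a combined-log line the snippet shows.
_LINE_RE = re.compile(r"^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log. 203.0.113.7 is a documentation-range address added as a slow client.
SAMPLE_LOG = """\
161.69.163.20 - - [04/May/2014:07:22:14 -0500]
203.0.113.7 - - [04/May/2014:07:22:15 -0500]
161.69.163.20 - - [04/May/2014:07:22:16 -0500]
161.69.163.20 - - [04/May/2014:07:22:18 -0500]
161.69.163.20 - - [04/May/2014:07:22:20 -0500]
203.0.113.7 - - [04/May/2014:07:24:40 -0500]
"""


def parse_timestamps(log_text):
    """Return {host: [datetime, ...]} for every line that matches the log prefix."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        per_host[m["host"]].append(datetime.strptime(m["ts"], _TS_FMT))
    return dict(per_host)


def inter_arrival_seconds(times):
    """Gaps in seconds between consecutive requests; sorted first so log order does not matter."""
    ordered = sorted(times)
    return [(later - earlier).total_seconds() for earlier, later in zip(ordered, ordered[1:])]


def fast_clients(per_host, max_median_gap=30.0, min_requests=3):
    """Hosts whose median inter-arrival gap is under the threshold.

    Median rather than mean, so one long pause does not hide a sustained burst.
    Both thresholds are constructed values; tune them to the site's own traffic.
    """
    flagged = {}
    for host, times in per_host.items():
        if len(times) < min_requests:
            continue  # too few requests to say anything about cadence
        median_gap = statistics.median(inter_arrival_seconds(times))
        if median_gap < max_median_gap:
            flagged[host] = median_gap
    return flagged


def average_gap_seconds(first, last, count):
    """Average spacing implied by `count` requests spanning [first, last]: count-1 gaps."""
    return (last - first).total_seconds() / (count - 1)


def blog_window_average_minutes():
    """The comment's check on OSVDB's stated window: 2,219 requests, May 4 06:25:24 to May 6 21:18:26."""
    first = datetime(2014, 5, 4, 6, 25, 24)
    last = datetime(2014, 5, 6, 21, 18, 26)
    return average_gap_seconds(first, last, 2219) / 60.0


if __name__ == "__main__":
    by_host = parse_timestamps(SAMPLE_LOG)
    for host, times in by_host.items():
        print(host, len(times), "requests, gaps:", inter_arrival_seconds(times))
    print("fast clients:", fast_clients(by_host))
    print("average gap over the stated window: %.2f minutes" % blog_window_average_minutes())
```

Run stand-alone it lists each client's gaps, flags only the two-second client, and prints about 1.70 minutes for the stated window, matching the comment's arithmetic; the point of the median check is that a sustained short gap is what a log reviewer looks for, while the window average on its own says little about peak cadence.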
  8. Re:I considered doing the same myself by GTRacer · · Score: 3

    ... Getting a little tired of this disingenuous strawman. The purpose of personal property is to belong to its owner. The purpose of clothing is to cover our bodies. Neither suggests access is explicitly or implicitly granted to third parties.

    Now, put a water fountain up at a public park with the intent (but no access control measures implemented) to limit its access and then let's talk. A publicly-available website's purpose is to disseminate information! Robots.txt is a timeworn and standard way to show your intent for access. As is having a log in page or similar. If you put up a public-facing website which conveys information relevant for public consumption, don't be surprised when the public uses it! Heaven forbid a speedreader with eidetic memory accesses pages too fast for your liking...

    Now, if you implement a page cap and someone uses tricksy browsing to bypass THAT, then I agree that that is bad form. Until then, if you put the site up and effectively say "OPEN FOR BUSINESS"...

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!