From: "V.O." <[EMAIL PROTECTED]>

> Recently I've got to listen to a marketing pitch by an ISS guy. He was going
> along the lines of "our X-force reverse-engineered Microsoft RPC libraries
> and created signatures..." and "we use protocol decoding, so we
> reverse-engineered various closed-source protocols in order to create our
> decoders".
>
> What struck me - isn't this kind of activity actually illegal in the US? To
> which extent it is possible to disassemble Windows code? And if it is
> illegal, then aren't their customers (plus many other IDSes, with the
> exclusion of Snort, probably) in danger - what if Microsoft or whoever else
> sues ISS for doing this? :)
>
> I'm puzzled.

The reverse is true. Reverse-engineering is broadly legal virtually everywhere. (The DMCA copyright-circumvention being a rare exception).

Whereas governments don't, software license agreements do. Most vendors have a clause banning reverse-engineering. However, such agreements can only go so far. They do not apply to areas that are clearly in the public interest. Vuln-research is one of those areas (compatibility is another). For example:

    17 U.S.C. § 1201(j) (1999)
    ...the term 'security testing' means accessing a computer, computer
    system, or computer network, solely for the purpose of good faith
    testing, investigating, or correcting, a security flaw or
    vulnerability, with the authorization of the owner or operator of such
    computer, computer system, or computer network . . . [It] is not a
    violation . . . for a person to develop, produce, distribute or employ
    technological means for the sole purpose of performing the acts of
    security testing...

FYI: this clause is largely due to ISS lobbying of Congress. Other countries likewise have explicit clauses like this as well.

To be more clear on the matter: I personally (on my own time) purchased a Microsoft software license and disassembled rpcss.dll using IDApro in order to better understand the MS03-026 vulnerability. I state this in the clearest possible terms so that if U.S. law enforcement or Microsoft lawyers believe they have a case, they can come after me.

What will really bake your noodle is the following decompiled source of the Blaster worm:
http://www.robertgraham.com/journal/030815-blaster.c

Imagine the author of the Blaster worm suing me over this :-)

Robert Graham
Chief Scientist, ISS

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
