Topic created on: May 23, 2006 14:31 CDT by MohammadHosein.
Those of you who have experienced this: would you please tell me how someone can analyze a piece of software looking for a GPL violation while the software's author has banned any RCE?
Thanks
Varies by device and/or software instance.
If, for instance, the device in question is running a Linux kernel you may be able to issue a command that will generate /proc related data (perhaps /proc/cpuinfo) that you can then correlate with Linux.
You should be able to run ident(1) on a given executable and see if there are any RCS strings in it. This would absolutely not be an RCE activity in my view, as it is a standard approach and some virus scanner or other mechanism may employ something similar.
With that said, strings(1) would also be employable, as you are not actually looking at any binary data, simply the potential outputs.
Those would be my initial attempts.
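The ident(1)/strings(1) approach above, as an added example that is not part of the original thread: a POSIX shell script that extracts printable runs from a binary the way strings(1) does, pulls out expanded RCS keywords the way ident(1) reports them, and flags common GPL license-text markers, so a compliance reviewer can check their own shipped firmware for unattributed GPL code. It assumes only tr, grep and sort are available; the marker list and the sample "binary" are constructed for illustration.

```shell
#!/bin/sh
# Added example: strings(1)/ident(1)-style provenance scan using only POSIX tools.
# Assumption: the input is a regular file; the marker list below is illustrative.

# Printable runs of 4+ characters, the same heuristic strings(1) uses by default.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '.{4,}'
}

# Expanded RCS/CVS keywords such as "$Id: file.c,v 1.7 ... $", as ident(1) prints them.
find_rcs_ids() {
    extract_strings "$1" \
      | grep -oE '\$(Id|Header|Revision|Name|Date|Author|Source|RCSfile|Log|State): [^$]*\$' \
      | sort -u
}

# License text fragments that point at GPL-licensed source having been compiled in.
find_gpl_markers() {
    extract_strings "$1" \
      | grep -E 'GNU General Public License|GPL|free software|redistribute it|Linux version' \
      | sort -u
}

# Prints a one-line summary; succeeds only when both kinds of evidence are present.
assess_binary() {
    ids=$(find_rcs_ids "$1" | grep -c . || true)
    markers=$(find_gpl_markers "$1" | grep -c . || true)
    echo "rcs_ids=$ids gpl_markers=$markers"
    [ "$ids" -gt 0 ] && [ "$markers" -gt 0 ]
}

# Constructed sample "binary": non-printable bytes interleaved with embedded strings.
make_sample() {
    printf '\001\002\377ELF\000junk\000$Id: hashtab.c,v 1.7 2004/03/01 12:00:00 gnu Exp $\000' > "$1"
    printf 'This program is free software; you can redistribute it and/or modify\000' >> "$1"
    printf 'it under the terms of the GNU General Public License\000\003\004' >> "$1"
}

# With no arguments, run against the constructed sample; otherwise scan the given files.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp); make_sample "$sample"
    assess_binary "$sample" || true
    rm -f "$sample"
else
    for f in "$@"; do echo "== $f"; assess_binary "$f" || echo "   insufficient evidence"; done
fi
```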
What if our initial attempts couldn't be helpful?
Imagine there is a very important competition between two companies and you are sure one of them is violating the GPL, and you are working for the other one. You don't want to and cannot forget about the author's policy (which banned RCE), and you should prove its GPL violation. What is the regular path? Staying in the dark and publishing anonymous papers regarding this dirty company, then flooding mailing lists with this anonymous paper, sounds like a funny and working idea. Am I missing something?
Do you know any of the employees of the company in question? Perhaps search Google for their domain name and see if any of the employees are asking questions on open source related email lists.
Further, do the same for Google Groups and see if there is a similar result.
Let's say yes, we found some questions and some active forum threads, and we are sure about the piece of code they stole, but these are not proofs. We surely should do some reversing: unpacking their modules, looking for function names and prototypes, even reading raw disassembly to find some matches, maybe pay for some expensive bindiff and continue the investigation to find what we want, and all these are against the law. So I'm asking about a regular way, something lawful. In fact I want to know: is there anyone here who did something like this and sued a company? And even more, is there anybody who won a battle like this in court? Even a link or reference would be appreciated.
Hi Mohammad,
There is a much better working solution that I've seen used in the past.
First of all, investigating code theft is legal in most places around the world, regardless of the unenforceable and thereby meaningless conditions the vendor may have put into the license. In many countries you do not even need a valid license to the product to investigate a code theft case, since your intent is to gather information on a possible violation of the law. Obviously, you need to check with a local lawyer in your region.
Secondly, since the company stealing code is a competitor of your employer, a reasonable way to handle the situation is to do the work yourself and then hire, or better ask, a third party to validate what you found and publish the results accordingly.
In the case of a GPL violation, find out who the copyright holder is and if the rights have been assigned to the Free Software Foundation (as they suggest with GPL usage), the FSF and EFF will most likely start legal proceedings against your competitor. If not, contact the copyright holder about the violation and work with him/her/them.
Meanwhile, after publication let your marketing team do the dirty work of properly promoting the third party results with news/press releases. Make certain you submit the violation findings to the major geek boards where GPL fanboys hang out, in other words Slashdot. Flooding mailing lists sucks, regardless of who does it or why. Anonymous flooders suck even more and they are often ignored as attempted FUD or astroturfing.
Make sure the customers you are competing for know about your competitor's violations and the probable removal of vital functionality from their competing products. The FSF/EFF are far too forgiving about GPL violations and often they settle for removal of the GPL code rather than trying to force the release of the whole codebase including the GPL intermingled/infected code.
If possible, hire a credible firm to do the formal comparison analysis. HalVar and Eros at Sabre Security have an edge in proving code theft cases due to their IDA plugin tools (BinNavi and such). If they can't do the work themselves, they might be able to recommend one of their customers to do the work.
Hope This Helps...
jcr
Well, what to do is pretty simple. You ignore the no-reverse-engineering clause, and proceed anyway. If you find a GPL violation, you produce proof. If you don't, then you keep your mouth shut. I don't recall the GPL covering it explicitly, but I don't think you can have some GPL'd code that you don't have the right to request source for, and if you can request source, I can't see how a no-RE clause would hold up.
I think the DMCA may even give you power in a couple of cases, as it explicitly grants reverse engineering rights for a couple of narrow purposes. One could argue that an EULA is a contract, and that the contract trumps that. If you really care about the legal situation, you have to consult a lawyer, of course.
Yo Ryan,
I think you, me and nearly everyone in this thread misrecognized the flag presented next to Mohammad's name. Since things were just not making sense, I checked his board profile...
Mohammad, my apologies for being a western idiot, not recognizing your nation's flag and not realizing the laws in Iran are probably vastly different than the US/EU/AU/CA/NZ type laws most of us know.
If your competitor's software is available for download, please post a link to this board or email it to me so I can post the link. I will work on it alone if need be, but creating a group project for OpenRCE out of it is probably an even better idea. Though I do have an IDA tool I wrote for version-by-version comparison, it was made for checking/tracking/maintaining API changes in closed source code. I also used it once for looking through a "code theft" issue regarding ssl_eay and failure to give the required attribution according to the license.
To put it bluntly, what I know on the topic of code theft and the tool I created are nothing in comparison to what HalVar has done with BinDiff. Using BinDiff and IDA for what might be a rather public example of GPL code theft would be great publicity for both tools. Hopefully HalVar and Eros will want to get involved.
As you stated, you may not be able to legally do the work due to the laws where you live, but I see no reason why that would stop an outside person or group of us from doing the required work in a totally different physical and legal jurisdiction. If I'm still being ignorant with this assumption of mine, please let me know.
JCR
JC, Ryan, Aaron, thank you :)
Well, the dirty company is a famous company actively involved in broadband development and I cannot mention its name, at least not now, but regarding the flag you see next to my name, this company has a good business here. Our local copyright law does not cover public licenses, but while this company is doing some business in other countries we may be able to sue them there. So with JC's and Ryan's comments I can be sure that if I show proofs regarding a real GPL violation nobody cares about those liars' no-RCE statement, and I will ask for help here any time I need it. Thanks.
Now another question just came to my mind. Most of the agreements out there clearly focus on this topic: you buyers and customers should not think about any code reversing, including debugging and disassembly. I want to ask, is this about the "results" or just about the "act"? Is "disassembling" illegal, or "disassembling and publishing something reversed"? Is "reversing" an act against the law, or are the "reason" and "result" more important?
Most commercial software is packed and protected heavily, and anti-viruses (e.g. Kaspersky) are always trying to unpack or search for some polymorphic signature using their internal RE engine, so I'm curious to know what is the meaning of these no-RCE agreements in your countries? Can someone sue you just because you are playing with a commercial software inside IDA right now?
(Caveat: I am not a lawyer, nor am I attempting to represent myself as one!)
My thinking on the RE subject with regards to the law comes down to publishing of one's findings or using one's findings for ill will, at which point it becomes plainly obvious how you arrived at your conclusion. Thus it is the act that precipitates the findings, but ultimately the findings are what demonstrate the act. (Ugh, that sounded like legalese; my deepest apologies!)
At least in the US, no one (okay, that is not necessarily true) -- a sane individual/company would not consider bringing legal action against an anti-virus company with regards to its ability to dynamically examine (aka RE) a binary for malicious intent.
So to summarize my rather long-winded attempt: publication of findings that would immediately point toward reverse engineering activities would be what would ultimately cause a problem. But ultimately everything comes down to interpretation of the law and since I am not a lawyer, I am taking an engineer's perspective on the law sans four-letter colorful metaphors.
Hopefully my ramblings make some sense, and just one more caveat: this is a US-centric perspective as I have not had dealings with any other countries' laws surrounding RE (yet).
Aaron
I am also not a lawyer :) But, in the situation where the possibly offending party is a competitor, I would strongly recommend utilizing an independent third party to do the analysis and give you a summary report. If you do the analysis yourself, you gain all kinds of 'inside' information in addition to the possible GPL violation. Now, you go to a meeting and are asked a question. You are now quite possibly in a hard spot; if you answer based on your knowledge, you may be using knowledge you gained via RE (by mistake while pursuing the code violation) and that could put your company in a hard place. Even in countries where RE is completely legal, it could easily put you in the position of being accused of copyright violation if any of your code is even similar to the competition's. It is better to not know your competitor's code, IMO.
Hi Mohammad,
It seems you are not making a necessary separation and therefore you have two different things confused together as one.
There is a difference between a copyright and a license.
A copyright is a government-granted right to authors of works which allows the authors to control copying of their works. In other words, only the copyright holder (author) is allowed to make and sell copies of his work. Depending on country and jurisdiction, some places have "Fair Use" laws that allow an individual who purchased a copy of a work to make additional copies for backup and similar private purposes.
The rights granted by copyright are internationally protected through treaties between the governments of various countries. If you're curious, the most commonly quoted treaty is the Berne Convention.
A license is simply a legal contract which states the terms of use. Both parties, the copyright holder (licensor) and the end user (licensee), must agree to conditions and sign a license contract for it to be legally valid. For decades software vendors have been using "click through" licenses but unfortunately, no one has legally proven such licenses are legally valid contracts (click-through licenses do not have the signature required to make them valid).
Even if a license contract is signed by both parties, the contract may contain conditions which are not legally valid. This is a very important thing to remember. The typical "No Reverse Engineering" clauses you see in licenses are not actually legally valid.
Here in the US (and in many other countries), we have the right to reverse engineer whatever we want for the sake of validating its operation, fixing broken things, and even customizing our purchased copy. Of course, you cannot sell your changes but you are legally allowed to make them.
The routines within a program which prevent copying (i.e. copy protection) have additional protection under the law, so changes made by the end user are generally not allowed to bypass the program's copy protection. Different than other modifications, you cannot sell or even publish details on how to bypass the copy protection and you are generally not allowed to make them. When I say "generally" I mean there are a few exceptions but they will just confuse things.
When it comes to security/malware and code theft analysis, one does not even need to purchase a license for the software. The reason you do not need to buy a license is because you are investigating a possible crime. Of course, you cannot use the software for its intended purpose since that would be a violation of the author's copyright. On the other hand, if you can obtain a copy of the software, you can analyze it for the purpose of finding security/theft evidence.
In short, investigating potential criminal activity is protected under "fair use" provisions of copyright as well as other provisions of the law. The reasoning is that law enforcement (police) must be able to do their job and in many situations, they need to bring in expert help from the outside (non-police) to do it.
To put it as clearly as possible, if you told us who is stealing GPL code, what product it was in and what GPL code has been taken, the majority of people on this board are legally able to investigate this possible crime and publish all of our findings.
Please realize the above is the best explanation *I* can give you. Though I've often considered becoming one, I am *NOT* a lawyer. The only advantage I have is I work with lawyers constantly and I've learned a lot from them.
Kind Regards,
jcr
Huh, in addition to these answers I got 4 private messages regarding this topic, amazing :)
JC, Billy and Aaron, thank you all.
I learned there are too many possibilities when we talk about software violation and crime even when there are too many no-RCE agreements around, and I found out in most countries we don't need to worry about our RE efforts while we are able to claim something about crime evidence or a violation investigation etc. etc. Copyright is protected by worldwide rules and I would be able to sue a GPL violation here in my country while there is no local law covering the GPL and similar licenses, and also nobody is gonna call 110 (mmmmm, our version of your 911) because I'm playing with a commercial and protected software, even with a no-RCE mark, and even more, sometimes these no-RCE marks are illegal too!
Well, nice chat.
I may convince our managers to define a totally private task for me so I can ask for your help and teach some lessons to this big "eastern" company, who knows... thank you all.
And again, Pedram, is it possible to publish some papers (some short papers) about our violation-related findings in commercial software here over the forum or blogs? Do you think this is a good idea for OpenRCE? I'm not talking about the current discussion, it's a general question.
I'm enjoying OpenRCE
Best Regards
-Mh