McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database

timothy posted about 4 months ago | from the but-don't-say-they-didn't-ask dept.

Security 139

mask.of.sanity (1228908) writes with this excerpt from The Register: "'Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data.' Law experts say the site's copyright could be breached by individuals merely downloading the information in contravention to the site's policies, and did not require the data to be subsequently disseminated."

139 comments

McAfee in trouble (4, Funny)

jeffmeden (135043) | about 4 months ago | (#46948751)

"McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database"

Smash and grab? I bet he is hiding out in Ecuador.

Re:McAfee in trouble (1)

Anonymous Coward | about 4 months ago | (#46948791)

I think to be consistent, Aaron Swartz's supporters have to take McAfee's side.

Re:McAfee in trouble (2)

MightyYar (622222) | about 4 months ago | (#46948953)

I think I agree. I mean, scraping data from a public-facing web page isn't exactly felony material - so long as your activities do not disrupt the service.

On the other hand, there is a line that you can cross. Certainly, we'd all agree that brute-forcing passwords would be over the line. Making your scripts evasive to avoid countermeasures is not as blatant, but definitely is shadier than just scraping a site with no countermeasures....

Anyway, this kind of disagreement is exactly why we have a civil court system.

Re:McAfee in trouble (0)

Anonymous Coward | about 4 months ago | (#46949133)

"I mean, scraping data from a public-facing web page isn't exactly felony material - so long as your activities do not disrupt the service."

Maybe you should tell that to Barrett Brown, Andrew "Weev" Auernheimer, or the late Aaron Swartz...

Re:McAfee in trouble (2)

MightyYar (622222) | about 4 months ago | (#46949243)

I should have said "scraping data from a public-facing web page SHOULDN'T be felony material".

Re:McAfee in trouble (0)

Anonymous Coward | about 4 months ago | (#46949405)

Yes, that statement is at least arguable. Thus your parent statement should read "this is exactly why we have prisons". Not sure why the lawyers haven't assembled the correct combination of aggrieved parties for their payday.

Re:McAfee in trouble (0)

Anonymous Coward | about 4 months ago | (#46949829)

Bet you if someone had "scraped" McAfee's site they would have a complete 180 opinion on the matter citing copyright violations, etc.

Re:McAfee in trouble (3, Insightful)

ConfusedVorlon (657247) | about 4 months ago | (#46950165)

If the site is clear about its terms up front, then this seems like a serious issue.

McAfee clearly knew they needed a licence; they asked about getting one. Presumably, they just didn't like the price.

Plenty of software licences are the same; free for personal use, paid for commercial use. The fact that the company does the world a favour by offering free access for some people doesn't make the commercial theft of the whole database less serious.

Re:McAfee in trouble (1)

MightyYar (622222) | about 4 months ago | (#46950811)

I agree - I just think it is a civil and not a criminal matter.

Re:McAfee in trouble (1)

davester666 (731373) | about 4 months ago | (#46950015)

Sorry, different laws apply to multinational corporations.

Re:McAfee in trouble (1)

tomhath (637240) | about 4 months ago | (#46950087)

"public-facing web page"

Re:McAfee in trouble (0)

Minwee (522556) | about 4 months ago | (#46950339)

"public-facing web page"

public-facing web page [jstor.org] .

Re:McAfee in trouble (0)

Anonymous Coward | about 4 months ago | (#46950411)

"face-paging public web"

Scrape culture (0)

Anonymous Coward | about 4 months ago | (#46949135)

It's all fun and games until a site you know gets scraped repeatedly by an unscrupulous villain!

Re:McAfee in trouble (0)

Anonymous Coward | about 4 months ago | (#46949025)

And to be consistent, Aaron Swartz's detractors have to go against McAfee. Detractors like the US DOJ.

because corps are people, too! (0)

Anonymous Coward | about 4 months ago | (#46949145)

And exactly how do you propose the DOJ harangue McAfee to the point where it commits suicide?!

Re:because corps are people, too! (0)

Anonymous Coward | about 4 months ago | (#46949287)

I dunno. Pile on a ton of charges seeking maximum sentencing for each charge? The usual way, I guess.

Re:because corps are people, too! (0)

Anonymous Coward | about 4 months ago | (#46950119)

And exactly how do you propose the DOJ harangue McAfee to the point where it commits suicide?!

McAfee is a zombie -- it committed suicide years ago.

Re: McAfee in trouble (1)

martin0641 (1912130) | about 4 months ago | (#46949441)

I think the difference is the utilization of the scraped data for profit which is a violation of the license.

Re:McAfee in trouble (5, Insightful)

lister king of smeg (2481612) | about 4 months ago | (#46949745)

I think to be consistent, Aaron Swartz's supporters have to take McAfee's side.

No this is different.
With Aaron it was scientific papers that were funded with public money then locked behind a private paywall and none of the proceeds going back to the public; Aaron then tried to download them and give them back to the public that paid for the writing of said documentation.
In this case it is McAfee stealing info that was privately funded by another private company and keeping it for themselves.
The situations are completely different as well as their motivation.

Re:McAfee in trouble (1)

Shatrat (855151) | about 4 months ago | (#46950323)

You're right, but Aaron was prosecuted not for what he did, but for HOW he did it. Scary computer stuff. This is also scary computer stuff.

Re:McAfee in trouble (0)

Anonymous Coward | about 4 months ago | (#46950531)

So Aaron restricted his scraping only to papers supported by public funding, did he?

From a legal perspective, Swartz is probably worse (1)

langelgjm (860756) | about 4 months ago | (#46950579)

There is no copyright in facts, which is why the Register article says there is a "debate" about copyright protection in databases. If a database is nothing more than a collection of facts, it won't be eligible for copyright protection. (It might be eligible for a database protection right in Europe, though)

That said, databases can be copyrighted if they contain original creative content, or if the selection and arrangement of the facts is original and creative. The article hints at a sweat of the brow justification, which would not work - just because you spend a lot of time compiling facts doesn't mean you get copyright in them (well, at least not in the U.S.). But the threshold for originality and creativity is pretty low, so if OSVDB does any editing or categorization or summarizing of reports, that might be enough to get them copyright in the database.

From a purely legal perspective, Swartz's intentions would probably be considered "worse." He mass-downloaded a bunch of articles from JSTOR (and no, I doubt all of them or even most of them were funded with public money), although he arguably had the right to do so. From what I understand, his intention was to release the articles to the public, but he never got that far. Had he done so, that would certainly have been a massive copyright violation, and there would have been multiple suits from multiple publishers (meanwhile, I'd imagine most of the authors of the articles wouldn't care, since they rarely if ever receive royalties for those articles, and often have to pay fees to have them published).

Whereas McAfee scrapes data from a publicly-accessible database that may or may not be protected by copyright. OSVDB will first have to prove they have a valid copyright in order to claim infringement. Maybe they'll fall back on this argument that even if not copyrighted, the data was licensed, but it's hard to throw up uncopyrighted data on a public web page and claim that there is some kind of binding license on everyone who accesses it. When uncopyrightable databases are licensed, that will usually involve signing a contract.

Re:From a legal perspective, Swartz is probably wo (1)

Mathinker (909784) | about 4 months ago | (#46950955)

> From what I understand, his intention was to release the articles to the public, but he never got that far.

As far as I know, there is no evidence for this, except circumstantial (feel free to reply with supporting evidence). You could very well be correct, or he could have had a more nuanced plan, like only releasing the public domain stuff first, or threatening to do so, and somehow hoping to leverage that to achieve other goals (like, for example, the subsequent JSTOR relaxed access policy which enables private individuals to access 3 papers for free every two weeks), but now we will never know.

How much (0)

Anonymous Coward | about 4 months ago | (#46948781)

Just curious. How much would it have cost them to buy the data?

Open Source My Ass (0)

Anonymous Coward | about 4 months ago | (#46948783)

If you have to pay for it, it sure as hell ain't open source.

Re:Open Source My Ass (0)

Anonymous Coward | about 4 months ago | (#46949007)

Source code is free but user data is not. LOL. If the data has a price tag, shouldn't they pay the people who submitted the data in the first place?

Re:Open Source My Ass (1)

AC-x (735297) | about 4 months ago | (#46949319)

FYI if you want to use open source in a closed source / commercial project then often you do have to pay for it, depending on the licence it's open sourced under.

Re:Open Source My Ass (1)

pr0fessor (1940368) | about 4 months ago | (#46950045)

Open Sourced has a different meaning in the context they use it, they are talking about how they get their data from many sources including volunteers.

http://osvdb.org/osvdb_license [osvdb.org]

"The coffee's FREE..." (-1)

Anonymous Coward | about 4 months ago | (#46949407)

"... 50 cent cup rental though..."

APK

P.S.=> So much for Open SORES = "free", eh? Not...

... apk

Re:Open Source My Ass (1)

Anonymous Coward | about 4 months ago | (#46949415)

If you have to pay for it, it sure as hell ain't open source.

Wrong. It is perfectly legal to charge for open source (GPL, BSD, etc).

Open source lets the customer modify, improve and fix the software, instead of being at the mercy of the software author.

Re:Open Source My Ass (-1, Troll)

gnupun (752725) | about 4 months ago | (#46950275)

Wrong. It is perfectly legal to charge for open source (GPL, BSD, etc).

Then why aren't the developers of Linux kernel getting paid? Google and other websites use Linux etc. to make billions off their free slave labor while giving nothing or little back.

Re:Open Source My Ass (2)

Minwee (522556) | about 4 months ago | (#46950401)

Then why aren't the developers of Linux kernel getting paid?

I think the question you're looking for is "Why are only 83.1% of the developers of the Linux kernel getting paid?" [arstechnica.com]

Re:Open Source My Ass (1)

gnupun (752725) | about 4 months ago | (#46950563)

The report covers almost 92,000 changes to Linux from 3,738 individuals since version 3.3 in March 2012.

That statistic is only after March 2012, when the kernel was more or less stable. What about 20 years worth of work before that? I don't think most of those developers have been paid. Also, making little changes to a stable product is easier than creating it from scratch.

Re:Open Source My Ass (0)

Anonymous Coward | about 4 months ago | (#46950639)

Google adheres to the open source licensing of Linux and other open source software. However none of those licenses require you to contribute your changes back to the community unless you plan on distributing your changes to others for free or a fee. Google used Linux as an early starting point but if you think they are running what everyone refers to as a Linux OS you are sadly mistaken. Google has contributed a lot of code to the open source community over the years but they certainly don't hand over their specialized OS that once upon a time bore a resemblance to the standard Linux kernel but today is a totally different animal. They also released an open source version of their no-SQL database but not the version they actually use themselves.

Re:Open Source My Ass (0)

Anonymous Coward | about 4 months ago | (#46950487)

If it were a song, then all of Slashdot would come to McAfee's defense.

Don't see a problem (0, Troll)

smooth wombat (796938) | about 4 months ago | (#46948793)

It's not real like a car, it's digital. Everyone should have access to it for free.

McAfee did nothing different than what millions of people do every day via TPB.

Re:Don't see a problem (0)

Anonymous Coward | about 4 months ago | (#46948939)

McAfee did nothing different than what millions of people do every day via TPB.

OK, so accept both or neither.

People who think it is OK that the TPB guys had to serve jail time while the McAfee guys don't are hypocrites who need to be punched in the face.

Re:Don't see a problem (0)

mi (197448) | about 4 months ago | (#46949149)

People who think it is OK that the TPB guys had to serve jail time while the McAfee guys don't are hypocrites

I don't think there are such people. Quite the contrary — Slashdot's general opinion remains that copying copyrighted material around is OK as long as the victim is big and the perpetrator — small. But the other way around is wrong somehow.

hypocrites who need to be punched in the face

Yes, I tend to agree with this spirit — even if the actual punishment you are proposing is unusual.

Re:Don't see a problem (1)

by (1706743) (1706744) | about 4 months ago | (#46949009)

McAfee did nothing different than what millions of people do every day via TPB.

I would argue there's a bit of a difference. If true, McAfee is using this illegal data for *profit*, as opposed to just using it for entertainment/personal use. I think a more analogous scenario would be grabbing a movie via TPB and then charging your friends to watch it with you.

Re:Don't see a problem (1)

alen (225700) | about 4 months ago | (#46949129)

the TPB guys were making a lot of money off TPB

Re:Don't see a problem (0)

Anonymous Coward | about 4 months ago | (#46949215)

the TPB guys were making a lot of money off TPB

[citation needed]
Put up, or shut up.

Re:Don't see a problem (3, Insightful)

king neckbeard (1801738) | about 4 months ago | (#46949373)

This data is not illegal, and it would seem like it's probably not protected by copyright under US law, since it is most likely a collection of data lacking originality. Even if it is copyrightable, I would say it's still unethical to restrict the flow of this data more so than other data.

Re:Don't see a problem (1)

gnupun (752725) | about 4 months ago | (#46950027)

it would seem like it's probably not protected by copyright under US law, since it is most likely a collection of data lacking originality.

Any original (non-plagiarized) content can be copyrighted. Further, if the site has an account signup license that states that "vulnerability report submitter assigns his/her posts' copyright to website so that it can modify, reproduce that post as it sees fit," then yes, you cannot mass copy the database freely without violating copyright laws.

Re:Don't see a problem (1)

Em Adespoton (792954) | about 4 months ago | (#46950171)

it would seem like it's probably not protected by copyright under US law, since it is most likely a collection of data lacking originality.

Any original (non-plagiarized) content is copyrighted by default. Further, if the site has an account signup license that states that "vulnerability report submitter assigns his/her posts' copyright to website so that it can modify, reproduce that post as it sees fit," then yes, you cannot mass copy the database freely without violating copyright laws.

FTFY

Re:Don't see a problem (1)

gnupun (752725) | about 4 months ago | (#46950349)

The default copyright goes to the author, not the website, unless the author assigns it to the website. Hosting a comment on your website does not mean you own it, at least that's what I think. You have to get express permission from the original copyright holders, the authors, to legally obtain copyright.

Re:Don't see a problem (1)

Em Adespoton (792954) | about 4 months ago | (#46950625)

Exactly. It's protected by copyright. Whether the copyright holders have granted the public permission to copy their content and use it for commercial gain is another issue (that is going before the courts).

Re:Don't see a problem (0)

Anonymous Coward | about 4 months ago | (#46950307)

I would imagine that a compilation of data is copyrightable, in the same way that cookbooks are copyrighted while individual recipes contained therein are not. But this does seem more of a TOS violation than a copyright issue.

Re:Don't see a problem (3, Insightful)

msauve (701917) | about 4 months ago | (#46949093)

They offer the info free for personal use, but expect commercial users to pay to support their efforts. McAfee knew this.

Regardless of the legality, it was ethically wrong.

Re:Don't see a problem (-1, Flamebait)

smooth wombat (796938) | about 4 months ago | (#46949147)

Regardless of the legality, it was ethically wrong.

But it's ethically okay for you (not necessarily you personally, but the big You) to take what you want from TPB, not paying the person who created the work for their efforts, right?

Re:Don't see a problem (2)

msauve (701917) | about 4 months ago | (#46949473)

TPB offers their information (torrent files, last time I looked) freely. I assume you mean the content many/most of those torrents point people to... and yes, pirating things is also unethical. Having said that, I believe that an ethical violation for commercial gain is more egregious.

Re:Don't see a problem (1)

MickLinux (579158) | about 4 months ago | (#46950249)

Ethical simply means following a consistent ethic (rule). So "I steal everything I can, and some I can't" is immoral, but ethical as long as that is the rule you consistently follow.

Which is why I hate the use of the word "ethical" in our society. It's a lie.

Bill Clinton was our most ethical president ever.

And if anyone didn't know ahead of time what was going to happen to whistleblowers with "the most transparent administration ever", they didn't understand the meaning of "transparent".

Hint: I absolutely despise modern language.

Re:Don't see a problem (1)

Anonymous Coward | about 4 months ago | (#46949237)

Actually, in the US, the data belongs to whoever collects it, not who it is about. If the scraped site has a terms and conditions page, McAfee will be sued on that, and that will be compounded due to the fact they were in discussions about buying the data.

Re:Don't see a problem (0)

Anonymous Coward | about 4 months ago | (#46949125)

It's not real like a car, it's digital. Everyone should have access to it for free.

McAfee did nothing different than what millions of people do every day via TPB.

Except they did it for profit.

Re:Don't see a problem (0)

Anonymous Coward | about 4 months ago | (#46949437)

Information just wants to be free. At least when it's from those groups that we dislike.

Re:Don't see a problem (1)

lister king of smeg (2481612) | about 4 months ago | (#46949797)

It's not real like a car, it's digital. Everyone should have access to it for free.

McAfee did nothing different than what millions of people do every day via TPB.

The difference is while TPB may be dicks they are fighting even bigger dicks MPAA
McAfee is a dick but are screwing over non-dicks

Re:Don't see a problem (0)

Anonymous Coward | about 4 months ago | (#46950947)

McAfee did nothing different than what millions of people do every day via TPB.

Wrong, they got caught. Next time, McAfee, use a VPN, like everyone else does. You're not special.

open "sourced" database (4, Informative)

SuperBanana (662181) | about 4 months ago | (#46948809)

open "sourced", not "open source."

http://osvdb.org/about [osvdb.org]

I was confused about how someone could be charged for access to "open source" information...

Here's the NPO, with two officers, backing it:
http://opensecurityfoundation.... [opensecuri...dation.org]

Re:open "sourced" database (1)

jeffmeden (135043) | about 4 months ago | (#46948821)

open "sourced", not "open source."

http://osvdb.org/about [osvdb.org]

I was confused about how someone could be charged for access to "open source" information...

Here's the NPO, with two officers, backing it:
http://opensecurityfoundation.... [opensecuri...dation.org]

I noticed that convenient typo, too. It's amazing how much of a difference one little d at the end of a word can make. Makes me almost want actual editors on slashdot instead of these uneducated rogues.

Re:open "sourced" database (0)

Anonymous Coward | about 4 months ago | (#46949423)

The little d helps but is technically not necessary. "Open source" works if you think of "source" as "provenance" (dictionary meaning) instead of "code" (programmer meaning).

Re:open "sourced" database (0)

Anonymous Coward | about 4 months ago | (#46948923)

Don't feel bad. Timothy purposely alters articles so that they're misleading and inflammatory. He's been doing it for years, it shouldn't be surprising to anyone at this point. He may be a complete prick, but he knows what keeps his joke of a job afloat -- controversy created from falsehoods.

Re:open "sourced" database (1)

FireFury03 (653718) | about 4 months ago | (#46949315)

I was confused about how someone could be charged for access to "open source" information..

Open source and public domain are not the same things - most open source data is copyrighted and made available through a suitably permissive licence. Break that licence and you can be sued just as easily as if you were breaking a closed source licence.

fundamental incompatibility (1)

SuperBanana (662181) | about 4 months ago | (#46949951)

I've been using linux since 1998. I don't need a lecture on open source licensing.

Charging for access to data is fundamentally incompatible with claiming it's "open source" by many people's definitions.

Re:open "sourced" database (1)

VortexCortex (1117377) | about 4 months ago | (#46950255)

Open sources does not mean you have the right to copy them. The printer drivers for Richard Stallman's device were open source to a colleague at another college, however the fellow was under NDA not to share the code with RMS. Thus began the Free Software Movement, because Open Source does not actually imply Free Software, no matter how much you wish this was the case. There is no typo, you're just ignorant.

Aaron Swartz was charged for scraping content. (3, Insightful)

Anonymous Coward | about 4 months ago | (#46948825)

This is essentially what Aaron Swartz was charged with doing... from wikipedia:

Federal prosecutors charged him with two counts of wire fraud and 11 violations of the Computer Fraud and Abuse Act,[12] carrying a cumulative maximum penalty of $1 million in fines, 35 years in prison, asset forfeiture, restitution and supervised release.

Re:Aaron Swartz was charged for scraping content. (0)

Anonymous Coward | about 4 months ago | (#46949171)

The big difference between Swartz and McAfee is that Swartz's motive was for what he believed to be in the public interest. McAfee's motive is for profit.

Re:Aaron Swartz was charged for scraping content. (2)

alphatel (1450715) | about 4 months ago | (#46949861)

The big difference between Swartz and McAfee is that Swartz's motive was for what he believed to be in the public interest. McAfee's motive is for profit.

And since step 3 is profit, we all know that it's perfectly legal. And if not, endless litigation followed by a small fine will serve!

Re:Aaron Swartz was charged for scraping content. (0)

Anonymous Coward | about 4 months ago | (#46950123)

Motive is irrelevant, the crime is still a crime.

just copying bits (0)

Anonymous Coward | about 4 months ago | (#46948889)

no one was hurt and the original bits are still there

and the people running the site shouldn't have left the door wide open

Re:just copying bits (1)

PktLoss (647983) | about 4 months ago | (#46949729)

It's behind Cloudflare, and they're leveraging other means to catch scraping. This hardly seems like "wide open"

Less malicious explanation (1)

operagost (62405) | about 4 months ago | (#46948981)

I'm no McAfee advocate by any means, but the span of time between the initial sales consultation and the unauthorized scraping indicates that the person involved with the scraping might not have been involved with the sales process and was ignorant of the need for a PO. The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice. Of course, McAfee's size and influence holds them to a higher standard that should preclude anyone running rogue like this.

Re:Less malicious explanation (2)

jeffmeden (135043) | about 4 months ago | (#46949073)

I'm no McAfee advocate by any means, but the span of time between the initial sales consultation and the unauthorized scraping indicates that the person involved with the scraping might not have been involved with the sales process and was ignorant of the need for a PO. The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice. Of course, McAfee's size and influence holds them to a higher standard that should preclude anyone running rogue like this.

Agreed, this is definitely a case where incompetence is more likely than malice. For fuck's sake, if it were malice they would at LEAST do it from an AWS, Azure, or [insert huge anonymizing cloud provider here] instance instead of from an IP directly registered to McAfee.

Re:Less malicious explanation (4, Interesting)

bill_mcgonigle (4333) | about 4 months ago | (#46949459)

The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice.

I had an intern try a thing like this, ten years back or so. He was tired of the slow internet connection so he tried to scrape Wolfram's math tutorial website overnight and found the company's IP blocked in the morning. I sent a note to their admins saying I'd talked to the boy and that took care of it. It happens.

But that talk was a "be nice" one, not a "you tried to avoid paying for a commercial product" one, which is different.

But there's something odd about what OSVDB is saying. Here's the log snippet they show:


161.69.163.20 - - [04/May/2014:07:22:14 -0500]
161.69.163.20 - - [04/May/2014:07:22:16 -0500]
161.69.163.20 - - [04/May/2014:07:22:18 -0500]
161.69.163.20 - - [04/May/2014:07:22:20 -0500]

Every two seconds - bad form. Your 2000 requests would have been finished over a weekend if you rate limited to once a minute, to be nice to their servers.

But, their blog says:

They made 2,219 requests between 06:25:24 on May 4 and 21:18:26 on May 6. Excuse us, you clearly didn't want to try our service back then.

Which indicates an average rate of 1.7 minutes per request. There's something OSVDB isn't telling us.

It's also odd to see, on a post from May 7, something that happened on May 4th referred to as "back then". It's sounding rather "he-said", so I expect we'll soon hear the "she-said", at least from Intel. The S21Sec guys seem to have used an aggressive scraping-tool with anti-countermeasures deployed, so it's harder to expect them to have a good retort.

It's not even clear to me that OSVDB has any copyright claim on a database - looking at a random entry [osvdb.com] I see text that could have come from the vendor or have been written by an OSVDB staffer - it's unclear what is what. If they are writing prose, then they get copyright protection on that. If it's just aggregating data, then what it's basically down to is clickwrap license enforceability, which is very unclear.
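The gap the comment above points out, between a two-second burst in the log excerpt and a whole-window average of over a minute per request, is why per-client detection should look at bursts and user-agent churn rather than mean rate. The following is an added example, not part of the thread and not OSVDB's tooling; the log lines, the documentation-range IP addresses, the paths and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return (ip, timestamp, user_agent), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("ua")


def profile_clients(lines, burst_gap=5.0, min_burst=4, max_uas=2):
    """Per-IP profile: mean gap, longest run of closely spaced hits, UA count.

    burst_gap, min_burst and max_uas are illustrative thresholds (assumptions).
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the run
        ip, ts, ua = rec
        hits[ip].append((ts, ua))

    report = {}
    for ip, recs in hits.items():
        recs.sort(key=lambda r: r[0])
        times = [t for t, _ in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        longest = run = 1
        for gap in gaps:
            run = run + 1 if gap <= burst_gap else 1
            longest = max(longest, run)
        uas = len({ua for _, ua in recs})
        report[ip] = {
            "requests": len(recs),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            "longest_burst": longest,
            "user_agents": uas,
            "suspicious": longest >= min_burst or uas > max_uas,
        }
    return report


def build_sample_log():
    """Constructed sample data: one bursty client that rotates user agents,
    one ordinary client, and one malformed line."""
    tz = timezone(timedelta(hours=-5))
    start = datetime(2014, 5, 4, 7, 22, 14, tzinfo=tz)
    agents = [
        "Mozilla/5.0 (X11; Linux x86_64)",
        "Mozilla/5.0 (Windows NT 6.1)",
        "Opera/9.80",
        "curl/7.30.0",
    ]

    def fmt(ip, ts, path, ua):
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'

    lines = []
    # Two bursts of four requests, 2 s apart, with an hour of silence between.
    for burst in range(2):
        for i in range(4):
            ts = start + timedelta(hours=burst, seconds=2 * i)
            lines.append(fmt("192.0.2.10", ts, f"/entry/{burst * 4 + i}", agents[i]))
    # An ordinary reader: one page every ten minutes, one user agent.
    for i in range(3):
        ts = start + timedelta(minutes=10 * i)
        lines.append(fmt("198.51.100.7", ts, "/entry/1", agents[0]))
    lines.append("truncated or corrupt line")
    return lines


if __name__ == "__main__":
    for ip, stats in sorted(profile_clients(build_sample_log()).items()):
        print(ip, stats)
```

On the constructed data both clients have a mean gap of roughly nine to ten minutes, so only the burst length and the user-agent count separate them.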

Re:Less malicious explanation (0)

Anonymous Coward | about 4 months ago | (#46949859)

The slurp was said to be conducted using fast scripts that rapidly changed the user agent

Can't even be bothered to read TFS.

My data (5, Funny)

StripedCow (776465) | about 4 months ago | (#46949071)

Hi, MS programmer here. I caused most of those vulnerabilities, so actually it is MY data.

mi8us 3, Troll) (-1)

Anonymous Coward | about 4 months ago | (#46949167)

work that= Fyou

does mcafee av still suck? (1)

steak (145650) | about 4 months ago | (#46949213)

if this makes the crappy antivirus that is bundled on your parents' computer a little less crappy, can you really complain?

Facepalm (0)

Anonymous Coward | about 4 months ago | (#46949351)

As a sidenote, OSVDB's Twitter feed [twitter.com] surely gives a "professional image".

OSVD isn't open source (2)

stenvar (2789879) | about 4 months ago | (#46949355)

Based on their web site and description, "OSVD" may have started out as an "open source database", but now it seems to have morphed into something that is effectively a commercial data aggregator and vendor hiding behind a non-profit and giving out limited, free samples. In any case, whatever it is, their database clearly is not "open".

Re:OSVD isn't open source (1)

Em Adespoton (792954) | about 4 months ago | (#46950265)

Based on their web site and description, "OSVD" may have started out as an "open source database", but now it seems to have morphed into something that is effectively a commercial data aggregator and vendor hiding behind a non-profit and giving out limited, free samples. In any case, whatever it is, their database clearly is not "open".

They're "open sourced" not "OSS" -- meaning that they show their sources and allow community input, not that their product is free as in speech. Summary made a typo and left out the D.

I considered doing the same myself (1)

hilather (1079603) | about 4 months ago | (#46949433)

The OSVDB went pay a few years ago. They have a wealth of interesting information and used to be fully open source; however, due to lack of community involvement they decided that the open source model wasn't working for them. If the OSVDB has a problem with people scraping their site, they should really update (or in their case - create) their robots.txt. I was interested in this data myself a year or so ago until I found out they wanted me to pay a subscription to access information I can view for free on their website and screen scrape for free if I really wanted to. Furthermore, I noticed that Google has completely cached their site because they take no preventative measures against it. If anyone wanted this data, they could easily screen scrape it from the Google cache and the OSVDB would be none the wiser. Why should anyone pay for data that the OSVDB has literally done nothing to protect?

Re:I considered doing the same myself (0)

Anonymous Coward | about 4 months ago | (#46949525)

By this logic, someone who leaves their house or car unlocked is leaving an open invitation for you to do what you will? Or if a woman is wearing a shirt which shows some sideboob, that you're completely in the clear if you reach over and cop a feel?

Re:I considered doing the same myself (3)

GTRacer (234395) | about 4 months ago | (#46949717)

... Getting a little tired of this disingenuous strawman. The purpose of personal property is to belong to its owner. The purpose of clothing is to cover our bodies. Neither suggests access is explicitly or implicitly granted to third parties.

Now, put a water fountain up at a public park with the intent (but no access control measures implemented) to limit its access and then let's talk. A publicly-available website's purpose is to disseminate information! Robots.txt is a timeworn and standard way to show your intent for access. As is having a log in page or similar. If you put up a public-facing website which conveys information relevant for public consumption, don't be surprised when the public uses it! Heaven forbid a speedreader with eidetic memory accesses pages too fast for your liking...

Now, if you implement a page cap and someone uses tricksy browsing to bypass THAT, then I agree that that is bad form. Until then, if you put the site up and effectively say "OPEN FOR BUSINESS"...

Re:I considered doing the same myself (0)

Anonymous Coward | about 4 months ago | (#46949937)

Well, if you leave the doors open, insurance won't pay.

Re:I considered doing the same myself (1)

Anonymous Coward | about 4 months ago | (#46950207)

>By this logic, someone who leaves their house or car unlocked is leaving an open invitation for you to do what you will?

If their house or car is a business, yes. Do you knock and ask for permission to enter a business?

If you start charging for money, you're a business. Deal with it.

Re:I considered doing the same myself (1)

hodet (620484) | about 4 months ago | (#46950479)

You shouldn't have to lock your data down. I can see GPL'd code and can use it and distribute it but I can't close source it and then resell it as a proprietary app and then say "hey if you didn't want me to use it you shouldn't have made it available". That is the license we agree to. A clear license lines out acceptable use and it looks to me like they are trying to strike a balance between being solvent and user friendly. But freeloaders will ruin it for others.

Re:I considered doing the same myself (1)

hilather (1079603) | about 4 months ago | (#46950551)

You shouldn't have to lock your data down. I can see GPL'd code and can use it and distribute it but I can't close source it and then resell it as a proprietary app and then say "hey if you didn't want me to use it you shouldn't have made it available". That is the license we agree to. A clear license lines out acceptable use and it looks to me like they are trying to strike a balance between being solvent and user friendly. But freeloaders will ruin it for others.

I agree you shouldn't have to go to any extremes to lock down your own data. But when publishing a website online, there are certain standards you need to follow if you don't want people copying the data on your website. If they are allowing search engines to index their proprietary data, then they should have no expectation that others will not do the same.

Virus or antivirus (1)

Kharny (239931) | about 4 months ago | (#46949573)

Considering McAfee has long since made the jump from antivirus to fully blown virus/malware, what were they expecting?

But is the data protected by copyright? (1)

American Patent Guy (653432) | about 4 months ago | (#46949631)

Not all data is protected by copyright. If someone makes data available on a website that is not protected by copyright, then it's perfectly legal to scrape it. (At least by U.S. law.) The posting of a license on a website makes no difference where there are no copyrights in the material copied. By posting web pages and data in a location available to the public, the website granted an "implied license" to copy the pages and data.

Copyrights attach to "works of authorship". A database can be such a work, but simple data in a database probably isn't. If the scraping engine looked up the unprotected data in the database without copying substantial parts thereof (as seems to be the case from the article), then no copyrights were infringed.

So I'd have to ask the question: what did McAfee scrape, and was it a "work of authorship"? If all they got was the fingerprints, filenames and names of viruses/vulnerabilities, then I'd have to say "no".

This will be one of the times that I shout "hurrah" for McAfee!

What do you expect? (0)

Anonymous Coward | about 4 months ago | (#46949935)

This is the company run by a murdering drug addict who has spent his fortunes and a chunk of his life in search of the ultimate high, while constantly running afoul of the law.

He is a man completely devoid of morality. Is there any real expectation that his company will abide by the law too?

Re:What do you expect? (1)

tomhath (637240) | about 4 months ago | (#46950167)

McAfee left the company over twenty years ago

Re:What do you expect? (0)

Anonymous Coward | about 4 months ago | (#46950577)

This is the company run by a murdering drug addict who has spent his fortunes and a chunk of his life in search of the ultimate high, while constantly running afoul of the law.

He is a man completely devoid of morality. Is there any real expectation that his company will abide by the law too?

No :)

It's the company formerly (like over 20 years ago) run by a drug dealer. Now it's owned by Intel, and John M would be more than happy if they changed its name so he doesn't have to be associated with it anymore (the way he speaks, he's happier to be called a drug dealer than to be called "the founder of that AV company")....

Aaron Swartz (2)

Mozai (3547) | about 4 months ago | (#46950093)

Isn't this what Aaron Swartz did? Is the US Government going to "make an example" of McAfee too?

Copyright or no, it's trouble (2)

tygt (792974) | about 4 months ago | (#46950245)

Doesn't matter if the data is free or not - if you're circumventing access restrictions, it's effectively breaking in (not like most of us haven't done it, but still).

Re:Copyright or no, it's trouble (1)

American Patent Guy (653432) | about 4 months ago | (#46950481)

"OSVDB aggregates and formatted public vulnerability records for free individual consumption but requests that those seeking more comprehensive access pay for the right. The outfit's site includes a copyright statement."

So, OSVDB is copying vulnerability records from others and then providing free access to their database. That access sounds pretty "comprehensive" to me.

If OSVDB wants to be paid, then they'll have to actually "restrict" access. A copyright statement doesn't "restrict" anything, particularly where they don't have any copyrights in the data to begin with.

Re:Copyright or no, it's trouble (1)

Sentrion (964745) | about 4 months ago | (#46950673)

Data wants to be free, free as a billionaire fleeing a Belize murder rap.

Oh, NOT about John (1)

Scot Seese (137975) | about 4 months ago | (#46950421)

Wait, wha.. OH! For a second I thought this was another zany article about John.

OSVDB scraped NVD (1)

sinij (911942) | about 4 months ago | (#46950629)

OSVDB is notorious for scraping NVD (NIST National Vulnerability Database) and both follow CVE and CCE standards that are maintained by Mitre. Both OSVDB and NVD are public vulnerability databases maintained by outside submissions. NVD/OSVDB do not conduct any kind of vulnerability discovery activity.

I don't see how OSVDB can claim any rights to this data. They certainly didn't produce it. Thankfully, if they are stupid enough to claim it, NIST will quickly put them in their place.

So What? (1)

Luthair (847766) | about 4 months ago | (#46950671)

At least in North America facts (which is what SV data is) are not considered to be copyrightable. (In Europe I believe there is some protection for databases) This might be a ToS violation but I think most Slashdot'ers would agree those are questionable and that public websites should not have different protection from the phonebook delivered to your door. (Which Yellowpages has previously complained about Google and others "copying")

As someone who looks at SV data regularly and has previously pointed things out to OSVDB maintainers, I would also point out that the majority of the OSVDB database is simply a clone of CVE, thus in reality isn't even "theirs".

Re:So What? (1)

AvitarX (172628) | about 4 months ago | (#46950857)

I think specifically writing a script that is dishonest, in an attempt to get information from a server that is for sale, has been demonstrated to not be allowed (a craigslist searcher did this I believe).

I would think they are on the hook for the cost of the data, and there is a real case for punitive damages too, even if the data itself is not copyrightable in the US (due to the lack of sweat of the brow being relevant for intellectual property here).
