
McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database

Posted by timothy
from the but-don't-say-they-didn't-ask dept.
mask.of.sanity (1228908) writes with this excerpt from The Register: "'Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data.' Law experts say the site's copyright could be breached by individuals merely downloading the information in contravention to the site's policies, and did not require the data to be subsequently disseminated."

  • by bill_mcgonigle (4333) * on Thursday May 08, 2014 @11:12AM (#46949459) Homepage Journal

    The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice.

    I had an intern try a thing like this, ten years back or so. He was tired of the slow internet connection so he tried to scrape Wolfram's math tutorial website overnight and found the company's IP blocked in the morning. I sent a note to their admins saying I'd talked to the boy and that took care of it. It happens.

    But that talk was a "be nice" one, not a "you tried to avoid paying for a commercial product" one, which is different.

    But there's something odd about what OSVDB is saying. Here's the log snippet they show:


    161.69.163.20 - - [04/May/2014:07:22:14 -0500]
    161.69.163.20 - - [04/May/2014:07:22:16 -0500]
    161.69.163.20 - - [04/May/2014:07:22:18 -0500]
    161.69.163.20 - - [04/May/2014:07:22:20 -0500]

    Every two seconds - bad form. Your 2000 requests would have been finished over a weekend if you rate limited to once a minute, to be nice to their servers.

    But, their blog says:

    They made 2,219 requests between 06:25:24 on May 4 and 21:18:26 on May 6. Excuse us, you clearly didn't want to try our service back then.

    Which indicates an average rate of 1.7 minutes per request. There's something OSVDB isn't telling us.

    It's also odd to see, on a post from May 7, something that happened on May 4th referred to as "back then". It's sounding rather "he-said", so I expect we'll soon hear the "she-said", at least from Intel. The S21Sec guys seem to have used an aggressive scraping-tool with anti-countermeasures deployed, so it's harder to expect them to have a good retort.

    It's not even clear to me that OSVDB has any copyright claim on a database - looking at a random entry [osvdb.com] I see text that could have come from the vendor or have been written by an OSVDB staffer - it's unclear what is what. If they are writing prose, then they get copyright protection on that. If it's just aggregating data, then what it's basically down to is clickwrap license enforceability, which is very unclear.
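
Added example, not part of the comment above or of OSVDB's post: a per-client access-log profile that reports the mean gap between requests alongside the median gap, the longest burst, and the number of distinct user agents, which are the signals the story and the log excerpt turn on. The log lines, IP addresses (documentation ranges), paths, user agents and the 10-second burst threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample in Apache combined log format (not OSVDB's real log).
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2014:07:22:14 -0500] "GET /show/osvdb/1001 HTTP/1.1" 200 5120 "-" "UA-A"
192.0.2.10 - - [04/May/2014:07:22:16 -0500] "GET /show/osvdb/1002 HTTP/1.1" 200 4870 "-" "UA-B"
192.0.2.10 - - [04/May/2014:07:22:18 -0500] "GET /show/osvdb/1003 HTTP/1.1" 200 5033 "-" "UA-C"
192.0.2.10 - - [04/May/2014:07:22:20 -0500] "GET /show/osvdb/1004 HTTP/1.1" 200 4991 "-" "UA-A"
192.0.2.10 - - [04/May/2014:09:22:20 -0500] "GET /show/osvdb/1005 HTTP/1.1" 200 5210 "-" "UA-B"
192.0.2.10 - - [04/May/2014:09:22:22 -0500] "GET /show/osvdb/1006 HTTP/1.1" 200 5102 "-" "UA-C"
192.0.2.10 - - [04/May/2014:09:22:24 -0500] "GET /show/osvdb/1007 HTTP/1.1" 200 4960 "-" "UA-A"
198.51.100.7 - - [04/May/2014:08:00:00 -0500] "GET /show/osvdb/2001 HTTP/1.1" 200 5000 "-" "UA-D"
198.51.100.7 - - [04/May/2014:08:10:00 -0500] "GET /show/osvdb/2002 HTTP/1.1" 200 5000 "-" "UA-D"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def parse(log_text):
    """Group (timestamp, user_agent) pairs by client IP; skip unparsable lines."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            by_ip[m.group(1)].append((ts, m.group(3)))
    return by_ip

def profile(hits, burst_gap=10):
    """Summarise one client's request timing; a burst is a run with gaps <= burst_gap s."""
    times = sorted(t for t, _ in hits)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    bursts, run = [], 1
    for g in gaps:
        if g <= burst_gap:
            run += 1
        else:
            bursts.append(run)
            run = 1
    bursts.append(run)
    return {
        "requests": len(hits),
        "mean_gap_s": mean(gaps) if gaps else None,      # dominated by idle periods
        "median_gap_s": median(gaps) if gaps else None,  # reflects the typical pace
        "longest_burst": max(bursts),
        "user_agents": len({ua for _, ua in hits}),
    }
```

A window-wide average and a short log excerpt describe different things: the mean gap is pulled up by idle time between bursts, while the median gap and burst length show the pace inside them.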
