
McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database

Posted by timothy
from the but-don't-say-they-didn't-ask dept.
mask.of.sanity (1228908) writes with this excerpt from The Register: "'Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data.' Law experts say the site's copyright could be breached by individuals merely downloading the information in contravention to the site's policies, and did not require the data to be subsequently disseminated."
  • by jeffmeden (135043) on Thursday May 08, 2014 @10:09AM (#46948751) Homepage Journal

    "McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database"

    Smash and grab? I bet he is hiding out in Ecuador.

    • by Anonymous Coward

      I think to be consistent, Aaron Swartz's supporters have to take McAfee's side.

      • by MightyYar (622222)

        I think I agree. I mean, scraping data from a public-facing web page isn't exactly felony material - so long as your activities do not disrupt the service.

        On the other hand, there is a line that you can cross. Certainly, we'd all agree that brute-forcing passwords would be over the line. Making your scripts evasive to avoid countermeasures is not as blatant, but definitely is shadier than just scraping a site with no countermeasures....

        Anyway, this kind of disagreement is exactly why we have a civil court s

      • I think the difference is the utilization of the scraped data for profit which is a violation of the license.
      • by lister king of smeg (2481612) on Thursday May 08, 2014 @11:38AM (#46949745)

        I think to be consistent, Aaron Swartz's supporters have to take McAfee's side.

        No this is different.
        With Aaron it was scientific papers that were funded with public money then locked behind a private paywall and none of the proceeds going back to the public, Aaron then tried to download them and give them back to the public that paid for the writing of said documentation.
        In this case it is McAfee stealing info that was privately funded by another private company and keeping it for themselves.
        The situations are completely different as well as their motivation.

        • by Shatrat (855151)

          You're right, but Aaron was prosecuted not for what he did, but for HOW he did it. Scary computer stuff. This is also scary computer stuff.

        • There is no copyright in facts, which is why the Register article says there is a "debate" about copyright protection in databases. If a database is nothing more than a collection of facts, it won't be eligible for copyright protection. (It might be eligible for a database protection right in Europe, though)

          That said, databases can be copyrighted if they contain original creative content, or if the selection and arrangement of the facts is original and creative. The article hints at a sweat of the brow just

          • by Mathinker (909784)

            > From what I understand, his intention was to release the articles to the public, but he never got that far.

            As far as I know, there is no evidence for this, except circumstantial (feel free to reply with supporting evidence). You could very well be correct, or he could have had a more nuanced plan, like only releasing the public domain stuff first, or threatening to do so, and somehow hoping to leverage that to achieve other goals (like, for example, the subsequent JSTOR relaxed access policy which ena

            • by langelgjm (860756)

              Yeah, I also read something suggesting he wanted to do some text mining on the articles to find bias in corporate funded research. I think it was the prosecution pushing the idea that he wanted to release the articles, based on quotes from the Guerilla Open Access Manifesto, etc.

          • by PaddyM (45763)

            How is Swartz worse? He may have intended to commit massive copyright violations, but he DID not. And he had rights to this information per JSTOR's own terms of service. He was going to be prosecuted for 50 years to life for a thought crime. If thought crime is worse than actual crime, that is a big problem.

            OSVDB says there is a debate about whether this information is copyrightable, but they aren't pursuing that angle.

            If McAfee workers read these documents to improve software that they are developing, t

            • by langelgjm (860756)

              Well, he was going to be prosecuted primarily for violations of the CFAA, not copyright infringement.

              Anyway the point I was trying to make is that I'm not convinced that OSVDB has any exclusive right to the information, period. If they don't have any exclusive right to it, they can try and "license" it all they want, but it doesn't matter. You don't get to just throw up a bunch of factual, non-copyrighted (and non-copyrightable) information on a public web page, then claim that anyone who doesn't comply wit

              • by PaddyM (45763)

                Yeah, I see what you mean. CFAA is overly broad. Any "scary stuff with computer".

  • by SuperBanana (662181) on Thursday May 08, 2014 @10:14AM (#46948809)

    open "sourced", not "open source."

    http://osvdb.org/about [osvdb.org]

    I was confused about how someone could be charged for access to "open source" information...

    Here's the NPO, with two officers, backing it:
    http://opensecurityfoundation.... [opensecuri...dation.org]

    • by jeffmeden (135043)

      open "sourced", not "open source."

      http://osvdb.org/about [osvdb.org]

      I was confused about how someone could be charged for access to "open source" information...

      Here's the NPO, with two officers, backing it:
      http://opensecurityfoundation.... [opensecuri...dation.org]

      I noticed that convenient typo, too. It's amazing how much of a difference one little d at the end of a word can make. Makes me almost want actual editors on slashdot instead of these uneducated rogues.

    • I was confused about how someone could be charged for access to "open source" information..

      Open source and public domain are not the same things - most open source data is copyrighted and made available through a suitably permissive licence. Break that licence and you can be sued just as easily as if you were breaking a closed source licence.

      • I've been using linux since 1998. I don't need a lecture on open source licensing.

        Charging for access to data is fundamentally incompatible with claiming it's "open source" by many people's definitions.

    • Open sources does not mean you have the right to copy them. The printer drivers for Richard Stallman's device were open source to a colleague at another college, however the fellow was under NDA not to share the code with RMS. Thus began the Free Software Movement, because Open Source does not actually imply Free Software, no matter how much you wish this was the case. There is no typo, you're just ignorant.

  • by Anonymous Coward on Thursday May 08, 2014 @10:16AM (#46948825)
    This is essentially what Aaron Swartz was charged with doing... from wikipedia:

    Federal prosecutors charged him with two counts of wire fraud and 11 violations of the Computer Fraud and Abuse Act,[12] carrying a cumulative maximum penalty of $1 million in fines, 35 years in prison, asset forfeiture, restitution and supervised release.

  • I'm no McAfee advocate by any means, but the span of time between the initial sales consultation and the unauthorized scraping indicates that the person involved with the scraping might not have been involved with the sales process and was ignorant of the need for a PO. The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice. Of course, McAfee's size and influence holds them to a higher standard that should preclude anyone running rogue like t
    • by jeffmeden (135043)

      I'm no McAfee advocate by any means, but the span of time between the initial sales consultation and the unauthorized scraping indicates that the person involved with the scraping might not have been involved with the sales process and was ignorant of the need for a PO. The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice. Of course, McAfee's size and influence holds them to a higher standard that should preclude anyone running rogue like this.

      Agreed, this is definitely a case where incompetence is more likely than malice. For fuck's sake, if it were malice they would at LEAST do it from an AWS, Azure, or [insert huge anonymizing cloud provider here] instance instead of from an IP directly registered to McAfee.

    • by bill_mcgonigle (4333) * on Thursday May 08, 2014 @11:12AM (#46949459) Homepage Journal

      The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice.

      I had an intern try a thing like this, ten years back or so. He was tired of the slow internet connection so he tried to scrape Wolfram's math tutorial website overnight and found the company's IP blocked in the morning. I sent a note to their admins saying I'd talked to the boy and that took care of it. It happens.

      But that talk was a "be nice" one, not a "you tried to avoid paying for a commercial product" one, which is different.

      But there's something odd about what OSVDB is saying. Here's the log snippet they show:


      161.69.163.20 - - [04/May/2014:07:22:14 -0500]
      161.69.163.20 - - [04/May/2014:07:22:16 -0500]
      161.69.163.20 - - [04/May/2014:07:22:18 -0500]
      161.69.163.20 - - [04/May/2014:07:22:20 -0500]

      Every two seconds - bad form. Your 2000 requests would have been finished over a weekend if you rate limited to once a minute, to be nice to their servers.

      But, their blog says:

      They made 2,219 requests between 06:25:24 on May 4 and 21:18:26 on May 6. Excuse us, you clearly didn't want to try our service back then.

      Which indicates an average rate of 1.7 minutes per request. There's something OSVDB isn't telling us.

      It's also odd to see, on a post from May 7, something that happened on May 4th referred to as "back then". It's sounding rather "he-said", so I expect we'll soon hear the "she-said", at least from Intel. The S21Sec guys seem to have used an aggressive scraping-tool with anti-countermeasures deployed, so it's harder to expect them to have a good retort.

      It's not even clear to me that OSVDB has any copyright claim on a database - looking at a random entry [osvdb.com] I see text that could have come from the vendor or have been written by an OSVDB staffer - it's unclear what is what. If they are writing prose, then they get copyright protection on that. If it's just aggregating data, then what it's basically down to is clickwrap license enforceability, which is very unclear.
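
The two figures compared in the comment above (a 2-second cadence in the quoted snippet against a 1.7-minute whole-window average) and the user-agent rotation mentioned in the summary can both be measured per client from an access log. This is an added example, not code from the thread or from OSVDB; the log lines, paths, user agents and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample (combined log format). IPs are documentation ranges;
# the 2-second cadence mirrors the snippet quoted in the comment.
SAMPLE_LOG = '''\
192.0.2.10 - - [04/May/2014:07:22:14 -0500] "GET /entry/1001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
192.0.2.10 - - [04/May/2014:07:22:16 -0500] "GET /entry/1002 HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (Macintosh) Safari/537.75"
198.51.100.7 - - [04/May/2014:07:22:17 -0500] "GET /entry/2044 HTTP/1.1" 200 5300 "-" "Mozilla/5.0 (X11; Linux) Chrome/34.0"
192.0.2.10 - - [04/May/2014:07:22:18 -0500] "GET /entry/1003 HTTP/1.1" 200 5011 "-" "Opera/9.80 (Windows NT 6.1)"
192.0.2.10 - - [04/May/2014:07:22:20 -0500] "GET /entry/1004 HTTP/1.1" 200 5077 "-" "Mozilla/5.0 (iPad) Safari/9537.53"
198.51.100.7 - - [04/May/2014:07:22:57 -0500] "GET /entry/2045 HTTP/1.1" 200 5210 "-" "Mozilla/5.0 (X11; Linux) Chrome/34.0"
192.0.2.10 - - [04/May/2014:09:22:20 -0500] "GET /entry/1005 HTTP/1.1" 200 4990 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def profile(log_text):
    """Per-IP request count, median/mean gap in seconds, distinct user agents."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format entry
        ip, ts, agent = m.groups()
        seen[ip].append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), agent))
    out = {}
    for ip, hits in seen.items():
        times = sorted(t for t, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[ip] = {"requests": len(hits),
                   "median_gap": median(gaps) if gaps else None,
                   "mean_gap": mean(gaps) if gaps else None,
                   "agents": len({a for _, a in hits})}
    return out

def flag(profiles, min_requests=4, max_gap=5.0, max_agents=2):
    """Return {ip: [reasons]}; thresholds are illustrative, not tuned values."""
    flagged = {}
    for ip, p in profiles.items():
        if p["requests"] < min_requests:
            continue  # too few requests to judge
        reasons = []
        if p["median_gap"] <= max_gap:
            reasons.append("burst")        # typical gap is machine-paced
        if p["agents"] > max_agents:
            reasons.append("ua-rotation")  # one IP, many browser identities
        if reasons:
            flagged[ip] = reasons
    return flagged

def average_interval(first, last, requests):
    """Whole-window average in seconds per request, as in the comment."""
    return (last - first).total_seconds() / requests

if __name__ == "__main__":
    print(flag(profile(SAMPLE_LOG)))
```

The median gap stays at the burst cadence while the mean is dominated by the idle period between bursts, which is how a 2-second snippet and a 1.7-minute average can describe the same client.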

  • My data (Score:5, Funny)

    by StripedCow (776465) on Thursday May 08, 2014 @10:40AM (#46949071)

    Hi, MS programmer here. I caused most of those vulnerabilities, so actually it is MY data.

  • if this makes the crappy antivirus that is bundled on your parents computer a little less crappy, can you really complain?

  • by stenvar (2789879) on Thursday May 08, 2014 @11:04AM (#46949355)

    Based on their web site and description, "OSVD" may have started out as an "open source database", but now it seems to have morphed into something that is effectively a commercial data aggregator and vendor hiding behind a non-profit and giving out limited, free samples. In any case, whatever it is, their database clearly is not "open".

    • Based on their web site and description, "OSVD" may have started out as an "open source database", but now it seems to have morphed into something that is effectively a commercial data aggregator and vendor hiding behind a non-profit and giving out limited, free samples. In any case, whatever it is, their database clearly is not "open".

      They're "open sourced" not "OSS" -- meaning that they show their sources and allow community input, not that their product is free as in speech. Summary made a typo and left out the D.

      • by stenvar (2789879)

        "Open Sourced" can mean "derived from open sources" or it can mean "released under an open source license", so it is at best ambiguous.

        But I think it's pretty clear that the people running OSVDB are deliberately trying to mislead people into thinking that they are somehow part of the open source movement, when in fact they are effectively nothing more than a commercial vendor of a proprietary database aggregated from public sources.

        The problem with OSVDB is not their business model, it's that they pretend to

  • The OSVDB went pay a few years ago. They have a wealth of interesting information and used to be fully open source however due to lack of community involvement they decided that the open source model wasn't working for them. If the OSVDB has a problem with people scraping their site, they should really update (or in their case - create) their robots.txt. I was interested in this data myself a year or so ago until I found out they wanted me to pay a subscription to access information I can view for free on
    • by hodet (620484)

      You shouldn't have to lock your data down. I can see GPL'd code and can use it and distribute it but I can't close source it and then resell it as a proprietary app and then say "hey if you didn't want me to use it you shouldn't have made it available". That is the license we agree to. A clear license lines out acceptable use and it looks to me like they are trying to strike a balance between being solvent and user friendly. But freeloaders will ruin it for others.

      • by hilather (1079603)

        You shouldn't have to lock your data down. I can see GPL'd code and can use it and distribute it but I can't close source it and then resell it as a proprietary app and then say "hey if you didn't want me to use it you shouldn't have made it available". That is the license we agree to. A clear license lines out acceptable use and it looks to me like they are trying to strike a balance between being solvent and user friendly. But freeloaders will ruin it for others.

        I agree you shouldn't have to go to any extremes to lock down your own data. But when publishing a website online, there are certain standards you need to follow if you don't want people copying the data on your website. If they are allowing search engines to index their proprietary data, then they should have no expectation that others will not do the same.

        • by Hategrin (3579025)
          The deal was "free for proprietary use commercial users pay." It's really a very common form of licensing. Anyway, it doesn't really matter what you "think" is a good/proper business plan, you didn't write the license. When you go to get a resource from somebody, a water-well or a web-page, you do so on THEIR terms, hence a license. That's life, sorry Mein Führer but you don't get to dictate your ethics and terms to everyone in the free world. It doesn't matter if the license was somewhat permissive to beg
  • Considering McAfee has long since made the jump from antivirus to fully blown virus/malware, what were they expecting?

  • Not all data is protected by copyright. If someone makes data available on a website that is not protected by copyright, then it's perfectly legal to scrape it. (At least by U.S. law.) The posting of a license on a website makes no difference where there are no copyrights in the material copied. By posting web pages and data in a location available to the public, the website granted an "implied license" to copy the pages and data.

    Copyrights attach to "works of authorship". A database can be such a work, but

  • by Mozai (3547) on Thursday May 08, 2014 @12:07PM (#46950093) Homepage

    Isn't this what Aaron Swartz did? Is the US Government going to "make an example" of McAfee too?

  • by tygt (792974) on Thursday May 08, 2014 @12:19PM (#46950245)

    Doesn't matter if the data is free or not - if you're circumventing access restrictions, it's effectively breaking in (not like most of us haven't done it, but still).

    • "OSVDB aggregates and formated public vulnerability records for free individual consumption but requests that those seeking more comprehensive access pay for the right. The outfit's site includes a copyright statement."

      So, OSVDB is copying vulnerability records from others and then providing free access to their database. That access sounds pretty "comprehensive" to me.

      If OSVDB wants to be paid, then they'll have to actually "restrict" access. A copyright statement doesn't "restrict" anything, particularly

    • by Sentrion (964745)

      Data wants to be free, free as a billionaire fleeing a Belize murder rap.

    • by RobSwider (669148)
      It's like going into the grocery store and getting a sample BBQ cocktail wiener. Then you go back out to the car, change your clothes, go back in and get another... Rinse and repeat until you have a cooler full, then open up a wiener stand outside the store to sell your ill-gotten meats.
  • Wait, wha.. OH! For a second I thought this was another zany article about John.

  • OSVDB is notorious for scraping NVD (NIST National Vulnerability Database) and both follow CVE and CCE standards that are maintained by Mitre. Both OSVDB and NVD are public vulnerability databases maintained by outside submissions. NVD/OSVDB do not conduct any kind of vulnerability discovery activity.

    I don't see how OSVDB can claim any rights to this data. They certainly didn't produce it. Thankfully, if they are stupid enough to claim it NIST will quickly put them in their place.
  • At least in North America facts (which is what SV data is) are not considered to be copyrightable. (In Europe I believe there is some protection for databases) This might be a ToS violation but I think most Slashdot'ers would agree those are questionable and that public websites should not have different protection from the phonebook delivered to your door. (Which Yellowpages has previously complained about Google and others "copying")

    As someone who looks at SV data regularly and has previously pointed th

    • by AvitarX (172628)

      I think specifically writing a script that is dishonest, in an attempt to get information from a server that is for sale, has been demonstrated to not be allowed (a craigslist searcher did this I believe).

      I would think they are on the hook for the cost of the data, and there is a real case for punitive damages too, even if the data itself is not copyrightable in the US (due to the lack of sweat of the brow being relevant for intellectual property here).

    • by PaddyM (45763)

      Yeah I'd have to agree. Clearly they violated the terms of service, although it's debatable about whether that's legal or not.

      • I just LOVE being an intellectual property attorney. The level of ignorance in the field (as demonstrated by the majority of the posts here) gives me great comfort in my job security. THANKS GUYS!

  • This brings up an interesting conundrum about copyright... So, if I scrape TRW (Sorry, Experian)'s website and it's only to download information about MYSELF, who's got the copyright on that? Experian is supposed to provide the information for free to me anyhow, on request, so, can I be charged with a crime for taking it without asking?

    And let's talk about all the other thousands of companies (Facebook, Google, United Healthcare, BlueCross, Amazon, Slashdot, yadda yadda yadda) that collect and resell informa
