McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database

mask.of.sanity (1228908) writes with this excerpt from The Register: "'Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data.' Law experts say the site's copyright could be breached by individuals merely downloading the information in contravention to the site's policies, and did not require the data to be subsequently disseminated."

McAfee in trouble

[jeffmeden]

"McAfee Grabbed Data Without Paying, Says Open Source Vulnerability Database"

Smash and grab? I bet he is hiding out in Ecuador.

Re:

[Anonymous Coward]

I think to be consistent, Aaron Swartz's supporters have to take McAfee's side.

Re:

[MightyYar]

I think I agree. I mean, scraping data from a public-facing web page isn't exactly felony material - so long as your activities do not disrupt the service.

On the other hand, there is a line that you can cross. Certainly, we'd all agree that brute-forcing passwords would be over the line. Making your scripts evasive to avoid countermeasures is not as blatant, but definitely is shadier than just scraping a site with no countermeasures....

Anyway, this kind of disagreement is exactly why we have a civil court s

Re:

[MightyYar]

I should have said "scaping data from a public-facing web page SHOULDN'T be felony material".

Re:McAfee in trouble

[ConfusedVorlon]

If the site is clear about it's terms up front, then this seems like a serious issue.

McAfee clearly knew they needed a licence; They asked about getting one. Presumably, they just didn't like the price.

Plenty of software licences are the same; Free for personal use, paid for commercial use. The fact that the company does the world a favour by offering free access for some people doesn't make the commercial theft of the whole database less serious.

Re:

[MightyYar]

I agree - I just think it is a civil and not a criminal matter.

Re:

[American Patent Guy]

Nope. People get "licenses" to things they don't need to all the time. Just because McAffee entered negotiations for one doesn't mean they had to get it.

I could put up a pot and a sign in my front yard that says "everyone that passes must pay $1". Maybe some people would drop something in the pot, but the smart ones would just walk right on by.

Re:

[ConfusedVorlon]

agreed - entering negotiations doesn't show they needed the licence.

However - assuming the requirement for a licence is real (e.g. terms and conditions on the site are clear and forbid taking all the data for commercial use) - it makes it hard for McAffee to claim that they didn't realise they needed one.

Given that they seem to have been deliberately trying to avoid security restrictions (by rapidly changing user agents) - then it is even harder for them to claim an innocent error.

Re:

[American Patent Guy]

Actually, it's easy for McAffee: they just claim they didn't violate anyone's copyrights. If they copied publicly-available data, they probably have a good argument. The fact that that data was behind restrictions doesn't change the lack of copyrights. Accessing a website does not imply acceptance of any license (whether posted on the site or not.)

McAffee will claim they didn't need a license, because they didn't need a license. (probably)

Re:

[reve_etrange]

Especially not factual information, which should not be subject to copyright. The TOS violation issue I understand, but vulnerabilities seem not-subject-to-copyright to me.

Re:

[davester666]

Sorry, different laws apply to multinational corporations.

Re:

[tomhath]

"public-facing web page"

Re:

[Minwee]

"public-facing web page"

public-facing web page [jstor.org].

Re:

[Maritz]

Public-Paging Face Web

Re: McAfee in trouble

[martin0641]

I think the difference is the utilization of the scraped data for profit which is a violation of the license.

Re:McAfee in trouble

[lister king of smeg]

I think to be consistent, Aaron Swartz's supporters have to take McAfee's side.

No this is different.
With Aaron it was scientific papers that were funded with public money then locked behind a private paywall and none of the proceeds going back to to the public, Arron then tried to download them a give them back to the public that paid for the writing of said documentation.
In this case it is Mcafee is stealing info that was privatively funded by another private company and keeping it for themselves.
The situations are completely different as well as their motivation.

Re:

[Shatrat]

You're right, but Aaron was prosecuted not for what he did, but for HOW he did it. Scary computer stuff. This is also scary computer stuff.

From a legal perspective, Swartz is probably worse

[langelgjm]

There is no copyright in facts, which is why the Register article says there is a "debate" about copyright protection in databases. If a database is nothing more than a collection of facts, it won't be eligible for copyright protection. (It might be eligible for a database protection right in Europe, though)

That said, databases can be copyrighted if they contain original creative content, or if the selection and arrangement of the facts is original and creative. The article hints at a sweat of the brow just

Re:

[Mathinker]

> From what I understand, his intention was to release the articles to the public, but he never got that far.

As far as I know, there is no evidence for this, except circumstantial (feel free to reply with supporting evidence). You could very well be correct, or he could have had a more nuanced plan, like only releasing the public domain stuff first, or threatening to do so, and somehow hoping to leverage that to achieve other goals (like, for example, the subsequent JSTOR relaxed access policy which ena

Re:

[langelgjm]

Yeah, I also read something suggesting he wanted to do some text mining on the articles to find bias in corporate funded research. I think it was the prosecution pushing the idea that he wanted to release the articles, based on quotes from the Guerilla Open Access Manifesto, etc.

Re:

[PaddyM]

How is Swartz worse? He may have intended to commit massive copyright violations, but he DID not. And he had rights to this information per JSTORs own terms of service. He was going to be prosecuted for 50 years to life for a thought crime. If thought crime is worse than actual crime, that is a big problem.

OSVDB says there is a debate about whether this information is copyrightable, but they aren't pursuing that angle.

If McAfee workers read these documents to improve software that they are developing, t

Re:

[langelgjm]

Well, he was going to be prosecuted primarily for violations of the CFAA, not copyright infringement.

Anyway the point I was trying to make is that I'm not convinced that OSVDB has any exclusive right to the information, period. If they don't have any exclusive right to it, then can try and "license" it all they want, but it doesn't matter. You don't get to just throw up a bunch of factual, non-copyrighted (and non-copyrightable) information on a public web page, then claim that anyone who doesn't comply wit

Re:

[PaddyM]

Yeah, I see what you mean. CFAA is overly broad. Any "scary stuff with computer".

Re:

[AC-x]

FYI if you want to use open source in a closed source / commercial project then often you do have to pay for it, depending on the licence it's open sourced under.

Re:

[pr0fessor]

Open Sourced has a different meaning in the context they use it, they are talking about how they get their data from many sources including volunteers.

http://osvdb.org/osvdb_license [osvdb.org]

Re:

[Anonymous Coward]

If you have to pay for it, it sure as hell ain't open source.

Wrong. It is perfectly legal to charge for open source (GPL, BSD, etc).

Open source lets the customer modify, improve and fix the software, instead of being at the mercy of the software author.

Re:

[Minwee]

Then why aren't the developers of Linux kernel getting paid?

I think the question you're looking for is "Why are only 83.1% of the developers of the Linux kernel getting paid?' [arstechnica.com]

Re:

[gnupun]

The report covers almost 92,000 changes to Linux from 3,738 individuals since version 3.3 in March 2012.

That statistic is only after march 2012, when the kernel was more or less stable. What about 20 years worth of work before that? I don't think most of those developers have been paid. Also, making little changes to a stable product is easier that creating it from scratch.

Re:

[Minwee]

The first link in the article is for The Linux Foundation [linuxfoundation.org], who have been publishing the same report since at least 2008, when a minimum of 70% of the contributors (including people who submitted one-line fixes) had corporate sponsorship. Even before then it is easy to see who the top contributors to Linux were -- Kernel maintainer Alan Cox was employed by Red Hat from 1999 to 2009. Ted Ts'o worked with MIT, VA Linux and IBM while he developed /dev/random and the ext2 file system. John "Mad Dog" Hall was t

Re:

[TrollingForHostFiles]

APK once again misses
The obvious--that is,
The barn-sized difference
Between libre and gratis

BURMA SHAVE

Re:

[mi]

People who thinks it is OK that the TPB guys had to serve jail time while the McAdee guys doesn't are hypocrites

I don't think, there are such people. Quite the contrary — Slashdot's general opinion remains, that copying copyrighted material around is Ok as long as the victim is big and the perpetrator — small. But the other way around is wrong somehow.

hypocrites who needs to be punched in the face

Yes, I tend to agree with this spirit — even if the actual punishment you are proposing is unu

Re:

[by (1706743)]

McAfee did nothing different than what millions of people do every day via TPB.

I would argue there's a bit of a difference. If true, McAfee is using this illegal data for *profit*, as opposed to just using it for entertainment/personal use. I think a more analogous scenario would be grabbing a movie via TPB and then charging your friends to watch it with you.

Re:

[alen]

the TPB guys were making a lot of money off TPB

Re:

[Hategrin]

The site was heavily ad / adware littered. What do you think all the porno adds and what not were for if not monetising the site?

Re:

[Anonymice]

Uh...JFGI? There are a ton of articles on the advertising profits made by the likes of TPB.

Here is a more recent one [techienews.co.uk]

I remember reading an interview with the guys a few years ago, and apparently each of the prime flash slots along the sides of the site run at $20k per month.

Re:Don't see a problem

[king neckbeard]

This data is not illegal, and it would seem like it's probably not protected by copyright under US law, since it is most likely a collection of data lacking originality. Even if it is copyrightable, i would say it's still unethical to restrict the flow of this data moreso than other data.

Re:

[gnupun]

it would seem like it's probably not protected by copyright under US law, since it is most likely a collection of data lacking originality.

Any original (non-plagiarized) content can be copyrighted. Further, if the site has an account signup license that states that "vulnerability report submitter assigns his/her posts' copyright to website so that it can modify, reproduce that post as it sees fit," then yes, you cannot mass copy the database freely without violating copyright laws.

Re:

[Em Adespoton]

it would seem like it's probably not protected by copyright under US law, since it is most likely a collection of data lacking originality.

Any original (non-plagiarized) content is copyrighted by default. Further, if the site has an account signup license that states that "vulnerability report submitter assigns his/her posts' copyright to website so that it can modify, reproduce that post as it sees fit," then yes, you cannot mass copy the database freely without violating copyright laws.

FTFY

Re:

[gnupun]

The default copyright goes to the author no the website, unless author assigns it to the website. Hosting a comment on your website does not mean you own it, at least that's what I think. You have to get express permission from the original copyright holders, the authors, to legally obtain copyright.

Re:

[Em Adespoton]

Exactly. It's protected by copyright. Whether the copyright holders have granted the public permission to copy their content and use it for commercial gain is another issue (that is going before the courts).

Re:

[king neckbeard]

You are correct that any original content can be copyrighted, but are incorrect about the meaning of 'original.' I have doubts that this database could stand up in court due to the precedent set by Feist v. Rural.

Re:

[david_thornley]

But is this an original work, in the US copyright law sense? Mere compilations of facts are not. (Also, I don't know if such a copyright assignment would work, legally; the usual practice is that a submission implicitly carries a license with some rights.)

Re:

[king neckbeard]

The copyright of a cookbook is in the curation, the choices inclusion, exclusion, and order of recipes. The white pages of a phone book are not copyrightable because they lack originality in those areas. I suspect that a vulnerability database is more like a phonebook than a cookbook in that particular regard.

Re:Don't see a problem

[msauve]

They offer the info free for personal use, but expect commercial users to pay to support their efforts. McAfee knew this.

Regardless of the legality, it was ethically wrong.

Re:

[Anonymous Coward]

Actually, in the US, the data belongs to whoever collects it, not who it is about. If the scraped site has a terms and conditions page, McAfee will be sued on that, and that will be compounded due to the fact they were in discussions about buying the data.

Re:

[msauve]

TPB offers their information (torrent files, last time I looked) freely. I assume you mean the content many/most of those torrents point people to... and yes, pirating things is also unethical. Having said that, I believe that an ethical violation for commercial gain is more egregious.

Re:

[MickLinux]

Ethical simply means following a consistent ethic (rule). So "I steal everything I can, and some I can't" is immoral, but ethical as long as that is the rule you consistently follow.

Which is why I hate the use of the word "ethical" in our society. It's a lie.

Bill Clinton was our most ethical president ever.

And if anyone didn't know ahead of time what was going to happen to whistleblowers with "the most transparent administration ever", they didn't understand the meaning of "transparent".

Hint: I absolute

Re:

[msauve]

I disagree, and I've never heard anyone give that as a definition of ethics. Often, "ethics" and "morals" are used interchangeably. But I believe that in common usage ethics implies following "the golden rule," whereas morality is based on a more personal (perhaps religious) belief. For example, some might believe sex outside of marriage to be immoral, but it would be rare to find someone claiming it to be unethical.

Re:

[lister king of smeg]

It's not real like a car, it's digital. Everyone should have access to it for free.

McAfee did nothing different than what millions of people do every day via TPB.

The difference is while TPB may be dicks they are fighting even bigger dicks MPAA
mcafee is a dick but are screwing over non-dicks

open "sourced" database

[SuperBanana]

open "sourced", not "open source."

http://osvdb.org/about [osvdb.org]

I was confused about how someone could be charged for access to "open source" information...

Here's the NPO, with two officers, backing it:
http://opensecurityfoundation.... [opensecuri...dation.org]

Re:

[jeffmeden]

open "sourced", not "open source."

http://osvdb.org/about [osvdb.org]

I was confused about how someone could be charged for access to "open source" information...

Here's the NPO, with two officers, backing it:
http://opensecurityfoundation.... [opensecuri...dation.org]

I noticed that convenient typo, too. It's amazing how much of a difference one little d at the end of a word can make. Makes me almost want actual editors on slashdot instead of these uneducated rogues.

Re:

[FireFury03]

I was confused about how someone could be charged for access to "open source" information..

Open source and public domain are not the same things - most open source data is copyrighted and made available through a suitably permissive licence. Break that licence and you can be sued just as easily as if you were breaking a closed source licence.

fundamental incompatibility

[SuperBanana]

I've been using linux since 1998. I don't need a lecture on open source licensing.

Charging for access to data is fundamentally incompatible with claiming it's "open source" by many people's definitions.

Re:

[VortexCortex]

Open sources does not mean you have the right to copy them. The printer drivers for Richard Stallman's device were open source to a colleague at another college, however the fellow was under NDA not to share the code with RMS. Thus began the Free Software Movement, because Open Source does not actually imply Free Software, no matter how much you wish this was the case. There is no typo, you're just ignorant.

Aaron Swartz was charged for scraping content.

[Anonymous Coward]

This is essentially what Aaron Swartz was charged with doing... from wikipedia:

Federal prosecutors charged him with two counts of wire fraud and 11 violations of the Computer Fraud and Abuse Act,[12] carrying a cumulative maximum penalty of $1 million in fines, 35 years in prison, asset forfeiture, restitution and supervised release.

Re:

[alphatel]

The big difference between Swartz and McAffee is that Swartz's motive was for what he believed to be in the public interest. McAffee's motive is for profit.

And since step 3 is profit, we all know that it's perfectly legal. And if not, endless litigation followed by a small fine will serve!

Re:

[canajin56]

Actually, motive and intent are perhaps the most fundamental aspects of a crime. This is codified as Mens rea [wikipedia.org]. Each law has its own mode of culpability. The weakest is called "strict liability", which is what you're thinking of. Under strict liability, the mind of the individual does not matter. If your vehicle is going 31 in a 30 zone, you are guilty of speeding no matter your metal state. I'm no expert, but I believe in the USA you cannot face jailtime or fines over...I want to say $1000? under

Re:

[PktLoss]

It's behind Cloudflare, and they're leveraging other means to catch scraping. This hardly seems like "wide open"

Less malicious explanation

[operagost]

I'm no McAfee advocate by any means, but the span of time between the initial sales consultation and the unauthorized scraping indicates that the person involved with the scraping might not have been involved with the sales process and was ignorant of the need for a PO. The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice. Of course, McAfee's size and influence holds them to a higher standard that should preclude anyone running rogue like t

Re:

[jeffmeden]

I'm no McAfee advocate by any means, but the span of time between the initial sales consultation and the unauthorized scraping indicates that the person involved with the scraping might not have been involved with the sales process and was ignorant of the need for a PO. The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice. Of course, McAfee's size and influence holds them to a higher standard that should preclude anyone running rogue like this.

Agreed, this is definitely a case where incompetence is more likely than malice. For fuck's sake, if it were malice they would at LEAST do it from an AWS, Azure, or [insert huge anonymizing cloud provider here] instance instead of from an IP directly registered to McAfee.

Re:Less malicious explanation

[bill_mcgonigle]

The clumsy way they scraped without even trying to conceal their user agent indicates incompetence, rather than malice.

I had an intern try a thing like this, ten years back or so. He was tired of the slow internet connection so he tried to scrape Wolfram's math tutorial website overnight and found the company's IP blocked in the morning. I sent a note to their admins saying I'd talked to the boy and that took care of it. It happens.

But that talk was a "be nice" one, not a "you tried to avoid paying for a commerical product" one, which is different.

But there's something odd about what OSVDB is saying. Here's the log snippet they show:

161.69.163.20 â" - [04/May/2014:07:22:14 -0500]
161.69.163.20 â" - [04/May/2014:07:22:16 -0500]
161.69.163.20 â" - [04/May/2014:07:22:18 -0500]
161.69.163.20 â" - [04/May/2014:07:22:20 -0500]

Every two seconds - bad form. Your 2000 requests would have have been finished over a weekend if you rate limited to once a minute, to be nice to their servers.

But, their blog says:

They made 2,219 requests between 06:25:24 on May 4 and 21:18:26 on May 6. Excuse us, you clearly didnâ(TM)t want to try our service back then.

Which indicates an average rate of 1.7 minutes per request. There's something OSVDB isn't telling us.

It's also odd to see, on a post from May 7, something that happened on May 4th referred to as "back then". It's sounding rather "he-said", so I expect we'll soon hear the "she-said", at least from Intel. The S21Sec guys seem to have used an aggressive scraping-tool with anti-countermeasures deployed, so it's harder to expect them to have a good retort.

It's not even clear to me that OSVDB has any copyright claim on a database - looking at a random entry [osvdb.com] I see text that could have come from the vendor or have been written by an OSVDB staffer - it's unclear what is what. If they are writing prose, then they get copyright protection on that. If it's just aggregating data, then what it's basically down to is clickwrap license enforceability, which is very unclear.

My data

[StripedCow]

Hi, MS programmer here. I caused most of those vulnerabilities, so actually it is MY data.

does mcafee av still suck?

[steak]

if this makes the crappy antivirus that is bundled on your parents computer a little less crappy, can you really complain?

OSVD isn't open source

[stenvar]

Based on their web site and description, "OSVD" may have started out as an "open source database", but now it seems to have morphed into something that is effectively a commercial data aggregator and vendor hiding behind a non-profit and giving out limited, free samples. In any case, whatever it is, their database clearly is not "open".

Re:

[Em Adespoton]

Based on their web site and description, "OSVD" may have started out as an "open source database", but now it seems to have morphed into something that is effectively a commercial data aggregator and vendor hiding behind a non-profit and giving out limited, free samples. In any case, whatever it is, their database clearly is not "open".

They're "open sourced" not "OSS" -- meaning that they show their sources and allow community input, not that their product is free as in speech. Summary made a typo and left out the D.

Re:

[stenvar]

Open Sourced" can mean "derived from open sources" or it can mean "released under an open source license", so it is at best ambiguous.

But I think it's pretty clear that the people running OSVDB are deliberately trying to mislead people into thinking that they are somehow part of the open source movement, when in fact they are effectively nothing more than a commercial vendor of a proprietary database aggregated from public sources.

The problem with OSVDB is not their business model, it's that they pretend to

I considered doing the same myself

[hilather]

The OSVDB went pay a few years ago. They have a wealth of interesting information and use to be fully open source however due to lack of community involvement they decided that the open source model wasn't working for them. If the OSVDB has a problem with people scraping their site, they should really update (or in their case - create) their robots.txt. I was interested in this data myself a year or so ago until I found out they wanted me to pay a subscription to access information I can view for free on

Re:

[hodet]

You shouldn't have to lock your data down. I can see GPL'd code and can use it and distribute it but I can't close source it and then resell it as a proprietary app and then say "hey if you didn't want me to use it you shouldn'thave made it available". That is the license we agree to. A clear license lines out acceptable use and it looks to me like they are trying to strike a balance between being solvent and user friendly. But freeloaders will ruin it for others.

Re:

[hilather]

You shouldn't have to lock your data down. I can see GPL'd code and can use it and distribute it but I can't close source it and then resell it as a proprietary app and then say "hey if you didn't want me to use it you shouldn'thave made it available". That is the license we agree to. A clear license lines out acceptable use and it looks to me like they are trying to strike a balance between being solvent and user friendly. But freeloaders will ruin it for others.

I agree you shouldn't have to go to any extremes to lock down your own data. But when publishing an website online, there are certain standards you need to follow if you don't want people copying the data on your website. If they are allowing search engines to index their proprietary data, then they should have no expectation that others will not do the same.

Re:

[Hategrin]

The deal was "free for proprietary use commercial users pay." It's really a very common form of licensing. Anyway, it doesn't really matter what you "think" is a good/proper business plan, you didn't write the license. When you go to get a resource from somebody, a water-well or a web-page, you do so on THEIR terms, hence a license. That's life, sorry Mein Furher but you don't get to dictate your ethics and terms to everyone in the free world. It doesn't matter if the license was somewhat permissive to beg

Re:

[Hategrin]

personal use*

Re:I considered doing the same myself

[GTRacer]

... Getting a little tired of this disingenuous strawman. The purpose of personal property is to belong to its owner. The purpose of clothing is to cover our bodies. Neither suggests access is explicitly or implicitly granted to third parties.

Now, put a water fountain up at a public park with the intent (but no access control measures implemented) to limit its access and then let's talk. A publicly-available website's purpose is to disseminate information! Robots.txt is a timeworn and standard way to show your intent for access. As is having a log in page or similar. If you put up a public-facing website which conveys information relevant for public consumption, don't be surprised when the public uses it! Heaven forbid a speedreader with eidetic memory accesses pages too fast for your liking...

Now, if you implement a page cap and someone uses tricksy browsing to bypass THAT, then I agree that that is bad form. Until then, if you put the site up and effectively say "OPEN FOR BUSINESS"...

Re:

[OdinOdin_]

Huh...

Neither suggests access was explicitly or implicitly DENIED to third parties.
All someone else was doing was taking a photo of you.

Oh you have a Terms & Conditions document in your back pocket do you!

robots.txt is great and all, but someone did actually sit there pressing a button for each website hit, the button generated a random number and this number was used to randomize the delay and User-Agent data. It was under 2500 hits after all, sheesh I can hit ebay that many times just by browsing the

Re:

[Anonymous Coward]

>By this logic, someone who leaves their house or car unlocked is leaving an open invitation for you to do what you will?

If their house or car is a business, yes. Do you knock and ask for permission to enter a business?

If you start charging for money, you're a business. Deal with it.

Virus or antivirus

[Kharny]

Concidering mcafee has long since made the jump from antivirus to fully blown virus/malware, what were they expecting?

But is the data protected by copyright?

[American Patent Guy]

Not all data is protected by copyright. If someone makes data available on a website that is not protected by copyright, then it's perfectly legal to scrape it. (At least by U.S. law.) The posting of a license on a website makes no difference where there are no copyrights in the material copied. By posting web pages and data in a location available to the public, the website granted an "implied license" to copy the pages and data.

Copyrights attach to "works of authorship". A database can be such a work, but

Re:

[American Patent Guy]

RIAA and the MPAA overstate their positions all the time. I'll bet McAffee has a team of intellectual property attorneys who have developed a well thought out procedure for scraping and handling these kinds of disputes.

Now if RIAA and the MPAA actually wrote the law or ran the courts, then I'd be worried.

Aaron Swartz

[Mozai]

Isn't this what Aaron Swartz did? Is the US Government going to "make an example" of McAfee too?

Copyright or no, it's trouble

[tygt]

Doesn't matter if the data is free or not - if you're circumventing access restrictions, it's effectively breaking in (not like most of us haven't done it, but still).

Re:

[American Patent Guy]

"OSVDB aggregates and formated public vulnerability records for free individual consumption but requests that those seeking more comprehensive access pay for the right. The outfit's site includes a copyright statement."

So, OSVDB is copying vulnerability records from others and then providing free access to their database. That access sounds pretty "comprehensive" to me.

If OSVDB wants to be paid, then they'll have to actually "restrict" access. A copyright statement doesn't "restrict" anything, particularly

Re:

[Sentrion]

Data wants to be free, free as a billionaire fleeing a Belize murder rap.

Re:

[RobSwider]

It's like going into the grocery store and getting a sample BBQ cocktail wiener. Then you go back out to the car, change your clothes, go back in and get another... Rinse and repeat until you have a cooler full, then open up a wiener stand outside the store to sell your ill-gotten meats.

Oh, NOT about John

[Scot Seese]

Wait, wha.. OH! For a second I thought this was another zany article about John.

OSVDB scraped NVD

[sinij]

OSVDB is notorious for scraping NVD (NIST National Vulnerability Database) and both follow CVE and CCE standards that are maintained by Mitre. Both OSVDB and NVD are public vulnerability databases maintained by outside submissions. NVD/OSVDB do not conduct any kind of vulnerability discovery activity.

I don't see how OSVDB can claim any rights to this data. They certainly didn't produce it. Thankfully, if they stupid enough to claim it NIST will quickly put them in their place.

So What?

[Luthair]

At least in North America facts (which is what SV data is) are not considered to be copyrightable. (In Europe I believe there is some protection for databases) This might be a ToS violation but I think most Slashdot'ers would agree those are questionable and that public websites should not have different protection from the phonebook delivered to your door. (Which Yellowpages has previously complained about Google and others "copying")

As someone who looks at SV data regularly and has previously pointed th

Re:

[AvitarX]

I think specifically writing a script that is dishonest, in an attempt to get information from a server that is for sale, has been demonstrated to not be allowed (a craigslist searcher did this I believe).

I would think they are on the hook for the cost of the data, and there is a real case for punitive damages too, even if the data itself is not copyrightable in the US (due to the lck of sweat of the brow being relevant for intellectual property here).

Re:

[PaddyM]

Yeah I'd have to agree. Clearly they violated the terms of service, although it's debatable about whether that's legal or not.

Re:

[American Patent Guy]

I just LOVE being an intellectual property attorney. The level of ignorance in the field (as demonstrated by the majority of the posts here) give me great comfort in my job security. THANKS GUYS!

This brings up an interesting conundrum about copy

[tekrat]

This brings up an interesting conundrum about copyright... So, if I scrape TRW (Sorry, Experian)'s website and it's only to download information about MYSELF, who's got the copyright on that? Experian is supposed to provide the information for free to me anyhow, on request, so, can I be charged with a crime for taking it without asking?

And lets talk about all the other thousands of companies (Facebook, Google, United Healthcare, BlueCross, Amazon, Slashdot, yadda yadda yadda) that collect and resell informa

Re:

[tomhath]

McAfee left the company over twenty years ago