back to article McAfee accused of McSlurping Open Source Vulnerability Database

Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The surreptitious slurp was said to be conducted using fast scripts after McAfee formally inquired about purchasing a license to the data. Those scripts, …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    I presume the sex analogy could be taken further...

    it's like having sex in your living room and blaming your neighbours for filming it and then selling it as DVDs.

    1. Tom 7

      Re: I presume the sex analogy could be taken further...

      More like having sex in your bedroom and the neighbours popping a camera through the window and curtain and selling the DVD

  2. NT1

    More like...

    More like recording a film publicly broadcast on national TV and selling it on a DVD. Breach of copyright? I think so -- just because it's out there for public consumption does not make it free for any and all commercial purposes.

  3. Eradicate all BB entrants

    As the original is back in the tech business ......

    ..... can we have some way of it being discerned in the headline/tagline? At the first glance I had images on JM going wild on a few lines of crushed SSD's.

  4. Anonymous Coward

    Will corporations be dealt with in the same way as individuals?

    If this was some kid in their bedroom no doubt the US or UK authorities would be banging on the door and trying to get them imprisoned for years for computer misuse or worse. I wonder (no, not really) if the same standard will be applied to the actions of a large corporation?

  5. DrXym

    Doesn't it count as hacking?

    From reading the blog it sounds like they were silly to use a guessable sequence for record ids and to expose it in the url, but I don't think that is a defence for someone who systematically spams the site and requests each record in turn. They are constructing shaped urls to request data that were not publicly available from the website.

    In other words they were hacking it and most countries have laws against that sort of thing. Why don't they apply here?

    The OSVDB could protect itself by not exposing the id in requests, although perhaps they do so as a honey pot to identify abusers and block them. But if they did hide the id, then it would be better to generate keys - an encrypted id + ip address block + timestamp + salt. When the key is requested it will be decrypted and validated. The timestamp could be used to make the key stale after 5 minutes for example. The site could also throttle requests so that if more than X records are asked for in a short space of time they get redirected to a "cooldown" page which gets progressively longer and longer before auto blocking the requester entirely.

  6. bpfh
    Paris Hilton

    open source vs open source...

    OSVDB describe Open Source as Open Source Intelligence (not Free Open Source), where they scrape freely available public (free) data and aggregate it, I guess they want payment for their aggregation services.

    Someone probably saw "open source" in the name, thought w00t, free data lets suck it off.

    On the other hand, if you really want people to licence your data and pay for it, put it behind a bloody paywall and enforce some ip restrictions... its a joke that a vulnerability service cannot secure it's own business model... McAffee may not have been very ethical, but I can only say tough titties for OSVDB. Let it be a lesson for you!

    Paris, as she knows alot about sucking d....ata!

    1. big_D Silver badge

      Re: open source vs open source...

      Not really, the service is free for personal use, but for corporate use you have to buy a licence. That is fairly common. If it went behind a paywall, it wouldn't be free for personal use any more.

      1. Fluffy Bunny

        Re: open source vs open source...

        It isn't hard to put up a page requiring users to acknowledge the TOS before they get the goodies. The same page could direct commercial entities to the payment engine. It would be pretty hard to make a claim in court unless such basic steps had been taken.

  7. Anonymous Coward
    Anonymous Coward

    Aaron Swartz

    Did a similar thing (downloading all data that is publically available, but that the data holder thinks should be downloaded one piece at a time for a specific purpose). He was arrested and treated so poorly to the point he felt he only had one way out. Where are the police when corporations do things that people are arrested, even persecuted, for?

    1. 404

      Re: Aaron Swartz

      Ding, ding, ding!

      I was sitting here trying to remember that guy's name-> seems to me to equate to about the same thing he did.

      Well now...


    2. DrXym

      Re: Aaron Swartz

      Well it wasn't quite the same. Aaron Schwartz went onto a university campus which had licenced the data, hid his laptop in a cupboard where it couldn't be found and then systematically ripped the data causing a DOS on the provider. He also changed his MAC address to circumvent blocks put in by campus staff intended to put a halt to his attack.

      But it is IMO this incident should still be reported to the police, or at least form the basis of a sueball.

      1. eulampios


        I never heard of any DOS caused as a result of Aaron's python script that was downloading articles from jstor. However, jstor download was not the only prosecution Aaron experienced with the feds. There was also the case with public legal papers from PACER (Public Access to Court Electronic Records). No hidden laptop was involved there, if I remember it correctly.

      2. silent_count

        Re: Aaron Swartz

        "He also changed his MAC address to circumvent blocks put in by campus staff intended to put a halt to his attack."

        I suspect you've hit on the crux of both cases - accessing publicly accessible data in a way not intended by the person/people who published it.

        I occasionally try to be a nice person but in these cases the only answer is to tell the publisher to suck it up. If you want something to have limited access, make it secure. 'Nearly secure' doesn't count.

  8. Andrew Commons

    Data quality?

    From the OSVDB home page:

    The project currently covers 105,316 vulnerabilities, spanning 123,155 products from 4,735 researchers, over 112 years.

    The vulnerability with Id of 1 is dated 1998-12-25, presumably the 112 years comes from the date of another vulnerability...any idea which one?

    1. big_D Silver badge

      Re: Data quality?

      Man Year probably, and it looks like some products don't have any vulnerabilities... :-S

      1. Andrew Commons

        Re: Data quality?


        Possibly....but a real vulnerability reported in 1902 would be worth searching the database for...but the only way of finding it seems to be starting at 1, then 2, then.... A vulnerability discovered in the Dalton Adding Machine would rewrite computer security history!

        1. Fluffy Bunny

          Re: Data quality?

          I'm pretty sure I remember some vulnerability reports for the Babbage Differential Engine.

  9. Piro Silver badge

    If I was from the OSVDB, I would..

    Put in a call to McAfee sales, saying their business needs protection against data theft, and when they get to the nitty gritty with a technical department, email a log of McAfee's own data theft to them, saying that this is an example of the kind of issues they've been facing.

    Shit them right up. Arseholes.

  10. Message From A Self-Destructing Turnip

    Get orf my land!

    If the sheepdog turns wolf; then it is time to grab the twelve bore.

  11. Bob Hoskins

    Another Brian Martin fail

    This guy is a complete and utter douche and works for BT.

  12. Andrew Commons

    If you read the OSVDB blog post.....

    McAfee made 2,219 requests over about 3 days. This is from their web logs. Using Fiddler it looks like a single search request on vulnerability Id would produce 1 entry in the web logs so assume that represents the number of vulnerabilities that were looked up over 3 days...that's 2% of the database of 105,316 vulnerabilities.

    I would say that that is probably automated so would breach these terms:

    4. Obtaining data from this website in a programmatic fashion (e.g. scraping via enumeration, web robot, crawler, etc) is prohibited. Such activity is likely to trigger security software that will permanently block your IP from accessing the site.

    But it doesn't look like an attempt to grab the database.

    McSlurp or McBeatUp with sour grapes as a side?

  13. Jasey

    McAfee is a big jerk

    Sounds like McAfee saw how much it would cost and say "screw that!" and got it for free instead by circumventing the license which was unenforceable.

    Nobody should expect giant corporations to play fair or be nice as long as they have lawyers to tell the corporations what they can get away with but this is still very bad form.

    1. This post has been deleted by its author

    2. Fluffy Bunny

      Re: McAfee is a big jerk

      The odd thing is that the real McAfee is probably burning right now, seeing as he sold the company many years ago and no longer has anything to do with it. Maybe he can force the company to change it's name... No it would probably be easier for him to change his own. The Entrepeneur Formerly Known As McAfee (TEFKAM).

  14. Shane Kent

    what a busy bunch of months for me...

    But check the reg and open source suing and Apple is the new MS! Apple buying marketed crap instead of leading, Google gonna take it next (IBM, MS, Apple, then Google)? And protecting a DB that is designed to protect a open OS? Or is the second part not cheap Fs looking to create a marketed app on the back of someone else's work, tis tis, but what to you expect from a free market of software?

This topic is closed for new posts.

Other stories you might like