McAfee accused of McSlurping Open Source Vulnerability Database Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The surreptitious slurp was said to be conducted using fast scripts after McAfee formally inquired about purchasing a license to the data. Those scripts, …
If this was some kid in their bedroom no doubt the US or UK authorities would be banging on the door and trying to get them imprisoned for years for computer misuse or worse. I wonder (no, not really) if the same standard will be applied to the actions of a large corporation?
From reading the blog it sounds like they were silly to use a guessable sequence for record ids and to expose it in the url, but I don't think that is a defence for someone who systematically spams the site and requests each record in turn. They are constructing shaped urls to request data that were not publicly available from the website.
In other words they were hacking it and most countries have laws against that sort of thing. Why don't they apply here?
The OSVDB could protect itself by not exposing the id in requests, although perhaps they do so as a honey pot to identify abusers and block them. But if they did hide the id, then it would be better to generate keys - an encrypted id + ip address block + timestamp + salt. When the key is requested it will be decrypted and validated. The timestamp could be used to make the key stale after 5 minutes for example. The site could also throttle requests so that if more than X records are asked for in a short space of time they get redirected to a "cooldown" page which gets progressively longer and longer before auto blocking the requester entirely.
OSVDB describe Open Source as Open Source Intelligence (not Free Open Source), where they scrape freely available public (free) data and aggregate it, I guess they want payment for their aggregation services.
Someone probably saw "open source" in the name, thought w00t, free data lets suck it off.
On the other hand, if you really want people to licence your data and pay for it, put it behind a bloody paywall and enforce some ip restrictions... its a joke that a vulnerability service cannot secure it's own business model... McAffee may not have been very ethical, but I can only say tough titties for OSVDB. Let it be a lesson for you!
Paris, as she knows alot about sucking d....ata!
Did a similar thing (downloading all data that is publically available, but that the data holder thinks should be downloaded one piece at a time for a specific purpose). He was arrested and treated so poorly to the point he felt he only had one way out. Where are the police when corporations do things that people are arrested, even persecuted, for?
Well it wasn't quite the same. Aaron Schwartz went onto a university campus which had licenced the data, hid his laptop in a cupboard where it couldn't be found and then systematically ripped the data causing a DOS on the provider. He also changed his MAC address to circumvent blocks put in by campus staff intended to put a halt to his attack.
But it is IMO this incident should still be reported to the police, or at least form the basis of a sueball.
I never heard of any DOS caused as a result of Aaron's python script that was downloading articles from jstor. However, jstor download was not the only prosecution Aaron experienced with the feds. There was also the case with public legal papers from PACER (Public Access to Court Electronic Records). No hidden laptop was involved there, if I remember it correctly.
"He also changed his MAC address to circumvent blocks put in by campus staff intended to put a halt to his attack."
I suspect you've hit on the crux of both cases - accessing publicly accessible data in a way not intended by the person/people who published it.
I occasionally try to be a nice person but in these cases the only answer is to tell the publisher to suck it up. If you want something to have limited access, make it secure. 'Nearly secure' doesn't count.
From the OSVDB home page:
The project currently covers 105,316 vulnerabilities, spanning 123,155 products from 4,735 researchers, over 112 years.
The vulnerability with Id of 1 is dated 1998-12-25, presumably the 112 years comes from the date of another vulnerability...any idea which one?
Put in a call to McAfee sales, saying their business needs protection against data theft, and when they get to the nitty gritty with a technical department, email a log of McAfee's own data theft to them, saying that this is an example of the kind of issues they've been facing.
Shit them right up. Arseholes.
McAfee made 2,219 requests over about 3 days. This is from their web logs. Using Fiddler it looks like a single search request on vulnerability Id would produce 1 entry in the osvdb.org web logs so assume that represents the number of vulnerabilities that were looked up over 3 days...that's 2% of the database of 105,316 vulnerabilities.
I would say that that is probably automated so would breach these terms:
4. Obtaining data from this website in a programmatic fashion (e.g. scraping via enumeration, web robot, crawler, etc) is prohibited. Such activity is likely to trigger security software that will permanently block your IP from accessing the site.
But it doesn't look like an attempt to grab the database.
McSlurp or McBeatUp with sour grapes as a side?
Sounds like McAfee saw how much it would cost and say "screw that!" and got it for free instead by circumventing the license which was unenforceable.
Nobody should expect giant corporations to play fair or be nice as long as they have lawyers to tell the corporations what they can get away with but this is still very bad form.
This post has been deleted by its author
The odd thing is that the real McAfee is probably burning right now, seeing as he sold the company many years ago and no longer has anything to do with it. Maybe he can force the company to change it's name... No it would probably be easier for him to change his own. The Entrepeneur Formerly Known As McAfee (TEFKAM).
But check the reg and open source suing and Apple is the new MS! Apple buying marketed crap instead of leading, Google gonna take it next (IBM, MS, Apple, then Google)? And protecting a DB that is designed to protect a open OS? Or is the second part not cheap Fs looking to create a marketed app on the back of someone else's work, tis tis, but what to you expect from a free market of software?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
