McAfee accused of McSlurping Open Source Vulnerability Database

Lawyers say security giant should have paid before it unleashed slurping scripts

Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them.

The surreptitious slurp was said to be conducted using fast scripts after McAfee formally inquired about purchasing a license to the data.

Those scripts, OSVDB said in a blog post, deliberately subverted the security controls designed to protect the database by rapidly changing the user agent.
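As an added illustration that is not from the article, OSVDB or McAfee, the following Python shows the defender's side of the pattern described above: a control keyed on the User-Agent header sees only a handful of requests per agent string, while grouping the same requests by client address exposes one source cycling through many agents. The access-log lines, addresses and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample web-server access log (combined log format), not real data.
# One client presents a new User-Agent on nearly every request; the other is an
# ordinary browser session. Addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2014:10:00:01 +0000] "GET /show/osvdb/1001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:28.0)"
203.0.113.7 - - [10/Apr/2014:10:00:01 +0000] "GET /show/osvdb/1002 HTTP/1.1" 200 4988 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9)"
203.0.113.7 - - [10/Apr/2014:10:00:02 +0000] "GET /show/osvdb/1003 HTTP/1.1" 200 5077 "-" "Opera/9.80 (X11; Linux x86_64)"
203.0.113.7 - - [10/Apr/2014:10:00:02 +0000] "GET /show/osvdb/1004 HTTP/1.1" 200 5201 "-" "curl/7.35.0"
203.0.113.7 - - [10/Apr/2014:10:00:03 +0000] "GET /show/osvdb/1005 HTTP/1.1" 200 5130 "-" "Wget/1.15 (linux-gnu)"
203.0.113.7 - - [10/Apr/2014:10:00:03 +0000] "GET /show/osvdb/1006 HTTP/1.1" 200 4902 "-" "Python-urllib/2.7"
198.51.100.4 - - [10/Apr/2014:10:00:05 +0000] "GET /show/osvdb/1001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:28.0)"
198.51.100.4 - - [10/Apr/2014:10:00:40 +0000] "GET /show/osvdb/1007 HTTP/1.1" 200 5044 "-" "Mozilla/5.0 (Windows NT 6.1; rv:28.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Yield (ip, path, user_agent) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), m.group("ua")

def requests_per_user_agent(text):
    """Per-User-Agent request counts: the only thing a UA-keyed limiter sees."""
    counts = defaultdict(int)
    for _ip, _path, ua in parse_log(text):
        counts[ua] += 1
    return dict(counts)

def find_ua_rotators(text, min_requests=5, min_distinct_ua=4):
    """Per-client-IP view: flag sources that send many requests while presenting
    many different User-Agent strings, the pattern a UA-keyed control misses.
    Returns {ip: (request_count, distinct_ua_count)} for flagged sources only."""
    reqs = defaultdict(int)
    uas = defaultdict(set)
    for ip, _path, ua in parse_log(text):
        reqs[ip] += 1
        uas[ip].add(ua)
    return {ip: (reqs[ip], len(uas[ip])) for ip in reqs
            if reqs[ip] >= min_requests and len(uas[ip]) >= min_distinct_ua}
```

Running `find_ua_rotators(SAMPLE_LOG)` flags only 203.0.113.7, even though no single User-Agent string in the log exceeds three requests.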

A fed-up OSVDB staffer took to the website's blog to out McAfee and Spanish infosec firm S21Sec, which also hoovered up vulnerability data after being told such access was a paid service.

McAfee told The Register it was investigating the matter.

The OSVDB's Brian Martin said in an email to The Reg that McAfee, S21Sec and others alleged to have pilfered the databases ignored the paid license.

"There is debate on if a database can be copyrighted. Instead of saying they are infringing that, we are saying they are wilfully ignoring our posted license," Martin said.

"In the case of S21, they were sent an email explicitly saying that to use our data for the stated purpose required a license. In the case of McAfee, they were in negotiation with our commercial partner to subscribe to our commercial vulnerability feed, and then backed out saying they didn't think we could provide the data we claimed."

"In each case, the companies were aware of the license requirements. In each case, they waited some months later to systematically scrape our data."

OSVDB aggregates and formats public vulnerability records for free individual consumption but requests that those seeking more comprehensive access pay for the right. The outfit's site includes a copyright statement.

The site's copyright could be breached by individuals merely downloading the information in contravention of the site's policies; the data did not need to be subsequently disseminated for a breach to occur.

This contradicts the position taken in a heated online debate, in which pundits including respected infosec bod Robert Graham of Errata Security argued that the OSVDB data was simply public and that scraping it was not unethical.

Graham pointed out that the staffers behind the scraping could have done so for personal use or to test a project, but this argument was dubbed a 'popular misconception' by University of Technology Sydney Professor of Law Michael Fraser.

"The issue is not about public information, the issue is whether copyright applies," Fraser said.

"There is no copyright in 'fact', but if it amounts to original copyright work, then the expression of that work is copyright and you can't reproduce it without permission."

"They [McAfee and S21Sec] would breach it by communicating - downloading - the information."

Because OSVDB employed people to add value to the database, the data slurp looked likely to have breached copyright, said University of Melbourne law school professor Andrew Christie.

"The manual processing suggests to me that under US and Australian copyright law it would be protected," Christie said, emphasising that his analysis is preliminary.

"Whether it's copying from a website or breaking into a safe, it doesn't matter." ®