From: Aarón Mizrachi (unmanarc gmail.com)
Date: Fri May 29 2009 - 03:11:59 CDT
On Thursday 28 May 2009 15:23:13 subscribe subscribe wrote:
> Thanks for your interest.. I wanted to ask you guys this. I'm a bit
> worried if my tool will cause me any legal problems in case it is
> misused.. Is GPL enough to protect me?
>
GPL does not protect you against legal problems derived from illegal use by
third parties...
GPL protects your software freedom to copy, modify, redistribute, etc.... And
it protects your software from being reassembled for commercial purposes ( GPL
is viral ;-) )
-----------------
I'm not a lawyer... It may depend on the country, but this is my opinion:
1. You can put a disclaimer that advises the end user that it should not be used
for illegal purposes. For many countries, this should be acceptable.
2. MANY programs can be used for malicious purposes... SSH could be used as
a backdoor, Microsoft SMB protocol also..., the aircrack-ng suite could also be
used for malicious purposes, even the popular Linux command "rm" could
be used for crime also, Nessus is a harmful tool that can also be used for
criminal purposes.
So, your software can also be used for malicious purposes...
BUT. There is a fact: software like this one can also be used for Pentesting
(Ethical Hacking), and proof of concept. That is a legal purpose.
Ethical point of view:
Your software is not exploiting a zero day, the full disclosure method is
fulfilled, the vendor was advised of the WEP/WPA bugs and the time to patch these
bugs is over. Nothing else to say.
--------------
I released software in the same situation in 2004.
It was called URCS... and was a RAT (Remote Admin Tool).
URCS was designed with ethics: URCS does not hide its process, URCS has an
authentication platform, URCS also has an installer. URCS does not have any
infection engines, URCS also does not have any method to prevent its manual
removal, URCS activates logs by default with connection IP address and
commands executed.
URCS was the first remote admin tool that used the star and tree topology with
reverse connections. URCS was designed because at that time my ISP used a
big NAT; therefore, if I wanted to connect to my computer, URCS helped me a lot.
URCS was released as open source.
I used URCS for legal purposes like managing my home computers over NAT, and
many of my users also used it for legal purposes. But AV houses put it on
a blacklist and rated it as a trojan/backdoor... while some compilations of
SSH and VNC servers, even Windows, can also be used as a trojan/backdoor.
In many discussions with AV houses, their argument was that my program can be
used silently, but my argument is that if you run the main program (not the
installer), then this program is not automatically installed, only opened
(like when you start a tftp service alone without installing it...).
> 2009/5/28 Renato Bovo Inácio <renatobovo gmail.com>:
> > Very good, but where's the program to download? You can provide it with
> > GPL.
> >
> > Regards, congratulations,
> >
> > On Thu, May 28, 2009 at 12:59 PM, subscribe subscribe
> > <subscr1b3m3 gmail.com> wrote:
> >> Hi,
> >>
> >> Just recently I wrote a program for testing wireless security. The
> >> program automates another program called aircrack-ng.
> >> Will crack all wireless access points in one command. No need to type
> >> anything, just hit enter. Useful if you find it daunting
> >> to type commands while roaming around the client's premises during
> >> the wireless assessment. Check out the videos at:
> >> http://www.youtube.com/watch?v=aYWe4_zcY-I
> >>
> >> Please comment so I can make improvements before releasing it.. Thanks.
> >>
> >
> > --
> > ------------------------------------------
> > Renato Bovo Inácio
> > CSO - Chief Security Officer
> > ------------------------------------------
--
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1