Someone in the antivirus industry please clarify something for me. Which is more important/critical for an AV company: the software or regular virus definition updates? My guess is that the virus signature database is where they create maximum value?
I have been in the AV industry for a while and I would say both.
AV companies have a lot of behaviour analysis/decoding/parsing done inside their code that is as important as their "static" signature set.
In fact, I would say that having access to the code and how they analyze the files/memory/etc is more valuable to a competitor (and the "bad guys") than the static signature set.
In what sense have you ever been in the AV industry? I'm not sure whether this account belongs to David or Dre, but neither of you have an AV company on your LinkedIn profiles.
I admire you for building a business on cleaning up hacked Wordpress installs (seriously), but that's not the same game that Kaspersky is playing.
The signature database is where they'll get more money from. However, this is still bad for them. It gives people the chance to look through the code for vulnerabilities and it allows competitors to look at any techniques they're using. But the worst part is that they're a computer security company that couldn't keep their source code secure. Clearly, accidents happen even when one has the best policies and such in place. Sometimes it's merely chance as opposed to an indicator of something in a statistically valid way. However, it's still embarrassing. I don't find that there's a lot of testing of the efficacy of anti-virus software out there and so purchases are partially made on faith (would love to know if I'm wrong here since I'd be interested in the results). Anyway, as a purchase made partially on instinct, this makes purchasers feel less happy in their gut (so to speak).
There is some testing being done on them but it's really only the known viruses that are tested against. It's the viruses that are unknown that are what you want to worry about.
From an industry point of view it's always the DB size that matters. When MS bought Giant it was due to their DB size; it was huge and useless, e.g. there were installers that generated random GUIDs for ActiveX controls, and registering those GUIDs as signatures was pointless, but they still went with it, and when it was time to sell the MS guys fell for it. I worked for a company that was sold eventually and it was the same story: when the founders decided that it's time to sell, it was all about the number of signatures.
Kaspersky are known to have a brilliant engine; this leak is a huge blow for them.
On a different note: I wonder how this happened in the first place. The security companies that I worked for were pretty strict on code access; I couldn't check out any code I wished, only a few people could pull the entire code repository.
I'm not in the AV industry, but as someone involved in malware cleanups I can tell you that having access to the source code makes it slightly easier to go through the code base in order to identify ways of getting around the AV.
It's also possible to do some source code analysis to identify vulnerabilities in the product that might not be otherwise fairly easily exposed.
The virus signature database is pretty much worthless for all but the lowest hanging of fruit. There are plenty of tricks botmasters use to get around signatures, and AV firms are moving (or have moved) to more behavioural characteristics to detect malicious code. I guess it all depends whether that's in the updates or in the code base.
Yes, downloading is akin to making a copy without consent of the copyright owner. (Edit: At least according to the Berne Convention, which most countries have signed.)
Edit2: I think dchest is right and the illegality of the act of downloading probably does not follow from the Berne Convention, sorry. Distribution (offering for download) certainly is, and I think at least according to German law the resulting copy has to be destroyed. Mind you, I'm no lawyer and might be mistaken.
I'm pretty sure the Berne Convention says nothing about the act of downloading. Your use of "akin" may be incorrect. Of course, different countries have different laws, but if we try to infer legality or illegality of downloading purely from the Berne Convention, I'd like to ask this question: how can you make a copy of something that you don't have the original of in the first place? Thus, it's more likely that the party who's distributing the work is making a copy, not the downloader.
Theoretically yes but usually they target distributors in preference to users. It's easier to get a verdict or judgment against the distributor because it avoids the question of "what is a copy" and how that applies to the digital space and also because people are less sympathetic to distributors. The thing with P2P applications is that everyone is also automatically a distributor.
Yes it is! It is illegal in the Netherlands to download pirated software! It's only for music & movies where this doesn't count! See e.g.
http://www.iusmentis.com/maatschappij/juridisch/magdatopinte... , whose author is to put it mildly not known for being pro strong IE laws.
This is a source code file from my program, for which all rights belong to me. It has been obtained and put there by my wife without my permission. By opening this link you made an illegal copy of it. You'll soon hear from my lawyers.
This is not 'pirated software', it's leaked source code. That makes distribution copyright infringement and downloading in good faith legal.
If the source code is distributed then the user would have to download it in order to be able to see the copyright statement. In this case the title of the software will probably be reason enough to make it hard for you to argue that but technically you could claim you thought this was a source distribution and only after you downloaded it you found out that it was copyrighted and not meant for release.
If you keep the source code after downloading and finding out that it was copyrighted and not meant for release the situation becomes gray, after all nobody actually knows you've still got a copy, it might be that you deleted it upon finding out that it was copyrighted stuff. It will be pretty hard to prove that you still have a copy if you yourself do not make it available and if you defend yourself by saying you acted in good faith and destroyed your copy immediately after download and inspection. The act of downloading is not what matters here, what matters is what you do after downloading. I am not aware of any Dutch citizen that has been charged with downloading leaked source code, let alone a conviction. Source code has been leaked before and typically if there are steps taken it is against distributors, never against those that downloaded.
Downloading binaries is a different story, there you are clearly in violation.
If it wouldn't be like that how would you ever verify that it is legal for you to download any software at all (for instance an open source distro), after all typically you are not shown the license agreement prior to download but upon installation (or, in many cases after that).
This does not make sense in any legal sense. I mean it makes no sense in the same way as someone saying "I was programming HTML yesterday by uploading some RAM chips into my programming software".
Works are by default copyrighted, it doesn't matter if the user has to download the copyright statement or read it or whatever - copyright is a ius sui generis, it has nothing to do with contract law. Furthermore downloading is distributing, see paragraph 5 of the Auteurswet; and no in this context it does not fall under the exceptions of art 13a.
Then, there is no "good faith" exception. This is completely irrelevant. The "thuiskopie" (home copy, for non-Dutch speakers following along) is allowed explicitly through articles 16b and c of the Auteurswet ("Authors Law", Dutch copyright law). However, there is an exception for software in art 45n that explicitly says that artt 16b and c are not applicable to works as defined in 10, 1st paragraph under 12. And when we look at that article, it defines software as "computerprogramma's en het voorbereidend materiaal", meaning "computer programs and their preparation material". One could argue that "computer programs" already comprises source code, but we don't have to: they are explicitly defined as being treated the same as "software", however one may want to define that in itself (it is probably in the parliamentary history, but I don't at the moment have access to Kluwer Online (the Dutch equivalent of Lexis Nexis) to check).
The rest makes equally little sense - no, it doesn't "become grey" if you decide not to delete it, all of that is completely irrelevant. It is the downloading that matters! This is the only thing the Auteurswet sees to, it says nothing of what you do with it afterward! (also, I'm using many exclamation marks in this post! Sorry about that!)
As for the last sentence, again reading the licence is irrelevant. What is relevant is the intent of the author. How that intent is communicated doesn't matter; in most cases it will be done through putting the link to the software somewhere and putting 'hey download my software here' or so next to it.
Way to side-step the substance of the discussion... If you're going to make outrageous claims like "Distributing it is illegal where I live, but downloading it is not." and "This is not 'pirated software', it's leaked source code. That makes distribution copyright infringement and downloading in good faith legal.", either stand by them and defend them in an intellectually honest way, or refine or explain your statements if I/other readers misunderstood them, or abandon your position all together. All you're doing now is arguing a straw man to not have to do any of those.
Besides, what, in your opinion, does you posting this link show? That it is factually possible to trick people into downloading copyright-protected works without the author of that work's consent? Please, you think I or anyone here needed convincing of that?
No, it simply means that the act of downloading source code in and of itself is not illegal.
Your intent, the circumstances and what you do afterwards figure into the discussion as well.
You want to make it seem as though the simple act of downloading copyrighted software is illegal and I think that it is not that simple.
In practice the situation is complicated, and since there is no enforcement against downloaders of software that is illegal whatsoever anyway the whole point as far as I'm concerned is moot.
@your first sentence: IT IS. How can you interpret the Auteurswet any other way? Please tell me how you can come to this conclusion because I really do not understand how you can honestly make this claim.
@the third, IT IS, it says so right in the Auteurswet that I quoted several sections from a few posts up, explaining exactly why your reasoning was wrong!
And of course, to you the factual situation is such that it makes the legal reality irrelevant. But it's not because stealing a bike in practice does not have any consequences that it is legal. (I'm not trying to move this into a copyright violation/theft discussion, it's just an example of another infraction of the law.) My beef here is that you are making broad, sweeping, demonstrably factually wrong claims about the law and then weave a web of straw man and vigorous assertion fallacies to not have to address them.
I think the main problem here is that you approach the law as literally as possible without looking at the circumstances surrounding the issue.
I think that intent of a law matters, and I think that circumstances matter (a great deal in fact, in this case).
You refer to a text on 'pirated software', that is simply not the same as leaked source code, at least, not in my interpretation of the meaning of those terms.
The intent of this particular law is not to cover leaked software source code distributed by rogue employees; its intent is to cover the wholesale piracy of software for commercial gain, as well as piracy of commercial software by individuals to avoid paying for it. And the only parties that I'm aware of that have ever been prosecuted under that particular law with success are the wholesale distributors.
If someone were to download this software there is no judge in the Netherlands that would either fine them or jail them for that under that particular law. If there is proof to the contrary I'm not aware of it.
No, I approach the law as a given situation, as it currently stands in the land. A law degree tends to do that to you.
What I have said repeatedly, and what I have shown to be true by statute, is that source code is software for purposes of copyright and exemptions thereof. Your interpretation of those things is irrelevant. It's not because you think or feel that those are different, that they actually are. Additionally, the intent is not limited to what you claim, I have no idea why you would think so. It is a generic instrument to prevent unauthorized copying of works. Furthermore, the exceptions for personal use that do exist are explicitly declared not applicable to software and source code. So any 'non-commercial' angle one would take, simply does not hold when it comes to software.
No, I just have a Dutch law degree. I'm a programmer by day (I also have what is more or less the Belgian equivalent of a Business Information Systems degree). I did my law degree as a hobby. I haven't decided yet if I want to move into the legal profession.
Crappy excuse, because it applies to binary software too.
I find a file called "Microsoft Office" on a torrent site, I don't know the license until I download it.
If you're going to argue "but you can Google it" then (a) the same applies to source code, and (b) put some abandoned but still payware and under-copyright title instead of "Microsoft Office" and the argument will hold (Google won't help).
Hey, I'm not disagreeing with you. Only saying that your example is not actually applicable, because it's nothing to do with having seen the EULA. It's all about intent.
> If the source code is distributed then the user would have to download it in order to be able to see the copyright statement. In this case the title of the software will probably be reason enough to make it hard for you to argue that but technically you could claim you thought this was a source distribution and only after you downloaded it you found out that it was copyrighted and not meant for release.
The Netherlands has been a signatory of the Berne Convention since 1912. Under Berne, copyright must be automatic, so saying you had to download it to check if it was copyrighted is probably not going to get you very far.
That is a good point, and yes, if you were to download this torrent it would probably be wise to set the upload bandwidth to '0'.
As for whether or not it is useful, I can see only two parties that are potentially interested in downloading this code. The first are malware makers; I don't think they'll have any qualms about downloading it, illegally or otherwise. They're criminals already, one more notch on their belt will not make a difference.
The second are researchers that want to make sure that now that Kaspersky no longer has control over their code that there are no exploits that will be known to the 'bad' guys but not to the good guys.
If that is your game and you're a professional with a good reputation and you alert Kaspersky to any holes that you find you again will be operating in a 'gray' territory but I think the law would land on your side. Anybody else downloading this is probably doing it for all the wrong reasons.
Not that a competent security researcher would need access to the source to do his job.
I'm on the fence about that one. I used to sell licensed software and of course I lost plenty of money due to piracy (if a prospect cancels a sale but turns out to be running the product after all I think that qualifies ;)). Piracy is illegal (of software), but this case deals with source code. Now it is of course possible to see the name of the file and wonder 'hey, isn't that copyrighted software' but you could make that call for every package and you'd get a bunch of people arguing that the only way open source can function is by allowing people to download stuff, then verify the license is 'legit', compiling it and running it.
So there are good reasons for not criminalizing the downloading of code, and the responsibility of anybody that does download code is that they will deal with it in the proper way once they find out the terms. If the code says '(C) 2000-2007 Kaspersky Inc, NOT for distribution or resale' at the top (I made that up), you will probably have a good idea that it's not wise for you to proceed, if on the other hand it has an open source license as a rider and you can not find anything wrong with it after careful inspection you should be free to proceed.
To make an insightful decision you'd have to download it first.
It doesn't, because there's no transfer of anything here (well of the work itself, I mean of no legal thing, I'm not sure what the exact name in English is - "property right" or something I guess). There is no right on the work that is transferred by someone making a home copy; it's merely explicitly excluded from being an infringement on the author's copyright.
So the person doing the uploading isn't transferring anything of legal substance (which, if he doesn't have any rights on the work himself, he can't, as you say).
Ok let me try again. In the following, 'Auteurswet' is the Dutch copyright law. Also, there are three parties in the example: 'the uploader', the one who provides the work and is assumed not to be entitled to do so (for the example); 'the downloader' who makes the copy; and 'the author', the holder of the copyright.
Also, 'nemo plus iuris' is an abbreviation of 'nemo plus iuris transferre potest quam ipse habet' which means 'nobody can transfer more than he has'. It's a cornerstone of property law which, in the context of physical goods but also of other property rights, means quite obviously that if you don't have rights to something, you can't transfer those rights to someone else. This may seem obvious but it comes into play when rights are retroactively discovered to have never existed at all (which is much more common than one might suspect; for example in cases of bankruptcy, non-payment with a reservation of ownership clause, ...). Then transfers of goods can be invalid and this has serious implications for purposes of ownership, repossession etc.
Anyway, back to the case at hand. First we need to distinguish between two things that can be transferred: the rights to the software, the 'copyright' (this is not a license, forget about 'licenses', it is the copyright itself.) and the software itself that is transferred. Because in English both are described by the word 'transfer' it is extra confusing; the copyright (can be but isn't in this case) 'transferred' ('overgedragen') in the same way a deed is transferred, while the software is merely 'transferred' ('gekopieerd', copied) over the wire. 'Transferring' a copyright needs to be done in writing (art 2 sub 2 Auteurswet), for example, 'transferring' some software over the internet doesn't, obviously.
Now then, the copyright is a 'property right' ('vermogensrecht'), and is with the author (in the case of the example). It is this 'copyright' that the nemo plus iuris sees to; and since 'the uploader' doesn't have it in the first place, he can't transfer it. Which makes sense.
Why then isn't the making of the copy covered by this nemo plus iuris? It's because there is no transfer of any property right going on at all. The downloader doesn't get a property right. The Auteurswet merely says that this specific making of a copy (for personal use, etc.; details are in artt 15 and 16 of the Auteurswet) is not a copyright infraction. That doesn't make the downloader holder of any copyright, or of any property right at all. And that is why the nemo plus iuris principle is not in play here.
I'm not normally one to complain about downvoting, but could whoever did so explain why, because it seems that each time I try to bring some legal facts into this whole discussion some people feel they need to express their dislike of reality by downvoting.
Because it is absolutely dense, inscrutable and grammatically incorrect legalese. According to my best effort to understand it, what you were writing in the comment was: "Downloading the source code is not illegal, because no actual thing gets downloaded, and if the downloader then uploads the code, that cannot be illegal since he has no right to the software anyway." That makes no sense at all.
One thing that amazes me about most of the commercial codebases I have seen (leaked or not) is the sheer size of them. How can one spend 1GB of source code on something like an anti-virus program?
For the large code bases I've seen, the size is often taken up by third-party code.
If we depend on a third-party library we'll download the source and build it for all supported targets (x86 and x64) (debug and release) (Windows and Linux). This can really increase the size of your code base quickly.
Static and dynamic libraries for third-party code and imports from external repositories.
Code that's been around for a long time, with a team of developers working on it for a decade or more, tends to be big. The way it is with commercial software, you more or less have to keep adding features to compete; and it's dangerous to refactor much to eliminate code because of the risk of breaking backwards compatibility, so that introduces another form of duplication.
1GB of source, just source, is pretty big, though. Just the source from RAD Studio (the product I work on) is nearly 10 million lines, about 350 million characters - though that doesn't include the C++ compiler, C RTL, debugger kernel, and a bunch of other things.
It's not limited to commercial code... Lots of codebases for complex applications are substantially large. Often the translation files filled with strings alone will be 50% of it.
Well, the Linux kernel source code is around 71MB compressed, I'd guess maybe 200MB uncompressed. That's quite a difference in source code size, and I think that the same is true with most OSS projects. The WINE project for instance is also < 100MB for the full (huge and extensive, including translation) source.
I think that commercial codebases just end up with a lot of cruft and nobody ever feels like cleaning them up (plus, there is incentive for keeping things a bit clunky as it buys slack-off time and/or extra hourly pay). As above, I also think they use other commercial/crappy components like third-party widgets that had the same treatment, so it all snowballs into a huge/unwieldy thing.
Once again the human element proves to be the hardest to secure.
Three years in jail is a pretty solid sentence, but still, every company with employees handling sensitive data like this is potentially at risk. All it takes is one bad leave and your corporate crown jewels could be on the street.
While the leaked code may ease the work of malware writers, keep in mind that whoever writes malware regularly tests against all popular antivirus software.
No point in releasing something only to get caught right away.
I'm reading your comment to imply that the Chinese are more interested in researching their production of malware.
But really, we'd need to know what proportion of leechers there are for other pirated software torrents before we could even think about drawing conclusions.
Very interesting. This should be obvious, but I'd just like to remind everyone that given the source, nature, and intended audience of this file, it is fairly likely that it contains novel malware to catch people from other AV companies, and that you should not open, compile, or run anything from it without the full set of malware-safety precautions. Use only a virtual machine with no network connectivity.
I realise that this is a pretty dubious request, but a part of me would much prefer to see a link to either GitHub or BitBucket than a torrent of a zip file.
Why? Cloning a repository doesn't improve the morality of downloading and viewing this code. In the same way that it is wrong to receive a stolen radio, you shouldn't touch this code with a 10-foot pole no matter how it's packaged.
Sorry man, but that's just a huge pile of dumb bullshit. If the information is out there it's, as a thinking human, your duty to learn about it and improve your knowledge.
Information wants to be free by definition. If some company fails to guard their precious secrets, well, game over for them.