Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2014-10-20 13:13:00

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Potential IP infringement issues

So, the other day I got an email... http://martin.swende.se/blog/IP-issues.html.

Offline

#2 2014-10-20 21:04:13

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Potential IP infringement issues

I think that it is absolutely hilarious that a General Manager (not a Legal Counsel) of a French Company (Inside Contactless) is citing United States Patent Law to a Swedish citizen. lol lol

You provided a great response but you were certainly more polite than I would have been.

I am sure that HID Global put them up to that just like they did with the letter written to Roel a few years ago.
The letter also looks very similar to the one that HID wrote to IOActive back in 2007 regarding material that was scheduled to be presented at the 2007 Blackhat conference in Las Vegas regarding hacking HID Prox technology.

I wouldn't lose any sleep over it. If they were serious you would have received a formal "Cease and Desist" letter from an actual attorney.

Offline

#3 2014-10-22 18:54:01

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Potential IP infringement issues

carl55 wrote:

I think that it is absolutely hilarious that a General Manager (not a Legal Counsel) of a French Company (Inside Contactless) is citing United States Patent Law to a Swedish citizen. lol lol

And the system is owned by HID Global, owned by Assa Abloy, which is Swedish.

You provided a great response but you were certainly more polite than I would have been.

Thanks. I felt it was best to be polite and agree to the warning. The warning is probably a good idea, if someone decides to use the source code to make their own iclass-compatible reader or whatever.

I wouldn't lose any sleep over it. If they were serious you would have received a formal "Cease and Desist" letter from an actual attorney.

That appears to be the general sentiment from 'teh internet'.

Boingboing and slashdot picked it up also, so it generated some bad publicity for them.

Offline

#4 2014-10-24 11:59:38

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Potential IP infringement issues

You should keep less private info about yourself in your blog. If I was blogging something about hacking/reversing, I would never write my real name. Why you didn't call that blog with your nickname instead?

Offline

#5 2014-10-24 20:14:25

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Potential IP infringement issues

If I considered what I do to be shadowy or suspicious, I wouldn't be doing it. I don't see the point of using a hacker-handle - that just gives credence to the belief that I'm / we're doing is not legitimate.

Offline

#6 2014-10-24 20:32:18

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Potential IP infringement issues

I agree with you holiman but before stating that what you are doing is not "shadowy or suspicious" you should consider that things that are legal in a country may be not in another. I suggest you to ask a lawyer before publishing stuff; this is a general consideration, not specific to this subject thread.

Offline

#7 2014-10-25 15:21:47

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Potential IP infringement issues

Naturally, there's a balance to be struck. What I mean is, that we shouldn't go out of our way to censor ourselves. Until proven otherwise, I'll continue to assume that what I'm doing is legal and right - if They (for any value of them) want things to be kept under a lid, let them do the work, let's not do it for them.

Everyone must decide for themselves where that balance is, and what may or may not be legal in different countries, but we also need to stand up for our rights and excercise our freedom of speech.

Offline

#8 2014-10-25 19:58:09

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Potential IP infringement issues

I am sorry holiman but rules are rules and not knowing (ignorance) or not listening (arbitrary exercise of the will) to them cannot be considered a freedom of speech. A simple example: if I discover a way to break into a security system and I arbitrarily decide to tell it to the community I can/must be legally prosecuted and this is correct because the diclosure must be "wise" that is to say I need to inform the security system administrator before releasing the "exploit" to the public; if he is not doing anything to solve the problem in a reasonable time I can inform the masses to protect them from the exploit. This is what I think is the best way to behave (and I think your one too). In this specific case the "exploit" was already widely known so i think that in this specific case you are not in the wrong way.

Last edited by asper (2014-10-25 19:59:37)

Offline

#9 2014-10-25 20:36:32

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Potential IP infringement issues

I half agree with your reasoning. Sure, I'm all for responsible disclosure. But if a flaw is found, I don't understand what would be criminal about disclosing it... It is arguably more *ethical* to do responsible disclosure, but either way - prosecution for disclosing a flaw ?? No way. I wouldn't publish the binary/decompiled code for e.g. an embedded device (such as a reader). That code clearly belongs to someone else, and I realize that doing so would probably be criminal. But the stuff we write ourselves is another matter completely.

Regarding ethics; sounds like you assume you're the first one to find the flaw, which is a mistake. There are clever people working on these systems, with a lot more resources. On the internet, a lot of 0day-bugs are found by analyzing attack patterns on honeypots - but this is not as easy to do on rfid-systems. So I think it is perfectly legit to spread awareness about flaws in these systems, so system owners can compensate for it (e.g. by ensuring that pincodes are used in addition to tags).

Look at some other sectors. Bunnie Huang, George Hotz, Saurik, Stefan Esser - all of these are hacking and reversing the hell out of Apple. Firewalls and network equipment firmware is dissected left and right, exploits and backdoors are found. And in the RFID world, taking iclass for example, a vendor claims a product to be secure ~5 years after it has been hacked (iclass still described as secure on HID global website).  It's tragic really.

Offline

#10 2014-10-25 20:50:10

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Potential IP infringement issues

But the stuff we write ourselves is another matter completely.

If it explains how to avoid/circumvent a security system (or worst it does the "hack" automatically) I can ensure you that this is not legal at least in lot of countries. Also modchips are illegal in lot of countries; we can argue about this is correct or not but actually they are illegal so you can be prosecuted if you produce/resell them.

I substantially agree with the rest of your statement, in particular with your last sentence.

Offline

#11 2014-10-25 21:02:52

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Potential IP infringement issues

asper wrote:

If it explains how to avoid/circumvent a security system (or worst it does the "hack" automatically) I can ensure you that this is not legal at least in lot of countries.

Well, what's a lot? I believe it to be legal in most - if not all- countries. Just one example, look at lock-picking, which is pretty related area:
Community: https://toool.nl/Toool
Detailed explanations: http://www.amazon.com/Practical-Lock-Pi … 214&sr=1-1
Hack tool: http://www.lockpicks.com/professional-b … brass.html

But sure, different rules apply in different countries.

Also modchips are illegal in lot of countries; we can argue about this is correct or not but actually they are illegal so you can be prosecuted if you produce/resell them.

But if you sell modchips, you are doing something else entirely. Then you are in business, selling a product which - probably - involves patented technology. That's pretty far from where this discussion started out, and also pretty far from what's happening within this community.

Offline

#12 2014-10-25 22:18:35

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Potential IP infringement issues

Just read at new disclaimers in consoles firmwares (ps3, ps4, wiiu), they state it is illegal and their software is widespread in many countries.
Anyway you are free to do whatever you want, and i must thank you for your improvements, just be conscious that actions can have (bad) consequences.

Offline

#13 2014-12-14 09:34:32

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Potential IP infringement issues

Offline

Board footer

Powered by FluxBB