Disclaimer when writing software that can be used for harm

Hi, I was wondering if anyone knows anything about disclaimers when it comes to software that may potentially be harmful?

I am currently writing a piece of software that can do things such as parameter tampering, look at cross-site scripting and so forth, which I will personally use as an ethical pentesting tool. But that got me thinking: what if I wanted to share this type of software (even source code)? Would I in that case need to put any special type of disclaimer on it?

Most open source licenses disclaim all warranties and all fitness for any purpose. That should be enough.
I think it comes down to a mix of behavior and intent. If the software self-replicates and spreads to other machines, you will get into trouble. If it steals critical info (e.g. credit card numbers or personal info (name/age/sex/location/address/etc. type stuff)) and sends that back to you, again, trouble. If it bypasses security measures intentionally to do harm or steal data, trouble. If it takes control of a machine to do work not for the owner of the machine, trouble. All these things should be obvious, as well as other obvious 'I mean to do harm' things, and posting that kind of code, no matter what disclaimer, is going to get you into some trouble.

The grey areas beyond that are usually safe with just a normal disclaimer. E.g. you can hack into a database with Excel, given enough time and effort. This isn't Microsoft's fault, nor does that make Excel the problem; the problem is how the user abused the software to make it do something it was not meant to do. Some grey areas may have someone in a black suit ask you 'nicely' to take the code down from public view, or alter it in some way, etc. This is rare, but say you cracked the current encryption standard in like 10 seconds with some exotic algorithm. The program itself isn't exactly malware or anything, but you may still get a cease and desist visit :P

From what you have said, it sounds like the user can do something 'bad' but the program itself would not, nor the code as-written. That feels like the excel example, and a normal license should be enough.
Open source licences or any other sort of warranty has little or nothing to do with the problem. The fitness for purpose comment is also totally irrelevant, in fact it misses the point completely.

Supplying or otherwise making tools available that are specifically designed to penetrate systems, tampering no less, is a very risky undertaking without getting expert legal advice. Even then, expect and prepare for at least one lawsuit, possibly a jail sentence, where one of your 'downloaders' penetrates a less than happy, or otherwise litigious, customer of theirs.

Thank you all for the good replies! I am now certain that it isn't a good idea to share something like this. Which is somewhat unfortunate, as I can see it being used in such things as CTF competitions.