Re: Can "rockyou" wordlist be packaged in Debian?
On Mon, Oct 3, 2016 at 5:09 AM, Florian Weimer wrote:

> And a password database can be protected as a database in the EU.

Some recent interesting articles on this topic:

http://lu.is/blog/2016/09/12/copyleft-and-data-database-law-as-poor-platform/
http://lu.is/blog/2016/09/14/copyleft-and-data-databases-as-poor-subject/
http://lu.is/blog/2016/09/21/copyleft-attribution-and-data-other-considerations/
http://lu.is/blog/2016/09/26/public-licenses-and-data-so-what-to-do-instead/

--
bye,
pabs

https://wiki.debian.org/PaulWise

Re: Can "rockyou" wordlist be packaged in Debian?
* Paul Wise:

> On Wed, Sep 21, 2016 at 12:47 AM, Eriberto Mota wrote:
>
>> Can rockyou be packaged in Debian, considering that Kali will put a
>> DFSG-compatible license for this wordlist?
>
> Kali certainly isn't the owner of the wordlist so they definitely
> can't put a license on it.
>
> OTOH, it probably is not copyrightable.

I'm not convinced it is a good idea for Debian to distribute results
of a data breach, even if copyright laws and data protection laws
permit this.

And a password database can be protected as a database in the EU.

Re: Can "rockyou" wordlist be packaged in Debian?
Hi all,

Thanks for your opinions. I will drop my idea of packaging this wordlist.

Thanks!

Eriberto

2016-09-22 1:24 GMT-03:00 Charles Plessy:
>> Eriberto Mota writes:
>>
>> > However, I will wait for more opinions before submitting a package to Debian.
>
> On Thu, Sep 22, 2016 at 10:33:02AM +1000, Ben Finney wrote:
>>
>> Don't (only) wait for them here. I would advise you to ask the people
>> distributing the work what they think the copyright status of the work
>> is.
>
> Hi all,
>
> I am not entirely sure if it will be constructive, but in doubt, it might
> also be preferable to get the opinion of those from whom the data was
> stolen, even if it is not copyrightable. For instance, they may advise on
> how to use (or not!) their name in the package description, etc.
>
> Have a nice day,
>
> --
> Charles

Re: Can "rockyou" wordlist be packaged in Debian?
> Eriberto Mota writes:
>
> > However, I will wait for more opinions before submitting a package to Debian.

On Thu, Sep 22, 2016 at 10:33:02AM +1000, Ben Finney wrote:
>
> Don't (only) wait for them here. I would advise you to ask the people
> distributing the work what they think the copyright status of the work
> is.

Hi all,

I am not entirely sure if it will be constructive, but in doubt, it might
also be preferable to get the opinion of those from whom the data was
stolen, even if it is not copyrightable. For instance, they may advise on
how to use (or not!) their name in the package description, etc.

Have a nice day,

--
Charles

Re: Can "rockyou" wordlist be packaged in Debian?
Eriberto Mota writes:

> However, I will wait for more opinions before submitting a package to Debian.

Don't (only) wait for them here. I would advise you to ask the people
distributing the work what they think the copyright status of the work
is.

Do they consider the work is subject to copyright?

Do they consider themselves the sole copyright holders? If not, what
other specific parties hold copyright in the work?

Do the distributors consider they can unilaterally decide to set
redistribution terms? What terms do they set?

And, importantly: What compelling reasons are presented for *everyone
else* to consider those answers sufficient?

--
 \     “The difference between religions and cults is determined by |
  `\          how much real estate is owned.” —Frank Zappa |
_o__)                                                                  |
Ben Finney

Re: Can "rockyou" wordlist be packaged in Debian?
On Wed, Sep 21, 2016 at 8:00 PM, Eriberto Mota wrote:

> It is also a list about what not to use for security.

For security, don't use passwords unless you are forced to.

If you must use passwords, use Diceware or similar:

https://en.wikipedia.org/wiki/Diceware
https://packages.debian.org/unstable/diceware
https://packages.debian.org/unstable/xkcdpass

--
bye,
pabs

https://wiki.debian.org/PaulWise

Re: Can "rockyou" wordlist be packaged in Debian?
Hi Ben, Ángel and Paul,

Thanks a lot for your replies.

I think that it is possible to redistribute the wordlist in Debian.
Seeing your considerations, it is a bit clear to me that this wordlist
can be considered as a "regular" dictionary with words and expressions
used nowadays. It is also a list about what not to use for security.

However, I will wait for more opinions before submitting a package to Debian.

Regards,

Eriberto

Re: Can "rockyou" wordlist be packaged in Debian?
On Wed, Sep 21, 2016 at 12:47 AM, Eriberto Mota wrote:

> Can rockyou be packaged in Debian, considering that Kali will put a
> DFSG-compatible license for this wordlist?

Kali certainly isn't the owner of the wordlist so they definitely
can't put a license on it.

OTOH, it probably is not copyrightable.

--
bye,
pabs

https://wiki.debian.org/PaulWise

Re: Can "rockyou" wordlist be packaged in Debian?
On 21/09/16 01:46, Ben Finney wrote:
> Thanks for raising this question.
>
> Eriberto Mota writes:
>
>> Well, the quoted event resulted in a file with 14 million passwords,
>> distributed by Kali Linux.
>
> Do you have any reference to the discussions those people had over their
> license to distribute that information?
>
> I would expect such a discussion to get into the issue of whether a
> single password is subject to copyright restrictions, and further
> whether a compiled collection of such works is itself subject to
> copyright restriction.
>
> I would want to see such a discussion with clear, solid support for the
> freedom to redistribute that work under a free license, before proposing
> its distribution in Debian.

IMHO, the passwords themselves are unlikely to pass the threshold of
originality. Looking at the longer entries, there are a few passphrases,¹
but not much that could be considered copyrightable. In addition, the
fact that passwords appeared multiple times is also an indicator that
there was little to no originality involved.

Another question would be if the database itself could be copyrighted,
but given that there was no compiling effort at all from rockyou, that
won't be the case.² Plus, it was a US company, where there are no
database rights.

However, I wonder if the fact that it was stolen would be a problem.

Best

¹ and a lot of waste. In some cases they were probably inserted from
spambots which confused it with a comment field.

² Ok, they might claim that their only goal in creating the rockyou
website was getting such a password list from their users, but that would
equal admitting an even bigger misdemeanor.

Re: Can "rockyou" wordlist be packaged in Debian?
Thanks for raising this question.

Eriberto Mota writes:

> Well, the quoted event resulted in a file with 14 million passwords,
> distributed by Kali Linux.

Do you have any reference to the discussions those people had over their
license to distribute that information?

I would expect such a discussion to get into the issue of whether a
single password is subject to copyright restrictions, and further
whether a compiled collection of such works is itself subject to
copyright restriction.

I would want to see such a discussion with clear, solid support for the
freedom to redistribute that work under a free license, before proposing
its distribution in Debian.

--
 \     “Airports are ugly. Some are very ugly. Some attain a degree of |
  `\     ugliness that can only be the result of a special effort.” |
_o__)   —Douglas Adams, _The Long Dark Tea-Time of the Soul_, 1988 |
Ben Finney