RE: What to do with a vulnerability?
From: Oliver Lavery (oliver.lavery@sympatico.ca)
Date: 01/24/03
From: "Oliver Lavery" <oliver.lavery@sympatico.ca>
To: <jasonc@science.org>, "'Blue Boar'" <BlueBoar@thievco.com>
Date: Thu, 23 Jan 2003 19:47:46 -0500
>We all know code and knowledge we release will be used to do harm if it is possible for it to do
>so. If I were the prosecutor, I'd bring charges against anyone who releases any code, and some who
>release knowledge, on the basis that there was specific foreknowledge as to harmful uses. The
>Patriot Act, DMCA, and Computer Fraud and Abuse Act would give me legal grounds to do so, and as
>prosecutor it's my job to exploit the law not interpret or judge it.
I do think you have to be careful when tossing about phrases like
'foreknowledge of harmful use'. If you're correct in assuming that the DMCA
and PATRIOT take this into consideration, they must have a very specific
definition of 'harmful use'. A compiler has many potential 'harmful uses'
including and not limited to producing the binary form of pretty much all
the malware out there (meaning compiler in a broad sense, including
assemblers and interpreters). Yet Borland and Microsoft are hardly shaking
in their booties. More philosophically, hammers have a multitude of harmful
uses yet we don't generally prosecute their manufacturers.

Blue Boar's suggestion is akin to both of these examples; it's
creating a piece of code which can be used for malevolent purposes (making
nasty viruses, rootkits and the like), but explicitly can be used for
benevolent purposes (protecting people from said viruses and rootkits).

Of course, this is more an objection to the laws. I don't get the
impression Jason agrees with them either.

Incidentally, yeah, I do assume that code which demonstrates how to
hide stuff your computer is doing/storing will not have very many positive
applications.
Cheers,
~ol
-----Original Message-----
From: Blue Boar [mailto:BlueBoar@thievco.com]
Sent: Thursday, January 23, 2003 12:58 PM
To: jasonc@science.org
Cc: The Blueberry; oliver.lavery@sympatico.ca; vuln-dev@securityfocus.com
Subject: Re: What to do with a vulnerability?
Jason Coombs wrote:
> Viral vs. non-viral is an unimportant distinction -- if you choose to engage
> in this business, be sure you can document your good intentions and
> your legal forensic procedures because they are your only legal
> defense against prosecution.
>
> Persecution, on the other hand, is a given.
Oh, I dunno. I think it would be a lot harder to make a case for innocent
intentions if the code were written in viral/worm form. In this instance,
what *appears* to be under discussion is a technique for process hiding.
That's not even an exploit per se. On the whole spectrum of programs that
someone might take offense to, that's not too bad. I think that the
question of viruses and worms came up only because the person who made the
discovery assumes that malicious code would be the main consumer of such a
technique.
I wish I could simply roll my eyes at your statement that releasing an
exploit or technique might make one an accessory to a crime, but sadly I
fear your concern now has a basis, and I can't dismiss it outright anymore.
BB