Re: n.runs, Sophos, German laws, and customer safety
Hi,
it is important to notice this.
The mentioned German law comes after the similar French law called lcLEN
(aka Fontaine's law).
In 2003-2004, a petition was done against this law, with around 15,000
signatories...
http://www.iris.sgdg.org/actions/len/petition.html
for nothing...
"A new anti-security law was voted yesterday in France, this law called
LEN (loi pour la confiance dans l'économie numérique)":
http://www.securityfocus.com/archive/1/359969
And after that we had the Guillermito's story
"Hacker Indicted In France For Publishing Exploits":
http://slashdot.org/article.pl?sid=04/03/31/1543248
http://constitutionalcode.blogspot.com/2005/01/guillermito-reverse-engineering.html
Good luck to our neighbours from Deutschland...
I salute you!
/JA
Steven M. Christey a écrit :
> The n.runs-SA-2007.027 advisory claims code execution through a UPX
> file. This claim is inconsistent with the vendor's statement that
> it's only a "theoretical" DoS:
>
> http://www.sophos.com/support/knowledgebase/article/28407.html
>
> "A corrupt UPX file causes the virus engine to crash and Sophos
> Anti-Virus to return 'unrecoverable error. leading to scanning being
> terminated. It should not be a security threat although repeated
> files could cause a denial of service."
>
> It is unfortunate that Germany's legal landscape prevents n.runs from
> providing conclusive evidence of their claim. This directly affects
> Sophos customers who want to know whether it's "just a DoS" or not.
> Many in the research community know about n.runs and might believe
> their claim, but the typical customer does not know who they are
> (which is one reason why I think the Pwnies were a good idea). So,
> many customers would be more likely to believe the vendor. If the
> n.runs claim is true, then many customers might be less protected than
> they would if German laws did not have the chilling effect they are
> demonstrating.
>
> It should be noted that in 2000, a veritable Who's Who of computer
> security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
> Levy, Alan Paller, and other well-known security professionals -
> published a statement of concern about the Council of Europe draft
> treaty on Crime in Cyberspace, which I believe was the predecessor to
> the legal changes that have been happening in Germany:
>
> http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html
>
> Amongst many other things, this letter said:
>
> "Signatory states passing legislation to implement the treaty may
> endanger the security of their computer systems, because computer
> users in those countries will not be able to adequately protect
> their computer systems...
> legislation that criminalizes security
> software development, distribution, and use is counter to that goal,
> as it would adversely impact security practitioners, researchers,
> and educators."
>
> If I recall correctly, we were assured by representatives that such an
> outcome would not occur.
>
> - Steve
Received on Tue Aug 28 15:24:50 2007