
RE: What to do with a vulerability?

From: Jason Coombs <jasonc(at)science.org>
Date: Thu Jan 23 2003 - 17:30:57 EST


See:

http://www.eff.org/Privacy/Surveillance/Terrorism_militias/20011031_eff_usa_patriot_analysis.html

You may be accused of providing "material support" (§§ 803, 805) to terrorists.

By creating and releasing an exploit tool you may be accused of "terrorism transcending national borders per 18 USC §2332b"

You'll definitely be accused of violating the Computer Fraud and Abuse Act, which is really given some teeth by the Patriot Act:

"Computer Fraud and Abuse Act (CFAA), 18 USC §1030. USAPA sec. 202 adds felony violations of the CFAA"

"The EFF is also deeply dismayed to see that the Attorney General seized
upon the legitimate Congressional concern following the September 11, 2001 attacks to pad the USAPA with provisions that have at most, a tangential relationship to preventing terrorism. Instead, they appear targeted at low and mid-level computer defacement and damage cases which, although clearly criminal, are by no means terrorist offenses and have no business being included in this bill."

-----Original Message-----
From: Oliver Lavery [mailto:oliver.lavery@sympatico.ca]
Sent: Thursday, January 23, 2003 10:22 AM
To: jasonc@science.org; 'The Blueberry'; BlueBoar@thievco.com
Cc: vuln-dev@securityfocus.com
Subject: RE: What to do with a vulerability?

Hi guys,

        Blue Boar's suggestion is pretty much how I'm going, after being brushed off by a few researchers (and CERT), who seem to have given me the 'once you have root you can do anything, so who cares?' line. I think that that's bullocks in certain cases, like this one, so I think publishing a non-viral PoC is the way to go. Oddly you don't even really have to have root (*ehm* Administrator) to achieve what I'm talking about.

        Jason's point is well taken though. I get the connection with the DMCA, but would one of you yankees be so kind as to explain how P.A.T.R.I.O.T applies to this sort of thing? (I'm Canadian myself ... Fortunately we don't sign away our rights quite as easily).

        Thanks, btw. The discussion my post generated has been most informative. Sorry I haven't replied to the slew of responses and questions (many of which didn't hit the list), but I've received rather a surprisingly large amount of mail about this.

        BB, incidentally, you asked "So you are saying you've got a way to hide a process running on a Windows machine?". Yeah, that's precisely what I'm saying ... Hide a process, registry keys, files etc.

Cheers,
~ol

-----Original Message-----
From: Jason Coombs [mailto:jasonc@science.org]
Sent: January 23, 2003 3:04 PM
To: The Blueberry; BlueBoar@thievco.com; oliver.lavery@sympatico.ca
Cc: vuln-dev@securityfocus.com
Subject: RE: What to do with a vulerability?

When you think explicit thoughts and share them with others in detail you may be found guilty of violating the DMCA or the Patriot Act.

Viral vs. non-viral is an unimportant distinction -- if you choose to engage in this business, be sure you can document your good intentions and your legal forensic procedures because they are your only legal defense against prosecution.

Persecution, on the other hand, is a given.

Sincerely,

Jason Coombs
jasonc@science.org

Received on Fri Jan 24 11:30:14 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT

