RE: What to do with a vulerability?

>We all know code and knowledge we release will be used to do harm if it is
possible for it to do
>so. If I were the prosecutor, I'd bring charges against anyone who releases
any code, and some who
>release knowledge, on the basis that there was specific foreknowledge as to
harmful uses. The
>Patriot Act, DMCA, and Computer Fraud and Abuse Act would give me legal
grounds to do so, and as
>prosecutor it's my job to exploit the law not interpret or judge it.

        I do think you have to be careful when tossing about phrases like 'foreknowledge of harmful use'. If your correct in assuming that the DMCA and PATRIOT take this into consideration, they must have a very specific definition of 'harmful use'. A compiler has many potential 'harmful uses' including and not limited to producing the binary form of pretty much all the malware out there (meaning compiler in a broad sense, including assemblers and interpreters). Yet Borland and Microsoft are hardly shaking in their booties. More philosophically, hammers have a multitude of harmful uses yet we don't generally prosecute their manufacturers.

        Blue Boar's suggestion is akin to both of these examples; it's creating a piece of code which can be used for malevolent purposes (making nasty viruses, rootkits and the like), but explicitly can be used for benevolent purposes (protectingg people from said viruses and rootkits).

        Of course, this is more an objection to the laws. I don't get the impression Jason agrees with them either.

        Incidentally, yeah, I do assume that code which demonstrates how to hide stuff your computer is doing/storing will not have very many positive applications.

Cheers,
~ol

-----Original Message-----
From: Blue Boar [mailto:BlueBoar@thievco.com] Sent: Thursday, January 23, 2003 12:58 PM To: jasonc@science.org
Cc: The Blueberry; oliver.lavery@sympatico.ca; vuln-dev@securityfocus.com Subject: Re: What to do with a vulerability?

Jason Coombs wrote:
> Viral vs. non-viral is an unimportant distinction -- if you choose to
engage
> in this business, be sure you can document your good intentions and
> your legal forensic procedures because they are your only legal
> defense against prosecution.
>
> Persecution, on the other hand, is a given.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Oh, I dunno. I think it would be a lot harder to make a case for innocent intentions if the code were written in viral/worm form. In this instance, what *appears* to be under discussion is a technique for process hiding. That's not even an exploit per se. On the whole spectrum of programs that someone might take offense to, that's not too bad. I think that the question of viruses and worms came up only because the person who made the discovery assumes that malicious code would be the main consumer of such a technique.

I wish I could simply roll my eyes at your statement that releasing an exploit or technique might make one an accessory to a crime, but sadly I fear your concern now has a basis, and I can't dismiss it outright anymore.

                                                BB Received on Fri Jan 24 11:35:48 2003