From: tobias at weisserth.de (Tobias Weisserth)
Subject: Sasser author

Dear van Helsing (spooky ;-)),

On Thu, 2004-05-13 at 19:48, van Helsing wrote:
> On Thu, 13 May 2004 07:55:01 -0700 (PDT)
> Andrew Morris <husky_cat@...oo.com> wrote:
> 
> > This must be a joke.
> > 
> > Who, with a straight face, can believe that exploiting a
> > buffer overflow is just the act of an innocent person
> > using "Microsoft's Features".
> > 
> > If this is not a joke then the author must be a black
> > hat. The comments alone indicate he/she is an MS
> > bigot. 
> > 
> > Not that I believe MS is virtuous or the best, but
> > exploiting a bug in any OS and then claiming that it
> > is just a normal use of an OS's feature set is
> > ridiculous.
> > 
> > If anyone used the trojaned sendmail it's no one's
> > fault, just a feature right?!
> 
> Maybe I'm a "blackhat" too...

Maybe indeed. We'll see, won't we?

> But you're to differ STRONGLY between data manipulation and exploiting a
> buffer overflow.

You're joking, right? Exploiting a buffer overflow won't be possible
without manipulating data and may it be only within the system's memory.
Any exploitation of a bug whatsoever won't be possible without
manipulating data. This is what "exploit" means.

By overwriting memory stacks and executing code that wasn't supposed to
run you have already manipulated data. There isn't anything else
necessary to become a "blackhat". You're a criminal already then.

> In case 1 we modify something (e.g. sendmail example).
> In case 2 we JUST USE the Software itself.

There is a German law against that as well. This is already a federal
felony in Germany.

> Nobody can't arrest you for the mistakes others do...

No, but you CAN be arrested for crimes you committed. And believe me,
you'll BE prosecuted if you get arrested :-)

> If the Sasser author will be judged then NOT for exploiting the software.

He will be judged for breaking the German law in several cases if the
prosecution is able to prove that he wrote and spread the virus.

> When your car is open and I take your Wallet it is NOT a theft.

Of course this is theft. At least by legal standards in Germany. I don't
know what banana republic you are from.

> It is a pilfer without agreement.

That's just another expression for theft :-) Open a German law book and
convince yourself.

> That's a difference for the law! ;)

No, not at all. Leaving your door open doesn't make the crime of taking
what is not yours less a theft. The same goes for computer crimes.

> So if you exploit something you can't be judged for data manipulation...

As soon as your virus changes the content of any part of the system's
memory, be it the RAM or any other medium you have already manipulated
data and are guilty of the corresponding crime. It's as easy as that. In
order to run on the victim's computer the virus has to manipulate the
content of the system memory. And if I'm not mistaken it manipulates the
file system when it saves itself to the hard disk so that it's still
there after the next reboot. Sasser MASSIVELY manipulates data.

> So we can say that exploiting something isn't a crime because you can't be
> judged for the mistakes other guys make.

This is idiotic.

My point stands. Prosecute the author and his partners in crime who
helped him spread the thing. If there is enough solid evidence usable
for the courts lock them away as long as possible according to current
laws. Maybe when they get their rear-ends penetrated by other inmates in
jail they'll rethink messing around with other people's systems. I hope
for them they won't drop the soap in the shower...

Tobias W.

