Open Source and information security mailing list archives
From: fw at deneb.enyo.de (Florian Weimer)
Subject: AV companies better hire good lawyers soon.

* Jason Coombs PivX Solutions:

> I work as an expert witness in addition to being an infosec
> researcher, etc. and you would not believe how terrible the quality of
> computer forensics is in the real world today. To begin with, are you
> aware that people are going to prison in the U.S. for nothing more
> than having a compromised Windows box in their possession?

In this case, there's a fundamental flaw in the U.S. legal system. Any attempt to fix it with computer software or hardware will fail.

A few years ago, I had similar concerns with German law enforcement, but then I had the chance to see how they operate, and I was positively surprised.

> We must put a stop to the rampant deployment of code as though there
> is some sort of 'freedom to innovate' guaranteed to every person who
> can learn how to program.

Well, the market demands exactly that sort of software, at that price, even from large software companies.

> Anyone who ships code without coordinating with others and joining the
> effort to figure out how to put a stop to the care-free deployment of
> code in the future is literally sending innocent people to prison.

Sorry, even in your flawed logic, this statement is false, or remarkably short-sighted. Users install software without any actual knowledge.

My preferred solution is to make software so hard to set up that once the users get it remotely working, they know enough about the system to defend themselves against false complaints.

> It is time to impose licensing requirements for software
> publishers.

And users, of course.

> This is the only way to force compliance with standards of
> practice that have yet to be devised but that must include some
> centralized repository of forensic information and knowledge about all
> licensed programmers and program code.

You're kidding, aren't you? The customer doesn't want to pay for security. Most of the time, this is a sane business decision. Apart from the free speech issues, you'd also have to regulate the market so that it adopts practices which are currently considered economic suicide by *all* players.

> The solution is hard. Just explaining the full scope of the problem to
> people is hard.

There's a reason for your troubles: in democratic countries, people are used to their free speech rights. In the U.S., companies can even rely on the protection of commercial speech.

There are methods to improve security by government regulation which do not come close to Stalinist typewriter registration. For example, you could make software companies liable for defects in their products.

Back to your code registration proposal. It's remarkably short-sighted even from a technical perspective. What do you want to register? Source code? Binaries? There's a problem with both. There's an injective mapping from source code to binaries, so pure source code registration doesn't help with forensic analysis. Even for binaries, there are legitimate reasons why installed copies can differ from the official ones: prelinking and other forms of optimization, inoculation, applied hotfixes.

Code registration doesn't solve the problem that someone is framed with the help of malicious software, either. If your justice system is broken in the way you described, and there is no unregistered code on the machine, this will be taken as proof that any action that was carried out by the machine was requested by its owner. As a result, a code registry would have the opposite effect from the one you intended.

Furthermore, most code that is used for malicious purposes has been written by completely legitimate software companies, for completely legitimate reasons.