Date: Mon, 3 May 2010 10:29:47 -0700
From: J Roger <securityhocus@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: go public to avoid jail

In the United States the burden of proof is on the prosecution, not the
defense. Stephen was innocent until proven guilty.

I'm suggesting Stephen could have released his tool to the public so anyone
authorized to audit cardholder data environments could have used it.

> What he did was the same thing as someone supplying burglar tools
> to someone, knowing that they're going to break into someone's house

If the tool was released publicly, and not just to Mr. Gonzales, would the
prosecution be able to prove beyond a reasonable doubt, that this scenario
took place and not just that Mr. Gonzales used a publicly available tool his
friend happened to have created and distributed publicly, to commit his
crimes?


> Where do you get that idea?  Under what legal theory do you postulate
> that?


Common sense

> He still knew his software was going to be used by a known
> individual, WHO TOLD HIM BEFOREHAND, that he was going to use the
> software to rip people off.  That makes him liable, period.


Could the prosecution prove this is the case if the tool wasn't distributed
only to Gonzales? Releasing the tool publicly could help the defense argue
the point that he was told beforehand, that he knew it would be used to rip
people off, etc.

> no amount of twisting the facts is going to convince a
> judge otherwise.


The defense doesn't need to convince the judge that Stephen is a saint,
only needs to weaken the prosecution's argument enough.

> If your buddy comes to you and says "I'm going to go stab some people
> and take their money will you construct for me a custom knife
> particularly well-suited for that purpose" and you say "sure, here you
> go, heh, no charge this time" and this conversation is recorded as
> evidence then both of you are going to get prosecuted.


Could they prove his buddy came to him and said "I'm going to commit crime X
will you provide me with tool Y to do it?" Since the tool was made and
distributed only to Gonzales it was probably pretty difficult to argue the
above scenario did not occur. If the tool was released publicly and
Gonzales went and downloaded it from PacketStorm along with a thousand other
people that day, proving the above scenario occurred could be more
challenging.

> The point is that you
> knew this specific knife was intended to be used for this purpose and
> you decided to go out of your way to help.


If the tool was released publicly, how much more difficult would it have
been for the prosecution to prove that you knew the tool was intended to be
used for a particular illegal purpose in a specific case and you went out of
your way to help?


JRoger

On Mon, May 3, 2010 at 9:27 AM, Marsh Ray <marsh@...endedsubset.com> wrote:

>
> If your knife is found in a dead body, you're going to have some
> explaining to do.
>
> If it turns out that you're a restaurant supply business that sells 3000
> of that model knife a week, then you don't have a problem.
>
> If your buddy comes to you and says "I'm going to go stab some people
> and take their money will you construct for me a custom knife
> particularly well-suited for that purpose" and you say "sure, here you
> go, heh, no charge this time" and this conversation is recorded as
> evidence then both of you are going to get prosecuted.
>
> No one (seriously, no one) is going to be the least bit impressed by the
> "factories sell knives all the time" argument. The point is that you
> knew this specific knife was intended to be used for this purpose and
> you decided to go out of your way to help.
>
> Hacking/pen-test tools can definitely push the gray area a bit, but the
> custom-knife-in-dead-body example does not.
>
> - Marsh
>
> On 5/3/2010 5:34 AM, Christian Sciberras wrote:
> > No, I'm being damn realistic. If it weren't me providing a knife to "my
> > buddy" it would be someone else, or some kitchen drawer.
> >
> > Also, why do I go to jail, not the shop owner that sold me the knife? Or the
> > factory owner?
> >
> > It's this guy that should be liable to the crime, not the provider.
> >
> >
> > On Mon, May 3, 2010 at 12:04 PM, Ed Carp <erc@...ox.com> wrote:
> >
> >> Oh, stop it.  If you give your buddy a knife, knowing they're going to
> >> go out and stab someone with it, you're going to jail, too.  Stop
> >> playing the fool.
> >>
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>