lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <40EE5205.7080908@science.org>
Date: Thu, 08 Jul 2004 22:06:29 -1000
From: Jason Coombs <jasonc@...ence.org>
To: bugtraq@...urityfocus.com
Cc: isn@...rition.org, InfoSec News <isn@....org>,
   full-disclosure@...ts.netsys.com
Subject: [Fwd: A FINFlash from the Freedom to Innovate Network]


 > TECH POLICY FEATURE: FEDERAL SPYWARE BILL COULD HURT INNOVATION
 > Online snooping and deceptive advertising practices should be stopped.
 > But Congress is now considering a bill, H.R. 2929, "Securely Protect
 > Yourself Against Cyber Trespass Act" (the "SPY ACT"), that could block
 > legitimate software operations and thwart innovation.
...
 > Read more <http://go.microsoft.com/?linkid=698586 >

This is related inversely to the recent appeals court decision that 
extends the Steve Jackson Games precedent excluding "stored electronic 
communications" from the Wiretap Act to not just hard drives, as were 
dealt with explicitly in the Steve Jackson Games case, but RAM and any 
other data storage device as well.

Microsoft and others are opposed to criminalizing the installation of 
software without user consent.

However, when you consider the legal impact of the installation of 
software on the rights of the computer owner there really can be no 
other conclusion than that unauthorized software installation must be 
made a crime.

Software installed on a box has access to RAM, hard drives, and other 
storage in which "stored electronic communications" may exist as defined 
by the Wiretap Act. Pursuant to the U.S. v. Councilman appeals court 
ruling, software that intercepts electronic communications is by 
definition not intercepting "electronic communications" but rather is 
intercepting "stored electronic communications" as the software accesses 
those communications by way of RAM not by way of direct physical tap of 
a wire that is transmitting "electronic communications."

http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf

Because of this new ruling, software can now be given features that 
allow access to any "stored electronic communications" that it can find, 
and there will not be any criminal prosecution possible of the persons 
responsible for harm that such software is used in order to cause.

There are many ways for attackers to get code executing on our boxes 
without our consent, and in the past it was presumed that planting of 
malware was usually, if not always, a criminal act in violation of 
various computer crime statutes.

Now, however, it appears that all one need do to successfully avoid 
prosecution is claim that software was not malicious because it didn't 
cause harm to the box it infected; that all it did was intercept "stored 
electronic communications" and give remote access to it, or variations 
on that theme; and, because it was not a crime to install the software in 
the first place, it was not a crime to intercept the communications; and, 
since the software did no damage to the computer, there can be, by 
definition, no criminal act.

Unless perhaps a remote exploitable vulnerability is used to plant the 
malware? Windows users authorized Windows to be installed, along with 
all of its default vulnerable ActiveX Controls and Internet Explorer -- 
how can a little bit of HTML, an OBJECT tag, a GUID, and some script, 
all of which make use of only those features of the authorized software 
present on the box through consent and willing participation on behalf 
of the box owner, be a criminal act? We're not talking about overflowing 
buffers here, we're just talking about asking IE to do what it was 
designed to do: allow unauthorized installation and execution of software.

This is all very strange, but very real.

Criminalize unauthorized software installation now!

And, criminalize unauthorized software installation that is enabled by 
another program that was previously authorized. It should be a crime to 
install software with authorization that then installs software without 
authorization.

Precisely where software starts and stops, whether updates to a single 
program are allowed without consent, whether a single "program" can grow 
to include new features without consent, and so forth, are difficult 
issues that now need to be figured out and factored in to legislation.

Particularly since there are new legal loopholes that allow software to 
do what it pleases without consequences for those responsible.

Without the voice of information security professionals in this process, 
we are all going to regret the outcome.

Sincerely,

Jason Coombs
jasonc@...ence.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html