Message-ID: <40EE5205.7080908@science.org>
Date: Thu, 08 Jul 2004 22:06:29 -1000
From: Jason Coombs <jasonc@...ence.org>
To: bugtraq@...urityfocus.com
Cc: isn@...rition.org, InfoSec News <isn@....org>,
full-disclosure@...ts.netsys.com
Subject: [Fwd: A FINFlash from the Freedom to Innovate Network]
> TECH POLICY FEATURE: FEDERAL SPYWARE BILL COULD HURT INNOVATION
> Online snooping and deceptive advertising practices should be stopped.
> But Congress is now considering a bill, H.R. 2929, "Securely Protect
> Yourself Against Cyber Trespass Act" (the "SPY ACT"), that could block
> legitimate software operations and thwart innovation.
...
> Read more <http://go.microsoft.com/?linkid=698586 >
This is related inversely to the recent appeals court decision that
extends the Steve Jackson Games precedent excluding "stored electronic
communications" from the Wiretap Act to not just hard drives, as were
dealt with explicitly in the Steve Jackson Games case, but RAM and any
other data storage device as well.
Microsoft and others are opposed to criminalizing the installation of
software without user consent.
However, when you consider the legal impact of the installation of
software on the rights of the computer owner there really can be no
other conclusion than that unauthorized software installation must be
made a crime.
Software installed on a box has access to RAM, hard drives, and other
storage in which "stored electronic communications" may exist as defined
by the Wiretap Act. Pursuant to the U.S. v. Councilman appeals court
ruling, software that intercepts electronic communications is by
definition not intercepting "electronic communications" but rather is
intercepting "stored electronic communications" as the software accesses
those communications by way of RAM not by way of direct physical tap of
a wire that is transmitting "electronic communications."
http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
Because of this new ruling, software can now be given features that
allow access to any "stored electronic communications" that it can find,
and there will not be any criminal prosecution possible of the persons
responsible for harm that such software is used in order to cause.
There are many ways for attackers to get code executing on our boxes
without our consent, and in the past it was presumed that planting of
malware was usually, if not always, a criminal act in violation of
various computer crime statutes.
Now, however, it appears that all one need do to successfully avoid
prosecution is claim that the software was not malicious because it didn't
cause harm to the box it infected; that all it did was intercept "stored
electronic communications" and give remote access to them, or some variation
on that theme; and that because it was not a crime to install the software in
the first place, it was not a crime to intercept the communications, and
since the software did no damage to the computer there can be, by definition,
no criminal act.
Unless perhaps a remote exploitable vulnerability is used to plant the
malware? Windows users authorized Windows to be installed, along with
all of its default vulnerable ActiveX Controls and Internet Explorer --
how can a little bit of HTML, an OBJECT tag, a GUID, and some script,
all of which make use of only those features of the authorized software
present on the box through consent and willing participation on behalf
of the box owner, be a criminal act? We're not talking about overflowing
buffers here, we're just talking about asking IE to do what it was
designed to do: allow unauthorized installation and execution of software.
This is all very strange, but very real.
Criminalize unauthorized software installation now!
And, criminalize unauthorized software installation that is enabled by
another program that was previously authorized. It should be a crime to
install software with authorization that then installs software without
authorization.
Precisely where software starts and stops, whether updates to a single
program are allowed without consent, whether a single "program" can grow
to include new features without consent, and so forth, are difficult
issues that now need to be figured out and factored into legislation,
particularly since there are new legal loopholes that allow software to
do what it pleases without consequences for those responsible.
Without the voice of information security professionals in this process,
we are all going to regret the outcome.
Sincerely,
Jason Coombs
jasonc@...ence.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html