lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Aug 2007 20:43:38 +0200
From: Jerome Athias <jerome.athias@...e.fr>
To: "Steven M. Christey" <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: n.runs, Sophos, German laws, and customer safety

Hi,

it is important to notice this.
The mentioned german law comes after the similar french law called lcLEN 
(aka Fontaines's law).
In 2003-2004, a petition was done against this law, with around 15,000 
signatories...
http://www.iris.sgdg.org/actions/len/petition.html

for nothing...

"A new anti-security law was voted yesterday in France, this law called 
LEN (loi pour la confiance dans l'économie numérique)":
http://www.securityfocus.com/archive/1/359969

And after that we had the Guillermito's story
"Hacker Indicted In France For Publishing Exploits": 
http://slashdot.org/article.pl?sid=04/03/31/1543248
http://constitutionalcode.blogspot.com/2005/01/guillermito-reverse-engineering.html

Good luck to our neighbours from Deutschland...
I salute you!
/JA

Steven M. Christey a écrit :
> The n.runs-SA-2007.027 advisory claims code execution through a UPX
> file.  This claim is inconsistent with the vendor's statement that
> it's only a "theoretical" DoS:
>
>   http://www.sophos.com/support/knowledgebase/article/28407.html
>
>   "A corrupt UPX file causes the virus engine to crash and Sophos
>   Anti-Virus to return 'unrecoverable error. leading to scanning being
>   terminated. It should not be a security threat although repeated
>   files could cause a denial of service."
>
> It is unfortunate that Germany's legal landscape prevents n.runs from
> providing conclusive evidence of their claim.  This directly affects
> Sophos customers who want to know whether it's "just a DoS" or not.
> Many in the research community know about n.runs and might believe
> their claim, but the typical customer does not know who they are
> (which is one reason why I think the Pwnies were a good idea).  So,
> many customers would be more likely to believe the vendor.  If the
> n.runs claim is true, then many customers might be less protected than
> they would if German laws did not have the chilling effect they are
> demonstrating.
>
> It should be noted that in 2000, a veritable Who's Who of computer
> security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
> Levy, Alan Paller, and other well-known security professionals -
> published a statement of concern about the Council of Europe draft
> treaty on Crime in Cyberspace, which I believe was the predecessor to
> the legal changes that have been happening in Germany:
>
>   http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html
>
> Amongst many other things, this letter said:
>
>   "Signatory states passing legislation to implement the treaty may
>   endanger the security of their computer systems, because computer
>   users in those countries will not be able to adequately protect
>   their computer systems... legislation that criminalizes security
>   software development, distribution, and use is counter to that goal,
>   as it would adversely impact security practitioners, researchers,
>   and educators."
>
> If I recall correctly, we were assured by representatives that such an
> outcome would not occur.
>
> - Steve

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (3253 bytes)

Powered by blists - more mailing lists