[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <46D46CDA.8090707@free.fr>
Date: Tue, 28 Aug 2007 20:43:38 +0200
From: Jerome Athias <jerome.athias@...e.fr>
To: "Steven M. Christey" <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: n.runs, Sophos, German laws, and customer safety
Hi,
it is important to notice this.
The mentioned german law comes after the similar french law called lcLEN
(aka Fontaines's law).
In 2003-2004, a petition was done against this law, with around 15,000
signatories...
http://www.iris.sgdg.org/actions/len/petition.html
for nothing...
"A new anti-security law was voted yesterday in France, this law called
LEN (loi pour la confiance dans l'économie numérique)":
http://www.securityfocus.com/archive/1/359969
And after that we had the Guillermito's story
"Hacker Indicted In France For Publishing Exploits":
http://slashdot.org/article.pl?sid=04/03/31/1543248
http://constitutionalcode.blogspot.com/2005/01/guillermito-reverse-engineering.html
Good luck to our neighbours from Deutschland...
I salute you!
/JA
Steven M. Christey a écrit :
> The n.runs-SA-2007.027 advisory claims code execution through a UPX
> file. This claim is inconsistent with the vendor's statement that
> it's only a "theoretical" DoS:
>
> http://www.sophos.com/support/knowledgebase/article/28407.html
>
> "A corrupt UPX file causes the virus engine to crash and Sophos
> Anti-Virus to return 'unrecoverable error. leading to scanning being
> terminated. It should not be a security threat although repeated
> files could cause a denial of service."
>
> It is unfortunate that Germany's legal landscape prevents n.runs from
> providing conclusive evidence of their claim. This directly affects
> Sophos customers who want to know whether it's "just a DoS" or not.
> Many in the research community know about n.runs and might believe
> their claim, but the typical customer does not know who they are
> (which is one reason why I think the Pwnies were a good idea). So,
> many customers would be more likely to believe the vendor. If the
> n.runs claim is true, then many customers might be less protected than
> they would if German laws did not have the chilling effect they are
> demonstrating.
>
> It should be noted that in 2000, a veritable Who's Who of computer
> security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
> Levy, Alan Paller, and other well-known security professionals -
> published a statement of concern about the Council of Europe draft
> treaty on Crime in Cyberspace, which I believe was the predecessor to
> the legal changes that have been happening in Germany:
>
> http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html
>
> Amongst many other things, this letter said:
>
> "Signatory states passing legislation to implement the treaty may
> endanger the security of their computer systems, because computer
> users in those countries will not be able to adequately protect
> their computer systems... legislation that criminalizes security
> software development, distribution, and use is counter to that goal,
> as it would adversely impact security practitioners, researchers,
> and educators."
>
> If I recall correctly, we were assured by representatives that such an
> outcome would not occur.
>
> - Steve
Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (3253 bytes)
Powered by blists - more mailing lists