Open Source and information security mailing list archives
 
Message-ID: <200405271811.01762.fulldisc@ultratux.org>
From: fulldisc at ultratux.org (Maarten)
Subject: FW: Re: Cisco's stolen code

[ cc: FD ]

On Thursday 27 May 2004 15:18, you wrote:
> Maarten -
> This letter I wrote is relevant to your point also. It offers a
> scenario in which the code is acquired legally.
>
> To be sure I am not really that concerned with Cisco's code one way
> or the other. I AM concerned with police prosecuting folks who they
> find with other forbidden content on their PCs and who are unaware
> (perhaps willfully so) of the possibility that this content might
> be there due to someone's action other than the machine owner (or
> perhaps family thereof).

Yes, I know.  There was a slashdot article on that topic a few weeks back.

> I'd have thought security folks would know very well that content can
> be placed on your box due to mistake, due to worms, due to channels
> like usenet or p2p...but the discussion here seems to reinforce the
> police perception that content only gets somewhere because the owner
> did something to put it there. Every time my mail agent opens a spam
> picture (they don't give us freedom to choose decent mail agents
> here and I've tried to turn off html mail without any luck so far),
> I worry this might happen. Yet we have police complaining that these
> considerations make it hard to prosecute people. (They apparently
> would prefer never to bring up the possibility.)

Yeah... difficult subject indeed.  My guess is, it will eventually lead to a
"better world" as legislative forces and consumers and software makers will
wake up to what consequences use of dubious (in all possible aspects) software
can have on their lives / sales / bottom line.
For now, I just worry about my own problems.  I take all possible precautions, 
so I do sleep fine.  

Note that if you came into possession of something but there is no evidence of 
a worm uploading that stuff, you'd probably still be screwed.  Let's say they 
find you have all manuscripts of Stephen King in your possession.  Would you
be successful in arguing that you got that through spyware? I think not.

Meanwhile, your point tends to get a little offtopic, if only for the fact 
that the OP asked for [a place to find] the code.  Whatever happens after 
that, if he later receives the code 'by miracle' he will still be unable to 
convince a court he did not actively solicit it.  It's akin to asking around
for poison: from then on you better pray your wife doesn't suddenly die.
Cause if she does, you'd be prime suspect number One, with sugar on top...

Anyway, why are we discussing this off-list? It's not like it's highly
sensitive, or uninteresting or something...?

> By pointing out that this assumption is false I have been hoping to do
> my bit for civil liberties.

I'm ambiguous.  I certainly do not want somebody falsely convicted, but it 
would not be pleasant either if every collector of kiddieporn could get away 
with "Yes your Honor, spyware did this to me. It put 60 GB of junk on my 
system unbeknownst to me, sorted and renamed it and started Nero to burn 
CDroms of it.  It also sent email in my name and chatted on IRC, it was 
obviously highly intelligent neural net type stuff.  I wasn't aware of any of 
this until you guys came knocking down my door. Please, your honor..."

Oh well.  It's not like people do not get away with murder sometimes, or get 
convicted innocent.  And I guess the digital world is no exception...

Just a last remark on the Cisco code thingy:  Where I live (the Netherlands) 
there is something like "a reasonable suspicion of stolen goods".  It works
something like this. If you buy a laptop off of someone -let's say a spanking 
brand new Dell or so- for just 100 euros, you _know_ in your heart that it 
must have been stolen cause it's way too cheap. A Dutch court then WILL 
convict you for fencing.  In other words, you don't have to know for a fact 
that something is stolen. If something is too good to be true, it is enough 
evidence for the courts to convict you.  That's an eye-opener, huh?
I guess your legal system works differently, but just be aware that not all 
courts in the world are naive when it comes down to proving stuff.
So, in case a Dutch resident was found in possession of the Cisco code, they
would try to find proof you knew it was stolen (media, online, etc.) If they 
can prove that you knew, (and prove that you knew you had it) you're fscked.

Greetings,
Maarten

-- 
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

