Open Source and information security mailing list archives
 
Message-ID: <e92364c30410060853411a96e5@mail.gmail.com>
From: jftucker at gmail.com (James Tucker)
Subject: House approves spyware legislation

On Wed, 6 Oct 2004 08:07:38 -0500, Todd Towles
<toddtowles@...okshires.com> wrote:
> Why make more computer laws...when the current computer laws can not be
> enforced correctly? We all know that the CAN-SPAM Act really cut the spam
> out of our e-mails *sigh* 

There is clearly a lot of computer related crime that cannot be
enforced, but this is not dissimilar from the physical crime that is
carried out all over the world undetected (fights, drugs, fraud,
(war?), you name it). The difference is scale (or is it really that
different? maybe not). When a physical law is broken and it has been
brought to the attention of the authorities they can prosecute because
the law exists. Many physical offences also go unnoticed as with the
digital world. If the laws don't exist in either world, then in both
the result is the same -> you can't prosecute. While this law may not
be a solution to the problem, it does mean that people can be
prosecuted when they are found. It is clear that it is significantly
easier to prove this law has been broken than it is to prove that an
offence has been committed under older laws. This also includes the
ability to target the developers as well as the middle men
(distributors).

> Then the INDUCE act will make half the stuff
> in a normal person's house illegal.

This should fall under "proper authorisation" and some companies may
need to make changes to their software licenses and install routines
in order to comply.

> Making laws is just playing around...paper on top of paper doesn't stop
> anything.

It does put a significant brake on those who are prosecuted as a
result of its existence.

> It all falls back to the old saying - Action speaks louder
> than words.

Any proposals as to how it could be done properly, without breaching
privacy laws?
Should we be requesting ISPs to deny all addresses which are housing
malware? Could they ever afford to manage such a task? Should the
government subsidise security systems? Again, could they afford to?
What about the millions of ways around the protections, proxies,
tunnels, bouncers, undiscovered regions, de-centralised connection
mechanisms?

This is a multinational issue and it is very true that one country can
only regulate so much. The underlying infrastructure of the Internet
(in particular its protocols and connectedness) is built to withstand
outside influence (such as a connection orientated attack of the
malware) and to successfully provide communication even in 'bad'
scenarios, as a result it will always be subject to the ability for
people to 'hide under' and 'go around' most of the technological
challenges that are put in front of them, at the very least in terms of
communications. This means it is hard to fight this battle from the
technology side unless you can impact a significant proportion of the
world (like making changes to the functionality of a common operating
system for example; but even this takes significant time to spread).

Given the above, I suppose all I can say is "every little helps".

