lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: simon at xhz.ca (Simon)
Subject: House approves spyware legislation

I agree with you Bankim.

At my parent's house, we have plenty of Macs (old and new ones), and except 
for some rare hardware failures, we never had any troubles or worries.

In the PC world, it seems that (at this very moment) worries are necessary 
for survival.  And until we get to get good software, good OS, default 
security and all that, we must educate the end user to take care of all what 
the vendors did not.

As a tech support agent, that is the job I do with each and every clients 
that call me, I take the time to speak with them and tell them what are 
viruses, malwarez, why they exists and how to protect them selves.  Usually, 
they are very happy with my practical solutions.  And sometimes, they just 
see that they will loose more time, trying to understand a new software 
(anti-virus for example) and making it work.

Actually, I was wondering if there existed such thing as a Lite Windows 
audit software, that would check if there is a firewall, if it is configured 
well, check if there is an anti-virus, anti-malwarez and so... this would 
facilitate my job greatly! ;)

Simon


On Thu, 7 Oct 2004 10:58:04 -0400, Bankim J. Tejani wrote
> Isn't that kind of like Jiffy Lube mechanics should go around and 
> unscrew the oil pan drain plug from people's to encourage them to 
> change their oil?
> 
> I don't think I want anyone to be doing that.
> 
> How about making software vendors responsible for the "features" in 
> their software that enable spyware, or buffer overflows, or remote 
> root access?  Or encouraging vendors to provide full versions anti-
> virus and firewall software by default and configured securely by default.
> 
> Blaming the users is always easy.  But the idea that all users 
> should know about spyware and computer security is ridiculous.  They 
> use their computer as a _tool_ for business, fun, or whatever other 
> purposes.  It should be our (as in computer scientists, software 
> engineers, IT people, computer security people, etc.) job to make 
> sure they can do that while implicitly and involuntarily maintaining 
> availability, confidentiality, and integrity.  Advanced users can 
> always disable it if they want to, so that's not a valid argument 
> against making it default.
> 
> Certainly, many tools require maintenance, but that should be 
> clearly described in the user manual that comes with the tool. 
>  Witness the maintenance schedule & guide that came in your car's 
> glovebox.  There's no reason computers are so special that they 
> needn't follow practices used by other consumer products.
> 
> Just my $0.02
> 
> --Bankim
> 
> On 07 Oct, 2004, at 10:39, Simon wrote:
> 
> > I work for an ISP as a tech support agent, and some customers often 
> > call
> > because they had spy/ad/malwarez in their computers.
> >
> > Some of them need the internet to work, and as any business man knows 
> > time
> > is money.  These folks take it very seriously and if they can't access
> > important information because their browser is not functionning 
> > properly (or
> > as usual) they loose time and money.
> >
> > This is called sabotage.  And there should be charges against 
> > saboteurs (I'm
> > not saying it can be done, or that it's possible, just that it is a 
> > sort of
> > damage).
> >
> > Of course, if they are able to browse the internet for a bit, I (the 
> > tech
> > guy) can help them so they can download an anti-malwarez such as 
> > ad-aware.
> > But sometimes, they have browser hi-jackers and can't browse at all, 
> > all
> > they get is "some Super-ultra-search could not be found." all the 
> > time.  And
> > if that is the case, all I can do is refer them to computer 
> > specialists that
> > can reinstall windows and backup their files, charging them 70$ for it 
> > and
> > taking a whole day or more for it!
> >
> > On the other hand, I am also a hacker, and I finally understood the 
> > good in
> > all this.  The best thing a virus or a malwarez can do is force the 
> > user to
> > go to a computer shop for a complete reinstall and 70$ charge.  This 
> > way
> > they learn.  Learning the hard way is not the best way, but it is
> > efficient.  I remember seeing on Symantec.com, a string that was found 
> > in a
> > certain virus (beagle??), symantec said the string was never displayed 
> > but
> > was found inside the virus, the string was something like "Love sarah.
> > Billy gates fix your software".  This is an example of very good 
> > virus.  The
> > worst damage it can do is cost you some time and money.  But it does 
> > not
> > Destroy anything.
> >
> > The best thing we could do is make a petition against ActiveX, to 
> > remove
> > that product from the market, that would certainly solve A LOT of 
> > troubles!
> >
> > That was my 2c.
> >
> > Simon
> >
> > On Wed, 6 Oct 2004 23:18:12 -0400, Bankim J. Tejani wrote
> >> While good in principle, this legislation is hopelessly
> >> unenforceable and is almost certainly just election year politics.
> >>  Somebody knows this and is probably the 1 vote against it.  Think
> >> about it:
> >>
> >> Say that this was a law and someone does what you say and changes
> >> your homepage or something similar with some spyware.  Here are
> >> somethings that any prosecutor or civil attorney would have to
> >> consider before pressing charges:
> >>
> >> 1) How can you prove what the setting was before?  It's one thing
> >> for you to know what it was, but another to prove it in a court of
> >> law.  Otherwise it's your word versus theirs.
> >>
> >> 2) How can you find out who exactly was the person or company that
> >> took this action?  You're talking about a massive time undertaking
> >> to trace the packet data through every router between you and the 
> >> accused.
> >>
> >> 3) Was their machine used by some hacker?  This, unfortunately (or
> >> fortunately, depending on how you see it), has been used in court
> >> and proved to be a successful defense.
> >>
> >> 4) What was the motive for changing your computer specifically?
> >>
> >> 5) What type of crime is appropriate?  Is it theft?  trespassing?
> >> moving your plant from your front yard to your back yard?
> >>
> >> 6) What is an appropriate sentence?  The five minutes you lost
> >> changing it back paid at your current salary?  A fine?   jail time?
> >>
> >> I am not a lawyer, but only a little common sense about the law is
> >> needed here.  Some of these issues apply not only to this law, but
> >> all forms of cyber-related law.  Few organizations have successfully
> >> prosecuted under any form of cyber law.  The most notable so far has
> >> been the RIAA, whose cases were never tested in court, but used to
> >> torque people into paying fines rather than facing legal bills that
> >> would bankrupt them.
> >>
> >> If we keep passing unenforceable legislation, all we'll end up with
> >> is a tomb of law with hundreds of thousands of lawyers looking
> >> through it and an internet that's just as lawless as it is right
> >> now.  On second thought, keep passing those laws.  <<searching for
> >> LSAT book>>
> >>
> >> --Bankim
> >>
> >> On 06 Oct, 2004, at 19:09, RandallM wrote:
> >>
> >>>
> >>>
> >>>
> >>> <|>On Wed, 6 Oct 2004 05:03:45 -0700, Gregory Gilliss
> >>> <|><ggilliss@...publishing.com> wrote:
> >>> <|>> Great, Not that I'm any fan of spyware, but this is just
> >>> <|>another law
> >>> <|>> against hacking. Think - what's the difference between this and
> >>> <|>> someone using XSS to "take control" of a computer? If you
> >>> <|>r00t a box
> >>> <|>> and deface the home page, then you've broken this law.
> >>> <|>>
> >>> <|>> <sigh> Instead of fixing the problem (poor software
> >>> <|>security) we pass
> >>> <|>> laws to punish the people who do the things that
> >>> <|>illustrate the problem.
> >>> <|>> Basic philosophical differences, blah blah blah ...
> >>> <|>>
> >>> <|>> Worst of all, do you really think that the spyware rackets
> >>> <|>will slow
> >>> <|>> down or cease because of this? Nope - they'll just migrate
> >>> <|>out of the jurisdiction.
> >>> <|>>
> >>> <|>> -- Greg
> >>> <|>End of Full-Disclosure Digest
> >>> <|>
> >>>
> >>>
> >>> I guess one has to decide if browser hijacking is not the taking of
> >>> personal
> >>> property. I for one do not fine it amusing to open my browser and it
> >>> has
> >>> been redirected to a hijacked page as my new Homepage!
> >>> If this law would allow me...the user to bring down hell upon these
> >>> people
> >>> then I'm all for it.
> >>>
> >>> _______________________________________________
> >>> Full-Disclosure - We believe in it.
> >>> Charter: http://lists.netsys.com/full-disclosure-charter.html
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> > --
> > Simon Lemieux (Simon@....ca)
> >


--
Simon Lemieux (Simon@....ca)


Powered by blists - more mailing lists