Date: Mon, 13 Oct 2008 10:11:50 -0400
From: "Garrett M. Groff" <groffg@...design.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: security industry software license

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fiat licensure laws are invariably used (if not intended) to restrict new
entrants in a profession. The idea is to benefit existing members in that
profession (who are "grandfathered" into licensure by virtue of having
worked in that profession for a duration) and to constrict, by law, labor
competition with those who are already in that profession. In the short
term, existing members benefit at the expense of the consumer of the
products/services generated by members of the profession in question.

In the longer term, it's possible that aggregate loss of competitiveness of
the profession in question might cause alternatives to emerge and for the
protected, licensed members to achieve sub-optimal economic results even
among themselves. A non-identical (but related) legal construct, unions, is
causing this "aggregate loss" in the American "big 3" automobile
manufacturers, as well as other economic factors.

G


----- Original Message -----
From: "Freeman Y." <freeman_y@...abit.com>
To: "n3td3v" <xploitable@...il.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Sunday, October 12, 2008 10:07 PM
Subject: Re: [Full-disclosure] security industry software license


> This always has been, and still is, a stupid idea.
> 
> n3td3v wrote:
>> It would be a good way for the government to leverage control of
>> hackers and the people who use their tools though. Disclosure Scotland
>> is already in operation, all you need is a new law to say everyone who
>> uses security software must get a Disclosure Scotland background check
>> first.
>>
>>   
> These security tools can be thought of as lock picks. Who uses them? 
> Burglars, for sure. But so do locksmiths and people who are locked out 
> of their homes. But is it possible to regulate these things? Really, a 
> lock pick can be as simple as a bent paper clip that you make yourself, 
> in the same way that even if you ban programs like Metasploit you can't 
> stop somebody from writing their own.
>> I think the government will introduce the security industry software
>> license scheme and change the law to support it. There is also an
>> option where some tools wouldn't need a license, the government would
>> grade different types of security software depending on their
>> effectiveness and potential damage to infrastructure and computers.
>>
>>   
> I think they won't, because they know the futility of fighting with 
> 'advanced' computer users. If we really wanted those tools, we'd get 
> them, license or not. You're talking about hackers here. Do you really 
> think they can't obtain some software with a license on it? You put a 
> license on Metasploit and it'll be on Pirate Bay or something within a 
> few days.
>> For instance, category A, B, C... "A" being metasploit, "C" being angry
>> ip scanner (is angry ip scanner even classed as security software?
>> that's something that needs to be discussed as well, what defines
>> "security software"?).
>>
>>   
> That's a good point - what is 'security software'? Is a web browser 
> considered one? After all, you could do many things with a browser, like 
> search up vulnerable websites and pen test their web apps.
> 
>> Hackers may start to use the category of software as a scoreboard of
>> how elite their software is, but who cares, its a reference for the
>> scheme and for people who need to know which software needs a license
>> and what type of license you need, and how deep a background check has
>> been done on individuals who already have a license and are using
>> software, or as an indicator to people who are about to apply for a
>> license, how indepth the background check will be.
>>   
> By the way, is this a global thing? I'm not really sure, but if it is, 
> how will this be organized?
>> C would mean no background check needed, B would mean basic background
>> check needed, with a "basic" security industry software license, and A
>> would mean "advanced" background check needed, with an advanced
>> software license type.
>>
>> So there would be two different licenses, "basic" and "advanced", and
>> C for no license required.
>>
>> Moreover, the category system can be set up by any of you, you don't
>> need to wait for this scheme to be introduced, securityfocus, sans
>> diary or other vendors could start categorizing software on
>> what "potential" damage could be caused with security software if the
>> bad guys were to use them for evil things.---we can get the category
>> system set up as part of a separate project, even if the license scheme
>> doesn't get the go-ahead, it would still be a useful thing for folks
>> to do.
>>
>>   
> Do you mean like, the level of difficulty it takes for somebody to use a 
> tool to do something illegal? Or if it's even possible with that tool?
> Can GCC be classified as a security tool, because technically you could 
> use it to code any security tool in the world :)
>> If anyone is bored and wants to compile a list of security software
>> and categorise them all, then that would be really helpful, even if
>> only for pastime fun, not even for a serious reason or as part of
>> the security industry software license scheme. You can still do it. It
>> would be cool if you did it though and acknowledged the security
>> industry software license scheme though.
>>   
> No, thanks.
>> We talk about metasploit and the others being used for good things by
>> good people, but why not ask the question "What If" the bad guys did
>> use this software, what damage "could" be caused, and how far could
>> they get? Could metasploit be used to carry out a fire sale, or just
>> something small like finding a wireless access point that's not
>> password protected.
>>
>> If software could be used in a fire sale, then it should be a category
>> A software and require a full background check on every user who wants
>> to use the software, "just incase".
>>   
> Right, and let's put baseball bats into a restricted weapons category, 
> "just incase" (sic). Because of course, it _could_ be used to beat 
> someone into a coma, thus requires a full background check etc etc etc.
>> Also, if you breach category "A" software licensing laws, you get a
>> bigger punishment than if you were in breach of the licensing law
>> using a category B software type. So the users know and the courts
>> know the seriousness of the crime of not having a license, breaking
>> the license agreement terms, and how stiff a sentence the person in
>> breach should get.
>>
>> I have taken ideas from driving licensing and drug law categorization
>> to come up with this email.
>>
>> So we can take ideas from current laws on driving and drug offences
>> and put them into forming the security industry software license
>> scheme.
>>
>> No I wasn't on drugs when I wrote this email... but mike simpson my
>> new stalker might speculate.
>>
>>   
> Stop with the personal attacks dude, let's just stay on topic.
>> Thank you for your time, keep the ideas coming.
>>
>> n3td3v
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>   
> Your idea is pretty much just fundamentally flawed. You cannot put a 
> license on security tools. It just cannot be done. It also goes head to 
> head against the free software and open source principles that we 
> embrace so much (unless you don't).
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028) - not licensed for commercial use: www.pgp.com
Charset: utf-8

wj8DBQFI81cOSGIRT5oVahwRAsMlAJ4g2Za2KPMdwcQOsh1lVBVAhEq9NgCfaYrg
mgjMHrErZPEDpJj/FTRAf00=
=6jvh
-----END PGP SIGNATURE-----
