Re: n.runs, Sophos, German laws, and customer safety
Hi,
it is important to notice this.
The mentioned German law comes after the similar French law called lcLEN
(aka Fontaine's law).
In 2003-2004, a petition was done against this law, with around 15,000
signatories...
http://www.iris.sgdg.org/actions/len/petition.html
for nothing...
"A new anti-security law was voted yesterday in France, this law called
LEN (loi pour la confiance dans l'économie numérique)":
http://www.securityfocus.com/archive/1/359969
And after that we had Guillermito's story
"Hacker Indicted In France For Publishing Exploits":
http://slashdot.org/article.pl?sid=04/03/31/1543248
http://constitutionalcode.blogspot.com/2005/01/guillermito-reverse-engineering.html
Good luck to our neighbours from Deutschland...
I salute you!
/JA
Steven M. Christey wrote:
> The n.runs-SA-2007.027 advisory claims code execution through a UPX
> file. This claim is inconsistent with the vendor's statement that
> it's only a "theoretical" DoS:
>
> http://www.sophos.com/support/knowledgebase/article/28407.html
>
> "A corrupt UPX file causes the virus engine to crash and Sophos
> Anti-Virus to return 'unrecoverable error. leading to scanning being
> terminated. It should not be a security threat although repeated
> files could cause a denial of service."
>
> It is unfortunate that Germany's legal landscape prevents n.runs from
> providing conclusive evidence of their claim. This directly affects
> Sophos customers who want to know whether it's "just a DoS" or not.
> Many in the research community know about n.runs and might believe
> their claim, but the typical customer does not know who they are
> (which is one reason why I think the Pwnies were a good idea). So,
> many customers would be more likely to believe the vendor. If the
> n.runs claim is true, then many customers might be less protected than
> they would if German laws did not have the chilling effect they are
> demonstrating.
>
> It should be noted that in 2000, a veritable Who's Who of computer
> security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
> Levy, Alan Paller, and other well-known security professionals -
> published a statement of concern about the Council of Europe draft
> treaty on Crime in Cyberspace, which I believe was the predecessor to
> the legal changes that have been happening in Germany:
>
> http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html
>
> Amongst many other things, this letter said:
>
> "Signatory states passing legislation to implement the treaty may
> endanger the security of their computer systems, because computer
> users in those countries will not be able to adequately protect
> their computer systems... legislation that criminalizes security
> software development, distribution, and use is counter to that goal,
> as it would adversely impact security practitioners, researchers,
> and educators."
>
> If I recall correctly, we were assured by representatives that such an
> outcome would not occur.
>
> - Steve