Re: n.runs, Sophos, German laws, and customer safety
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
--8323328-209837881-1188330628=:4248
Content-Type: TEXT/PLAIN; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8BIT
On Tue, 28 Aug 2007, Jerome Athias wrote:
> Hi,
>
> it is important to notice this.
> The mentioned german law comes after the similar french law called lcLEN (aka
> Fontaines's law).
> In 2003-2004, a petition was done against this law, with around 15,000
> signatories...
> http://www.iris.sgdg.org/actions/len/petition.html
>
> for nothing...
>
> "A new anti-security law was voted yesterday in France, this law called LEN
> (loi pour la confiance dans l'嶰onomie num廨ique)":
> http://www.securityfocus.com/archive/1/359969
>
> And after that we had the Guillermito's story
> "Hacker Indicted In France For Publishing Exploits":
> http://slashdot.org/article.pl?sid=04/03/31/1543248
> http://constitutionalcode.blogspot.com/2005/01/guillermito-reverse-engineering.html
>
> Good luck to our neighbours from Deutschland...
> I salute you!
I don't know of a good solution to stupid laws. My impulse is to
encourage security companies to boycott such governments. Don't sell (or
give) them products and services. (Tell them that you are afraid of
violating their laws. A valid concern.) Maybe they will get the hint
after the 42th successful hack/virus/whatever.
Of course, this will not work. As seen in the US, there are plenty of
people who will do anything for money, no matter who it hurts, including
themselves or the industry they work in.
The US has also gone after people revealing vulnerabilities. "Killing the
messenger" is a popular pasttime world wide.
> /JA
>
> Steven M. Christey a 嶰rit :
>> The n.runs-SA-2007.027 advisory claims code execution through a UPX
>> file. This claim is inconsistent with the vendor's statement that
>> it's only a "theoretical" DoS:
>>
>> http://www.sophos.com/support/knowledgebase/article/28407.html
>>
>> "A corrupt UPX file causes the virus engine to crash and Sophos
>> Anti-Virus to return 'unrecoverable error. leading to scanning being
>> terminated. It should not be a security threat although repeated
>> files could cause a denial of service."
>>
>> It is unfortunate that Germany's legal landscape prevents n.runs from
>> providing conclusive evidence of their claim. This directly affects
>> Sophos customers who want to know whether it's "just a DoS" or not.
>> Many in the research community know about n.runs and might believe
>> their claim, but the typical customer does not know who they are
>> (which is one reason why I think the Pwnies were a good idea). So,
>> many customers would be more likely to believe the vendor. If the
>> n.runs claim is true, then many customers might be less protected than
>> they would if German laws did not have the chilling effect they are
>> demonstrating.
>>
>> It should be noted that in 2000, a veritable Who's Who of computer
>> security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
>> Levy, Alan Paller, and other well-known security professionals -
>> published a statement of concern about the Council of Europe draft
>> treaty on Crime in Cyberspace, which I believe was the predecessor to
>> the legal changes that have been happening in Germany:
>>
>> http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html
>>
>> Amongst many other things, this letter said:
>>
>> "Signatory states passing legislation to implement the treaty may
>> endanger the security of their computer systems, because computer
>> users in those countries will not be able to adequately protect
>> their computer systems... legislation that criminalizes security
>> software development, distribution, and use is counter to that goal,
>> as it would adversely impact security practitioners, researchers,
>> and educators."
>>
>> If I recall correctly, we were assured by representatives that such an
>> outcome would not occur.
>>
>> - Steve
>
--
Refrigerator Rule #1: If you don't remember when you bought it, Don't eat it.
--8323328-209837881-1188330628=:4248--
討論串 (同標題文章)
完整討論串 (本文為第 5 之 5 篇):