>We all know code and knowledge we release will be used to do harm if it is possible for it to do >so. If I were the prosecutor, I'd bring charges against anyone who releases any code, and some who >release knowledge, on the basis that there was specific foreknowledge as to harmful uses. The >Patriot Act, DMCA, and Computer Fraud and Abuse Act would give me legal grounds to do so, and as >prosecutor it's my job to exploit the law not interpret or judge it. I do think you have to be careful when tossing about phrases like 'foreknowledge of harmful use'. If your correct in assuming that the DMCA and PATRIOT take this into consideration, they must have a very specific definition of 'harmful use'. A compiler has many potential 'harmful uses' including and not limited to producing the binary form of pretty much all the malware out there (meaning compiler in a broad sense, including assemblers and interpreters). Yet Borland and Microsoft are hardly shaking in their booties. More philosophically, hammers have a multitude of harmful uses yet we don't generally prosecute their manufacturers. Blue Boar's suggestion is akin to both of these examples; it's creating a piece of code which can be used for malevolent purposes (making nasty viruses, rootkits and the like), but explicitly can be used for benevolent purposes (protectingg people from said viruses and rootkits). Of course, this is more an objection to the laws. I don't get the impression Jason agrees with them either. Incidentally, yeah, I do assume that code which demonstrates how to hide stuff your computer is doing/storing will not have very many positive applications. Cheers, ~ol -----Original Message----- From: Blue Boar [mailto:BlueBoarat_private] Sent: Thursday, January 23, 2003 12:58 PM To: jasoncat_private Cc: The Blueberry; oliver.laveryat_private; vuln-devat_private Subject: Re: What to do with a vulerability? Jason Coombs wrote: > Viral vs. non-viral is an unimportant distinction -- if you choose to engage > in this business, be sure you can document your good intentions and > your legal forensic procedures because they are your only legal > defense against prosecution. > > Persecution, on the other hand, is a given. Oh, I dunno. I think it would be a lot harder to make a case for innocent intentions if the code were written in viral/worm form. In this instance, what *appears* to be under discussion is a technique for process hiding. That's not even an exploit per se. On the whole spectrum of programs that someone might take offense to, that's not too bad. I think that the question of viruses and worms came up only because the person who made the discovery assumes that malicious code would be the main consumer of such a technique. I wish I could simply roll my eyes at your statement that releasing an exploit or technique might make one an accessory to a crime, but sadly I fear your concern now has a basis, and I can't dismiss it outright anymore. BB
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 08:32:23 PST