Analysis Of Symantec's Stance On Censorship
robochan writes "According to this report in the Sydney Morning Herald, Chief Operating Officer of Symantec, John Schwarz, was quoted as 'calling for laws to make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers.' This article takes a look at the negative affects and also a couple of recent examples of "censorship legislation" backed by the COO of Symantec, and what little effect it has had on criminals, while having a substantial affect on responsible citizens."
But maybe it's time to rethink this portion of Speech.
Speech is not 100% protected. There are types of speech which have been declared illegal: obscenity, fighting words, etc. Perhaps it is time to take the fight to virus writers.
do not welcome our censorship promoting Symantec overlords.
GCC has been made illegal.
- Compilers
- API documentation
- Text editors (can be used to write VBScript virii)
- Microsoft Office (macro virii)
Sounds like a really well thought out idea.
An important clarification from an article on this subject a few days ago:
http://www.smh.com.au/articles/2003/09/12/1063268553158.html
Asked whether Schwarz would like to clarify whether he had really meant that full disclosure should be legislated against, Symantec's Asia-Pacific public relations group manager Lindy Yarnold did not directly deal with the query but said: "Symantec fully supports information sharing on threats and vulnerabilities and believes it is an important tool for consumers and IT professionals to gain a measure of early warning of potential attacks."
I don't even understand why he would want this. It's in his company's interest to have worms and viruses going around because if there weren't any, nobody would need antivirus software.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
It would make things like "Build your own virus" kits illegal. It's how the majority of virus writers formulate their viruses. They sure as hell couldn't write their own code.
In conclusion, whether or not Symantec's COO is just smokin' crack or understands what is at risk, any attempt to censor these critical security tools, including exploit code, from the Internet will result in a constitutional travesty followed by a significant market downturn, a degraded security community, and the commercialization of vulnerabilities where the market is driven by the criminals we are trying to "stop".
Those damn virus-helpers over at Symantec, I hope the law skins them alive.
I've found that my posts don't format quite right w/o a sig.
somewhere in the middle that we can agree on. for example the example code that was linked to on slashdot yesterday for the exploit should be outlawed. the person who wrote and released that example code did just as much damage as the person that would use that code to write a worm and do damage across the internet. the blaster worm used copy/pasted example exploit code that had been released on the internet. it's worse than irresponsible and i agree that it should be criminal. why shouldn't it? without that example code the blaster worm would probably not have been released. it gives people with very little programming knowledge the opportunity to inflict a hella lot of damage while the person who wrote half the virus walks free as if he had no part of it. it's like handing out guns on the streets to show how easy it is for kids to get ahold of bullets and then not holding any responsibility when they put the 2 together and kill somebody.
I guess the Symantec people themselves expect not to be subject to their new law?
If people can't discuss bugs and security problems online, the only places it will be done is privately, i.e. in Symantec's and NAI's labs... this is one way to kill your competition--get the government to outlaw it.
I believe it is illegal in most states to be in possession of 'burglary tools' such as slim-jims, lock picks, and the like unless you are licensed in some way to own them (mechanic, lock smith, etc...).
When (if ever) do 'hacking tools' fall under this category? Obviously any tool can be used with ill-intent, but are there specific pieces of software that could be classified as such?
I think this is the slippery slope defined. Even if it were a good idea to keep these tools away from easy access (I won't reiterate the many arguments why it isn't), it is extremely difficult to know exactly where the line from "general purpose networking tool" to "hacking tool" is drawn.
Considering that virtually any tool can be used to hack, when does something get legislated as illegal? Somebody uses a web browser to hack. Is the web browser now an illegal hacking tool?
Okay, maybe that was too easy. But a packet sniffer?
I think one could easily make an argument that that is a hacking tool. Ultimately, the legal definitions may center around "public perception" as often seems to be the case in technical legalities instead of technical accuracy. This is, unfortunately, because the general public typically doesn't understand technically how things work. Notice most bad press is based around technologies that the average guy doesn't understand.
We're treading on dangerous grounds Symantec...
Slippery Slope...
Sunny
Be my Friend
Well, there will always be virus authors, it's like banning weapons: you're only taking away from those who get things through legitimate means.
Think what this would ban: bug tracking and security lists, compilers, assemblers, debuggers, hex editors, etc. These are how viruses get written.
However, if the public doesn't have access to any of this (particularly security tracking lists), then antivirus companies become the one and only legal source for fixes. Presto, huge demand created, which means more legislated profit.
There's your paranoia for the evening.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
Why does it seem that every single proposed or actual law targeted at "cybercrime" puts absurd limitations on legitimate research while having absolutely no effect on the criminals?
They've just outlawed a large chunk of programming knowledge. Well, non-US programmers now have a lot less competition! ;)
If you stick to shrinkwrapped software, and DON'T run ANY other form of executable, then you DON'T need anti-virus software.
So what is this "Norton AntiVirus" for? To help people who download cracked software keep their computers healthy? Sounds like a shady product to me.
"make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers."
On the positive side, couldn't this also be applied to Windows, IE, and Outlook? Ignoring the buffer overflows (which all software has) these programs have been developing, promoting, and expanding the viral capabilities since at least 1998.
After all, there's more documentable evidence of Microsoft staunchly keeping an "open" environment to incubate and inspire malicious hackers much more so than the white hat hackers simply exchanging exploit documentation.
The real question is, why won't Symantec create software that will deal with these issues as they arise. It seems like someone is trying to take the load off the company. It would be like Ford trying to make the speed limits of all roads 10mph. Now, they don't have to worry so much about making a safe car, as accidents are less likely to occur.
Speaking at Defcon 12 - Credit Card Networks Revisted: Pen
This from the people who now own the full disclosure mailing list! What would they do with the list?
As Shaw said, patriotism is the last refuge of the scoundrel. Applied judiciously, it can also be very profitable.
Panurge has posted for the last time. Thanks for the positive moderations.
i get it: buy more symantec stuff ...
i wonder if there's a doc going like this:
"hello Mr. schwarz this is a slashdot editor."
"hello."
"we are running low on interesting articles. we decided to mention your company on our website if you pay us a small fee. is there anything you want to comment on?"
"sure. i'll send you 10k and please mention on your web-site that our company despises virus writers and people who encourage other people to write viruses."
"thank you mr. schwarz."
Don't look at me I voted for Kodos!
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
Another poster mentioned that this would be a really bad idea for Symantec because they stand to profit from MORE viruses and worms, and more illegal activity in general. If this were true, this fool would never have mentioned this idea in public, let alone made a serious proposal.
But it's NOT true that a law like this would diminish incidents of new viruses and worms. Like the article says, it's already illegal to hack, and yet we still have hackers. Why?
1) 99.9% (or some similar ridiculous figure) of damaging incidents never lead to a prosecution--too little monetary loss to justify law enforcement attention.
2) Lack of willingness by private sector companies to report (and therefore allow legal penalties to accrue) computer security incidents--they don't want the bad publicity.
The existing laws don't work because they're not enforced often enough when violations exist, either because the violators aren't caught or because prosecution/investigation isn't done. So a new law will do WONDERS, I'm sure, to further intimidate those script kiddies.
It's obvious, though, just how much Symantec could gain from this--goodbye non-commercial security clearinghouses! You'd violate the law to post to an open forum, so nobody will bother (I'm sure Symantec would contribute resources to policing that aspect), and so there won't be any good open, public security resources. That gives Symantec the perfect market opportunity to fill the vacuum with a new pay-for-info service on pending bugs. The creation of a commercial relationship with subscribers gets them a free pass on the new law (it's not really public, more like those $1500 Gartner reports). And we all get fucked in the meantime.
This is so fucking transparent. I hope that boycott idea gets off the ground--I'd start it, but me and mine are all off Symantec, anyway.
I swear, there needs to be a check after each law is passed such that it is even legal!
How many laws would we have today if they were checked before they were put into action by the high court of the land. Just even for that nasty bill of rights kinda deal.
Talk about checks and balances.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
yeah, cheap too. It only costs a slashdot subscription.
I really can't say I am happy with the current state of affairs concerning virii and such.
But what Symantec wants is not to protect us, but to protect themselves.
Now if they were to advocate, as a bare minimum, an open source directive. Which would entail any product which networked to have its source readily available for peer review.
Yeah that would be something that is a step in the right direction.
Stop giving people guns and ammunition and not expect them to use it.
> Chief Operating Officer of Symantec, John Schwarz, was quoted as 'calling for laws to make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers.'
No more e-mail, folks!
Though I can't say I'll miss it much, after the past few days.
Sheesh, evil *and* a jerk. -- Jade
I've said it before, and I will say it again, hiring Yoran is going to produce a huge conflict of interest, and it seems it has already started. Personally I think this comment was made solely to gain a favorite view in the government's eyes. Remember government spends millions on pork barrel garbage, and I'm sure Symantec is looking forward to riding the gravy train back and forth.
All aboard!
MoFscker
my worst fear when Symantec bought SecurityFocus was the ability to exercise freedom of speech and free research on bugtraq... now it is just a matter of time before corporate censorship begins to infect what can be said, researched, discussed or developed on the mailing list.
If you're parsing it with a language with an inefficient recursion scheme like Lisp.
In my post I specifically mentioned the Bill of Rights. If that does not have something to do with, "The province of the court is solely to decide the rights of individuals." (Marbury v. Madison.) then I don't know what does.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
... right now. I know so, 'cos I saw so in my slashbox.
I find your ideas intriguing and I wish to subscribe to your newsletter.
This is the same mentality that would ban baking soda because it could be used to make crack, hunting rifles because "guns" are used in crimes, and information about making black powder because it could be used for explosives.
If the software provider has been warned about the issue and provided a copy of the exploit code for testing their fixes, I have absolutely NO sympathy for a vendor which doesn't provide a fix.
Nor do I subscribe to the asinine american penchant for blaming everyone else for the stupid decisions and accidents individuals encounter. Spill your coffee, "reenact" a video game, commit suicide after listening to Ozzy -- and blame/sue someone else.
Bullshit.
It's time to stop trying to make excuses for stupidity and put the blame squarely on the shoulders of the perpetrators. If you want to blame someone, blame our pathetic spineless north american governments who are more concerned about the "rights" of criminals than defending society from them.
If some script-kiddie is smart enough to download and fire up cracker scripts, they're damned well smart enough to know what they're doing is wrong, and should pay the price when caught.
I do not fail; I succeed at finding out what does not work.
when other countries won't have similar laws? Viruses don't follow political boundaries.
~Tommy Boomfiger http://www.gotapex.com/forums
the confused people seem to get into high places to determine the fate of millions?
"Laws that forbid the unrestricted distribution of information...make ignorant only those who are neither inclined nor determined to commit crimes...Such laws make things worse for the victim and better for the criminal; they serve rather to encourage than to prevent unauthorized access to computer systems, for an insecure system may be attacked with greater confidence and ease than a secure system."
The other side is that the second such censorship is enforced, people who right now are innocent will become criminals - why? - because they have no other way of defending themselves but to go against such censorship!
You are confusing me with someone who cares.
Is the InterNet going to become the domain of government and corporate interest, for whom the line is blurring every day? Or is it going to become the digital commons most Slashdotters, I would guess want it to develop into or remain? We need to start expressing our complicated technical concepts in laypeople's terms the average citizen can comprehend and find a way to deliver that to the masses that interests them otherwise we're never going to get across that these misguided requests for non-security are really veiled corporate protectionism. How do we band together to run our own TV ads, press runs, etc., etc.?
In other words, if you outlaw the legitimate dissemination of information regarding viruses and how they are made, you just made writing a GPL or BSD licensed antivirus program illegal - obviously anyone involved in such a project would have to break the law to obtain virus samples, disassemblies, and information. This might be good for Symantec, but it sucks for the rest of us.
However, there is a problem. There's a ton of viruses coming out every day, and the internet makes an extremely fertile ground for even a poorly written virus or worm. A simple virus or worm can literally bring a corporation's operations to a halt for a day or two - even if critical machines run moderately secure operating systems, the traffic overload and DDOS'ing from the compromised machines can be hell.
Most virus writers are kids that feel alienated by "the system". I think most studies have shown that the average virus writer ages are between 14 and 24 - meaning when people get older and join society, they generally phase out of virus writing for moral or practical reasons. For several papers on who exactly writes viruses, go here.
So how do we prevent these kids from writing viruses? Outlawing information regarding viruses is a lot like outlawing the purchase of spraypaint - it isn't going to work, and it makes life suck for the rest of us.
But could we find ways to engage kids within risk groups and help them find useful outlets for their talent, so they could receive positive feedback and recognition for their work instead of getting their kicks unleashing their work on the world? I bet if you got a teenager that otherwise felt the world was against him or her involved in an open-source project they got excited about, where they were tutored and provided with positive feedback by more experienced mentors - they wouldn't have the time or the inclination to write viruses and will learn some very valuable skills that will be useful to them.
So how about this - start something similar to SourceForge for teens, and find programmers willing to donate their time mentoring these kids and helping them take their skills to the next level while teaching them the ethics and responsibilities of a first-rate programmer? Obviously such a system would need to be watched for abusive adults and any found would need to be banned and/or prosecuted, but if a bunch of good coders that gave a shit about kids did it I think it could seriously make a dent in the growth of the virus problem.
The other solution would be to make apprenticeships mandatory for budding programmers :)
I write code.
It's not illegal to be in possession of burglary tools. If that was the case, you'd be breaking the law just by keeping a crowbar in the trunk of your car.
It's illegal to be in possession of burglary tools while committing a burglary, under the theory that bringing burglary tools to a burglary shows that you approached the burglary with premeditation and planning. Premeditated, thought-out-in-advance crimes are almost always punished more severely than "amateur night" or heat-of-the-moment crimes.
E.g., if I use a rock to break a car window, reach inside and pull out the stereo... maybe I'm a career criminal, or maybe I'm just someone who made a really stupid choice.
But if I've picked the lock on the door with a SlimJim, brought open specialized tools to crack the dash and remove the radio in 15 seconds flat, then it's a pretty good bet I've done this crime before and I'll continue to do it in the future--both of which make me a more serious criminal in the eyes of the law.
My corner convenience store has buckets of Slim Jims! Now I have to get a license to eat one? Also, how do I burglar with one?
Strange women lying in ponds distributing swords is no basis for a system of government.
We'll just share them over freenet along with instructions on how to build bombs and the like.
Guns - Guns don't kill people, people kill people.
Hacker tools - Ban them, put anyone who writes or shares them behind bars??
File Sharing tools - Ban them, put anyone who uses file sharing behind bars??
You know, there are a lot of laws in the style of "let's make our voters have the perception we are doing a good thing while doing bad things". Should I mention any?
I wonder what would happen if they used up all of the "good" acronyms? Like what happens when PATRIOT and GOODLAW and RE-ELECT are all taken? Is some sort of NEA funding bill going to get stuck with being called the POUND-ME-IN-THE-ASS act? You figure there are a limited number of sensical acronyms, after all.
It's just another company buying a new law. This however, I do not understand - since this is going to hurt Symantec's business, at least in the long run if it's effective, but it's also going to put the whole realm of programming into a legal gray area.
Hrrm.
-Gwala
#!/bin/csh cat $0
For years all different manner of firearms and accessories have been banned and made illegal, because they "could" be used to commit a crime. Just wait until there are sound bytes about "computershow loopholes" and "preban programs", or better yet when the latest technology you can legally own is ten or fifteen years old. Maybe we will have "common sense" computer control laws that allow you to have no more than two hacker friendly features such as high capacity hard drives (over ten gigs), broadband network connection, CPU more than 500MHZ, or any detachable media. I live with laws exactly like this in one hobby, I know that this is not a very sympathetic venue for this type of comparison, but maybe you will think a little more the next time somebody is wanting to snatch the rights from a group of people you don't share interests with. It is exactly the same situation, the average American has no understanding of how pointless gun control is, but is done with good intent, so they figure it is alright, well guess what, to the average American this law will seem like a good idea to fight the growing plague of cyber crime. These laws would do nothing to stop virii, just like the Assault Weapons Ban has done nothing to reduce gang violence.
The COO of a large pharmaceutical corporation explained why his firm was lobbying for a ban on all new forms of medicinal research...
Symantec make their money from viruses. Why on earth should we take their pronouncements in any other light? Their dream world is one in which only the criminals and the megacorporations have access to the technology, so that the citizenry squashed between the two can pay a jolly penny.
It's ridiculous. The only defense against malware is transparency, competition, and the evolution of something approaching a natural defense system. Not suppression of the tools people need in order to develop their defenses.
Ceci n'est pas une signature
I understand that without a crime there can be no test of a law due to what you have just established. Or to put it another way, without a party that has been wronged there can be no case that can be brought before the high court to rule upon.
Ok, right. So what we are saying here is that, it's ok to pass laws that aren't legal until they wrong someone. And then when they get wronged they have to go through the *whole* court system before they finally get ruled on and then maybe if you're lucky the high court will hear your case vs the law and rule against it thus striking down a law that never should have been enacted in the 1st place.
All of that takes time, money, and much much effort. But hey, it's ok because you can cite some reference in the original constitution (Where I'm quite sure the founding fathers envisioned it that way.) to where that makes it so.
Well, all I'm saying is I call shenanigans on that clause and hello to a way to review laws that affect, let's face it, the whole gawd damn world before we enact them.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
-StarMaven
He's stating that "Only the information security elite should ever have access to information security issues." Or if Bill Gates stated: "Only large enterprises should write operating system software. Linux should be outlawed." This means we'd all be forced to eat Microsoft's or Symantec's 'dog food'.
I ask you this: When was the last time Symantec wrote a signature for Snort? How about a nessus plugin? They want to get rid of the open source security model because they can't profit from it!
As an information security professional, I don't even listen to Symantec as their information is generally 2-3 weeks too late. It's like waiting for the Sunday paper to read about the double homicide that's taking place right now on your front lawn. All their info is being published after the fact! If they successfully cut off all access to information that is happening in the security community, then they make everyone reactive rather than proactive.
It doesn't matter how much detail Symantec offers about a virus or bug. I want to be able to take an exploit, compile it and run it against a test server on a test network. Capture the packets transmitted and analyze them. I want to dissect the 'worm' or 'virus' and develop an IDS signature as well as produce a Nessus plugin to scan other servers. If I use other tools, I want to have enough knowledge to look into their signature files to realize that they're looking for the wrong stuff and thereby giving false positives (or false negatives).
It's called FULL DISCLOSURE
Symantec is trying to tell us that I can do all this with a really descriptive set of documentation? Or maybe I should just turn my entire enterprise security model over to Symantec. Uh huh, sure... I don't think so. Gimme the code for the exploit.
Allow me to digress for a moment, stick with me though -- it's not too OT...
Let's talk for a moment about the MS03-039 exploit; the brother to MS Blaster. It's a really nasty bugger. Once it exploits a machine, it creates a user account of "e" with a password of "abc#321". Oh yeah, and the new user has admin rights.
This means the worm could use the newly created account to create other accounts, escalate privileges on existing accounts or just change everyone's password to a random string of garbage.
The price we could pay by not patching every single server and workstation this time around could exceed the damage done by blaster by a thousandfold. All it has to do is successfully nail just one Active Directory controller. Imagine if every single user on your entire network had their password changed on them, at the same time.
When blaster hit, it crashed the RPC service which forced the machine to reboot 60 seconds after the RPC service came crashing down. Imagine now that the infection process changes admin and user passwords, revokes privileges, then reboots the machine... Your network is now down, and you can't even get back in. You are screwed.
So, how do I know this info? Well, it just so happens that I've got the source code to the worm sitting on my machine right now! I'm not contributing to the project, but I'm sure as hell monitoring what is going on, and I sure as hell didn't get ANY of this information from Symantec.
The only info I'll get from Symantec is the day after the worm's release when they announce that blaster.b is in the wild and that I should have patched my boxes, and they're very sorry but there is no cleanup file available if it compromised your AD controller and changed all the admin passwords. Symantec also recommends you have current tape backups. That's like telling the car accident victim to buckle up. Just a little late there, Jack.
We are going to continue down the road of Full Disclosure debate until M$ et al. starts writing secure code.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
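As an added example (not part of the original thread, and not the commenter's code), here is one way a defender could turn the behaviour described in the comment above, a new account named "e" appearing with admin rights, into a log check. The record format, host names and account names are constructed for illustration; the event IDs are the Windows Security log IDs for account creation and local-group membership changes.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs:
#   user account created:            624 (2000/XP/2003), 4720 (Vista and later)
#   member added to a local group:   636 (2000/XP/2003), 4732 (Vista and later)
CREATE_IDS = {"624", "4720"}
GROUP_ADD_IDS = {"636", "4732"}
PRIVILEGED_GROUPS = {"administrators"}
WATCHLIST = {"e"}  # account name quoted in the comment above

# Constructed sample records in a simplified key=value export format
# (an assumption; real exports differ and report group members by SID).
SAMPLE_LOG = """\
2003-09-16T10:02:11 id=624 host=FILESRV01 target=e actor=SYSTEM
2003-09-16T10:02:12 id=636 host=FILESRV01 target=e group=Administrators actor=SYSTEM
2003-09-16T11:30:00 id=624 host=HR-PC07 target=jsmith actor=helpdesk1
2003-09-16T11:30:05 id=636 host=HR-PC07 target=jsmith group=Users actor=helpdesk1
this line is truncated garbage and must be skipped
2003-09-17T09:00:00 id=4720 host=DC01 target=svc_backup actor=admin2
2003-09-18T09:00:00 id=4732 host=DC01 target=svc_backup group=Administrators actor=admin2
"""


def parse_line(line):
    """Return a dict of fields plus a parsed 'ts', or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"id", "host", "target"} <= fields.keys():
        return None
    fields["ts"] = ts
    return fields


def find_suspicious(log_text, window=timedelta(minutes=5), watchlist=WATCHLIST):
    """Flag accounts added to a privileged local group that were either
    created on the same host within `window`, or match the watchlist."""
    created = {}   # (host, account) -> creation time
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"].lower(), ev["target"].lower())
        if ev["id"] in CREATE_IDS:
            created[key] = ev["ts"]
        elif (ev["id"] in GROUP_ADD_IDS
              and ev.get("group", "").lower() in PRIVILEGED_GROUPS):
            reasons = []
            born = created.get(key)
            if born is not None and timedelta(0) <= ev["ts"] - born <= window:
                secs = (ev["ts"] - born).total_seconds()
                reasons.append("created and granted admin within %ds" % secs)
            if key[1] in watchlist:
                reasons.append("account name on watchlist")
            if reasons:
                findings.append({"host": ev["host"], "account": ev["target"],
                                 "time": ev["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["time"].isoformat(), f["host"], f["account"],
              "; ".join(f["reasons"]))
```

The timing rule catches the same pattern under any account name, so the check still fires if a variant picks a different name; the watchlist only adds a second reason.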
The DMCA.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
They're shipping all the programming jobs to India anyway..
Not just the possible (and unlikely, as explained in many other comments - how do you draw the line?) future ban.
By stirring up the issue he increases the chances of malware activity now, as various hats scramble to collect info and test their ideas.
Instant bump in virus and malware activity & thus profits.
His defense: "Law of unintended consequences"
Unintended. Riigghht!
I'll tell you: just what we did to Intuit: kick Symantec where it hurts, in the pocketbook, until Symantec is ready to disavow Chris Schwarz and his attempts to limit free speech and free inquiry in the name of profit.
I've always had a soft spot for Symantec because of that awesome DOS product, Norton Utilities. And I still have a copy of Peter Norton's 8086 assembler tutorial. Just saw it yesterday, but now I can't recall which bookcase it's in.
But no more. I'm afraid this uses up my good will, and my willingness to see Symantec as the "good guys".
First, let's let Symantec know how we feel. The main switchboard number in the US is (541) 335-5000. The worldwide headquarters number is (408) 517-8000. Tell them you're a computer professional or enthusiast, that many non-specialists rely on you for advice, and that you won't be recommending their products again. And tell them why: because Chris Schwarz wants to criminalize people like you for warning other people about security vulnerabilities.
And then let's do what we said we'd do:
Opinions on the Twiddler2 hand-held keyboard?
Someone linked to SMBDie on slashdot, sometime back. Seriously folks.. what hacker wannabe could resist testing it?
... But not information.
You'd have to eliminate the ultimate tools of virus writers. The idiotic users that go around opening attachments from people that they don't know and refuse to keep their computers properly patched.
Let's face it, most virus propagation occurs because people don't know better or don't care because it's not their problem. The real tool of virus writers is the willful ignorance of the userbase. The truly sad thing about this law is it will tend to extinguish pockets of understanding.
Oh well one more Eye for an Eye idiot that's out to blind the world.
But could we find ways to engage kids within risk groups and help them find useful outlets for their talent, so they could receive positive feedback and recognition for their work instead of getting their kicks unleashing their work on the world?
Something occurred to me when reading this. What if we need these kiddies to do what they do today? These recent news makers are relatively harmless compared to the worst that can happen. If you've read /. long enough, you've seen the suggestions of what a really malicious virus/worm could do. Would you rather see the systems of those ill prepared to maintain them all knocked right offline by a premature brute, or would you rather let them silently fall prey to those with a real agenda?
We should regard the issues we have today as the side effects of a vaccine. A little bit of uneasiness now, but protection from all but the most determined adversary. And the law already completes the vaccine analogy by punishing those who are caught actually perpetrating the crime. Outlawing the vaccine of full disclosure itself is just as silly as it would be to skip those childhood vaccinations.
Anyway, why should paid for tools be any different?
So if virus abetting tools are outlawed then I imagine that the Sale, Possession, or Manufacture of Office would be punishable by no less than 10 years' imprisonment or fine no less than $100,000.
does the writer of the story know the difference between affect and effect?
affect is a VERB.. and effect is a NOUN..
not so hard.. eh mate?
I might be willing to lend a hand if anyone has such a project and needs a coder. I bet you could reduce the money available to lobby for such stupid laws by commoditizing the market and destroying the profit in creating such laws - and such a product, if done well, would benefit the net as a whole.
I'm aware of Clam AV, but since it's POSIX oriented, it's not really a replacement. I'm thinking of something that supports modern AV features under Windows - e.g. real-time scanning, prevention of execution, modern heuristics, auto-updates, etc.
Of course, for corporations, the best solution would probably be something more along the lines of an access control program that disallowed use of any products that weren't officially sanctioned.
I write code.
tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?
Pretty much what I thought. There isn't a lot that you can really ban that would stop a virus writer without negatively affecting regular ol' developers, much less people who work in the security field.
Frankly, I find all this silly. Most people that are handing around information on how to produce viruses will also hand around copyrighted software as well. That's illegal, but it really doesn't seem to stop them.
The right solution is to harden hosts against viruses and worms. Outlook is a huge vector, because it has traditionally made embedding active content and executing attachments very easy. Outlook should go away. The macro system in Word is inappropriate for a format frequently used for general document distribution. Permissions should be tightened up -- there's a reason the UNIX world doesn't run into viruses.
May we never see th
It's not a run-on sentence. It's grammatically correct, though it is quite long. Take a look at Webster's Run-on Reference.
May we never see th
information [...]which could be used by malicious hackers and virus writers
This is exactly the same information that's used to prevent and disable viruses.
Thou shalt not kill.
I don't see any species / race mentioned in that commandment.
Goddamn Christians are so selective in their interpretation.
fools
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
and a spellchecker.
Anything else and sound like a wanker.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Would that be the same North America Government that has more people locked up per head of population than any other country?
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
For authorised use only.
Only to be used as a tool for insertion / extraction of screws.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
contrast this with the words of
so, "information sharing on threats and vulnerabilities" is OK, but "sharing of information and tools" isn't.
as a Symantec customer, i expect you to be smarter than the 16-24 year old punks who "share information and tools" to make variations on well-known hacks.
it seems to me that most problems are the result of programming flaws, mistakes, and plain old "gee wiz didn't think someone could do that" ignorance on the part of developers.
more law enforcement isn't the answer, banning books isn't the solution. technical diligence is.
the job of Symantec is to stay ahead of the hackers, not to close the doors after them.
This is just marketing fluff. I've seen this so many times.
He was being interviewed by Wired, and wanted to make gruff noises about the virus issue. He's a COO, so obviously he isn't technical enough to know what he's talking about. The danger, of course, is that because he's a COO, some dimwit who doesn't realise that COOs don't know anything might take him seriously.
If this did ever happen, it would be disastrous for Symantec and the whole antivirus industry. Not because there would be fewer viruses - that would be almost unchanged.
The disaster happens in the sharing of specimens of viruses. In order to code up detection, identification and repair, you have to have one of the things you're trying to handle. So, where do antivirus companies get specimens?
Two sources. 1) from their customers. This legislation would make it illegal for customers to send specimens to the AV companies using email or whatever. So what you gonna do, copy it onto a floppy disk and put it in the post? Not likely.
2) From the other AV companies. There's been an agreement in place for a great many years between the techies of the AV companies, that specimens get shared, so that when a new thing surfaces, customers aren't forced to buy an AV from any one source, customers still have choice. That specimen sharing would become criminalised.
I've just written to some people to explain that if they really want people like me (and you and you and you) to send them specimens of things that turn up, then they mustn't criminalise that.
make it a criminal offense to share information and tools online
I guess that makes MS Visual Studio and MSDN illegal?
I noticed you can still go into the hardware (screw drivers, power tools, etc.) section of Sears and buy bolt cutters. Bolt cutters have a legitimate use, even when used for cutting padlocks. However, I am sure that some have used them to gain illegal access, somewhere! Quickly, someone tell the government so we can make them illegal!
Of course, if Symantec has their way, they'll also make security testing illegal too. Idiots.
Join Tor today!
Fire this man immediately! Seriously, corporations such as this have the most to gain from massive virus outbreaks.
www.bleepyou.com
negative "effects"
Ignorance kills, complacency kills, hatred kills, but usually not the ones guilty of them.
I would seem to think it is useful, and would be a nice replacement for buggy, proprietary, craptools, like McAfee. And Yeah, it should run on windows. /Dread
Great! Maybe this will mean that Symantec's awful product will finally become illegal to use. After all, one of the first things a virus writer needs to check is whether his virus gets caught by common antivirus software. And, unlikely as it may seem, even Symantec's software occasionally does actually catch viruses (usually, it just incorrectly claims that random shareware or free software contains viruses).
So, I guess the MS.Blaster worm was only propagated by corporate - and most often firewalled - networks? It wasn't caused by the vast numbers of broadband customers with entirely open computers on countless networks? Hmm.
The remarks that this statement targets (it was a statement made against Symantec) are utterly ridiculous. The way to get things done is not to remain hush hush. NTBugTraq often forced Microsoft (et. al.)'s hand to fix a bug that was proven in concept but, perhaps, not yet exploited. It was only a matter of time before the hole would be exploited. If Symantec is turning their efforts of keeping machines "safe" to the "corporate machine", they aren't getting my or my company's business anymore. We need someone that will push to get bugs fixed and viri stopped at all costs - even if it means putting pressure on the publisher.
Besides, almost any post-back news site and development community on the 'net would be liable if such a law was passed. My email address is obtainable from this site and many others (SPAM-proofing aside, which isn't always hard to break if the crawlers look for common patterns). They're sharing my email address and, perhaps, other information.
If it's community backlash they're merely trying to avoid, then it's community backlash they deserve.
The Liberian "government" wasn't able to govern at all and look at the mess the country went into.
As Aristotle once said, there is virtue between the extremes. Too much government and things stagnate because everything is predictable. Too little government and things stagnate because nothing can be predicted (including your safety from injury or theft) even using the best precautions and forethought.
Negative effect. Not affect
Thank you, I feel better now.
It's probably worth pointing out that this discussion took place on Bugtraq, the Symantec-owned full-disclosure mailing-list, a few days ago. Apparently, this is more of a misquote than anything. See http://www.securityfocus.com/archive/1/337333.
Well, even if Symantec were one of the "security elite" (whatever that means) I suppose that they are saying we should blindly trust both their competence and their ethics. As I am not one of the "elite" I can't speak for their technical competence however any company that stoops to using spam to the degree that they do has questionable ethics so far as I'm concerned. I frequently get a dozen or more Symantec messages every day.
The higher the technology, the sharper that two-edged sword.
My conclusion is that he's just posturing. Responsible legislators should ignore him. I hope they do.
Someone has to develop a kick ass virus scanner and make it freely available. Symantec is becoming a monster. Cut off Symantec's revenue. Make them go away.
It is important in issues such as this that people not only complain here but also write letters to their Congressmen, Senators, MPs, whatever, explaining their point of view. This is the only way that obviously crooked motions such as this can be dismissed.
Another way is to write to companies such as Symantec and inform them that you will no longer be purchasing their products.
Do it. Complaining here won't stop any laws.
Yeesh. Why is it the slashdot community, some of the brightest people around, cannot grasp this simple concept?
"Effect" is the noun form. "What effect will it have if I punch your smug, stupid face in the mouth?"
"Affect" is the verb form. "Would it affect you negatively to have your tongue removed?"
GET IT RIGHT ALREADY!
Wouldn't this be a little like shooting themselves in the foot considering how they make their money? You'd think they'd want as many script kiddies and viruses out there as possible as that would increase demand for their products and services.
http://www.archive.org/details/ThePowerOfNightmares
...and just make Microsoft Windows illegal since it is the root of 99.9% of *ALL* the virus/worm/trojan problems the world is experiencing right here, right now, today.
You're ill equipped to practice debate or logic then, as pretty much every writing formative of our cultures is in a language other than modern English. You would be well advised to learn Greek, Latin (both of which are used extensively in antiquity) and Aramaic (ancient Hebrew, a very colorful language when used in poetry). You seem to have some unresolved bitterness issues too. You might ask yourself why you hate Christians.
funny munging
If it is, then Symantec will be out of business. Why would they want that?
I've never responded to a Slashdot post without first reading the article and a number of comments before but this time I am just climbing straight up on my soapbox!
I know this is outlandish but I propose we outlaw knives because they can be used to kill someone. History shows us how dangerous the knife is; for generations, the knife in various forms has been used to kill and maim people. Therefore, I think we should outlaw it. While we are at it, let's outlaw hammers, candlesticks, and rope since they have all been used to kill people.
My point is that tools sometimes have to be dangerous in order to do their jobs. It is not the hammer's fault if someone decides to use it to bash someone's head in! The same is true for the knife. Software "hacker's tools" are tools, just like hammers and knives. They can be used for good (and usually are) or bad (and sometimes are) but that does not mean they should be outlawed.
You know those "emergency hammers" that they sell to break car windows with? My guess is that more of them are sold to car burglars than are sold for their legitimate purpose. They are easy to conceal and break windows with a minimum of noise and fuss. Crooks use them every day. Why hasn't there been a cry to have those things outlawed, regulated, or controlled? It is because they are a tool, that the tool has a legitimate purpose, and that the crooks would simply use something else if it were made unavailable to them. I guess I'd rather have them carrying these hammers than a hatchet. Of course, I would rather see the crook in jail where he would have neither.
Only outlaws will have information.
Making the law-abiding sheep ignorant and unable to support themselves.. requiring governmental influence.
---- Booth was a patriot ----
"make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers"
So, goodbye to downloading DevCPP, getting code from Sourceforge.net, and CVS in general. I'm sure you guys could think of more.
"Sorry Im not more user-friendly."
Hum....
Would it also make Outlook, Word, and Windows illegal? After all, they are the tools most commonly used to write viruses...
plus-good, double-plus-good
Every advisory sent by a company to the public would therefore be considered criminal. I've read the jokes about notepad, vi, etc and yes they are funny. But in my line of work we find security holes all the time. And we publish enough details that one who is intelligent enough could reconstruct our work.
This kind of asinine law would essentially shut down all major security vendors (ISS, eEye, Foundstone, etc).
This may be to Symantec's liking since they have been aching to get into that market (after purchasing a small company called SecurityFocus). Oh wait they might have forgotten about that purchase. Because bugtraq DOES distribute that info.
Of course, making anti-pick devices (exploit tools) illegal won't interfere with the activities of the criminal class any more than making firearms illegal has bothered them. This CEO is just another in the class of people who just can't seem to grasp the fact that lawbreakers don't care about laws.
The tools that create exploits are the tools that create software: languages and compilers for them. A case can be made that the Corporation's real agenda is to gain control of the tools for making software. If your product isn't needed by the Linux platform then the Linux platform is your enemy. If they get compilers outlawed only outlaws will use them. It won't stop the flood of WinXX infectors, as if Symantec wanted that flood to stop their only income stream, but it will stop folks from migrating away from WinXX to a platform that doesn't need Symantec's software.
Running with Linux for over 20 years!
So it would be illegal to distribute and use gcc / Delphi / Watcom C, and the other development tools hackers love to use?
but they can fuck off and take the catholics, the protestants, the muslims, the buddhists, the taoists, the atheists, the marxists and the agnostics, the gnostics, the mormons, the hindus and the rastafarians with them.
So long as you are at the front, carrying the standard.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
...is encased in concrete, wrapped in high explosives with hair-trigger detonators, locked in a vault, and dropped into the sun.
I know the comment I'm replying to is a "funny" remark, but I also know folks who believe it.
Never mind that a system running only shrunk software on the net is still in danger; I am personally aware of *two* cases where shrink-wrapped software (SWSW?) was shipped *with a virus*. (Not intentionally, of course.) I'm sure there are more. One was *from* a company at which I was employed (I won't go into the details, but I will note that it was a security-related product, and the customer finding the virus was the DOD - it wasn't a happy day for anyone). In the other case, an acquaintance discovered the virus on a CD his company had bought.
So if you find a vulnerability in Windows and try to report it to Microsoft, you can be put in prison. They don't want to hear that shit. They just pay Symantec to make the statement because MS has no more credibility.
Avoid Missing Ball for High Score
by the antivirus commercial sector.
Why won't it fly? Simple.
Symantec, and other antivirus companies, are no different than any other company person out there.. they are NOT elected officials, and are not police officers, or other law enforcement officers.
They have the same level of access, as far as the law is concerned, to virus materials as you or I do. To outlaw sharing such materials means an exception has to be made for them... and that leads to a government controlled, and enforced, business... something we don't want.
Umm, that's John Schwarz.
Bad people don't obey good laws... That is just the way it works. Investing in today's youth is a good idea. I suspect though that the modern cyberpunk is striving for a world of more substance and reality. These kids don't respect the system because the system is such a joke in so many ways. The computer is a taskmaster instead of a tool, it must be overcome. Also many of them feel that if they wrote a program as insecure as windows they would expect to be fired, sued, or at the least be ashamed of themselves and disrespected by their peers. -- I hope whoever you get to teach kids understands such things... that is my take on it all
Chief Operating Officer of Symantec, John Schwarz, cleverly distupts /.ers from their usual thoughtful discussions....