Slashdot Mirror


Analysis Of Symantec's Stance On Censorship

robochan writes "According to this report in the Sydney Morning Herald, Chief Operating Officer of Symantec, John Schwarz, was quoted as 'calling for laws to make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers.' This article takes a look at the negative effects and also a couple of recent examples of "censorship legislation" backed by the COO of Symantec, and what little effect it has had on criminals, while having a substantial effect on responsible citizens."

50 of 273 comments

  1. Information and tools by BorgDrone · · Score: 5, Insightful
    information and tools online which could be used by malicious hackers and virus writers
    So that would include:
    • Compilers
    • API documentation
    • Text editors (can be used to write VBScript virii)
    • Microsoft Office (macro virii)
    Sounds like a really well thought out idea.
    1. Re:Information and tools by R.Caley · · Score: 2, Insightful

      Well, as formulated it would also ban Windows, computers in general, coffee, oxygen...

      --
      _O_
      .|<
      The named which can be named is not the true named
  2. motive by benna · · Score: 4, Insightful

    I don't even understand why he would want this. It's in his company's interest to have worms and viruses going around because if there weren't any, nobody would need antivirus software.

    --
    "It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
    1. Re:motive by richie2000 · · Score: 4, Insightful
      It's in his company's interest to have worms and viruses going around

      Yes, but he doesn't want people to be able to clean them up themselves. Hence, he wants to limit the free dissemination of information to all, knowing full well that the black hats do not rely on official security bulletins to plot their next move.

      --
      Money for nothing, pix for free
    2. Re:motive by FCKGW · · Score: 2, Insightful

      Black hats are going to share info, legal or not, so viruses and worms will still spread regardless of whatever gets passed into law. It will only stop white hats from sharing info, so the only source to get rid of an infection or get a patch or workaround is Symantec.

      --
      It's an operating system, not a religion.
  3. No, idiot by Anonymous Coward · · Score: 1, Insightful

    It would make things like "Build your own virus" kits illegal. It's how the majority of virus writers formulate their viruses. They sure as hell couldn't write their own code.

    1. Re:No, idiot by orthogonal · · Score: 5, Insightful

      It would make things like "Build your own virus" kits illegal. It's how the majority of virus writers formulate their viruses. They sure as hell couldn't write their own code.

      Well, you're quite right. It would make virus building kits illegal.

      But Schwarz also wants "to make it a criminal offense to share information". This means that identifying a security vulnerability could also be prosecuted.

      Now, Symantec won't be prosecuted, because they'll keep vulnerability information close to their corporate chest, as "proprietary trade secrets"; they don't benefit from revealing the information. And they'll make sure to make the right bi-partisan contributions, so everybody will know they are good upstanding citizens.

      But if you, or I, or Willie White-Hat Hacker publicizes the information, we'll be facing one of Mr. Ashcroft's boys. One of his prosecutors with the unlimited budget, the Federal warrant, and the granite-faced gentlemen who are paid to carry guns.

      That this just happens to scare off any upstart competitor to Symantec and McAfee's control of their market, is, I'm sure, a purely unintended consequence of the fight against terrorism and the terrible threat to our nation of a haxored box adding a few hundred more spam emails to the torrent already flowing in from China.

    2. Re:No, idiot by Anonymous Coward · · Score: 1, Insightful

      Disclosure: Yes, I am biased. I work for Symantec.

      However,

      In both articles, Wired's and the follow-up, the only direct quote was:

      'Symantec's Asia-Pacific public relations group manager Lindy Yarnold did not directly deal with the query but said: "Symantec fully supports information sharing on threats and vulnerabilities and believes it is an important tool for consumers and IT professionals to gain a measure of early warning of potential attacks."'

      They never gave a Schwarz quote. Given that an underling would never publicly disagree with her boss I have a feeling this has been blown out of context.

      Speaking as an insider I can tell you that sharing of information has the highest of priorities. Especially training for Symantec customers from NEs to end users.

  4. Re:It's obviously anti-First Amendment by Leffe · · Score: 2, Insightful

    Isn't it more like this:

    You can say whatever you want, but what happens afterwards is another thing.

  5. there does need to be something like this.. by Anonymous Coward · · Score: 1, Insightful

    somewhere in the middle that we can agree on. for example the example code that was linked to on slashdot yesterday for the exploit should be outlawed. the person who wrote and released that example code did just as much damage as the person that would use that code to write a worm and do damage across the internet. the blaster worm used copy/pasted example exploit code that had been released on the internet. it's worse than irresponsible and i agree that it should be criminal. why shouldn't it? without that example code the blaster worm would probably not have been released. it gives people with very little programming knowledge the opportunity to inflict a hella lot of damage while the person who wrote half the virus walks free as if he had no part of it. it's like handing out guns on the streets to show how easy it is for kids to get ahold of bullets and then not holding any responsibility when they put the 2 together and kill somebody.

    1. Re:there does need to be something like this.. by soliaus · · Score: 2, Insightful
      No. There does not need to be any form of middle ground. This is why we are American, because we can *legally* say what we want.

      What about the programmers who were stupid enough to create a hole for the vulnerability? I know it's hard to error check code, but some holes are just that...stupid. As for your blaster worm comments, I don't think the code was released. You obviously have not programmed anything, it is not as easy as copy and pasting code.

      --
      Speaking at Defcon 12 - Credit Card Networks Revisted: Pen
  6. Symantec? by yanestra · · Score: 3, Insightful

    I guess the Symantec people themselves expect not to be subject to their new law?

  7. Re:It's obviously anti-First Amendment by sweetooth · · Score: 4, Insightful

    The tools and processes of discovering and disclosing exploits shouldn't be illegal. The use of them should, and is. Why should we add regulation on top of that to prevent this type of "speech?" You should be punished for doing something wrong, not for creating something that someone else might use with ill intent?

  8. doesn't want competition? by Barbarian · · Score: 4, Insightful

    If people can't discuss bugs and security problems online, the only places it will be done is privately, i.e. in Symantec's and NAI's labs... this is one way to kill your competition--get the government to outlaw it.

    1. Re:doesn't want competition? by R.Caley · · Score: 4, Insightful

      They bought out Security Focus and now run bugtraq. Think how that interacts with this stated position on security information sharing.

      --
      _O_
      .|<
      The named which can be named is not the true named
  9. Slippery Slope by shirai · · Score: 5, Insightful

    I think this is the slippery slope defined. Even if it were a good idea to keep these tools away from easy access (I won't reiterate the many arguments why it isn't), it is extremely difficult to know exactly where the line from "general purpose networking tool" to "hacking tool" is drawn.

    Considering that virtually any tool can be used to hack, when does something get legislated as illegal? Somebody uses a web browser to hack. Is the web browser now an illegal hacking tool?

    Okay, maybe that was too easy. But a packet sniffer?

    I think one could easily make an argument that that is a hacking tool. Ultimately, the legal definitions may center around "public perception" as often seems to be the case in technical legalities instead of technical accuracy. This is, unfortunately, because the general public typically doesn't understand technically how things work. Notice most bad press is based around technologies that the average guy doesn't understand.

    We're treading on dangerous grounds Symantec...

    Slippery Slope...

    --
    Sunny

    Be my Friend

    1. Re:Slippery Slope by Hatta · · Score: 4, Insightful

      That government which governs best, governs least.

      --
      Give me Classic Slashdot or give me death!
  10. Obvious by oGMo · · Score: 4, Insightful

    Well, there will always be virus authors, it's like banning weapons: you're only taking away from those who get things through legitimate means.

    Think what this would ban: bug tracking and security lists, compilers, assemblers, debuggers, hex editors, etc. These are how viruses get written.

    However, if the public doesn't have access to any of this (particularly security tracking lists), then antivirus companies become the one and only legal source for fixes. Presto, huge demand created, which means more legislated profit.

    There's your paranoia for the evening.

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

    1. Re:Obvious by muffen · · Score: 2, Insightful

      Well, there will always be virus authors, it's like banning weapons: you're only taking away from those who get things through legitimate means.

      Not true at all. In Europe, I don't think that most people, criminals or not, can get hold of weapons easily. There are better things to compare it to than banning weapons!

      Think what this would ban: bug tracking and security lists, compilers, assemblers, debuggers, hex editors, etc. These are how viruses get written.

      Apart from the first two, NO!
      He didn't say people are no longer allowed to look at files in hex editors or that he thinks that no-one can write assembly code anymore. He also never said that a developer isn't allowed to debug his own code.

      To be honest, I don't even think he knows what he said. I don't think it was thought through fully, and it just kinda slipped out or something (or the guy is a complete retard, but I don't think that's the case, based on the position he's holding).

      Don't get me wrong here, I think that this idea of his is stupid and won't happen. I just think that there is no need to make it worse than it is.

  11. Re:It's obviously anti-First Amendment by Frymaster · · Score: 5, Insightful
    no, it's more like this:

    the article states that they want to criminalize "shar[ing] information and tools online which could be used by malicious hackers and virus writers".

    tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?

    this is like that crime in britain: "going equipped to commit arson". ie, having a lighter in yr pocket. it's all about selective enforcement. ie, the law is interpreted by the police officer.

    now, extrapolate this situation to something like, say, computing - something that joe average judge-or-cop knows virtually nothing about.

    am i the only person who can see this being a bad bad thing?

  12. Whee. by Aldric · · Score: 4, Insightful

    They've just outlawed a large chunk of programming knowledge. Well, non-US programmers now have a lot less competition! ;)

  13. Well... by soliaus · · Score: 3, Insightful
    There are already First Amendment issues, that's a given with something like this.

    The real question is, why won't Symantec create software that will deal with these issues as they arise. It seems like someone is trying to take the load off the company. It would be like Ford trying to make the speed limits of all roads 10mph. Now, they don't have to worry so much about making a safe car, as accidents are less likely to occur.

    --
    Speaking at Defcon 12 - Credit Card Networks Revisted: Pen
  14. Re:It's obviously anti-First Amendment by Free_Meson · · Score: 2, Insightful

    um... no. I could write a full set of instructions detailing how to go from uranium ore to a working plutonium-based fissile nuclear weapon and be within my rights. moreover, if someone takes what I wrote and uses it to blow up Las Vegas, I will not be jailed or prosecuted for anything connected with that crime. I may be liable in a civil court for any actions directly facilitated by my speech, but my actions would be in no way illegal. Why should it be any different with computers?

  15. This makes perfect sense, though by MoralHazard · · Score: 3, Insightful

    Another poster mentioned that this would be a really bad idea for Symantec because they stand to profit from MORE viruses and worms, and more illegal activity in general. If this were true, this fool would never have mentioned this idea in public, let alone made a serious proposal.

    But it's NOT true that a law like this would diminish incidents of new viruses and worms. Like the article says, it's already illegal to hack, and yet we still have hackers. Why?

    1) 99.9% (or some similar ridiculous figure) of damaging incidents never lead to a prosecution--too little monetary loss to justify law enforcement attention.

    2) Lack of willingness by private sector companies to report (and therefore allow legal penalties to accrue) computer security incidents--they don't want the bad publicity.

    The existing laws don't work because they're not enforced often enough when violations exist, either because the violators aren't caught or because prosecution/investigation isn't done. So a new law will do WONDERS, I'm sure, to further intimidate those script kiddies.

    It's obvious, though, just how much Symantec could gain from this--goodbye non-commercial security clearinghouses! You'd violate the law to post to an open forum, so nobody will bother (I'm sure Symantec would contribute resources to policing that aspect), and so there won't be any good open, public security resources. That gives Symantec the perfect market opportunity to fill the vacuum with a new pay-for-info service on pending bugs. The creation of a commercial relationship with subscribers gets them a free pass on the new law (it's not really public, more like those $1500 Gartner reports). And we all get fucked in the meantime.

    This is so fucking transparent. I hope that boycott idea gets off the ground--I'd start it, but me and mine are all off Symantec, anyway.

  16. How coincidental is this really... by segment · · Score: 4, Insightful

    Security software industry veteran Amit Yoran is expected to be named the new head of federal cybersecurity by the U.S. Department of Homeland Security (DHS) on Tuesday. ... Yoran stayed on as Symantec vice president of worldwide managed security services operations, according to Symantec spokesman Cris Paden. Yoran was well regarded at Symantec, Paden said. Infoworld
    I've said it before, and I will say it again, hiring Yoran is going to produce a huge conflict of interest, and it seems it has already started. Personally I think this comment was made solely to gain a favorite view in the government's eyes. Remember government spends millions on pork barrel garbage, and I'm sure Symantec is looking forward to riding the gravy train back and forth.

    All aboard!

  17. Re:Burglary Tools by MoralHazard · · Score: 5, Insightful

    Not quite. First of all, this varies depending on jurisdiction--in some places, owning/possessing/carrying lock-opening tools is problematic (not illegal outright, though), and in other places it's perfectly acceptable.

    In the places where it is trouble to carry lockpicks et al., you can't get busted for possession or ownership of the devices in the same way that you can get busted for possessing, say, pot or cocaine. Instead, the possession of those kinds of tools, WITHOUT a reasonable excuse, is considered prima facie evidence of an intent to commit wrongdoing. So if a cop catches you with lockpicks in one of these states, he can bust you for conspiring to commit a burglary.

    But remember, prima facie evidence only means anything in the absence of a countervailing explanation. If you're a locksmith on the way to a house call, you're obviously not planning to commit a crime, and so the cop can't assume that you have intent. Well, he could, but a good lawyer could get the whole beef thrown out in pretrial.

    More to the point--I think this comparison fails because information and tools relating to virus/worm manufacture are even more "dual-use" than lockpicks. Lockpicks are for opening locks--the only question is whether you have permission to be opening those locks. Tools and information that could POTENTIALLY be used to code malware would include every CS textbook, compiler, and PC ever made. And my lecture notes from Data Structures in Java (which are already pretty criminal on the basis of the handwriting).

    Even exploit code has a legit purpose. Am I going to take offline/patch every sshd in my organization because of a crappy rumor that there's a remote DOS overflow? Hells, no! I ain't gonna patch shit until somebody shows up with an actual, working exploit--you have to manage these risks based on the likelihood that a threat exists (potential threats get patched tomorrow morning, actual exploits get patched tonight) and the amount of shit required to fix it (will this break remote access to all my servers? Do I have the manpower to test and deploy the patch right now, when I'm still fucking around with Windows RPC stuff?).

  18. What is "insightful" about this? by msobkow · · Score: 3, Insightful

    This is the same mentality that would ban baking soda because it could be used to make crack, hunting rifles because "guns" are used in crimes, and information about making black powder because it could be used for explosives.

    If the software provider has been warned about the issue and provided a copy of the exploit code for testing their fixes, I have absolutely NO sympathy for a vendor which doesn't provide a fix.

    Nor do I subscribe to the asinine american penchant for blaming everyone else for the stupid decisions and accidents individuals encounter. Spill your coffee, "reenact" a video game, commit suicide after listening to Ozzy -- and blame/sue someone else.

    Bullshit.

    It's time to stop trying to make excuses for stupidity and put the blame squarely on the shoulders of the perpetrators. If you want to blame someone, blame our pathetic spineless north american governments who are more concerned about the "rights" of criminals than defending society from them.

    If some script-kiddie is smart enough to download and fire up cracker scripts, they're damned well smart enough to know what they're doing is wrong, and should pay the price when caught.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:What is "insightful" about this? by Anonymous Coward · · Score: 1, Insightful

      You ruined a good post by going on about asinine american penchant for blaming everyone and using the mcdonalds coffee case.

      The TRUTH behind the McDonalds coffee case

      Here are the REAL facts about the infamous case of the woman burned by coffee from McDonalds.

      1. To get more coffee per pound of beans and increase profits, McDonald's served its coffee up to 40 degrees hotter than other fast food eateries.

      2. The coffee was so hot that if spilled would cause 3rd degree burns.

      3. McDonalds had over 700 filed claims for burns from coffee but never lowered the temperature of the coffee.

      4. The plaintiff in the case was not driving her car but was a passenger in another's car and suffered 3rd degree burns when she removed the lid & spilled the coffee.

      5. Plaintiff was hospitalized for 8 days and had multiple surgeries due to the burns

      6. Plaintiff only sued McDonalds after they refused to pay for her medical expenses

      7. Jury awarded $2.7 Million against McDonalds to deter future conduct.

      8. McDonalds lowered the temperature the day after the verdict.

      9. The judge reduced the verdict to $400K because he thought the penalty was too high.

      This case is used over and over to justify an attempt by business to limit your right to sue them for their misconduct. It, like all red herrings, is effective only if you do not know the facts. Do you expect the coffee you get anywhere to be hot enough to do the kind of damage described below?

      What is a Third Degree Burn?

      A third-degree burn occurs when an injury occurs to the epidermis, burns through the dermis, and burns the underlying structural tissue, such as muscular, skeletal, nervous and vascular tissue. Third degree burns are also referred to as full thickness burns, which describe the depth of the injury.

      Third-degree burns are dry and leathery in appearance. The skin may look pearly white and waxy, or it may look mahogany, brown or black. The skin may look charred, and blood vessels underneath the skin may also appear charred.

      Third-degree burns can be life threatening, depending on the percentage of the body surface injured. Treatment involves skin grafts, and possibility of other procedures depending on the kind and extent of scarring.

      All to make a few cents more per cup. And the animation below is from the McDonalds web site. I think it is a little guy polishing their image. What if this happened to your mother, wife or daughter. The next time you hear this come up, remember these facts. You MUST retain your rights. SAY NO to tort reform.

      Rich Mann

      The facts are from case transcripts and I can provide reference material.

      http://www.mannco.com/mcdonalds_coffe.htm

    2. Re:What is "insightful" about this? by TiggsPanther · · Score: 2, Insightful

      But it's still down to that, and cases like it, that we now get such important information on packaging. Such as "Warning, contents may be hot" on something bought as hot food, or "Warning, may contain nuts" on a packet of peanuts.

      It's still indicative of the American (and now British, too...) knee-jerk "compensation culture" that is becoming evermore prevalent. And the McDonalds case could be (and probably has been/will be) used as a precedent when something happens to a much lesser scale.

      --
      Tiggs
      "120 chars should be enough for everyone..."
    3. Re:What is "insightful" about this? by raju1kabir · · Score: 2, Insightful
      Someone being awarded damages for burns from a liquid that is expected to be hot is asinine, no matter what temperature McD's kept it at.

      I don't agree at all. People make rational risk assessments based on reasonable expectations.

      I expect the water in a hotel shower to be hot. So before I step in, I wave my hand under the stream. If the water is so hot that doing that causes the skin on my hand to blister, I am going to hold the hotel responsible - even though I "expected" it "to be hot". I didn't expect it to be that hot.

      Likewise, she took a calculated risk in placing the coffee between her legs. She should have known that if it spilled, it could be painful or even cause a mild burn. However, at the temperature at which coffee is normally served, she would not have received a third-degree burn, and there was no evident reason to plan for that possibility.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  19. why is it that... by infonick · · Score: 2, Insightful

    the confused people seem to get into high places to determine the fate of millions?

    "Laws that forbid the unrestricted distribution of information...make ignorant only those who are neither inclined nor determined to commit crimes...Such laws make things worse for the victim and better for the criminal; they serve rather to encourage than to prevent unauthorized access to computer systems, for an insecure system may be attacked with greater confidence and ease than a secure system."

    The other side is that the second such censorship is enforced, people who right now are innocent will become criminals - why? - because they have no other way of defending themselves but to go against such censorship!

    --

    You are confusing me with someone who cares.
  20. Obviously bad, but for an alternative... by Satan's Librarian · · Score: 5, Insightful
    Obviously, this is stupid. Outlawing such information will, at best, make it hard for programmers to learn enough about the different types of viruses out there, the techniques they use, and the methods to protect against them.

    In other words, if you outlaw the legitimate dissemination of information regarding viruses and how they are made, you just made writing a GPL or BSD licensed antivirus program illegal - obviously anyone involved in such a project would have to break the law to obtain virus samples, disassemblies, and information. This might be good for Symantec, but it sucks for the rest of us.

    However, there is a problem. There's a ton of viruses coming out every day, and the internet makes an extremely fertile ground for even a poorly written virus or worm. A simple virus or worm can literally bring a corporation's operations to a halt for a day or two - even if critical machines run moderately secure operating systems, the traffic overload and DDOS'ing from the compromised machines can be hell.

    Most virus writers are kids that feel alienated by "the system". I think most studies have shown that the average virus writer ages are between 14 and 24 - meaning when people get older and join society, they generally phase out of virus writing for moral or practical reasons. For several papers on who exactly writes viruses, go here.

    So how do we prevent these kids from writing viruses? Outlawing information regarding viruses is a lot like outlawing the purchase of spraypaint - it isn't going to work, and it makes life suck for the rest of us.

    But could we find ways to engage kids within risk groups and help them find useful outlets for their talent, so they could receive positive feedback and recognition for their work instead of getting their kicks unleashing their work on the world? I bet if you got a teenager that otherwise felt the world was against him or her involved in an open-source project they got excited about, where they were tutored and provided with positive feedback by more experienced mentors - they wouldn't have the time or the inclination to write viruses and will learn some very valuable skills that will be useful to them.

    So how about this - start something similar to SourceForge for teens, and find programmers willing to donate their time mentoring these kids and helping them take their skills to the next level while teaching them the ethics and responsibilities of a first-rate programmer? Obviously such a system would need to be watched for abusive adults and any found would need to be banned and/or prosecuted, but if a bunch of good coders that gave a shit about kids did it I think it could seriously make a dent in the growth of the virus problem.

    The other solution would be to make apprenticeships mandatory for budding programmers :)

  21. Not quite. by rjh · · Score: 4, Insightful

    It's not illegal to be in possession of burglary tools. If that was the case, you'd be breaking the law just by keeping a crowbar in the trunk of your car.

    It's illegal to be in possession of burglary tools while committing a burglary, under the theory that bringing burglary tools to a burglary shows that you approached the burglary with premeditation and planning. Premeditated, thought-out-in-advance crimes are almost always punished more severely than "amateur night" or heat-of-the-moment crimes.

    E.g., if I use a rock to break a car window, reach inside and pull out the stereo... maybe I'm a career criminal, or maybe I'm just someone who made a really stupid choice.

    But if I've picked the lock on the door with a SlimJim, brought open specialized tools to crack the dash and remove the radio in 15 seconds flat, then it's a pretty good bet I've done this crime before and I'll continue to do it in the future--both of which make me a more serious criminal in the eyes of the law.

  22. freenet by oohp · · Score: 3, Insightful

    We'll just share them over freenet along with instructions on how to build bombs and the like.

  23. In a nation where ..... by losttoy · · Score: 3, Insightful

    Guns - Guns don't kill people, people kill people.

    Hacker tools - Ban them, put anyone who writes or shares them behind bars??

    File Sharing tools - Ban them, put anyone who uses file sharing behind bars??

  24. Re:I can respect that but! by jonblaze · · Score: 2, Insightful

    In my post I specifically mentioned the Bill of Rights. If that does not have something to do with, "The province of the court is solely to decide the rights of individuals." (Marbury v. Madison.) then I don't know what does.

    The Court's statement signifies that it only settles disputes that arise between parties (i.e., individuals in most circumstances). These disputes have to satisfy the "case or controversy" requirement of Article III of the Constitution. To establish a case or controversy the plaintiff must have standing, which requires a (1) concrete, particular (as opposed to generalized) injury, (2) caused by the defendant's actions, (3) that can be redressed by favorable court adjudication.

    With the foregoing established, the Supreme Court cannot issue advisory opinions because there are no sufficiently interested parties whose rights are to be decided and thus no "case or controversy."

  25. This can happen, it already has by Anonymous Coward · · Score: 1, Insightful

    For years all different manner of firearms and accessories have been banned and made illegal, because they "could" be used to commit a crime. Just wait until there are sound bytes about "computershow loopholes" and "preban programs", or better yet when the latest technology you can legally own is ten or fifteen years old. Maybe we will have "common sense" computer control laws that allow you to have no more than two hacker friendly features such as high capacity hard drives (over ten gigs), broadband network connection, CPU more than 500MHZ, or any detachable media. I live with laws exactly like this in one hobby, I know that this is not a very sympathetic venue for this type of comparison, but maybe you will think a little more the next time somebody is wanting to snatch the rights from a group of people you don't share interests with. It is exactly the same situation, the average American has no understanding of how pointless gun control is, but is done with good intent, so they figure it is alright, well guess what, to the average american this law will seem like a good idea to fight the growing plague of cyber crime. These laws would do nothing to stop virii, just like the Assault Weapons Ban has done nothing to reduce gang violence.

  26. Re:It's obviously anti-First Amendment by TiggsPanther · · Score: 5, Insightful

    tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?

    Or, to take it to an extreme, Notepad/vi/emacs.

    After all, the most basic tool required for writing a virus (or any piece of code) is your bog-standard Text Editor.

    --
    Tiggs
    "120 chars should be enough for everyone..."
  27. And in more news... by heironymouscoward · · Score: 2, Insightful

    The COO of a large pharmaceutical corporation explained why his firm was lobbying for a ban on all new forms of medicinal research...

    Symantec make their money from viruses. Why on earth should we take their pronouncements in any other light? Their dream world is one in which only the criminals and the megacorporations have access to the technology, so that the citizenry squashed between the two can pay a jolly penny.

    It's ridiculous. The only defense against malware is transparency, competition, and the evolution of something approaching a natural defense system. Not suppression of the tools people need in order to develop their defenses.

    --
    Ceci n'est pas une signature
  28. Re:Ok, post jurance got it but again... by jonblaze · · Score: 2, Insightful

    All of that takes time, money, and much much effort. But hey, it's ok because you can cite some reference in the original constitution (Where I'm quite sure the founding fathers envisioned it that way.) to where that makes it so.

    Here's the thing: Legislatures don't typically pass blatantly unconstitutional laws (folks in the peanut gallery please save your PATRIOT Act jokes). So, courts rely on sufficiently interested parties (and injury in-fact is usually a good proxy for interest) to provide them with perspective on the practical scope and effects of the legislation.

    When a court issues an advisory opinion, there is great danger that not only will the court lack this proper perspective but also that it will substitute its policy judgments for that of the democratically elected legislature. The separation of powers implications are hopefully apparent.

    Are these concerns worth the extra time and money? Reasonable minds may differ, but I tend to think so.

  29. The right to bear arms... by jamie(really) · · Score: 2, Insightful

    ... But not information.

  30. Re:Alternatives with unforseen consequences? by Satan's+Librarian · · Score: 2, Insightful
    A little bit of uneasiness now, but protection from all but the most determined adversary. And the law already completes the vaccine analogy by punishing those who are caught actually perpetrating the crime.

    Personally, I'd rather not throw kids in jail and ban them from computer usage once they get out - that's a good way to create a hardened criminal or a very bitter and suicidal geek.

    There will always be someone writing viruses - whether for misguided political motivations, as a last gesture from a disgruntled employee, or for commercial interests. For example, there's a lot of speculation that SoBig is the work of a professional spammer.

    But it would be good to take the kids out of the equation without destroying their futures.

    And unfortunately, I'd hardly say that typical security has gotten much better since the Morris worm made its rounds years ago. It's still the same in most places - nonexistent. Places that hire good people to protect their systems improve every day, but for most companies they don't seem to think security is worth the salary a really competent sysadmin usually requires (or they simply can't afford it).

    I don't think that's going to change until having a virus take down a company's servers has a larger chance of destroying the company rather than just inconveniencing it.

  31. My thoughts as well by 0x0d0a · · Score: 5, Insightful

    tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?

    Pretty much what I thought. There isn't a lot that you can really ban that would stop a virus writer without negatively affecting regular ol' developers, much less people who work in the security field.

    Frankly, I find all this silly. Most people that are handing around information on how to produce viruses will also hand around copyrighted software as well. That's illegal, but it really doesn't seem to stop them.

    The right solution is to harden hosts against viruses and worms. Outlook is a huge vector, because it has traditionally made embedding active content and executing attachments very easy. Outlook should go away. The macro system in Word is inappropriate for a format frequently used for general document distribution. Permissions should be tightened up -- there's a reason the UNIX world doesn't run into viruses.

  32. Legitimate uses by BinBoy · · Score: 2, Insightful

    information [...]which could be used by malicious hackers and virus writers


    This is exactly the same information that's used to prevent and disable viruses.



  33. Bugtraq, smugtraq by harriet+nyborg · · Score: 2, Insightful
    Symantec fully supports information sharing on threats and vulnerabilities and believes it is an important tool for consumers and IT professionals to gain a measure of early warning of potential attacks.

    contrast this with the words of

    ... John Schwarz, president and COO of antivirus firm Symantec, who called for legislation to criminalize the sharing of information and tools online that can be used by malicious hackers and virus writers.

    so, "information sharing on threats and vulnerabilities" is OK, but "sharing of information and tools" isn't.

    as a Symantec customer, i expect you to be smarter than the 16-24 year old punks who "share information and tools" to make variations on well-known hacks.

    it seems to me that most problems are the result of programming flaws, mistakes, and plain old "gee whiz didn't think someone could do that" ignorance on the part of developers.

    more law enforcement isn't the answer, banning books isn't the solution. technical diligence is.

    the job of Symantec is to stay ahead of the hackers, not to close the doors after them.

  34. Gruff marketing fluff by drsolly · · Score: 5, Insightful

    This is just marketing fluff. I've seen this so many times.

    He was being interviewed by Wired, and wanted to make gruff noises about the virus issue. He's a COO, so obviously he isn't technical enough to know what he's talking about. The danger, of course, is that because he's a COO, some dimwit who doesn't realise that COOs don't know anything might take him seriously.

    If this did ever happen, it would be disastrous for Symantec and the whole antivirus industry. Not because there would be fewer viruses - that would be almost unchanged.

    The disaster happens in the sharing of specimens of viruses. In order to code up detection, identification and repair, you have to have one of the things you're trying to handle. So, where do antivirus companies get specimens?

    Two sources. 1) from their customers. This legislation would make it illegal for customers to send specimens to the AV companies using email or whatever. So what you gonna do, copy it onto a floppy disk and put it in the post? Not likely.

    2) From the other AV companies. There's been an agreement in place for a great many years between the techies of the AV companies, that specimens get shared, so that when a new thing surfaces, customers aren't forced to buy an AV from any one source, customers still have choice. That specimen sharing would become criminalised.

    I've just written to some people to explain that if they really want people like me (and you and you and you) to send them specimens of things that turn up, then they mustn't criminalise that.

  35. The Corporate Club? by ClubStew · · Score: 2, Insightful
    Don't kid yourself, there are plenty of others out there just like them who would like nothing more than to make the so called 'security community' an exclusive club open only to corporate types who see things their way.

    So, I guess the MS.Blaster worm was only propagated by corporate - and most often firewalled - networks? It wasn't caused by the vast numbers of broadband customers with entirely open computers on countless networks? Hmm.

    The remarks that this statement targets (it was a statement made against Symantec) are utterly ridiculous. The way to get things done is not to remain hush hush. NTBugTraq often forced Microsoft (et al.)'s hand to fix a bug that was proven in concept but, perhaps, not yet exploited. It was only a matter of time before the hole would be exploited. If Symantec is turning their efforts of keeping machines "safe" to the "corporate machine", they aren't getting my or my company's business anymore. We need someone that will push to get bugs fixed and viri stopped at all costs - even if it means putting pressure on the publisher.

    Besides, almost any post-back news site and development community on the 'net would be liable if such a law was passed. My email address is obtainable from this site and many others (SPAM-proofing aside, which isn't always hard to break if the crawlers look for common patterns). They're sharing my email address and, perhaps, other information.

    If it's community backlash they're merely trying to avoid, then it's community backlash they deserve.

  36. Re:It's obviously anti-First Amendment by bigpat · · Score: 3, Insightful

    tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?

    Or, to take it to an extreme, Notepad/vi/emacs.


    No, take it to the logical ironic extreme, Norton AntiVirus 2004 is the best way to QA your virus to make sure it will get by anti-virus software. So, really we need to make sure that virus writers don't get access to such powerful debugging tools. We obviously need to ban anti-virus software in order to stop viruses from being written.

    Sometimes the simple solutions are the most effective.

  37. Why they are saying that... by Jerry · · Score: 3, Insightful
    Translation: We can only close the door after the fox has raided the henhouse. Until we see how he does it we can't make an anti-pick device to prevent them from breaking in the first million times.


    Of course, making anti-pick devices (exploit tools) illegal won't interfere with the activities of the criminal class any more than making firearms illegal has bothered them. This CEO is just another in the class of people who just can't seem to grasp the fact that lawbreakers don't care about laws.


    The tools that create exploits are the tools that create software: languages and compilers for them. A case can be made that the Corporation's real agenda is to gain control of the tools for making software. If your product isn't needed by the Linux platform then the Linux platform is your enemy. If they get compilers outlawed only outlaws will use them. It won't stop the flood of WinXX infectors, as if Symantec wanted that flood to stop their only income stream, but it will stop folks from migrating away from WinXX to a platform that doesn't need Symantec's software.

    --

    Running with Linux for over 20 years!

  38. Heh by christoofar · · Score: 2, Insightful

    So it would be illegal to distribute and use gcc / Delphi / Watcom C, and the other development tools hackers love to use?