Slashdot Mirror
Analysis Of Symantec's Stance On Censorship
robochan writes "According to this report in the Sydney Morning Herald, Chief Operating Officer of Symantec, John Schwarz, was quoted as 'calling for laws to make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers.' This article takes a look at the negative affects and also a couple of recent examples of "censorship legislation" backed by the COO of Symantec, and what little effect it has had on criminals, while having a substantial affect on responsible citizens."
- Compilers
- API documentation
- Text editors (can be used to write VBScript virii)
- Microsoft Office (macro virii)
Sounds like a really well thought out idea.I think this is the slippery slope defined. Even if it were a good idea to keep these tools away from easy access (I won't reiterate the many arguments why it isn't), it is extremely difficult to know exactly where the line from "general purpose networking tool" to "hacking tool" is drawn.
Considering that virtually any tool can be used to hack, when does something get legislated as illegal? Somebody uses a web browser to hack. Is the web browser now an illegal hacking tool?
Okay, maybe that was too easy. But a packet sniffer?
I think one could easily make an argument that that is a hacking tool. Ultimately, the legal definitions may center around "public perception" as often seems to be the case in technical legalities instead of technical accuracy. This is, unfortunately, because the general public typically doesn't understand technically how things work. Notice most bad press is based around technologies that the average guy doesn't understand.
We're treading on dangerous grounds Symantec...
Slippery Slope...
Sunny
Be my Friend
the article states that they want to criminalize "shar[ing] information and tools online which could be used by malicious hackers and virus writers".
tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?
this is like that crime in britain: "going equipped to commit arson". ie, having a lighter in yr pocket. it's all about selective enforcement. ie, the law is interpreted by the police officer.
now, extrapolate this situation to something like, say, computing - something that joe average judge-or-cop knows virtually nothing about.
am i the only person who can see this being a bad bad thing?
2 1337 4 u!
Not quite. First of all, this varies depending on jurisdiction--in some places, owning/possessing/carrying lock-opening tools is problematic (not illegal outright, though), and in other places it's perfectly acceptable.
In the places where it is trouble to carry lockpicks et al., you can't get busted for possession or ownership of the devices in the same way that you can get busted for possessing, say, pot or cocaine. Instead, the possession of those kinds of tools, WITHOUT a reasonable excuse, is considered prima facie evidence of an intent to commit wrongdoing. So if a cop catches you with lockpicks in one of these states, he can bust you for conspiring to commit a burgalary.
But remember, prima facie evidence only means anything in the absence of a countervailing explanation. If you're a locksmith on the way to a house call, you're obviously not planning to commit a crime, and so the cop can't assume that you have intent. Well, he could, but a good lawyer could get the whole beef thrown out in pretrial.
More to the point--I think this comparison fails because information and tools relating to virus/worm manufacture are even more "dual-use" than lockpicks. Lockpicks are for opening locks--the only question is whether you have permission to be opening those locks. Tools and information that could POTENTIALLY be used to code malware would include every CS textbook, compiler, and PC ever made. And my lecture notes from Data Structures in Java (which are already pretty criminal on the basis of the handwriting).
Even exploit code has a legit purpose. Am I going to take offline/patch every sshd in my organization because of a crappy rumor that there's a remote DOS overflow? Hells, no! I ain't gonna patch shit until somebody shows up with an actual, working exploit--you have to manage these risks based on the liklihood that a threat exists (potential threates get patched tomorrow morning, actual exploits get patched tonight) and the amount of shit required to fix it (will this break remote access to all my servers? Do I have the manpower to test and deploy the patch right now, when I'm still fucking around with Windows RPC stuff?).
In otherwords, if you outlaw the legitimate dissemination of information regarding viruses and how they are made, you just made writing a GPL or BSD licensed antivirus program illegal - obviously anyone involved in such a project would have to break the law to obtain virus samples, disassemblies, and information. This might be good for Symantec, but it sucks for the rest of us.
However, there is a problem. There's a ton of viruses coming out every day, and the internet makes an extremely fertile ground for even a poorly written virus or worm. A simple virus or worm can literally bring a corporation's operations to a halt for a day or two - even if critical machines run moderately secure operating systems, the traffic overload and DDOS'ing from the compromised machines can be hell.
Most virus writers are kids that feel alienated by "the system". I think most studies have shown that the average virus writer ages are between 14 and 24 - meaning when people get older and join society, they generally phase out of virus writing for moral or practical reasons. For several papers on who exactly writes viruses, go here.
So how do we prevent these kids from writing viruses? Outlawing information regarding viruses is a lot like outlawing the purchase of spraypaint - it isn't going to work, and it makes life suck for the rest of us.
But could we find ways to engage kids within risk groups and help them find useful outlets for their talent, so they could receive positive feedback and recognition for their work instead of getting their kicks unleashing their work on the world? I bet if you got a teenager that otherwise felt the world was against him or her involved in an open-source project they got excited about, where they were tutored and provided with positive feedback by more experienced mentors - they wouldn't have the time or the inclination to write viruses and will learn some very valueable skills that will be useful to them.
So how about this - start something similar to SourceForge for teens, and find programmers willing to donate their time mentoring these kids and helping them take their skills to the next level while teaching them the ethics and responsibilities of a first-rate programmer? Obviously such a system would need to be watched for abusive adults and any found would need to be banned and/or prosecuted, but if a bunch of good coders that gave a shit about kids did it I think it could seriously make a dent in the growth of the virus problem.
The other solution would be to make apprenticeships mandatory for budding programmers :)
I write code.
tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?
Or, to take it to an extreme, Notepad/vi/emacs.
After all, the most basic tool required for writing a virus (or any piece of code) is your bog-standard Text Editor.
Tiggs
"120 chars should be enough for everyone..."
It would make things like "Build your own virus" kits illegal. It's how the majority of virus writers formulate their viruses. They sure as hell couldn't write their own code.
Well, you're quite right. It would make virus building kits illegal.
But Schwarz also wants "to make it a criminal offense to share information". This means that indentifying a security vulnerability could also be prosecuted.
Now, Symantec won't be prosecuted, because they'll keep vulnerability information close to their corporate chest, as "proprietary trade secrets"; they don't benefit from revealing the information. And they'll make sure to make the right bi-partisan contributions, so everybody will know they are good upstanding citizens.
But if you, or I, or Willie White-Hat Hacker publicizes the information, we'll be facing one of Mr. Ashcroft's boys. One of his prosecuters with the unlimited budget, the Federal warrant, and the granite-faced gentlemen who are paid to carry guns.
That this just happens to scare off any upstart competitor to Symantec and MacAfee's control of their market, is, I'm sure, a purely unintended consequence of the fight against terrorism and the terrible threat to our nation of a haxored box adding a few hundred more spam emails to the torrent already flowing in from China.
Opinions on the Twiddler2 hand-held keyboard?
tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?
Pretty much what I thought. There isn't a lot that you can really ban that would stop a virus writer without negatively affecting regular ol' developers, much less people who work in the security field.
Frankly, I find all this silly. Most people that are handing around information on how to produce viruses will also hand around copyrighted software as well. That's illegal, but it really doesn't seem to stop them.
The right solution is to harden hosts against viruses and worms. Outlook is a huge vector, because it has traditionally made embedding active content and executing attachments very easy. Outlook should go away. The macro system in Word is inappropriate for a format frequently used for general document distribution. Permissions should be tightened up -- there's a reason the UNIX world doesn't run into viruses.
May we never see th
This is just marketing fluff. I've seen this so many times.
He was being interviewed by Wired, and wanted to make gruff noises about the virus issue. He's a COO, so obviously he isn't technical enough to know what he's talking about. The danger, of course, is that because he's a COO, some dimwit doesn't realise that COOs don't know anything, might take him seriously.
If this did ever happen, it would be disastrous for Symantec and the whole antivirus industry. Not because there would be fewer viruses - that would be almost unchanged.
The disaster happens in the sharing of specimens of viruses. In order to code up detection, identification and repair, you have to have one of the things youj're trying to handle. So, where do antivirus companies get specimens?
Two sources. 1) from their customers. This legislation would make it illegal for customers to send speciments to the AV companies using email or whatever. So what you gonna do, copy it onto a floppy disk and put it in the post? Not likely.
2) From the other AV companies. There's been an agreement in place for a great many years between the techies of the AV companies, that specimens get shared, so that when a new thing surfaces, customers aren't forced to buy an AV from any one source, customers still have choice. That specimen sharing would become criminalised.
I've just written to some people to explain that if they really want people like me (and you and you and you) to send them specimens of things that turn up, then they mustn't criminalise that.