Slashdot Mirror
Analysis Of Symantec's Stance On Censorship
robochan writes "According to this report in the Sydney Morning Herald, Chief Operating Officer of Symantec, John Schwarz, was quoted as 'calling for laws to make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers.' This article takes a look at the negative affects and also a couple of recent examples of "censorship legislation" backed by the COO of Symantec, and what little effect it has had on criminals, while having a substantial affect on responsible citizens."
But maybe it's time to rethink this portion of Speech.
Speech is not 100% protected. There are types of speech which have been declared illegal: obscenity, fighting words, etc. Perhaps it is time to take the fight to virus writers.
I believe it is illegal in most states to be in possession of 'burglary tools' such as slim-jims, lock picks, and the like unless you are licensed in some way to own them (mechanic, lock smith, etc...).
When (if ever) do 'hacking tools' fall under this category? Obviously any tool can be used with ill-intent, but are there specific pieces of software that could be classified as such?
Why does it seem that every single proposed or actual law targeted at "cybercrime" puts absurd limitations on legitimate research while having absolutely no effect on the criminals?
"make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers."
On the positive side, couldn't this also be applied to Windows, IE, and Outlook? Ignoring the buffer overflows (which all software has) these programs have been developing, promoting, and expanding the viral capabilities since at least 1998.
After all, there's more documentable evidence of Microsoft staunchly keeping an "open" envrionment to incubate and inspire malicious hackers much more so than the white hat hackers simply exchanging exploit documentation.
As Shaw said, patriotism is the last refuge of the scoundrel. Applied judiciously, it can also be very profitable.
Panurge has posted for the last time. Thanks for the positive moderations.
my worst fear when Symantec bought SecurityFocus was the ability to exercise free of speech and free research on bugtraq... now it is just matter of time when corporate censorship begin to infect what can be said, research, discused or developed on the mailing list.
As others have noted, what Symantec really wants is to prevent people from cleaning up the worms and viruses without paying Symantec a fee.
But if the number of viruses and worms goes down, I'm sure Symantec would be happy to write a few more to keep their profits up.
I remember some PHB type at a university i worked at had this list of 'hacking tools' that he had gotten from some 'security expert' that we were supposed to be on the watch for if we saw any of the students using these dangerous and evil things. These tools included things like text editors and resource fork editors for macintosh and such. I thought at first that it was some prank played upon the the PHB but whoever gave the this list to them was apparently completely serious about it.it was funny and scary at the same time. When text editors are illegal only outlaws will have text editors.
I understand that without a crime there can be no test of a law due to what you have just established. Or to put it another way, without a party that has been wronged there can be no case that can be brought before the high court to rule upon.
Ok, right. So what we are saying here is that, its ok to pass laws that aren't legal until the wrong someone. And then when they get wronged they have to go though the *whole* court system before they finally get ruled on and then maybe if your lucky the high court will hear your case vs the law and rule against it thus striking down a law that never should have been enacted in the 1st place.
All of that takes time, money, and much much effort. But hey, it's ok because you can site some reference in the original constitution (Where I'm quite sure the founder fathers envisioned it that way.) to where that makes it so.
Well, all I'm saying is I call shenanigans on that clause and hello to a way to review laws that effect, lets face it, the whole gawd damn world before we enact them.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
He's stating that "Only the information security elite should ever have access to information security issues." Or if Bill Gates stated: "Only large enterprises should write operating system software. Linux should be outlawed." This means we'd all be forced to eat Microsoft's or Symantec's 'dog food'.
I ask you this: When was the last time Symantec wrote a signature for Snort? How about a nessus plugin? They want to get rid of the open source security model because they can't profit from it!
As an information security professional, I don't even listen to Symantec as their information is generally 2-3 weeks too late. Its like waiting for the Sunday paper to read about the double homicide that's taking place right now on your front lawn. All their info is being published after the fact! If they successfully cut off all access to information that is happening in the security community, then they make everyone reactive rather than proactive.
It doesn't matter how much detail Symantec offers about a virus or bug. I want to be able to take an exploit, compile it and run it against a test server on a test network. Capture the packets transmitted and analyze them. I want to dissect the 'worm' or 'virus' and develop an IDS signature as well as produce a Nessus plugin to scan other servers. If I use other tools, I want to have enough knowledge to look into their signature files to realize that they're looking for the wrong stuff and thereby giving false positives (or false negatives).
It's called FULL DISCLOSURE
Symantec is trying to tell us that I can do all this with a really descriptive set of documentation? Or maybe I should just turn my entire enterprise security model over to Symantec. Uh huh, sure... I don't think so. Gimme the code for the exploit.
Allow me to digress for a moment, stick with me though -- it's not too OT...
Lets talk for a moment about the MS03-039 exploit; the brother to MS Blaster. It's a really nasty bugger. Once it exploits a machine, it creates a user account of "e" with a password of "abc#321". Oh yeah, and the new user has admin rights.
This means the worm could use the newly created account to create other accounts, escalate privileges on existing accounts or just change everyone's password to a random string of garbage.
The price we could pay by not patching every single server and workstation this time around could exceed the damage done by blaster by a thousandfold. All it has to do is successfully nail just one Active Directory controller. Imagine if every single user on your entire network had their password changed on them, at the same time.
When blaster hit, it crashed the RPC service which forced the machine to reboot 60 seconds after the RPC service came crashing down. Imagine now that in the infection process changes admin and user passwords, revokes privileges, then reboots the machine... Your network is now down, and you can't even get back in. You are screwed.
So, how do I know this info? Well, it just so happens that I've got the source code to the worm sitting on my machine right now! I'm not contributing to the project, but I'm sure as hell monitoring what is going on, and I sure as hell didn't get ANY of this information from Symantec.
The only info I'll get from Symantec is the day after the worm's release when they announce that blaster.b is in the wild and that I should have patched my boxes, and they're very sorry but there is no cleanup file available if it compromised your AD controller and changed all the admin passwords. Symantec also recommends you have current tape backups. That's like telling the car accident victim to buckle up. Just a little late there, Jack.
We are going to continue down the road of Full Disclosure debate until M$ et al. starts writing secure code.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I'll tell you: just what we did to Intuit: kick Symantec where it hurts, in the pocketbook, until Symantec is ready to disavow Chris Schwarz and his attempts to limit free speech and free inquiry in the name of profit.
I've always had a soft spot for Symantec because of that awesome DOS product, Norton Utilities. And I still have a copy of Peter Norton's 8086 assembler tutorial. Just saw it yesterday, but now I can't recall which bookcase it's in.
But no more. I'm afraid this uses up my good will, and my willingness to see Symantec as the "good guys".
First, let's let Symantec know how we feel. The main switchboard number in the US is (541) 335-5000. The worldwide headquarters number is (408) 517-8000. Tell them you're a computer professional or enthusiast, that many non-specialists rely on you for advice, and that you won't be recommending their products again. And tell them why: because Chris Schwarz whats to criminalize people like you for warning other people about security vulnerabilities.
And then let's do what we said we'd do:
Opinions on the Twiddler2 hand-held keyboard?
Anyway, why should paid for tools be any different?
I might be willing to lend a hand if anyone has such a project and needs a coder. I bet you could reduce the money available to lobby for such stupid laws by commoditizing the market and destroying the profit in creating such laws - and such a product, if done well, would benefit the net as a whole.
I'm aware of Clam AV, but since it's POSIX oriented, it's not really a replacement. I'm thinking of something that supports modern AV features under Windows - e.g. real-time scanning, prevention of execution, modern heuristics, auto-updates, etc.
Of course, for corporations, the best solution would probably be something more along the lines of an access control program that disallowed use of any products that weren't officially sanctioned.
I write code.
I'm curious - what do you think of my suggestion for reducing the number of kids in virus writing? I know it would be very ambitious, and would need considerable effort and cooperation between a large number of ethical and talented professionals with no direct monetary gain to encourage such participation, but to me it seems like it might help. If such an alternative had been present in the late 80's and early 90's, I suspect I would have been interested.
I write code.
I've never responded to a Slashdot post without first reading the article and a number of comments before but this time I am just climbing straight up on my soapbox!
I know this is outlandish but I propose we outlaw knives because they can be used to kill someone. History shows us how dangerous the knife is; For generations, the knife in various forms has been used to kill and maim people. Therefore, I think we should outlaw it. While we are at it, lets outlaw hammers, candle sticks, and rope since they have all been used to kill people.
My point is that tools sometimes have to be dangerous in order to do their jobs. It is not the hammers fault if someone decides to use it to bash someone's head in! The same is true for the knife. Software "hacker's tools" are tools, just like hammers and knives. They can be used for good (and usually are) or bad (and sometimes are) but that does not mean they should be outlawed.
You know those "emergency hammers" that they sell to break car windows with? My guess is that more of them are sold to car-burgulars than are sold for their legitimate purpose. They are easy to conceal and break windows with a minimum of noise and fuss. Crooks use them every day. Why hasn't there been a cry to have those things outlawed, regulated, or controlled? It is because they are a tool, that the tool has a legitimate purpose, and that the crooks would simply use something else if it were made unavailable to them. I guess I'd rather have them carrying these hammers than a hatchett. Of course, I would rather see the crook in jail where he would have neither.
Every advisory sent by a company to the public would therefore be considered criminal. I've read the jokes about notepad, vi, etc and yes they are funny. But in my line of work we find security holes all the time. And we publish enough details that one who is intelligent enough could reconstruct our work.
This kind of assinine law would essentially shut down all major security vendors (ISS, eEye, Foundstone, etc).
This may be to Symantec's liking since they have been aching to get into that market (after purchasing a small company called SecurityFocus). Oh wait they might have forgotten about that purchase. Because bugtraq DOES distribute that info.