Slashdot Mirror


Analysis Of Symantec's Stance On Censorship

robochan writes "According to this report in the Sydney Morning Herald, Chief Operating Officer of Symantec, John Schwarz, was quoted as 'calling for laws to make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers.' This article takes a look at the negative effects and also a couple of recent examples of "censorship legislation" backed by the COO of Symantec, and what little effect it has had on criminals, while having a substantial effect on responsible citizens."

17 of 273 comments

  1. In other words by Leffe · · Score: 5, Funny

    GCC has been made illegal.

  2. Information and tools by BorgDrone · · Score: 5, Insightful
    information and tools online which could be used by malicious hackers and virus writers
    So that would include:
    • Compilers
    • API documentation
    • Text editors (can be used to write VBScript virii)
    • Microsoft Office (macro virii)
    Sounds like a really well thought out idea.
  3. A clarification by Chairboy · · Score: 5, Informative

    An important clarification from an article on this subject a few days ago:

    http://www.smh.com.au/articles/2003/09/12/1063268553158.html

    Asked whether Schwarz would like to clarify whether he had really meant that full disclosure should be legislated against, Symantec's Asia-Pacific public relations group manager Lindy Yarnold did not directly deal with the query but said: "Symantec fully supports information sharing on threats and vulnerabilities and believes it is an important tool for consumers and IT professionals to gain a measure of early warning of potential attacks."

  4. So Symantec's anti-virus software will be illegal by SnappingTurtle · · Score: 5, Funny
    After all, I assume every virus writer tests his/her virus by running it through anti-virus software. If we would just get rid of that virus-helping software, we'd be safer from viruses.

    Those damn virus-helpers over at Symantec, I hope the law skins them alive.

    --
    I've found that my posts don't format quite right w/o a sig.
  5. Burglary Tools by EmpNorton · · Score: 5, Interesting

    I believe it is illegal in most states to be in possession of 'burglary tools' such as slim-jims, lock picks, and the like unless you are licensed in some way to own them (mechanic, lock smith, etc...).

    When (if ever) do 'hacking tools' fall under this category? Obviously any tool can be used with ill-intent, but are there specific pieces of software that could be classified as such?

    1. Re:Burglary Tools by MoralHazard · · Score: 5, Insightful

      Not quite. First of all, this varies depending on jurisdiction--in some places, owning/possessing/carrying lock-opening tools is problematic (not illegal outright, though), and in other places it's perfectly acceptable.

      In the places where it is trouble to carry lockpicks et al., you can't get busted for possession or ownership of the devices in the same way that you can get busted for possessing, say, pot or cocaine. Instead, the possession of those kinds of tools, WITHOUT a reasonable excuse, is considered prima facie evidence of an intent to commit wrongdoing. So if a cop catches you with lockpicks in one of these states, he can bust you for conspiring to commit a burglary.

      But remember, prima facie evidence only means anything in the absence of a countervailing explanation. If you're a locksmith on the way to a house call, you're obviously not planning to commit a crime, and so the cop can't assume that you have intent. Well, he could, but a good lawyer could get the whole beef thrown out in pretrial.

      More to the point--I think this comparison fails because information and tools relating to virus/worm manufacture are even more "dual-use" than lockpicks. Lockpicks are for opening locks--the only question is whether you have permission to be opening those locks. Tools and information that could POTENTIALLY be used to code malware would include every CS textbook, compiler, and PC ever made. And my lecture notes from Data Structures in Java (which are already pretty criminal on the basis of the handwriting).

      Even exploit code has a legit purpose. Am I going to take offline/patch every sshd in my organization because of a crappy rumor that there's a remote DOS overflow? Hells, no! I ain't gonna patch shit until somebody shows up with an actual, working exploit--you have to manage these risks based on the likelihood that a threat exists (potential threats get patched tomorrow morning, actual exploits get patched tonight) and the amount of shit required to fix it (will this break remote access to all my servers? Do I have the manpower to test and deploy the patch right now, when I'm still fucking around with Windows RPC stuff?).

  6. Slippery Slope by shirai · · Score: 5, Insightful

    I think this is the slippery slope defined. Even if it were a good idea to keep these tools away from easy access (I won't reiterate the many arguments why it isn't), it is extremely difficult to know exactly where the line from "general purpose networking tool" to "hacking tool" is drawn.

    Considering that virtually any tool can be used to hack, when does something get legislated as illegal? Somebody uses a web browser to hack. Is the web browser now an illegal hacking tool?

    Okay, maybe that was too easy. But a packet sniffer?

    I think one could easily make an argument that that is a hacking tool. Ultimately, the legal definitions may center around "public perception" as often seems to be the case in technical legalities instead of technical accuracy. This is, unfortunately, because the general public typically doesn't understand technically how things work. Notice most bad press is based around technologies that the average guy doesn't understand.

    We're treading on dangerous grounds Symantec...

    Slippery Slope...

    --
    Sunny

    Be my Friend

  7. Re:It's obviously anti-First Amendment by Frymaster · · Score: 5, Insightful
    no, it's more like this:

    the article states that they want to criminalize "shar[ing] information and tools online which could be used by malicious hackers and virus writers".

    tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?

    this is like that crime in britain: "going equipped to commit arson". ie, having a lighter in yr pocket. it's all about selective enforcement. ie, the law is interpreted by the police officer.

    now, extrapolate this situation to something like, say, computing - something that joe average judge-or-cop knows virtually nothing about.

    am i the only person who can see this being a bad bad thing?

  8. anti-virus software, tool of the pirate by Anonymous Coward · · Score: 5, Funny

    If you stick to shrinkwrapped software, and DON'T run ANY other form of executable, then you DON'T need anti-virus software.

    So what is this "Norton AntiVirus" for? To help people who download cracked software keep their computers healthy? Sounds like a shady product to me.

  9. Obviously bad, but for an alternative... by Satan's+Librarian · · Score: 5, Insightful
    Obviously, this is stupid. Outlawing such information will, at best, make it hard for programmers to learn enough about the different types of viruses out there, the techniques they use, and the methods to protect against them.

    In other words, if you outlaw the legitimate dissemination of information regarding viruses and how they are made, you just made writing a GPL or BSD licensed antivirus program illegal - obviously anyone involved in such a project would have to break the law to obtain virus samples, disassemblies, and information. This might be good for Symantec, but it sucks for the rest of us.

    However, there is a problem. There's a ton of viruses coming out every day, and the internet makes an extremely fertile ground for even a poorly written virus or worm. A simple virus or worm can literally bring a corporation's operations to a halt for a day or two - even if critical machines run moderately secure operating systems, the traffic overload and DDOS'ing from the compromised machines can be hell.

    Most virus writers are kids that feel alienated by "the system". I think most studies have shown that the average virus writer ages are between 14 and 24 - meaning when people get older and join society, they generally phase out of virus writing for moral or practical reasons. For several papers on who exactly writes viruses, go here.

    So how do we prevent these kids from writing viruses? Outlawing information regarding viruses is a lot like outlawing the purchase of spraypaint - it isn't going to work, and it makes life suck for the rest of us.

    But could we find ways to engage kids within risk groups and help them find useful outlets for their talent, so they could receive positive feedback and recognition for their work instead of getting their kicks unleashing their work on the world? I bet if you got a teenager that otherwise felt the world was against him or her involved in an open-source project they got excited about, where they were tutored and provided with positive feedback by more experienced mentors - they wouldn't have the time or the inclination to write viruses and will learn some very valuable skills that will be useful to them.

    So how about this - start something similar to SourceForge for teens, and find programmers willing to donate their time mentoring these kids and helping them take their skills to the next level while teaching them the ethics and responsibilities of a first-rate programmer? Obviously such a system would need to be watched for abusive adults and any found would need to be banned and/or prosecuted, but if a bunch of good coders that gave a shit about kids did it I think it could seriously make a dent in the growth of the virus problem.

    The other solution would be to make apprenticeships mandatory for budding programmers :)

  10. Re:It's obviously anti-First Amendment by TiggsPanther · · Score: 5, Insightful

    tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?

    Or, to take it to an extreme, Notepad/vi/emacs.

    After all, the most basic tool required for writing a virus (or any piece of code) is your bog-standard Text Editor.

    --
    Tiggs
    "120 chars should be enough for everyone..."
  11. Re:No, idiot by orthogonal · · Score: 5, Insightful

    It would make things like "Build your own virus" kits illegal. It's how the majority of virus writers formulate their viruses. They sure as hell couldn't write their own code.

    Well, you're quite right. It would make virus building kits illegal.

    But Schwarz also wants "to make it a criminal offense to share information". This means that identifying a security vulnerability could also be prosecuted.

    Now, Symantec won't be prosecuted, because they'll keep vulnerability information close to their corporate chest, as "proprietary trade secrets"; they don't benefit from revealing the information. And they'll make sure to make the right bi-partisan contributions, so everybody will know they are good upstanding citizens.

    But if you, or I, or Willie White-Hat Hacker publicizes the information, we'll be facing one of Mr. Ashcroft's boys. One of his prosecutors with the unlimited budget, the Federal warrant, and the granite-faced gentlemen who are paid to carry guns.

    That this just happens to scare off any upstart competitor to Symantec and McAfee's control of their market, is, I'm sure, a purely unintended consequence of the fight against terrorism and the terrible threat to our nation of a haxored box adding a few hundred more spam emails to the torrent already flowing in from China.

  12. A reply from Symantec on Bugtraq by biftek · · Score: 5, Informative
    From this thread on Sept 12 (love the slow Australian IT press):

    I am posting this in reference to the recent Wired article which Richard Smith posted to this list. Symantec fully supports information sharing on threats and vulnerabilities and believes it is an important tool for consumers and IT professionals to gain a measure of early warning of potential attacks.

    The Bugtraq mailing list, maintained as an independent entity under the SecurityFocus brand, remains one of the most respected and open sources for security information and early alerting by security professionals worldwide and full disclosure is *critical to the integrity of the Bugtraq community*.

    With regards to cyber crime we need more and higher quality resources for law enforcement to work on computer forensics, and we need cooperation from government and industry to assist prosecutors in building cases against attackers.

    Given the increase in the number of security threats and the availability of online tools we also believe that the industry should focus on training and educating today's youth about the ethics of computer crime and its effects and impact on victims.

    These are not simply my words but also an official Symantec statement.

    Cheers,
    -al

    Alfred Huger
    Senior Director Engineering
    Symantec Security Response

  13. He must be hangin' out with Darl McBride... by JRHelgeson · · Score: 5, Interesting
    This is the dumbest thing I've heard. It ranks right up there with SCO's claims against IBM and Linux. Where do they come up with these delusions?

    He's stating that "Only the information security elite should ever have access to information security issues." Or if Bill Gates stated: "Only large enterprises should write operating system software. Linux should be outlawed." This means we'd all be forced to eat Microsoft's or Symantec's 'dog food'.

    I ask you this: When was the last time Symantec wrote a signature for Snort? How about a nessus plugin? They want to get rid of the open source security model because they can't profit from it!

    As an information security professional, I don't even listen to Symantec as their information is generally 2-3 weeks too late. It's like waiting for the Sunday paper to read about the double homicide that's taking place right now on your front lawn. All their info is being published after the fact! If they successfully cut off all access to information that is happening in the security community, then they make everyone reactive rather than proactive.

    It doesn't matter how much detail Symantec offers about a virus or bug. I want to be able to take an exploit, compile it and run it against a test server on a test network. Capture the packets transmitted and analyze them. I want to dissect the 'worm' or 'virus' and develop an IDS signature as well as produce a Nessus plugin to scan other servers. If I use other tools, I want to have enough knowledge to look into their signature files to realize that they're looking for the wrong stuff and thereby giving false positives (or false negatives).

    It's called FULL DISCLOSURE
    Symantec is trying to tell us that I can do all this with a really descriptive set of documentation? Or maybe I should just turn my entire enterprise security model over to Symantec. Uh huh, sure... I don't think so. Gimme the code for the exploit.

    Allow me to digress for a moment, stick with me though -- it's not too OT...
    Let's talk for a moment about the MS03-039 exploit; the brother to MS Blaster. It's a really nasty bugger. Once it exploits a machine, it creates a user account of "e" with a password of "abc#321". Oh yeah, and the new user has admin rights.

    This means the worm could use the newly created account to create other accounts, escalate privileges on existing accounts or just change everyone's password to a random string of garbage.

    The price we could pay by not patching every single server and workstation this time around could exceed the damage done by blaster by a thousandfold. All it has to do is successfully nail just one Active Directory controller. Imagine if every single user on your entire network had their password changed on them, at the same time.

    When blaster hit, it crashed the RPC service which forced the machine to reboot 60 seconds after the RPC service came crashing down. Imagine now that the infection process changes admin and user passwords, revokes privileges, then reboots the machine... Your network is now down, and you can't even get back in. You are screwed.

    So, how do I know this info? Well, it just so happens that I've got the source code to the worm sitting on my machine right now! I'm not contributing to the project, but I'm sure as hell monitoring what is going on, and I sure as hell didn't get ANY of this information from Symantec.

    The only info I'll get from Symantec is the day after the worm's release when they announce that blaster.b is in the wild and that I should have patched my boxes, and they're very sorry but there is no cleanup file available if it compromised your AD controller and changed all the admin passwords. Symantec also recommends you have current tape backups. That's like telling the car accident victim to buckle up. Just a little late there, Jack.

    We are going to continue down the road of Full Disclosure debate until M$ et al. starts writing secure code.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  14. My thoughts as well by 0x0d0a · · Score: 5, Insightful

    tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?

    Pretty much what I thought. There isn't a lot that you can really ban that would stop a virus writer without negatively affecting regular ol' developers, much less people who work in the security field.

    Frankly, I find all this silly. Most people that are handing around information on how to produce viruses will also hand around copyrighted software as well. That's illegal, but it really doesn't seem to stop them.

    The right solution is to harden hosts against viruses and worms. Outlook is a huge vector, because it has traditionally made embedding active content and executing attachments very easy. Outlook should go away. The macro system in Word is inappropriate for a format frequently used for general document distribution. Permissions should be tightened up -- there's a reason the UNIX world doesn't run into viruses.

  15. Re:It's obviously anti-First Amendment by Temsi · · Score: 5, Interesting

    That's absolutely incorrect.

    Freedom of speech is absolute. No exceptions.

    Obscenity is not illegal, but you can be held accountable for any harm it may cause others (including mental anguish). The FCC has obscenity guidelines for the public airwaves that TV and Radio stations must follow. The on-air personalities can say whatever they want, and their words are not illegal. The FCC can however mandate that the corporations using the public airwaves do not broadcast obscenities, and that they either bleep them or silence them, at the risk of being fined (stipulations of using the public airwaves for free).

    Fighting words are not illegal either, but you could get in trouble if you incite violence, which IS illegal.

    Yelling "FIRE!" in a crowded theatre is actually not illegal either, but you will most definitely get in trouble for endangering the public if you do it.

    There is a distinction here you have to make.
    Words by themselves are not and cannot be illegal, nor can the usage of those words be deemed illegal. The first amendment guarantees that.
    The results of what happens because you spoke your words of choice, however, CAN be held against you.
    If you say in a public place "I wish he were dead" (about anyone) you have the right to do so.
    However, if you were to say "Go kill this guy", and someone who heard you went out and did just that because of what you said, then you would absolutely be held accountable for saying it.

    Anything you say is legal, regardless of content.
    The consequences of what you say are another matter entirely.

    Fighting virus writers by banning the words they write is absurd and stupid. It is a slippery slope we do not want to enter. It sets a dangerous precedent that can and will be abused. If you ban one use of language, it's very easy to ban another. Next we'll be banning negative movie reviews because they can hurt the movie's business and thus must be banned. Or perhaps we'll start calling people traitors if they criticize the President. Oh, wait, Ann Coulter already is doing that. But of course she has the right to say that too...

    --
    -- This sig for rent.
  16. Gruff marketing fluff by drsolly · · Score: 5, Insightful

    This is just marketing fluff. I've seen this so many times.

    He was being interviewed by Wired, and wanted to make gruff noises about the virus issue. He's a COO, so obviously he isn't technical enough to know what he's talking about. The danger, of course, is that because he's a COO, some dimwit who doesn't realise that COOs don't know anything might take him seriously.

    If this did ever happen, it would be disastrous for Symantec and the whole antivirus industry. Not because there would be fewer viruses - that would be almost unchanged.

    The disaster happens in the sharing of specimens of viruses. In order to code up detection, identification and repair, you have to have one of the things you're trying to handle. So, where do antivirus companies get specimens?

    Two sources. 1) from their customers. This legislation would make it illegal for customers to send specimens to the AV companies using email or whatever. So what you gonna do, copy it onto a floppy disk and put it in the post? Not likely.

    2) From the other AV companies. There's been an agreement in place for a great many years between the techies of the AV companies, that specimens get shared, so that when a new thing surfaces, customers aren't forced to buy an AV from any one source, customers still have choice. That specimen sharing would become criminalised.

    I've just written to some people to explain that if they really want people like me (and you and you and you) to send them specimens of things that turn up, then they mustn't criminalise that.