Full Disclosure mailing list archives

Re: Support the Sasser-author fund started


From: Tobias Weisserth <tobias () weisserth de>
Date: Fri, 14 May 2004 19:12:08 +0200

On Fri, 2004-05-14 at 17:23, Konstantin Gavrilenko wrote:
> Tobias, following your logic, the people who found and disclosed the
> vulnerability that Sasser was abusing should be prosecuted together with
> the author of the viral code.

Why is that? Did they break German law? Are they responsible by their
actions that third parties sustained damages? Did *they* attack by
direct or indirect means the systems of third parties?

The answer is no. Releasing an advisory in full-disclosure manner is
something totally different than writing a virus and spreading it.

Say, why do I have to explain these things anyway?! Do you guys have no
moral perception at all?!

> What is the next stage? Jailing people who write "proof of concept"
> exploit code?

If a "proof of concept" exploit is released and it illegally manipulates
data on third party computers, spreads autonomously and "proves an
exploit" against the permission of third parties on their systems, this
is an illegal activity and as such should be prosecuted and prosecuted
hard.

> Punish Fyodor for writing nmap or maybe prosecute the
> nessus team?

Now you're being irrational. Comparing Sasser to nmap or nessus is a bit
far fetched, wouldn't you say? And don't tell me there is no sharp boundary
between those two, because nobody is going to believe it.

> If the guy wrote the code and intentionally released the worm and
> infected half of the Internet then he is guilty,

He already confessed that when the police searched his house.

> but that remains to be
> proven.

The police have already confiscated and verified that he is the author of
Sasser. The police are also investigating leads that friends helped him
spread the virus.

> Nobody has cancelled the presumption of innocence yet!

Well, a confession that has been made isn't exactly a very strong
presumption of innocence, is it?

> My personal opinion is that more blame should be put on M$.

The company is called Microsoft or MS in short. Why don't you use its
proper name?

And why should blame be put on MS when they released a patch and advised
their customers to install the patch two weeks prior to the release of
Sasser? There is no law against bad code or bad products but there is
law against the abuse and sabotage of computers.

Let me get this right for you again: the Sasser author is the bad guy
here. He is the reason I have to stay informed about bugs because *he*
is exploiting them and not MS. MS doesn't break my computer, it's him
and his creation Sasser (Actually this is somehow wrong because I don't
have a MS system anymore, but the point is still the same).

> But where
> would the security industry be if not for Microsoft's products :)

Did you know that the Sasser author's mother runs a little IT consulting
company? Now you can talk about self-interest...

Tobias

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html