Secure Coding mailing list archives
Re: Re (badware vs. "goodware"): SearchSecurity: Badware versus malware
From: "Goertzel, Karen [USA]" <goertzel_karen () bah com>
Date: Mon, 14 May 2012 13:21:02 +0000
Agent software is all well and good. But if you secretly implant the agents, and design them to be undetectable, and do not inform the intended user of the system that they are there, they are spyware - and at best, unethical. And, by my definition at least, unethical = bad. === Karen Mercedes Goertzel, CISSP Lead Associate Booz Allen Hamilton 703.698.7454 goertzel_karen () bah com "I love deadlines. I like the whooshing sound they make as they fly by." - Douglas Adams ________________________________________ From: brunnste () informatik uni-hamburg de [brunnste () informatik uni-hamburg de] Sent: 13 May 2012 04:17 To: sc-l () securecoding org Cc: Goertzel, Karen [USA]; Peter G. Neumann; Gary McGraw Subject: Re (badware vs. "goodware"): [SC-L] SearchSecurity: Badware versus malware Karen, whereas "flaws and defects" can hardly be argued to have possibly some "good" affects, there have been many controversial arguments whether some "malware" (aka viruses) may have "beneficial" effects and may therefore be regarded as sort of "goodware". Indeed, I vividly remember a controversial debate with Fred Cohen at a MITI-invited conference in Tokyo (in the 1990s) whether viruses may be used for beneficial purposes (e.g. implanting automagically some security measures). My counter argument that good intentions of authors must be explicitly communicated to users (aka "usees" as their system is used without their knowledge and agreement) was not shared by the esteemed colleague, and I also remember controversial discussions at our lab (VTC of Hamburg university) with Vesselin Bontchev about aspects of "good viruses" :-) My 2 cents: nobody will (hopefully) doubt that "badware" is bad, whereas some may regard some "badware" to have "good" (aka beneficial) effects. Best wishes: Klaus (May 13, 2012) Zitat von "Goertzel, Karen [USA]" <goertzel_karen () bah com>:
In other words, flaws and defects caused through developer error, ignorance, negligence etc. can be exploited to cause harm. So even if one could prevent actual intentional malicious inclusions in software, one hasn't eliminated the problem of exploitable flawed logic. The megachallenge, of course, is looking for what one doesn't actually know is there. Which is why software security testing is so hard. === Karen Mercedes Goertzel, CISSP Lead Associate Booz Allen Hamilton 703.698.7454 goertzel_karen () bah com "I love deadlines. I like the whooshing sound they make as they fly by." - Douglas Adams ________________________________________ From: sc-l-bounces () securecoding org [sc-l-bounces () securecoding org] on behalf of Peter G. Neumann [neumann () csl sri com] Sent: 08 May 2012 11:30 To: Gary McGraw Cc: Secure Code Mailing List Subject: Re: [SC-L] SearchSecurity: Badware versus malware The differences are marginal.What's worse, bad software or malicious software? ...My book has a pervasive theme: Many things that could happen accidentally could be triggered intentionally. Many things that happen intentionally could be triggered accidentally. Trying to reduce one without the other may be foolhardy in most realistic threat models. _______________________________________________ Secure Coding mailing list (SC-L) SC-L () securecoding org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L () securecoding org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
_______________________________________________ Secure Coding mailing list (SC-L) SC-L () securecoding org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
Current thread:
- Re: Re (badware vs. "goodware"): SearchSecurity: Badware versus malware Goertzel, Karen [USA] (May 14)