Full Disclosure mailing list archives

Re: AV companies better hire good lawyers soon.


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 14 Sep 2004 13:38:07 +0200

* Jason Coombs PivX Solutions:

> I work as an expert witness in addition to being an infosec
> researcher, etc. and you would not believe how terrible the quality of
> computer forensics is in the real world today. To begin with, are you
> aware that people are going to prison in the U.S. for nothing more
> than having a compromised Windows box in their possession?

In this case, there's a fundamental flaw in the U.S. legal system.
Any attempt to fix it with computer software or hardware will fail.

A few years ago, I had similar concerns with German law enforcement,
but then I had the chance to see how they operate, and I was
positively surprised.

> We must put a stop to the rampant deployment of code as though there
> is some sort of 'freedom to innovate' guaranteed to every person who
> can learn how to program.

Well, the market demands exactly that sort of software, at that price,
even from large software companies.

> Anyone who ships code without coordinating with others and joining the
> effort to figure out how to put a stop to the care-free deployment of
> code in the future is literally sending innocent people to prison.

Sorry, even in your flawed logic, this statement is false, or
remarkably short-sighted.

Users install software without any actual knowledge.  My preferred
solution is to make software so hard to set up that once the users get
it remotely working, they know enough about the system to defend
themselves against false complaints.

> It is time to impose licensing requirements for software
> publishers.

And users, of course.

> This is the only way to force compliance with standards of
> practice that have yet to be devised but that must include some
> centralized repository of forensic information and knowledge about all
> licensed programmers and program code.

You're kidding, aren't you?

The customer doesn't want to pay for security.  Most of the time, this
is a sane business decision.  Apart from the free speech issues, you'd
also have to regulate the market so that it adopts practices which are
currently considered economic suicide by *all* players.

> The solution is hard. Just explaining the full scope of the problem to
> people is hard.

There's a reason for your troubles: In democratic countries, people
are used to their free speech rights.  In the U.S., companies can even
rely on the protection of commercial speech.

There are methods to improve security by government regulation which
do not come close to Stalinist typewriter registration.  For example,
you could make software companies liable for defects in their
products.

Back to your code registration proposal.  It's remarkably
short-sighted even from a technical perspective.  What do you want to
register?  Source code?  Binaries?  There's a problem with both.
There's an injective mapping from source code to binaries, so pure source
code registration doesn't help with forensic analysis.  Even for
binaries, there are legitimate reasons why installed copies can differ
from the official ones: prelinking and other forms of optimizations,
inoculation, applied hotfixes.

Code registration doesn't solve the problem that someone is framed
with the help of malicious software, either.  If your justice system
is broken in the way you described, and there is no unregistered code
on the machine, this will be taken as a proof that any action that was
carried out by the machine was requested by its owner.  As a result, a
code registry would have the opposite effect you intended.
Furthermore, most code that is used for malicious purposes has been
written by completely legitimate software companies, for completely
legitimate reasons.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html