Full Disclosure mailing list archives
Re: AV companies better hire good lawyers soon.
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 14 Sep 2004 13:38:07 +0200
* Jason Coombs PivX Solutions:
> I work as an expert witness in addition to being an infosec researcher, etc. and you would not believe how terrible the quality of computer forensics is in the real world today. To begin with, are you aware that people are going to prison in the U.S. for nothing more than having a compromised Windows box in their possession?
In this case, there's a fundamental flaw in the U.S. legal system. Any attempt to fix it with computer software or hardware will fail. A few years ago, I had similar concerns with German law enforcement, but then I had the chance to see how they operate, and I was positively surprised.
> We must put a stop to the rampant deployment of code as though there is some sort of 'freedom to innovate' guaranteed to every person who can learn how to program.
Well, the market demands exactly that sort of software, at that price, even from large software companies.
> Anyone who ships code without coordinating with others and joining the effort to figure out how to put a stop to the care-free deployment of code in the future is literally sending innocent people to prison.
Sorry, even in your flawed logic, this statement is false, or remarkably short-sighted. Users install software without any actual knowledge. My preferred solution is to make software so hard to set up that once the users get it remotely working, they know enough about the system to defend themselves against false complaints.
> It is time to impose licensing requirements for software publishers.
And users, of course.
> This is the only way to force compliance with standards of practice that have yet to be devised but that must include some centralized repository of forensic information and knowledge about all licensed programmers and program code.
You're kidding, aren't you? The customer doesn't want to pay for security. Most of the time, this is a sane business decision. Apart from the free speech issues, you'd also have to regulate the market so that it adopts practices which are currently considered economic suicide by *all* players.
> The solution is hard. Just explaining the full scope of the problem to people is hard.
There's a reason for your troubles: In democratic countries, people are used to their free speech rights. In the U.S., companies can even rely on the protection of commercial speech.
There are methods to improve security by government regulation which do not come close to Stalinist typewriter registration. For example, you could make software companies liable for defects in their products.
Back to your code registration proposal. It's remarkably short-sighted even from a technical perspective. What do you want to register? Source code? Binaries? There's a problem with both. There's injective mapping from source code to binaries, so pure source code registration doesn't help with forensic analysis. Even for binaries, there are legitimate reasons why installed copies can differ from the official ones: prelinking and other forms of optimizations, inoculation, applied hotfixes.
Code registration doesn't solve the problem that someone is framed with the help of malicious software, either. If your justice system is broken in the way you described, and there is no unregistered code on the machine, this will be taken as a proof that any action that was carried out by the machine was requested by its owner. As a result, a code registry would have the opposite effect you intended.
Furthermore, most code that is used for malicious purposes has been written by completely legitimate software companies, for completely legitimate reasons.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html