Vulnerability Development mailing list archives

Re: Civil Disobedience


From: Chris Ess <azarin () tokimi net>
Date: Mon, 15 Oct 2001 12:40:52 -0400 (EDT)

In case you have been living under a rock the past few weeks, you should
know that our civil liberties are under attack. Kevin Poulsen wrote:
"Hackers, virus-writers and web site defacers would face life imprisonment
without the possibility of parole under legislation proposed by the Bush
Administration that would classify most computer crimes as acts of
terrorism."

Perhaps you think this could not happen to you. Well, I would suggest you
read the story on Jerome Heckenkamp ( http://www.freesk8.org/ ), a
contributor to BugTraq who wrote an exploit for qpop and who is now facing 16
counts of computer crimes, a maximum sentence of 85 years, and up to $4
million in fines after Qualcomm reported him to the FBI. This case is harsh
now; just imagine if this happened under the 'Anti-Terrorism' bill. This could
happen to you.

This may or may not be the valid place to discuss this, but I think this
raises an interesting point.

Look at these two excerpts...

What is 'hacking'?  What is not?

More importantly... what does this mean about full disclosure?  For
instance, eEye released exploit code when they discovered the .IDA buffer
overflow that the Code Red worm and its kin used to compromise a good
number of Windows machines.  Many have criticized eEye for this, saying
that their exploit code led to the development of the worms.

Would this new law make the release of exploits illegal since one
(most likely someone not familiar with our work) could say that releasing
the exploit is like arming a terrorist?

To take things to an extreme, could this make vulnerability scanners
quasi-legal... or illegal?  After all, a "computer terrorist" could use
such a thing... even nmap... to determine if a machine is vulnerable.  To
'case out the target', so to speak.

If this does become the case... wouldn't that make security professionals,
such as ourselves, guilty under this same law that is supposed to catch
those we oppose?

This new movement in Washington, DC, troubles me deeply, as it should all
of us.  I believe we should all oppose this as well...

Some script kiddie who runs a DoS against my machine is annoying
(extremely annoying at times), but he's not a 'terrorist'.  Why should he
be considered as such?

And, more importantly, we should oppose this lest, by our inaction, we
become ensnared in it.

(You may think I'm predicting an excessive amount of doom and gloom and
that this will never come to pass.  I hope you're right.)


-- Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)



