Analysis Of Symantec's Stance On Censorship
robochan writes "According to this report in the Sydney Morning Herald, Chief Operating Officer of Symantec, John Schwarz, was quoted as 'calling for laws to make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers.' This article takes a look at the negative effects and also a couple of recent examples of "censorship legislation" backed by the COO of Symantec, and what little effect it has had on criminals, while having a substantial effect on responsible citizens."
It's obviously anti-First Amendment (Score:2, Interesting)
Speech is not 100% protected. There are types of speech which have been declared illegal: obscenity, fighting words, etc. Perhaps it is time to take the fight to virus writers.
Re:It's obviously anti-First Amendment (Score:2, Insightful)
You can say whatever you want, but what happens afterwards is another thing.
Re:It's obviously anti-First Amendment (Score:5, Insightful)
the article states that they want to criminalize "shar[ing] information and tools online which could be used by malicious hackers and virus writers".
tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?
this is like that crime in britain: "going equipped to commit arson". ie, having a lighter in yr pocket. it's all about selective enforcement. ie, the law is interpreted by the police officer.
now, extrapolate this situation to something like, say, computing - something that joe average judge-or-cop knows virtually nothing about.
am i the only person who can see this being a bad bad thing?
Re:It's obviously anti-First Amendment (Score:5, Insightful)
Or, to take it to an extreme, Notepad/vi/emacs.
After all, the most basic tool required for writing a virus (or any piece of code) is your bog-standard Text Editor.
Re:It's obviously anti-First Amendment (Score:3, Funny)
Re:It's obviously anti-First Amendment (Score:3, Funny)
no really i would
Re:It's obviously anti-First Amendment (Score:4, Insightful)
Or, to take it to an extreme, Notepad/vi/emacs.
No, take it to the logical ironic extreme, Norton AntiVirus 2004 is the best way to QA your virus to make sure it will get by anti-virus software. So, really we need to make sure that virus writers don't get access to such powerful debugging tools. We obviously need to ban anti-virus software in order to stop viruses from being written.
Sometimes the simple solutions are the most effective.
My thoughts as well (Score:5, Insightful)
Pretty much what I thought. There isn't a lot that you can really ban that would stop a virus writer without negatively affecting regular ol' developers, much less people who work in the security field.
Frankly, I find all this silly. Most people that are handing around information on how to produce viruses will also hand around copyrighted software as well. That's illegal, but it really doesn't seem to stop them.
The right solution is to harden hosts against viruses and worms. Outlook is a huge vector, because it has traditionally made embedding active content and executing attachments very easy. Outlook should go away. The macro system in Word is inappropriate for a format frequently used for general document distribution. Permissions should be tightened up -- there's a reason the UNIX world doesn't run into viruses.
Re:It's obviously anti-First Amendment (Score:4, Funny)
Outlook Express
Re:It's obviously anti-First Amendment (Score:2, Insightful)
Re:It's obviously anti-First Amendment (Score:5, Insightful)
Re:It's obviously anti-First Amendment (Score:5, Interesting)
Freedom of speech is absolute. No exceptions.
Obscenity is not illegal, but you can be held accountable for any harm it may cause others (including mental anguish). The FCC has obscenity guidelines for the public airwaves that TV and Radio stations must follow. The on-air personalities can say whatever they want, and their words are not illegal. The FCC can however mandate that the corporations using the public airwaves do not broadcast obscenities, and that they either bleep them or silence them, at the risk of being fined (stipulations of using the public airwaves for free).
Fighting words are not illegal either, but you could get in trouble if you incite violence, which IS illegal.
Yelling "FIRE!" in a crowded theatre is actually not illegal either, but you will most definitely get in trouble for endangering the public if you do it.
There is a distinction here you have to make.
Words by themselves are not and cannot be illegal, nor can the usage of those words be deemed illegal. The first amendment guarantees that.
The results of what happens because you spoke your words of choice, however, CAN be held against you.
If you say in a public place "I wish he were dead" (about anyone) you have the right to do so.
However, if you were to say "Go kill this guy", and someone who heard you went out and did just that because of what you said, then you would absolutely be held accountable for saying it.
Anything you say is legal, regardless of content.
The consequences of what you say are another matter entirely.
Fighting virus writers by banning the words they write is absurd and stupid. It is a slippery slope we do not want to enter. It sets a dangerous precedent that can and will be abused. If you ban one use of language, it's very easy to ban another. Next we'll be banning negative movie reviews because they can hurt the movie's business and thus must be banned. Or perhaps we'll start calling people traitors if they criticize the President. Oh, wait, Ann Coulter already is doing that. But of course she has the right to say that too...
Re:It's obviously anti-First Amendment (Score:3, Interesting)
Nope. Freedom of EXPRESSION is. Freedom of speech is far from absolute, and you listed many examples why.
Subtle difference, but there are many things that you can face charges for saying. Libel, Slander, the list goes on and on. But no one can arrest you for expressing an opinion.
In other words (Score:5, Funny)
Re:In other words (Score:2)
Re:In other words (Score:2)
Information and tools (Score:5, Insightful)
Re:Information and tools (Score:3, Insightful)
Re:No, idiot (Score:5, Insightful)
Well, you're quite right. It would make virus building kits illegal.
But Schwarz also wants "to make it a criminal offense to share information". This means that identifying a security vulnerability could also be prosecuted.
Now, Symantec won't be prosecuted, because they'll keep vulnerability information close to their corporate chest, as "proprietary trade secrets"; they don't benefit from revealing the information. And they'll make sure to make the right bi-partisan contributions, so everybody will know they are good upstanding citizens.
But if you, or I, or Willie White-Hat Hacker publicizes the information, we'll be facing one of Mr. Ashcroft's boys. One of his prosecutors with the unlimited budget, the Federal warrant, and the granite-faced gentlemen who are paid to carry guns.
That this just happens to scare off any upstart competitor to Symantec and McAfee's control of their market, is, I'm sure, a purely unintended consequence of the fight against terrorism and the terrible threat to our nation of a haxored box adding a few hundred more spam emails to the torrent already flowing in from China.
Re:No, idiot (Score:2)
A clarification (Score:5, Informative)
http://www.smh.com.au/articles/2003/09/12/10632
Asked whether Schwarz would like to clarify whether he had really meant that full disclosure should be legislated against, Symantec's Asia-Pacific public relations group manager Lindy Yarnold did not directly deal with the query but said: "Symantec fully supports information sharing on threats and vulnerabilities and believes it is an important tool for consumers and IT professionals to gain a measure of early warning of potential attacks."
motive (Score:5, Insightful)
Re:motive (Score:5, Insightful)
Yes, but he doesn't want people to be able to clean them up themselves. Hence, he wants to limit the free dissemination of information to all, knowing full well that the black hats do not rely on official security bulletins to plot their next move.
Obvious (Score:5, Insightful)
Well, there will always be virus authors, it's like banning weapons: you're only taking away from those who get things through legitimate means.
Think what this would ban: bug tracking and security lists, compilers, assemblers, debuggers, hex editors, etc. These are how viruses get written.
However, if the public doesn't have access to any of this (particularly security tracking lists), then antivirus companies become the one and only legal source for fixes. Presto, huge demand created, which means more legislated profit.
There's your paranoia for the evening.
Re:Obvious (Score:3, Insightful)
Not true at all. In Europe, I don't think that most people, criminals or not, can get hold of weapons easily. There are better things to compare it to than banning weapons!
Think what this would ban: bug tracking and security lists, compilers, assemblers, debuggers, hex editors, etc. These are how viruses get written.
Apart from the first two, NO!
He didn't
Re:motive (Score:5, Interesting)
But if the number of viruses and worms goes down, I'm sure Symantec would be happy to write a few more to keep their profits up.
Re:motive (Score:3, Insightful)
Smokin' Crack (Score:3, Funny)
In conclusion, whether or not Symantec's COO is just smokin' crack or understands what is at risk, any attempt to censor these critical security tools, including exploit code, from the Internet will result in a constitutional travesty followed by a significant market downturn, a degraded security community, and the commercialization of vulnerabilities where the market is driven by the criminals we are trying to "stop".
Re:Smokin' Crack (Score:5, Funny)
Just wanted to say that this is the longest run-on sentence I've ever read that includes the words "smokin' crack".
Re:Smokin' Crack (Score:2)
Not a run-on sentence (Score:2)
Re:Smokin' Crack (Score:2)
So Symantec's anti-virus software will be illegal (Score:5, Funny)
Those damn virus-helpers over at Symantec, I hope the law skins them alive.
Symantec? (Score:4, Insightful)
Re:Symantec? (Score:2)
So of course the law would not apply to them, they're the good guys.
doesn't want competition? (Score:5, Insightful)
Re:doesn't want competition? (Score:2)
For example the management at Symantec may truly and honestly believe that if reporting bugs were illegal then all hacking would stop. Hackers would not trade information and the world would be virus free.
Trust me PHBs are really THAT stupid.
Re:doesn't want competition? (Score:5, Insightful)
Burglary Tools (Score:5, Interesting)
When (if ever) do 'hacking tools' fall under this category? Obviously any tool can be used with ill-intent, but are there specific pieces of software that could be classified as such?
Re:Burglary Tools (Score:3, Interesting)
Just an ordinary screw driver. Not modified in any way.
The really funny part is that was actually part of what he stole, and as he left the house to boot.
Was not the legitimate owner then also guilty of possession of a burglary tool? He even kept it in a toolbox on his back porch where burglars could get ahold of it (as evidenced by the fact that one did).
"Ok, now to see if the server is respo
Re:Burglary Tools (Score:5, Insightful)
In the places where it is trouble to carry lockpicks et al., you can't get busted for possession or ownership of the devices in the same way that you can get busted for possessing, say, pot or cocaine. Instead, the possession of those kinds of tools, WITHOUT a reasonable excuse, is considered prima facie evidence of an intent to commit wrongdoing. So if a cop catches you with lockpicks in one of these states, he can bust you for conspiring to commit a burglary.
But remember, prima facie evidence only means anything in the absence of a countervailing explanation. If you're a locksmith on the way to a house call, you're obviously not planning to commit a crime, and so the cop can't assume that you have intent. Well, he could, but a good lawyer could get the whole beef thrown out in pretrial.
More to the point--I think this comparison fails because information and tools relating to virus/worm manufacture are even more "dual-use" than lockpicks. Lockpicks are for opening locks--the only question is whether you have permission to be opening those locks. Tools and information that could POTENTIALLY be used to code malware would include every CS textbook, compiler, and PC ever made. And my lecture notes from Data Structures in Java (which are already pretty criminal on the basis of the handwriting).
Even exploit code has a legit purpose. Am I going to take offline/patch every sshd in my organization because of a crappy rumor that there's a remote DOS overflow? Hells, no! I ain't gonna patch shit until somebody shows up with an actual, working exploit--you have to manage these risks based on the likelihood that a threat exists (potential threats get patched tomorrow morning, actual exploits get patched tonight) and the amount of shit required to fix it (will this break remote access to all my servers? Do I have the manpower to test and deploy the patch right now, when I'm still fucking around with Windows RPC stuff?).
Re:Burglary Tools (Score:3, Funny)
Mind if I ask where you're working, name/address or ip will suffice. TY.
Re:Burglary Tools (Score:3, Interesting)
It's kinda like Thought Police, isn't it? To
Not quite. (Score:5, Insightful)
It's illegal to be in possession of burglary tools while committing a burglary, under the theory that bringing burglary tools to a burglary shows that you approached the burglary with premeditation and planning. Premeditated, thought-out-in-advance crimes are almost always punished more severely than "amateur night" or heat-of-the-moment crimes.
E.g., if I use a rock to break a car window, reach inside and pull out the stereo... maybe I'm a career criminal, or maybe I'm just someone who made a really stupid choice.
But if I've picked the lock on the door with a SlimJim, brought open specialized tools to crack the dash and remove the radio in 15 seconds flat, then it's a pretty good bet I've done this crime before and I'll continue to do it in the future--both of which make me a more serious criminal in the eyes of the law.
Slim Jims? (Score:3, Funny)
Slippery Slope (Score:5, Insightful)
Considering that virtually any tool can be used to hack, when does something get legislated as illegal? Somebody uses a web browser to hack. Is the web browser now an illegal hacking tool?
Okay, maybe that was too easy. But a packet sniffer?
I think one could easily make an argument that that is a hacking tool. Ultimately, the legal definitions may center around "public perception" as often seems to be the case in technical legalities instead of technical accuracy. This is, unfortunately, because the general public typically doesn't understand technically how things work. Notice most bad press is based around technologies that the average guy doesn't understand.
We're treading on dangerous grounds Symantec...
Slippery Slope...
Re:Slippery Slope (Score:5, Insightful)
Re:Slippery Slope (Score:2, Interesting)
Crack down on those dirty scientists! (Score:2, Interesting)
Re:Crack down on those dirty scientists! (Score:2)
Whee. (Score:4, Insightful)
anti-virus software, tool of the pirate (Score:5, Funny)
So what is this "Norton AntiVirus" for? To help people who download cracked software keep their computers healthy? Sounds like a shady product to me.
Re:anti-virus software, tool of the pirate (Score:2, Funny)
You sir, are wrong. There is a product on the market that comes shrink wrapped, and is by far one of the worst viruses ever made. They seem to have a legitimate business operation, but innocent users fall victim to their faulty coding every single day.
More information is available here. [microsoft.com]
Alternative Policy Applications? (Score:2, Interesting)
On the positive side, couldn't this also be applied to Windows, IE, and Outlook? Ignoring the buffer overflows (which all software has) these programs have been developing, promoting, and expanding the viral capabilities since at least 1998.
After all, there's more documentable evidence of Microsoft staunchly keeping an "open" environment to incubate and inspire malicious hackers mu
Well... (Score:3, Insightful)
The real question is, why won't Symantec create software that will deal with these issues as they arise. It seems like someone is trying to take the load off the company. It would be like Ford trying to make the speed limits of all roads 10mph. Now, they don't have to worry so much about making a safe car, as accidents are less likely to occur.
Obtaining power (Score:4, Interesting)
As Shaw said, patriotism is the last refuge of the scoundrel. Applied judiciously, it can also be very profitable.
This makes perfect sense, though (Score:4, Insightful)
But it's NOT true that a law like this would diminish incidents of new viruses and worms. Like the article says, it's already illegal to hack, and yet we still have hackers. Why?
1) 99.9% (or some similar ridiculous figure) of damaging incidents never lead to a prosecution--too little monetary loss to justify law enforcement attention.
2) Lack of willingness by private sector companies to report (and therefore allow legal penalties to accrue) computer security incidents--they don't want the bad publicity.
The existing laws don't work because they're not enforced often enough when violations exist, either because the violators aren't caught or because prosecution/investigation isn't done. So a new law will do WONDERS, I'm sure, to further intimidate those script kiddies.
It's obvious, though, just how much Symantec could gain from this--goodbye non-commercial security clearinghouses! You'd violate the law to post to an open forum, so nobody will bother (I'm sure Symantec would contribute resources to policing that aspect), and so there won't be any good open, public security resources. That gives Symantec the perfect market opportunity to fill the vacuum with a new pay-for-info service on pending bugs. The creation of a commercial relationship with subscribers gets them a free pass on the new law (it's not really public, more like those $1500 Gartner reports). And we all get fucked in the meantime.
This is so fucking transparent. I hope that boycott idea gets off the ground--I'd start it, but me and mine are all off Symantec, anyway.
1st Amendment (Score:2)
How many laws would we have today if they were checked before they were put into action by the high court of the land. Just even for that nasty bill of rights kinda deal.
Talk about checks and balances.
Re:1st Amendment (Score:2)
I assume you are referring to laws passed in the United States. If so, it is a long-established principle of constitutional law that the Supreme Court (and the inferior federal courts) do not issue advisory opinions. "The province of the court is solely to decide the rights of individuals." Marbury v. Madison.
I can respect that but! (Score:2)
Re:I can respect that but! (Score:3, Insightful)
The Court's statement signifies that it only settles disputes that arise between parties (i.e., individuals in most circumstances). These disputes have to satisfy the "case or controversy" requirement of Article III of the Constitution. To establish a case or controversy the plaintiff
Ok, post jurance got it but again... (Score:3, Interesting)
Ok, right. So what we are saying here is that, it's ok to pass laws that aren't legal until they wrong someone. And then when they get wronged they have to go through the *whole* court system before they finally get ruled on and then maybe if you're lucky the high court
Re:Ok, post jurance got it but again... (Score:3, Insightful)
Here's the thing: Legislatures don't typically pass blatantly unconstitutional laws (folks in the peanut gallery please save your PATRIOT Act jokes). So, courts rely on sufficiently interested parties (and injury in-fact is usually a good proxy for interest) to provide them with
Heh, I'll see your PATRIOT Act and raise you... (Score:3, Funny)
Re:I can respect that but! (Score:3, Informative)
Conservatives (and liberals) can "demand the resignation o
How coincidental is this really... (Score:5, Insightful)
I've said it before, and I will say it again, hiring Yoran is going to produce a huge conflict of interest, and it seems it has already started. Personally I think this comment was made solely to gain a favorite view in the government's eyes. Remember government spends millions on pork barrel garbage, and I'm sure Symantec is looking forward to riding the gravy train back and forth.
All aboard!
...and the moment has come (Score:2, Interesting)
why is it that... (Score:2, Insightful)
"Laws that forbid the unrestricted distribution of information...make ignorant only those who are neither inclined nor determined to commit crimes...Such laws make things worse for the victim and better for the criminal; they serve rather to encourage than to prevent unauthorized access to computer systems, for an insecure system may be attacked with greater confidence and ease than a secure system."
The other side is that
Obviously bad, but for an alternative... (Score:5, Insightful)
In other words, if you outlaw the legitimate dissemination of information regarding viruses and how they are made, you just made writing a GPL or BSD licensed antivirus program illegal - obviously anyone involved in such a project would have to break the law to obtain virus samples, disassemblies, and information. This might be good for Symantec, but it sucks for the rest of us.
However, there is a problem. There's a ton of viruses coming out every day, and the internet makes an extremely fertile ground for even a poorly written virus or worm. A simple virus or worm can literally bring a corporation's operations to a halt for a day or two - even if critical machines run moderately secure operating systems, the traffic overload and DDOS'ing from the compromised machines can be hell.
Most virus writers are kids that feel alienated by "the system". I think most studies have shown that the average virus writer ages are between 14 and 24 - meaning when people get older and join society, they generally phase out of virus writing for moral or practical reasons. For several papers on who exactly writes viruses, go here. [badguys.org]
So how do we prevent these kids from writing viruses? Outlawing information regarding viruses is a lot like outlawing the purchase of spraypaint - it isn't going to work, and it makes life suck for the rest of us.
But could we find ways to engage kids within risk groups and help them find useful outlets for their talent, so they could receive positive feedback and recognition for their work instead of getting their kicks unleashing their work on the world? I bet if you got a teenager that otherwise felt the world was against him or her involved in an open-source project they got excited about, where they were tutored and provided with positive feedback by more experienced mentors - they wouldn't have the time or the inclination to write viruses and will learn some very valuable skills that will be useful to them.
So how about this - start something similar to SourceForge for teens, and find programmers willing to donate their time mentoring these kids and helping them take their skills to the next level while teaching them the ethics and responsibilities of a first-rate programmer? Obviously such a system would need to be watched for abusive adults and any found would need to be banned and/or prosecuted, but if a bunch of good coders that gave a shit about kids did it I think it could seriously make a dent in the growth of the virus problem.
The other solution would be to make apprenticeships mandatory for budding programmers :)
Alternatives with unforeseen consequences? (Score:2)
Something occurred to me when reading this. What if we need these kiddies to do what they do today? These recent news makers are relatively harmless compared to the worst that can happen. If you've read
Re:Alternatives with unforeseen consequences? (Score:3, Insightful)
Personally, I'd rather not throw kids in jail [computerweekly.com] and ban them from computer usage once they get out - that's a good way to create a hardened criminal or a very bitter and suicidal geek.
There will always be someone writing viruses - whether for misguided political motivations, as a last gesture from a di
Re:Obviously bad, but for an alternative... (Score:3)
If a place was set up specifically for young programmers just learning the trade, I think it would have a better effect. In addition, I suspect you could get more sponsorship benefits in such an environment. Here I'm thinking Apple, Microsoft, RedHat, CodeWarrior,
freenet (Score:4, Insightful)
In a nation where ..... (Score:3, Insightful)
Hacker tools - Ban them, put anyone who writes or shares them behind bars??
File Sharing tools - Ban them, put anyone who uses file sharing behind bars??
And in more news... (Score:3, Insightful)
Symantec make their money from viruses. Why on earth should we take their pronouncements in any other light? Their dream world is one in which only the criminals and the megacorporations have access to the technology, so that the citizenry squashed between the two can pay a jolly penny.
It's ridiculous. The only defense against malware is transparency, competition, and the evolution of something approaching a natural defense system. Not suppression of the tools people need in order to develop their defenses.
A reply from Symantec on Bugtraq (Score:5, Informative)
He must be hangin' out with Darl McBride... (Score:5, Interesting)
He's stating that "Only the information security elite should ever have access to information security issues." Or if Bill Gates stated: "Only large enterprises should write operating system software. Linux should be outlawed." This means we'd all be forced to eat Microsoft's or Symantec's 'dog food'.
I ask you this: When was the last time Symantec wrote a signature for Snort? How about a nessus plugin? They want to get rid of the open source security model because they can't profit from it!
As an information security professional, I don't even listen to Symantec as their information is generally 2-3 weeks too late. It's like waiting for the Sunday paper to read about the double homicide that's taking place right now on your front lawn. All their info is being published after the fact! If they successfully cut off all access to information that is happening in the security community, then they make everyone reactive rather than proactive.
It doesn't matter how much detail Symantec offers about a virus or bug. I want to be able to take an exploit, compile it and run it against a test server on a test network. Capture the packets transmitted and analyze them. I want to dissect the 'worm' or 'virus' and develop an IDS signature as well as produce a Nessus plugin to scan other servers. If I use other tools, I want to have enough knowledge to look into their signature files to realize that they're looking for the wrong stuff and thereby giving false positives (or false negatives).
It's called FULL DISCLOSURE
Symantec is trying to tell us that I can do all this with a really descriptive set of documentation? Or maybe I should just turn my entire enterprise security model over to Symantec. Uh huh, sure... I don't think so. Gimme the code for the exploit.
Allow me to digress for a moment, stick with me though -- it's not too OT...
Let's talk for a moment about the MS03-039 exploit; the brother to MS Blaster. It's a really nasty bugger. Once it exploits a machine, it creates a user account of "e" with a password of "abc#321". Oh yeah, and the new user has admin rights.
This means the worm could use the newly created account to create other accounts, escalate privileges on existing accounts or just change everyone's password to a random string of garbage.
The price we could pay by not patching every single server and workstation this time around could exceed the damage done by blaster by a thousandfold. All it has to do is successfully nail just one Active Directory controller. Imagine if every single user on your entire network had their password changed on them, at the same time.
When blaster hit, it crashed the RPC service which forced the machine to reboot 60 seconds after the RPC service came crashing down. Imagine now that the infection process changes admin and user passwords, revokes privileges, then reboots the machine... Your network is now down, and you can't even get back in. You are screwed.
So, how do I know this info? Well, it just so happens that I've got the source code to the worm sitting on my machine right now! I'm not contributing to the project, but I'm sure as hell monitoring what is going on, and I sure as hell didn't get ANY of this information from Symantec.
The only info I'll get from Symantec is the day after the worm's release when they announce that blaster.b is in the wild and that I should have patched my boxes, and they're very sorry but there is no cleanup file available if it compromised your AD controller and changed all the admin passwords. Symantec also recommends you have current tape backups. That's like telling the car accident victim to buckle up. Just a little late there, Jack.
We are going to continue down the road of Full Disclosure debate until M$ et al. starts writing secure code.
We need a firebell in the night (Score:3, Interesting)
I'll tell you: just what we did to Intuit: kick Symantec where it hurts, in the pocketbook, until Symantec is ready to disavow Chris Schwarz and his attempts to limit free speech and free inquiry in the name of profit.
I've always had a soft spot for Symantec because of that awesome DOS product, Norton Utilities. And I still have a copy of Peter Norton's 8086 assembler tutorial. Just saw it yesterday, but now I can't recall which bookcase it's in.
But no more. I'm afraid this uses up my good will, and my willingness to see Symantec as the "good guys".
First, let's let Symantec know how we feel. The main switchboard number in the US is (541) 335-5000. The worldwide headquarters number is (408) 517-8000. Tell them you're a computer professional or enthusiast, that many non-specialists rely on you for advice, and that you won't be recommending their products again. And tell them why: because Chris Schwarz wants to criminalize people like you for warning other people about security vulnerabilities.
And then let's do what we said we'd do:
The right to bear arms... (Score:2, Insightful)
Such a Law would destroy their market (Score:2)
Let's face it, most virus propagation occurs because people don't know better or don't care because it's not their problem. The real tool of virus writers is the willful ignorance of the userbase. The truly sad thing about this law is it will tend to extinguish pockets of understanding.
Oh well one more Eye fo
What about compilers? (Score:2, Interesting)
Anyway, why should paid for tools be any different?
Obligatory Microsoft Bashing (Score:3, Funny)
Since it would kill BSD and GPL'd alternatives.... (Score:3, Interesting)
I might be willing to lend a hand if anyone has such a project and needs a coder. I bet you could reduce the money available to lobby for such stupid laws by commoditizing the market and destroying the profit in creating such laws - and such a product, if done well, would benefit the net as a whole.
I'm aware of Clam AV, but since it's POSIX oriented, it's not really a replacement. I'm thinking of something that supports modern AV features under Windows - e.g. real-time scanning, prevention of execution, modern heuristics, auto-updates, etc.
Of course, for corporations, the best solution would probably be something more along the lines of an access control program that disallowed use of any products that weren't officially sanctioned.
Legitimate uses (Score:2, Insightful)
information [...]which could be used by malicious hackers and virus writers
This is exactly the same information that's used to prevent and disable viruses.
Gruff marketing fluff (Score:5, Insightful)
He was being interviewed by Wired, and wanted to make gruff noises about the virus issue. He's a COO, so obviously he isn't technical enough to know what he's talking about. The danger, of course, is that because he's a COO, some dimwit who doesn't realise that COOs don't know anything might take him seriously.
If this did ever happen, it would be disastrous for Symantec and the whole antivirus industry. Not because there would be fewer viruses - that would be almost unchanged.
The disaster happens in the sharing of specimens of viruses. In order to code up detection, identification and repair, you have to have one of the things you're trying to handle. So, where do antivirus companies get specimens?
Two sources. 1) From their customers. This legislation would make it illegal for customers to send specimens to the AV companies using email or whatever. So what you gonna do, copy it onto a floppy disk and put it in the post? Not likely.
2) From the other AV companies. There's been an agreement in place for a great many years between the techies of the AV companies, that specimens get shared, so that when a new thing surfaces, customers aren't forced to buy an AV from any one source, customers still have choice. That specimen sharing would become criminalised.
I've just written to some people to explain that if they really want people like me (and you and you and you) to send them specimens of things that turn up, then they mustn't criminalise that.
Re:Gruff marketing fluff (Score:3, Interesting)
I'm curious - what do you think of my suggestion [slashdot.org] for reducing the number of kids in virus writing? I know it would be very ambitious, and woul
Criminalizing tools? (Score:3, Funny)
I guess that makes MS Visual Studio and MSDN illegal?
I was in Sears the other day... (Score:3, Redundant)
I noticed you can still go into the hardware (screwdrivers, power tools, etc.) section of Sears and buy bolt cutters. Bolt cutters have a legitimate use, even when used for cutting padlocks. However, I am sure that some have used them to gain illegal access, somewhere! Quickly, someone tell the government so we can make them illegal!
Of course, if Symantec has their way, they'll also make security testing illegal too. Idiots.
The Corporate Club? (Score:3, Insightful)
So, I guess the MS.Blaster worm was only propagated by corporate - and most often firewalled - networks? It wasn't caused by the vast numbers of broadband customers with entirely open computers on countless networks? Hmm.
The remarks that this statement targets (it was a statement made against Symantec) are utterly ridiculous. The way to get things done is not to remain hush hush. NTBugTraq often forced Microsoft (et al.)'s hand to fix a bug that was proven in concept but, perhaps, not yet exploited. It was only a matter of time before the hole would be exploited. If Symantec is turning their efforts of keeping machines "safe" to the "corporate machine", they aren't getting my or my company's business anymore. We need someone that will push to get bugs fixed and viri stopped at all costs - even if it means putting pressure on the publisher.
Besides, almost any post-back news site and development community on the 'net would be liable if such a law was passed. My email address is obtainable from this site and many others (SPAM-proofing aside, which isn't always hard to break if the crawlers look for common patterns). They're sharing my email address and, perhaps, other information.
If it's community backlash they're merely trying to avoid, then it's community backlash they deserve.
Apparent Misquote (Score:3, Informative)
I didn't even read the article (Score:3, Interesting)
I know this is outlandish but I propose we outlaw knives because they can be used to kill someone. History shows us how dangerous the knife is; for generations, the knife in various forms has been used to kill and maim people. Therefore, I think we should outlaw it. While we are at it, let's outlaw hammers, candlesticks, and rope since they have all been used to kill people.
My point is that tools sometimes have to be dangerous in order to do their jobs. It is not the hammer's fault if someone decides to use it to bash someone's head in! The same is true for the knife. Software "hacker's tools" are tools, just like hammers and knives. They can be used for good (and usually are) or bad (and sometimes are) but that does not mean they should be outlawed.
You know those "emergency hammers" that they sell to break car windows with? My guess is that more of them are sold to car burglars than are sold for their legitimate purpose. They are easy to conceal and break windows with a minimum of noise and fuss. Crooks use them every day. Why hasn't there been a cry to have those things outlawed, regulated, or controlled? It is because they are a tool, that the tool has a legitimate purpose, and that the crooks would simply use something else if it were made unavailable to them. I guess I'd rather have them carrying these hammers than a hatchet. Of course, I would rather see the crook in jail where he would have neither.
Why they are saying that... (Score:4, Insightful)
Of course, making anti-pick devices (exploit tools) illegal won't interfere with the activities of the criminal class any more than making firearms illegal has bothered them. This CEO is just another in the class of people who just can't seem to grasp the fact that lawbreakers don't care about laws.
The tools that create exploits are the tools that create software: languages and compilers for them. A case can be made that the Corporation's real agenda is to gain control of the tools for making software. If your product isn't needed by the Linux platform then the Linux platform is your enemy. If they get compilers outlawed only outlaws will use them. It won't stop the flood of WinXX infectors, as if Symantec wanted that flood to stop their only income stream, but it will stop folks from migrating away from WinXX to a platform that doesn't need Symantec's software.
Re:Well I for one.. (Score:4, Funny)
Don't look at me (Score:4, Funny)
Re:there does need to be something like this.. (Score:2, Insightful)
What about the programmers who were stupid enough to create a hole for the vulnerability? I know it's hard to error check code, but some holes are just that...stupid. As for your blaster worm comments, I don't think the code was released. You obviously have not programmed anything, it is not as easy as copying and pasting code.
Re:there does need to be something like this.. (Score:2)
KFG
What is "insightful" about this? (Score:3, Insightful)
This is the same mentality that would ban baking soda because it could be used to make crack, hunting rifles because "guns" are used in crimes, and information about making black powder because it could be used for explosives.
If the software provider has been warned about the issue and provided a copy of the exploit code for testing their fixes, I have absolutely NO sympathy for a vendor which doesn't provide a fix.
Nor do I subscribe to the asinine American penchant for blaming everyone else for the st
Re:What is "insightful" about this? (Score:2, Insightful)
It's still indicative of the American (and now British, too...) knee-jerk "compensation culture" that is becoming ever more prevalent. And the McDonalds case could be (and probably has been/will be) used as a precedent when something happens to a much lesser scale.
Re:What is "insightful" about this? (Score:3, Insightful)
I don't agree at all. People make rational risk assessments based on reasonable expectations.
I expect the water in a hotel shower to be hot. So before I step in, I wave my hand under the stream. If the water is so hot that doing that causes the skin on my hand to blister, I am going to hold the hotel responsible - even though I "expected" it "to be hot". I didn't exp
Re:What good is a law like this (Score:2)