Full Disclosure mailing list archives

[Fwd: A FINFlash from the Freedom to Innovate Network]
From: Jason Coombs <jasonc () science org>
Date: Thu, 08 Jul 2004 22:06:29 -1000

> Online snooping and deceptive advertising practices should be stopped.
> But Congress is now considering a bill, H.R. 2929, "Securely Protect
> Yourself Against Cyber Trespass Act" (the "SPY ACT"), that could block
> legitimate software operations and thwart innovation.
> Read more <http://go.microsoft.com/?linkid=698586>

This is related inversely to the recent appeals court decision that extends the Steve Jackson Games precedent excluding "stored electronic communications" from the Wiretap Act to not just hard drives, as were dealt with explicitly in the Steve Jackson Games case, but RAM and any other data storage device as well.

Microsoft and others are opposed to criminalizing the installation of software without user consent.

However, when you consider the legal impact of the installation of software on the rights of the computer owner, there really can be no other conclusion than that unauthorized software installation must be made a crime.

Software installed on a box has access to RAM, hard drives, and other storage in which "stored electronic communications" may exist as defined by the Wiretap Act. Pursuant to the U.S. v. Councilman appeals court ruling, software that intercepts electronic communications is by definition not intercepting "electronic communications" but rather is intercepting "stored electronic communications," as the software accesses those communications by way of RAM, not by way of a direct physical tap of a wire that is transmitting "electronic communications."

Because of this new ruling, software can now be given features that allow access to any "stored electronic communications" that it can find, and there will not be any criminal prosecution possible of the persons responsible for harm that such software is used in order to cause.

There are many ways for attackers to get code executing on our boxes without our consent, and in the past it was presumed that planting of malware was usually, if not always, a criminal act in violation of various computer crime statutes.

Now, however, it appears that all one need do to successfully avoid prosecution is claim that the software was not malicious because it didn't cause harm to the box it infected; that all it did was intercept "stored electronic communications" and give remote access to it, or variations on that theme; and that because it was not a crime to install the software in the first place, it was not a crime to intercept the communications, and the software did no damage to the computer, there can be, by definition, no criminal act.

Unless perhaps a remote exploitable vulnerability is used to plant the malware? Windows users authorized Windows to be installed, along with all of its default vulnerable ActiveX Controls and Internet Explorer -- how can a little bit of HTML, an OBJECT tag, a GUID, and some script, all of which make use of only those features of the authorized software present on the box through consent and willing participation on behalf of the box owner, be a criminal act? We're not talking about overflowing buffers here, we're just talking about asking IE to do what it was designed to do: allow unauthorized installation and execution of software.

This is all very strange, but very real.

Criminalize unauthorized software installation now!

And, criminalize unauthorized software installation that is enabled by another program that was previously authorized. It should be a crime to install software with authorization that then installs software without authorization.

Precisely where software starts and stops, whether updates to a single program are allowed without consent, whether a single "program" can grow to include new features without consent, and so forth, are difficult issues that now need to be figured out and factored into legislation.

Particularly since there are new legal loopholes that allow software to do what it pleases without consequences for those responsible.

Without the voice of information security professionals in this process, we are all going to regret the outcome.

Jason Coombs
jasonc () science org

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
