Full Disclosure mailing list archives

Re: House approves spyware legislation
From: James Tucker <jftucker () gmail com>
Date: Wed, 6 Oct 2004 16:53:36 +0100

On Wed, 6 Oct 2004 08:07:38 -0500, Todd Towles
<toddtowles () brookshires com> wrote:
> Why make more computer laws...when the current computer laws can not be
> enforced correctly? We all know that the CAN-SPAM Act really cut the spam
> out of our e-mails *sigh*

There is clearly a lot of computer-related crime that cannot be
enforced, but this is not dissimilar from the physical crime that is
carried out all over the world undetected (fights, drugs, fraud,
(war?), you name it). The difference is scale (or is it really that
different? maybe not). When a physical law is broken and it has been
brought to the attention of the authorities they can prosecute because
the law exists. Many physical offences also go unnoticed as with the
digital world. If the laws don't exist in either world, then in both
the result is the same -> you can't prosecute. While this law may not
be a solution to the problem, it does mean that people can be
prosecuted when they are found. It is clear that it is significantly
easier to prove this law has been broken than it is to prove that an
offence has been committed under older laws. This also includes the
ability to target the developers as well as the middle men
(distributors).

> Then the INDUCE act will make half the stuff
> in a normal person's house illegal.

This should fall under "proper authorisation" and some companies may
need to make changes to their software licenses and install routines
in order to comply.

> Making laws is just playing around...paper on top of paper doesn't stop
> anything.

It does put a significant brake on those who are prosecuted as a
result of its existence.

> It all falls back to the old saying - Action speaks louder
> than words.

Any proposals as to how it could be done properly, without breaching
privacy laws?
Should we be requesting ISPs to deny all addresses which are housing
malware? Could they ever afford to manage such a task? Should the
government subsidise security systems? Again, could they afford to?
What about the millions of ways around the protections, proxies,
tunnels, bouncers, undiscovered regions, de-centralised connection
mechanisms?

This is a multinational issue and it is very true that one country can
only regulate so much. The underlying infrastructure of the Internet
(in particular its protocols and connectedness) is built to withstand
outside influence (such as a connection orientated attack of the
malware) and to successfully provide communication even in 'bad'
scenarios, as a result it will always be subject to the ability for
people to 'hide under' and 'go around' most of the technological
challenges that are put in front of them, at the very least in terms of
communications. This means it is hard to fight this battle from the
technology side unless you can impact a significant proportion of the
world (like making changes to the functionality of a common operating
system for example; but even this takes significant time to spread).

Given the above, I suppose all I can say is "every little helps".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

