Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: House approves spyware legislation
From: "Simon" <simon () xhz ca>
Date: Thu, 7 Oct 2004 10:39:03 -0400

I work for an ISP as a tech support agent, and some customers often call 
because they had spy/ad/malwarez in their computers.

Some of them need the internet to work, and as any business man knows time 
is money.  These folks take it very seriously and if they can't access 
important information because their browser is not functionning properly (or 
as usual) they loose time and money.

This is called sabotage.  And there should be charges against saboteurs (I'm 
not saying it can be done, or that it's possible, just that it is a sort of 
damage).

Of course, if they are able to browse the internet for a bit, I (the tech 
guy) can help them so they can download an anti-malwarez such as ad-aware.  
But sometimes, they have browser hi-jackers and can't browse at all, all 
they get is "some Super-ultra-search could not be found." all the time.  And 
if that is the case, all I can do is refer them to computer specialists that 
can reinstall windows and backup their files, charging them 70$ for it and 
taking a whole day or more for it!

On the other hand, I am also a hacker, and I finally understood the good in 
all this.  The best thing a virus or a malwarez can do is force the user to 
go to a computer shop for a complete reinstall and 70$ charge.  This way 
they learn.  Learning the hard way is not the best way, but it is 
efficient.  I remember seeing on Symantec.com, a string that was found in a 
certain virus (beagle??), symantec said the string was never displayed but 
was found inside the virus, the string was something like "Love sarah.  
Billy gates fix your software".  This is an example of very good virus.  The 
worst damage it can do is cost you some time and money.  But it does not 
Destroy anything.

The best thing we could do is make a petition against ActiveX, to remove 
that product from the market, that would certainly solve A LOT of troubles!

That was my 2c.

Simon

On Wed, 6 Oct 2004 23:18:12 -0400, Bankim J. Tejani wrote
While good in principle, this legislation is hopelessly 
unenforceable and is almost certainly just election year politics. 
 Somebody knows this and is probably the 1 vote against it.  Think 
about it:

Say that this was a law and someone does what you say and changes 
your homepage or something similar with some spyware.  Here are 
somethings that any prosecutor or civil attorney would have to 
consider before pressing charges:

1) How can you prove what the setting was before?  It's one thing 
for you to know what it was, but another to prove it in a court of 
law.  Otherwise it's your word versus theirs.

2) How can you find out who exactly was the person or company that 
took this action?  You're talking about a massive time undertaking 
to trace the packet data through every router between you and the accused.

3) Was their machine used by some hacker?  This, unfortunately (or 
fortunately, depending on how you see it), has been used in court 
and proved to be a successful defense.

4) What was the motive for changing your computer specifically?

5) What type of crime is appropriate?  Is it theft?  trespassing?  
moving your plant from your front yard to your back yard?

6) What is an appropriate sentence?  The five minutes you lost 
changing it back paid at your current salary?  A fine?   jail time?

I am not a lawyer, but only a little common sense about the law is 
needed here.  Some of these issues apply not only to this law, but 
all forms of cyber-related law.  Few organizations have successfully 
prosecuted under any form of cyber law.  The most notable so far has 
been the RIAA, whose cases were never tested in court, but used to 
torque people into paying fines rather than facing legal bills that 
would bankrupt them.

If we keep passing unenforceable legislation, all we'll end up with 
is a tomb of law with hundreds of thousands of lawyers looking 
through it and an internet that's just as lawless as it is right 
now.  On second thought, keep passing those laws.  <<searching for 
LSAT book>>

--Bankim

On 06 Oct, 2004, at 19:09, RandallM wrote:




<|>On Wed, 6 Oct 2004 05:03:45 -0700, Gregory Gilliss
<|><ggilliss () netpublishing com> wrote:
<|>> Great, Not that I'm any fan of spyware, but this is just
<|>another law
<|>> against hacking. Think - what's the difference between this and
<|>> someone using XSS to "take control" of a computer? If you
<|>r00t a box
<|>> and deface the home page, then you've broken this law.
<|>>
<|>> <sigh> Instead of fixing the problem (poor software
<|>security) we pass
<|>> laws to punish the people who do the things that
<|>illustrate the problem.
<|>> Basic philosophical differences, blah blah blah ...
<|>>
<|>> Worst of all, do you really think that the spyware rackets
<|>will slow
<|>> down or cease because of this? Nope - they'll just migrate
<|>out of the jurisdiction.
<|>>
<|>> -- Greg
<|>End of Full-Disclosure Digest
<|>


I guess one has to decide if browser hijacking is not the taking of 
personal
property. I for one do not fine it amusing to open my browser and it 
has
been redirected to a hijacked page as my new Homepage!
If this law would allow me...the user to bring down hell upon these 
people
then I'm all for it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


--
Simon Lemieux (Simon () Xhz ca)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault