Bugtraq mailing list archives

Re: It takes two to tango


From: "Derek D. Martin" <ddm () pizzashack org>
Date: Wed, 31 Jul 2002 18:09:38 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At some point hitherto, Riad S. Wahby hath spake thusly:
> Two weeks later, a story breaks in the national news that a psychopath
> has taken it upon himself to rear-end all Ford cars on rainy moonlit
> nights.  So far, five people have died.
>
> Who is responsible, Ford or Consumer Reports?  Do you think Ford could
> successfully prosecute a lawsuit against Consumer Reports?

How about the psychopath?  Certainly Ford's negligence contributes, in
that it allows the opportunity for the psychopath's mission...  But,
as I think often happens in security circles, people are often wont to
overlook the responsibility of the misguided, perhaps unknown
individual who is actually committing these acts, in favor of the
obvious easy target with deep pockets.  People who commit computer
crime should be tracked down and punished according to the severity of
their crime.

OTOH, recent trends here in the United States suggest that
legislatures are passing, and judicial systems all too quick to make
use of very stiff penalties for crimes which often amount to
trespassing or vandalism.  Today's political climate seems to be
becoming one where it's not unlikely that someone will be sentenced to
life in prison for actions which largely amount to throwing a rock
through someone's window -- a crime whose penalty would itself likely
amount to some official court person admonishing the convicted to
"don't do that again."

Software vendors seem quite happy with this development.  It points
the blame at someone besides themselves, and relieves them again of
their duty to write good software that doesn't break when you sneeze
in its general direction.  The possible case of HP v. SnoSoft
highlights this issue.  Evidently writing good software is too hard or
too costly for many vendors, so they'd rather just prosecute people
who make them look bad.  It's cheaper, and it cuts down on the number
of people willing to do the kind of research and publish the results
that make the Bugtraq mailing list worth reading.

Despite all the work that has been done by the security community,
full disclosure seems only to have angered the software giants into
using their financial resources NOT to actually fix the problems with
their software, as a responsible corporate citizen would do, but
instead to keep people like you from exposing them and complaining
about them publicly, essentially making it illegal to do so.  And
through their most generous campaign donations, they have bought the
support of the legislature for such atrocities as the DMCA and other
similar legislation, which effectively squash your 1st Amendment right
to free speech.  We have wonderful agencies like the EFF and others,
who take on the challenges of combating these offensive laws and their
misuses, but they appear to be fighting a losing battle.  We vote in
public elections, and nothing happens.  So I ask the Bugtraq
community, what aren't we doing, that we can do to keep the corporate
giants from squashing our voices, and put technology back in the hands
of the people, where it belongs?


- -- 
Derek Martin               ddm () pizzashack org    
- ---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9SGAidjdlQoHP510RAur7AJ9lMgLl1chF4uXQ5c9fOSsbuescBQCfUH6P
8jWfj3hjxE3UiIRWW2WQeA8=
=r89C
-----END PGP SIGNATURE-----