Re: n.runs, Sophos, German laws, and customer safety

[Jerome Athias <jerome.athias () free fr>]

Hi,

it is important to notice this.
The mentioned german law comes after the similar french law called lcLEN 
(aka Fontaines's law).
In 2003-2004, a petition was done against this law, with around 15,000 
signatories...
http://www.iris.sgdg.org/actions/len/petition.html

for nothing...

"A new anti-security law was voted yesterday in France, this law called 
LEN (loi pour la confiance dans l'économie numérique)":
http://www.securityfocus.com/archive/1/359969

And after that we had the Guillermito's story
"Hacker Indicted In France For Publishing Exploits": 
http://slashdot.org/article.pl?sid=04/03/31/1543248
http://constitutionalcode.blogspot.com/2005/01/guillermito-reverse-engineering.html

Good luck to our neighbours from Deutschland...
I salute you!
/JA

Steven M. Christey a écrit :
> The n.runs-SA-2007.027 advisory claims code execution through a UPX
> file.  This claim is inconsistent with the vendor's statement that
> it's only a "theoretical" DoS:
>
>   http://www.sophos.com/support/knowledgebase/article/28407.html
>
>   "A corrupt UPX file causes the virus engine to crash and Sophos
>   Anti-Virus to return 'unrecoverable error. leading to scanning being
>   terminated. It should not be a security threat although repeated
>   files could cause a denial of service."
>
> It is unfortunate that Germany's legal landscape prevents n.runs from
> providing conclusive evidence of their claim.  This directly affects
> Sophos customers who want to know whether it's "just a DoS" or not.
> Many in the research community know about n.runs and might believe
> their claim, but the typical customer does not know who they are
> (which is one reason why I think the Pwnies were a good idea).  So,
> many customers would be more likely to believe the vendor.  If the
> n.runs claim is true, then many customers might be less protected than
> they would if German laws did not have the chilling effect they are
> demonstrating.
>
> It should be noted that in 2000, a veritable Who's Who of computer
> security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
> Levy, Alan Paller, and other well-known security professionals -
> published a statement of concern about the Council of Europe draft
> treaty on Crime in Cyberspace, which I believe was the predecessor to
> the legal changes that have been happening in Germany:
>
>   http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html
>
> Amongst many other things, this letter said:
>
>   "Signatory states passing legislation to implement the treaty may
>   endanger the security of their computer systems, because computer
>   users in those countries will not be able to adequately protect
>   their computer systems... legislation that criminalizes security
>   software development, distribution, and use is counter to that goal,
>   as it would adversely impact security practitioners, researchers,
>   and educators."
>
> If I recall correctly, we were assured by representatives that such an
> outcome would not occur.
>
> - Steve

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature