Re: Re (badware vs. "goodware"): SearchSecurity: Badware versus malware

["Goertzel, Karen [USA]" <goertzel_karen () bah com>]

Agent software is all well and good. 

But if you secretly implant the agents, and design them to be undetectable, and do not inform the intended user of the 
system that they are there, they are spyware - and at best, unethical. And, by my definition at least, unethical = bad. 


===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_karen () bah com

"I love deadlines. I like the whooshing sound they make as they fly by."
- Douglas Adams

________________________________________
From: brunnste () informatik uni-hamburg de [brunnste () informatik uni-hamburg de]
Sent: 13 May 2012 04:17
To: sc-l () securecoding org
Cc: Goertzel, Karen [USA]; Peter G. Neumann; Gary McGraw
Subject: Re (badware vs. "goodware"): [SC-L] SearchSecurity: Badware versus     malware

Karen, whereas "flaws and defects" can hardly be argued to have possibly
some "good" affects, there have been many controversial arguments whether
some "malware" (aka viruses) may have "beneficial" effects and may
therefore be regarded as sort of "goodware". Indeed, I vividly remember a
controversial debate with Fred Cohen at a MITI-invited conference in
Tokyo (in the 1990s) whether viruses may be used for beneficial purposes
(e.g. implanting automagically some security measures). My counter
argument that good intentions of authors must be explicitly communicated
to users (aka "usees" as their system is used without their knowledge
and agreement) was not shared by the esteemed colleague, and I also
remember controversial discussions at our lab (VTC of Hamburg university)
with Vesselin Bontchev about aspects of "good viruses" :-)

My 2 cents: nobody will (hopefully) doubt that "badware" is bad, whereas
some may regard some "badware" to have "good" (aka beneficial) effects.

Best wishes: Klaus (May 13, 2012)

Zitat von "Goertzel, Karen [USA]" <goertzel_karen () bah com>:

> In other words, flaws and defects caused through developer error,
> ignorance, negligence etc. can be exploited to cause harm. So even
> if one could prevent actual intentional malicious inclusions in
> software, one hasn't eliminated the problem of exploitable flawed
> logic.
>
> The megachallenge, of course, is looking for what one doesn't
> actually know is there. Which is why software security testing is so
>  hard.
>
> ===
> Karen Mercedes Goertzel, CISSP
> Lead Associate
> Booz Allen Hamilton
> 703.698.7454
> goertzel_karen () bah com
>
> "I love deadlines. I like the whooshing sound they make as they fly by."
> - Douglas Adams
>
> ________________________________________
> From: sc-l-bounces () securecoding org [sc-l-bounces () securecoding org]
> on behalf of Peter G. Neumann [neumann () csl sri com]
> Sent: 08 May 2012 11:30
> To: Gary McGraw
> Cc: Secure Code Mailing List
> Subject: Re: [SC-L] SearchSecurity: Badware versus malware
>
> The differences are marginal.
> > What's worse, bad software or malicious software? ...
>
> My book has a pervasive theme:
>   Many things that could happen accidentally could be triggered
> intentionally.
>   Many things that happen intentionally could be triggered accidentally.
>
> Trying to reduce one without the other may be foolhardy in most realistic
> threat models.
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L () securecoding org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L () securecoding org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________




_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________