[iwar] Impact on public disclosure of vulnerabilities?

From: Charles Preston (cpreston@sinbad.net)
Date: 2002-02-28 09:50:58


Return-Path: <sentto-279987-4536-1014918677-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Thu, 28 Feb 2002 09:54:11 -0800 (PST)
Received: (qmail 21261 invoked by uid 510); 28 Feb 2002 17:51:57 -0000
Received: from n22.groups.yahoo.com (216.115.96.72) by all.net with SMTP; 28 Feb 2002 17:51:57 -0000
X-eGroups-Return: sentto-279987-4536-1014918677-fc=all.net@returns.groups.yahoo.com
Received: from [216.115.97.165] by n22.groups.yahoo.com with NNFMP; 28 Feb 2002 17:51:29 -0000
X-Sender: cpreston@gci.net
X-Apparently-To: iwar@yahoogroups.com
Received: (EGP: unknown); 28 Feb 2002 17:51:16 -0000
Received: (qmail 89539 invoked from network); 28 Feb 2002 17:51:16 -0000
Received: from unknown (216.115.97.171) by m11.grp.snv.yahoo.com with QMQP; 28 Feb 2002 17:51:16 -0000
Received: from unknown (HELO mta-1.gci.net) (208.138.130.82) by mta3.grp.snv.yahoo.com with SMTP; 28 Feb 2002 17:51:15 -0000
Received: from mmp-1.gci.net ([208.138.130.80]) by mta-1.gci.net (Netscape Messaging Server 4.15) with ESMTP id GS989D01.DKG for <iwar@yahoogroups.com>; Thu, 28 Feb 2002 08:51:13 -0900 
Received: from graywolf3 ([24.237.13.96]) by mmp-1.gci.net (Netscape Messaging Server 4.15) with SMTP id GS989C01.H1K for <iwar@yahoogroups.com>; Thu, 28 Feb 2002 08:51:12 -0900 
To: <iwar@yahoogroups.com>
Message-ID: <OCEDLLJFJEMAFJGHDCLNEEBODCAA.cpreston@gci.net>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-eGroups-From: "Charles Preston" <cpreston@gci.net>
From: "Charles Preston" <cpreston@sinbad.net>
X-Yahoo-Profile: cpreston_2000
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Thu, 28 Feb 2002 08:50:58 -0900
Subject: [iwar] Impact on public disclosure of vulnerabilities?
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

I may be misinterpreting the Digital Millennium Copyright Act, so anyone who
has a better interpretation please comment.

It looks like the debate on public release of vulnerabilities in code may
not be as important as it seems.  The way this Act seems to read, if any
binary code is protected by any means, including compression/encryption, it
can't be decompiled, disassembled or stepped through with a debugger.  Those
would seem to be more efficient methods of discovering security related
flaws than an infinite amount of testing input, or even carefully chosen
input, in many cases. (Anyone more expert please comment).  This prohibition
would probably even apply to looking for evidence that a certain compiler
was used, to establish that certain vulnerabilities are likely to be
present. The future availability of decompilers and disassemblers also
appears to be in doubt.

Microsoft and others may have put themselves under the protection of these
provisions by requiring activation of their new products.

      ``(B) a technological measure `effectively controls access
        to a work' if the measure, in the ordinary course of its
        operation, requires the application of information, or a process
        or a treatment, with the authority of the copyright owner, to
        gain access to the work.

There is a security testing exemption for examining code you have the rights
to, or for someone who has the rights, but it applies only to notifying that
party.  In addition, this section seems to impose a duty to use or maintain
such information securely, in a way that would prevent enough public
disclosure to (a) write an exploit and (b) allow anyone else to test whether
their system has, or still has, that vulnerability.  The "still has" may be
important, because some security patches have been defective in the recent
past.

Also, the security testing exemption applies to a criminal act with
penalties.  Can this be treated in the manner of an affirmative defense,
meaning they indict you and then you try to prove you fit the exemption?

cmp


------------------------ Yahoo! Groups Sponsor ---------------------~-->
Tiny Wireless Camera under $80!
Order Now! FREE VCR Commander!
Click Here - Only 1 Day Left!
http://us.click.yahoo.com/nuyOHD/7.PDAA/yigFAA/kgFolB/TM
---------------------------------------------------------------------~->

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 



This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:04 PST