From: "Charles Preston" <cpreston@sinbad.net>
To: <iwar@yahoogroups.com>
Date: Thu, 28 Feb 2002 08:50:58 -0900
Subject: [iwar] Impact on public disclosure of vulnerabilities?

I may be misinterpreting the Digital Millennium Copyright Act, so anyone who has a better interpretation please comment.

It looks like the debate on public release of vulnerabilities in code may not be as important as it seems. The way this Act seems to read, if any binary code is protected by any means, including compression/encryption, it can't be decompiled, disassembled or stepped through with a debugger. Those would seem to be more efficient methods of discovering security related flaws than an infinite amount of testing input, or even carefully chosen input, in many cases. (Anyone more expert please comment).

This prohibition would probably even apply to looking for evidence that a certain compiler was used, to establish that certain vulnerabilities are likely to be present.

The future availability of decompilers and disassemblers also appears to be in doubt.

Microsoft and others may have put themselves under the protection of these provisions by requiring activation of their new products.

``(B) a technological measure `effectively controls access to a work' if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

There is a security testing exemption for examining code you have the rights to, or for someone who has the rights, but it applies only to notifying that party. In addition, this section seems to impose a duty to use or maintain such information securely, in a way that would prevent enough public disclosure to (a) write an exploit and (b) allow anyone else to test whether their system has, or still has, that vulnerability.

The "still has" may be important, because some security patches have been defective in the recent past.

Also, the security testing exemption applies to a criminal act with penalties. Can this be treated in the manner of an affirmative defense, meaning they indict you and then you try to prove you fit the exemption?

cmp
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:04 PST