On Fri, 2004-05-14 at 17:23, Konstantin Gavrilenko wrote:

> Tobias, following your logic, the people who found and disclosed the
> vulnerability that Sasser was abusing should be prosecuted together with
> the author of the viral code.

Why is that? Did they break German law? Are they responsible, through their actions, for damages sustained by third parties? Did *they* attack the systems of third parties by direct or indirect means? The answer is no. Releasing an advisory in a full-disclosure manner is something totally different from writing a virus and spreading it. Say, why do I have to explain these things anyway?! Do you guys have no moral perception at all?!

> What is the next stage? Jailing people who write "proof of concept"
> exploit code?

If a "proof of concept" exploit is released and it illegally manipulates data on third-party computers, spreads autonomously and "proves an exploit" against the permission of third parties on their systems, this is an illegal activity and as such should be prosecuted, and prosecuted hard.

> Punish Fyodor for writing nmap or maybe prosecute the
> nessus team?

Now you're being irrational. Comparing Sasser to nmap or nessus is a bit far-fetched, wouldn't you say? And don't tell me there is no sharp boundary between those two, because nobody ain't going to believe it.

> If the guy wrote the code and intentionally released the worm and
> infected half of the Internet then he is guilty,

He already confessed that the instant the police searched his house.

> but that remains to be
> proven.

The police have already confiscated and verified that he is the author of Sasser. The police are also investigating leads that friends helped him spread the virus.

> Nobody has cancelled the presumption of innocence yet!

Well, a confession that has been made isn't exactly a very strong presumption of innocence, is it?

> My personal opinion is that more blame should be put on M$.

The company is called Microsoft, or MS for short. Why don't you use its proper name? And why should blame be put on MS when they released a patch and advised their customers to install it two weeks prior to the release of Sasser?

There is no law against bad code or bad products, but there is law against the abuse and sabotage of computers. Let me get this right for you again: the Sasser author is the bad guy here. He is the reason I have to stay informed about bugs, because *he* is exploiting them and not MS. MS doesn't break my computer; it's him and his creation Sasser. (Actually this is somewhat wrong because I don't have a MS system anymore, but the point is still the same.)

> But where
> would the security industry be if not for Microsoft's products :)

Did you know that the Sasser author's mother runs a little IT consulting company? Now you can talk about self-interest...

Tobias

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
