Friday, 2 June 2006

Interesting comments to When Security Exploits Have Exploits

Techdirt has this piece today:

A popular scam these days among some script kiddies is to lock up important data on someone's computer unless they pay an extortion fee to release the data. Of course, it should come as no surprise that these exploits have exploits of their own... as one security firm discovered this week, releasing the universal password that will unlock your data should you happen to get caught by one of these scams. Apparently, all you need to know is: mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. Of course, it's not surprising to find out that a script kiddie scam has exploits, but it does suggest a different kind of race for some security companies. Instead of just focusing on patches, look for ways to break the scam software itself. [my emphasis]

The commenters agreed with my emphasis (or perhaps I just highlighted what they commented on!):

I thought it was illegal and against the DMCA to reverse engineer software?

The script kiddies could sue the security firm for this!

This would kinda be like saying "I was robbing a bank, and the security guard hit me on my way out, I'd like to sue him."

Apparently if a burglar trips over your couch and breaks his ankle, he can sue you for damages in the U.S.

I know a guy in PA that shot a burglar in his home. The burglar fell down the stairs after he was shot and broke his leg. He sued the guy for medical costs, pain and suffering and emotional distress and the burglar won.
Messed up legal system? YES

The right to sue - Priceless

Who wants to guess how long it is before Techdirt is reporting the story of the ransomware creators suing under the DMCA?

A man was on the roof of a school in California (25+ yrs ago), in the process of committing burglary. The roof's access ladders were protected by "Authorized personnel only" signs. He tripped over, and fell through, a skylight in the dark, landing in the building below - breaking his back. He sued, saying that the school district should have placed warning signs to alert persons on the roof to the presence of the skylight. Not only did he win, but his case went all the way to the Supreme Court, AND WAS UPHELD!!

A security guard hitting a bank robber is well within his legal rights, and it's *mostly* ethical (it's his job and what general society expects him to do). To me, reverse engineering software (even malware) is not within anyone's legal rights, even though it may be considered ethical.

It seems that opinion is divided on whether the ransomware writers can or should sue the security company under the DMCA in the USA. Another angle is to look at the business case. If the ransomware writers can gather sufficient political power (like the record companies), they can lobby the US government to pass a law to protect their business model: ransom collection! OK, they should agree to pay the tax first!
