Date: Thu, 09 Oct 2014 16:45:29 -0500
From: dmc <dmc.osssec@...udsession.com>
To: oss-security@...ts.openwall.com
Subject: Re: liability

Disclaimer: My first post to the list.  That said I'd like to highlight 
some 'tinfoil hat' angles to the otherwise insightful comments from Solar-

On 10/09/2014 03:12 PM, Solar Designer wrote:
> I ended up writing a lengthy message (this one), but I am unsure if it's
> a good idea to have this topic discussed once again (such discussions
> had already occurred on other mailing lists years ago).  In fact, that's
> the main point I am making - while I've just spent/wasted some time on
> writing the below, maybe we should stop right here?  So if anyone has
> something new or some important historical references to add, please feel
> free to post, but I'd rather not see us digress into (I think) mostly
> irrelevant analogies in financial markets, with even more irrelevant
> detail on the French trader (referring to Sven's other posting here).
>
> I mention some paywalled articles below.  If anyone has URLs to free
> copies of those, please post.
>
> On Thu, Oct 09, 2014 at 11:11:34AM +0200, Sven Kieske wrote:
>> so at least when you're making money off software you should
>> be responsible for this software.
>
> That's tricky.  Is an Open Source project that accepts donations, sells
> CDs/DVDs, or/and runs ads on the website "making money"?  What if they
> also offer related paid services or even occasionally sell commercial
> licenses to the same software?  Would they be liable e.g. for up to all
> payments they ever received (or more?), even if 99.9% of the users never
> paid anything?  That may easily put them "out of business", or
> discourage them from starting the project in the first place.
>
> Of course, you can hope to reduce undesired effects of a new law by
> careful wording, listing categories of software it does or/and does not
> apply to, etc.  However, getting the legal system involved at all is a
> huge risk... yet you'd like to use it to reduce risk elsewhere?  The
> legal system is already akin to an over-engineered software program, and
> you're proposing to make it even more complex (more buggy, and requiring
> more resources to run).  What's worse, you don't get to write that
> "program", and you can't replace it on your "computer" with some
> alternative (short of moving to another jurisdiction, and even that
> option might disappear if the law becomes universally accepted).  You
> can request a "feature", and if the powers that be listen, they'll
> implement that "feature" in some arbitrary way that you might not like,
> yet all of us would be stuck with it.  In my opinion, this is extreme
> danger, possibly way beyond the risk from software vulnerabilities (to
> the extent that risk could be reduced by such measures).  Indeed, these
> are different types of risks, so a direct comparison of this sort may
> only make sense in specific contexts (e.g., effect on a country's
> economy or on people's quality of life analyzed in some specific way).
>
> I am not saying I am strictly against this approach, although that is my
> current stance given the (frankly) rather limited impact that software
> vulnerabilities actually have on us so far despite being widespread.

Here is where a tinfoil hatter like myself has to disagree.  No, as a TH 
I have no 'proof' of the widespread impact I believe exists.  But 
neither did any of us about the fears that Snowden gave 'proof' of 
years after much rational distrust and reasoned threat assessments by 
THs like myself.

I 'believe' (call it a cyber religious belief) that the impact of 
software vulnerabilities on us is hardly 'limited' in the sense you 
suggest.  I 'believe' that organized criminal groups, including the CIA, 
the NSA, the Mafia, the Triads, and others have already used these 
software vulnerabilities to collect a Kompromat database on everyone in 
the world.  I 'believe' this because I have a degree in computer 
engineering, and I've smoked a lot of cannabis, and I have a deviously 
creative mind.  For years prior to Snowden, I was certain the sorts of 
shenanigans that Snowden revealed were taking place.  My only evidence 
was my own knowledge of the sorts of things that were technically 
possible, and a view of the sorts of things the human race was known to 
have done repeatedly in the past.  (and some exposure to the culture of 
Silicon Valley)

Even today, there are nuanced aspects of how the Snowden thing is 
playing out that lead me to be ever more certain that more nefarious 
things are going on (read: Kompromat based control of global and local 
politics).  Just the way certain stories are more and less covered and 
how they are covered.  Certain things don't make sense to me outside the 
possibility that key elements are still being withheld from the public 
discourse for no other reason I can imagine than threats of violence or 
economic persecution against those that would elevate them in the public 
discussion.  Go read a timeline of Snowden in 20 years akin to the 
shellshock timeline recently discussed here.  There are things that make 
no _reasonable_ sense.  There is some heinously big shit going on here. 
  I.e. I strongly believe that despite all the rhetoric, the U.S. 
government has, and continues to _shield_ the citizenry of the world 
from the extent of (tying back into topic) "the (not so limited) impact 
of software vulnerabilities".

The idea that organized criminal outfits, in league with, or under the 
moniker of the NSA/CIA/FBI might already be controlling US politics with 
a Kompromat database of dirty laundry intercepts, is something that you 
aren't going to hear about in a presidential debate or on the pages of 
the NYT.

Again, I have no proof of this.  I just have a mother that grew up in 
and around Berlin throughout WW2, and a knowledge of the history of the 
East German Stasi.  And COINTELPRO, SNOWDEN, COTTONMOUTH, etc, etc, etc.

Anyway, TL;DR, tinfoil hat, whatever.  I just felt the need to vent, 
because I agreed with the overall insightfulness of the rest of the 
comments.  But a difference in perception on the limited issue of how 
software vulnerabilities have really impacted global human life, can 
make a lot of difference to how you look at things.

Take BadUSB for instance.  I have no evidence that 
NSA/CIA/FBI/Mafia/Triads are crawling around my firmwares.  I just know 
the sorts of things they could accomplish with a few key bribes and 
threats to employees of tech firms, and the tech firms whose tech the 
other tech firms use to develop and deploy their tech.  And what they 
could do with the ability to record from the microphones of every wifi 
connected laptop with a built in mic, and mobile phone.  Even if they 
lacked the storage requirements to collect an en-masse Kompromat 
database that includes my own privacy being violated, the fact that they 
can leverage privacy violations against today's 14 year old boys and 
girls who will become the mayors and senators of the next generation... 
scares the living shit out of me.  I pretty much assume it was already 
done to past generations, and is responsible for much of the shape of 
the current world structure.  The current world structure which leads to 
issues like security vulnerabilities from closed source firmwares being 
swept under the rug, and assured as not having a serious impact on our 
lives.  So that we don't decide to fundamentally reevaluate the big 
picture in a way that will actually cause any meaningful change.


> (I think the negative impact of introducing liability for software
> vulnerabilities might well be broader.)  What I am saying is that it's a
> really tough tradeoff, and that in my opinion anyone who feels confident
> about it is either wrong in being so confident or has values different
> from mine.

Wise words.  In some sense as I get older, I get less confident in my 
paranoid conspiracy theories.  On the other hand- 
Snowden/PRISM/ParallelConstruction/Stasi/etc...

$0.02... Don't kill the messenger...

-dmc


