zlacker

[parent] [thread] 10 comments
1. zelphi+(OP)[view] [source] 2024-08-12 09:14:49
> If your software is only intended to demonstrate the existence of a security flaw but contains no payload, then it is less obviously criminal. Still technically so, I suppose, but not so obviously that you couldn't make some kind of argument.

I do not see anything criminal at all in writing some malware or exploits. _Applying_ them to a system, where they might cause damage however, that is a completely different matter.

You don't go after the blacksmith or manufacturer of kitchen knifes or guns either. You go after the one using them for the wrong purpose.

replies(3): >>msh+d3 >>jltsir+18 >>ivan_g+49
2. msh+d3[view] [source] 2024-08-12 09:51:27
>>zelphi+(OP)
A knife have legal purposes to be used. Does malware?
replies(2): >>ok_dad+C3 >>layer8+97
◧◩
3. ok_dad+C3[view] [source] [discussion] 2024-08-12 09:55:54
>>msh+d3
Would you prefer only criminals research security issues?
◧◩
4. layer8+97[view] [source] [discussion] 2024-08-12 10:44:34
>>msh+d3
Unlocking bricked systems you own.
replies(1): >>ivan_g+c9
5. jltsir+18[view] [source] 2024-08-12 10:55:56
>>zelphi+(OP)
It's often the intentions that matter. Doing X may not be a crime, but doing it with the intention to commit crime could be. And while outsiders can't know the true intentions, courts are often happy accept the intentions seen by a "reasonable person" as the truth. Which means that if you want to write malware, you should look like a respectable person and not do anything too shady.
6. ivan_g+49[view] [source] 2024-08-12 11:06:53
>>zelphi+(OP)
>I do not see anything criminal at all in writing some malware or exploits.

MaaS (malware-as-a-product) is certainly criminal. There’s no legitimate purpose in writing control servers or admin panels for DDOS or ransomware.

replies(1): >>spwa4+Yc
◧◩◪
7. ivan_g+c9[view] [source] [discussion] 2024-08-12 11:08:06
>>layer8+97
This implies certain user interface that is different from criminal use cases. I.e. certain types of knives are considered weapons rather than kitchen appliances and even carrying them will get you problems in some jurisdictions.
◧◩
8. spwa4+Yc[view] [source] [discussion] 2024-08-12 11:47:42
>>ivan_g+49
Pretty much every such product uses libz, libssl, and these days websocket and javascript libraries. Are they malware? Very often the border between malware and non-malware is not clear. There are many command and control software that have no payload, and no exploits to spread. Are those malware? What about IRC/XMPP servers, webRTC/STUN/servers + proprietary equivalents, name resolution services (from DNS to some company's active directory), DHT, game servers (minecraft, quake) and other public services that often serve as or contribute to command-and-control hubs?

But I'm not really interested in drawing an actual clear line. I'm worried especially what will happen if a local police officer or court judge takes action based on their personal assessment of a cybercrime. And now, with this law, international action. Right now often DNS is sabotaged, usually on a way larger scale than necessary, to achieve a court order. Inconveniencing everyone, often right up to gTLDs.

Usually such a court order then doesn't work because the fact that a court case exists (and the time these things take) serves as ample warning for the malware authors plus you can use encryption to hide the command and control servers beyond the reach of even sabotaging DNS. And even that is assuming the damage isn't completely done by the time a decision is reached.

Actual prevention of malware attacks is the domain of extra-judicial agents working at security companies, and they usually disable malware by injecting their own payloads, something that even currently is highly illegal, and sometimes causes the justice system to go after these individuals.

replies(1): >>ivan_g+qF
◧◩◪
9. ivan_g+qF[view] [source] [discussion] 2024-08-12 14:58:17
>>spwa4+Yc
> Pretty much every such product uses libz, libssl, and these days websocket and javascript libraries. Are they malware?

The answer to this question is obvious and the question doesn’t have to be asked. In what kind of thinking a product considered malware would imply that its generic components are also malware? It is clear logic fallacy. Same with C&C software - I don’t get how do you generalize it to IRC. I do not also see how this generalization can happen in law enforcement or courts.

replies(1): >>spwa4+8V1
◧◩◪◨
10. spwa4+8V1[view] [source] [discussion] 2024-08-12 22:17:54
>>ivan_g+qF
I'm trying to say that:

1) this is on a spectrum. For libssl it's pretty obvious. For DHT? Significantly less obvious, I would say.

IRC gets a mention because it has been used as C&C for a VERY long time, and hasn't changed anything to prevent this from happening.

2) it's not experienced techies that will make this choice. It's uninformed judges or even police officers directly.

replies(1): >>ivan_g+MY1
◧◩◪◨⬒
11. ivan_g+MY1[view] [source] [discussion] 2024-08-12 22:46:19
>>spwa4+8V1
1) when software is developed with legitimate purpose in mind, it is not malware. If a developer of such software is persecuted, it would be easy for their legal defense to demonstrate it _unless_ there’s some other regulation that prohibits such use cases (eg something similar to EU Chat Control proposals).

2) it is very unlikely that police will go after such software. They need to connect it to their case first and that requires technical expertise, so it will likely be a cybercrime unit.

[go to top]