My Security Planet » Tags » Random and Security

Feeds

10015 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

• Opensourcetesting.org News

10 items tagged "Random and Security"

Related tags: Software [+], republica08, identity, federated, Web, Touchpoints, Tools, Star, SDL, PHNeutral, OWASP, Network, Information, Events, Enterprise, Deepsec, DataCentric, Data, Corporate, Content, Conferences, Computing, Cloud, Chamber, Breaches, Bluehat, Awareness, Application, All, AJAX, 25C3

ha.ckers.org web application security lab

• 

  Happy 900 and RSnakes on a Plane!

  Posted: October 19th, 2009, 2:58pm CDT by RSnake

  Tags:  Random Security   [edit]

  I realized after I posted the last post that ha.ckers.org has finally reached the 900 blog post mark. I honestly didn’t think we’d make it. After how many hornets’ nests we’ve stirred up over the last 5 years that this version of this site has been online, it’s kind of amazing that the site is still going strong. So I decided to do a bit of a fun post. If you are lacking a sense of humor, please move on now. We’ll forgive you. Now, in reference to a recent Twitter post about yours truly:

  @shawnmoyer What no @rsnake’s on a plane joke?

  Speaking of RSnakes on a plane - I was taking a trans-Atlantic flight and I was bored - as an RSnake will tend to be after 2 solid hours of a classic but bad Meg Ryan movie. I realized that they had some games on the in-flight entertainment. Ahh, something to play, this should be amusing. Well, if the games were good, maybe I would have been more interested, but Blackjack sounded good enough for kicks. So I started playing. You start off with $100. Well, after me quickly losing a few hands, I decide that playing like a normal user is getting me nowhere. Let’s try some different tactics. How about betting $100 and then folding? Ah… I end up with a negative integer, somehow. Now what if I bet a huge negative number and fold again - like -200? Ah, I get an even bigger negative integer.

  What happens if I keep doubling my bet? Hmmm… this negative integer thing is getting huge. Oops! Blackjack - huge positive payout: time and a half larger than my bet even! Alas, somewhere around 1,000,000 is when the in flight entertainment crashed on me - and it turns out that clicking the button thousands of times to change your increment of betting from -50,000 to +50,000 in $5 increments is a really crappy way to make a flight go faster. But before all that, here’s the picture I took:

  
  Click here to enlarge

  How many things were wrong here? Input validation errors, logic flaws, and negative integers used for currency… The worst part was I couldn’t even bet someone a free drink that I could get a higher score than them because they offered free drinks in-flight. Alas! Anyway, this story was in case, like Mortman, you were wondering what it’s like to fly with RSnakes on a plane… Moral of the story - stop showing old Meg Ryan movies on airplanes.

• 

  Silver Bullet Metric

  Posted: April 24th, 2009, 12:15pm CDT by RSnake

  Tags:  Random Security   [edit]

  No, I don’t believe there is a silver bullet. But, I came up with an interesting thought exercise while I was at RSAcon that I like to call the silver bullet metric. I asked a number of notable security experts, vendors and analysis and everyone had almost the same reaction, which is that this is worth thinking about, but a hugely complex task to complete. So I thought I’d throw it out there and let the community think about it too. Let’s take a theoretical situation where we looked at any single security vendor out there and give them essentially as much money as they needed to do a complete global deployment of one of their security products. So if it was an anti-virus vendor, you’d give them enough to put AV on every desktop. If it were a firewall, it would be at every endpoint, and so on. Now, the metric is a combination of two scores a) how much is the total cost of ownership and b) what percentage of global online fraud has it decreased. Let’s take a few examples.

  If you put Anti-virus on every desktop in the world, would you stop viruses from existing? I think any reasonable person who understands how viruses work would say no. It will, however, make the bad guys work harder and iterate faster to get by the filters (boutique malware). So there is actually a diminishing return once you get above a certain level of deployment. On the other hand, at the very lowest end, if only a few people had anti-virus they would be pretty well protected, because the virus authors wouldn’t bother trying to figure out a way around it. Of course everyone else who doesn’t have the AV is screwed in that scenario. So the right percentage of deployment for anti-virus isn’t global, it somewhere in the middle in that simple example.

  If we’re talking about firewalls doing proper egress filtering, that would stop some worms from propagating, but it probably wouldn’t solve enough of the problems compared to the other options out there. If we’re talking about whitelisting applications that can run on computers, that would probably solve a much bigger percentage of the problems compared to firewalls, but the total cost of ownership is through the roof - and who is going to monitor and create all those whitelists. Eesh!

  But back to AV for a second - AV has the hidden benefit outside of security that theoretically increases longevity of computers. So AV increases the lifetime of the computer, although the decrease in usability of the computer because of the resources that are being used might offset that number. Anyway, all of that factors into the total cost of ownership. Once we go through that exercise (which is probably best left for the product managers of each product line to do) you come up with a few interesting metrics. The first is the silver bullet metric, and the second is exactly what the maximum level of deployment that product or service should get to before it stops being an effective tool for the money - because TCO might change depending on how widely it is deployed as well (economies of scale, diminishing returns, etc…).

  I’m not at all saying I have the right answer, or that I do believe there is a single best product out there, but to be the devil’s advocate, what if we did find that one product or service had the best silver bullet metric - what then? Why would we back any other technologies at that point? Anyway, it’s a fun thing to think about. Perhaps it’s just another lens by which to look at the security industry through. Of course this exercise has it’s evil twin too - which is the types of exploits that can be performed and their own associated cost benefit analysis.

• 

  Crime and Punishment

  Posted: January 15th, 2009, 2:44pm CST by RSnake

  Tags:  Random Security   [edit]

  This post is meant to be overly controversial, but it’s also meant to make people think. Please take that for what it’s worth. My most recent publisher said that I shouldn’t make excuses before I say something, but in this case, I think it’s warranted because it’s a little out there, but I also think it’s a topic worth discussing. Please bear with me.

  Looking back in American history, there have been a few significant military losses of recent years. We could easily call Korea a loss, and Vietnam was the worst “police action” in American history. Afghanistan is a tossup, and only time will tell. However, I think there is a perception that there is no way the United States could ever have won those wars. That’s just not true.

  The United States has a wide variety of unconventional weapon options and military tactics that it never used. For instance, we never ventured north of a certain line in Vietnam, but only for political reasons. We also never used nuclear, or non-nuclear WMD’s. The United States stockpile of biological, radiological and chemical weapons is unrivaled by any country it has ever gone to war with since WWII. But it never chose to unleash those weapons or pursue those tactics, and ultimately the US lost. But more interestingly, the US chose to lose.

  I think this analogy speaks nicely to a computer security problem regarding crime in general. There are a set of options that we as computer security practitioners have at our disposal but we also have chosen not to use them. I would say that in well over three quarters of the attacks that I am aware of, it is trivial to find the person who is responsible for them. Sure, that could change and yes, it’s easy to frame people for crimes they did not commit, but for the moment, let’s just pretend that that statistic was valid.

  There are two ends of the spectrum of punishment. On one end we have capital punishment - the ultimate result. It’s pretty much a guarantee that their life of crime is concluded upon their death (barring time delay attacks which are incredibly rare). Most people don’t believe in capital punishment for any purpose other than extreme cases and still I would say there is no clear consensus about when it should be used. However, there is no debate about the finality and clear effects of capital punishment.

  On the other end of the extreme we can do absolutely nothing, or worse yet, reward the attacker for their actions in some way. I would argue that more often than not the second is the option we as a security community take. When we are aware of a problem we either do nothing at all because we believe it won’t actually work against our systems, or we block the attackers, under the false premise that that will stop them. In reality it only makes them stronger because they now know how our defenses work, which they can either try to circumvent later or use as knowledge against other targets elsewhere.

  Only in the most extreme cases do we actually bother to track down, locate, arrest and prosecute attackers. And even then the penalties are usually only a few years in jail. Most experts believe that jail is not an effective rehabilitation habitat. While it’s admittedly unclear what the effect is on computer criminals, it’s certain that it is not an effective deterrent given how much computer crime occurs.

  Now let’s imagine for a moment that we were decide that capital punishment were a reasonable solution to a problem, because it was an actual deterrent. I know people who care a lot more about their life than they do about jail time, so it’s not an unrealistic assumption. Let’s take a small slice of computer crime, that’s considered by almost everyone to be a minimal offense but also highly annoying - spam.

  A few years ago a spammer was killed with a hammer. Now let’s say whether by vigilante justice or state sponsorship, once a week a spammer was killed in the same way, as a symbol to all other spammers everywhere - keep it up and you’re going to end up like this. It’s a terrible fiction I’m spinning here, I know, but I honestly believe it would reduce the amount of spam far more than the amount that was generated by the deceased spammers alone. It would actually have the effect most punishment is designed to have - it would be a deterrent. Although, admittedly it’s gruesome and unrealistic.

  So on one end of the spectrum we have nothing which is what we are primarily doing now, and on the other a punishment that outweighs the crime. (Technically, we actually are doing something - we are making it less financially viable for the attack to be profitable by reducing the amount of spam that gets through, but we are a long way from succeeding, unfortunately). In the same way that the US wasn’t about to start using thermonuclear weapons in Vietnam and Korea and most likely won’t in Afghanistan either, we as a society aren’t going to start killing spammers at any rate necessary to act as a proper deterrent. Now I told you all of that so that I could get to the real meat of the matter. What is the proper proportionate response to computer crime to act as a deterrent?

  There was an interesting section of a book (the title is escaping me as I write this) that described things that were off limits in a pen test. Things like rubber hose cryptanalysis are apparently not allowed during a pen test (although if anyone wants me to beat them up to see if I can get their password out of them, just let me know - I’ll give you a discount too). It’s funny but it’s also true. In the real world that is an option, just not one that many people use.

  So things that are typically off the table that we don’t talk about as a real option are things like kidnapping loved ones, extortion, torture, and of course capital punishment. While all real actual options, we have tied our own hands and said we aren’t allowed to use them. We also take other options off the table, like hacking into people who hack into us, DoSing them and so on. We aren’t even allowed to fight back! So the real heart of the matter is what is the right response to a packet bound for your network that intends to do you harm? Should we keep ignoring it or should we instead track the originator to the ends of the planet and enact a gruesome deterrent for the greater good of all humanity?

  No, put your gun down, I’m not saying we should go on a spammer killing spree, although I’d be plenty happy to use my rubber hose on them every once in a while. Perhaps instead of killing people we should make it a priority to actually pursue attackers instead of defending ourselves in a reactionary manner. My friend Mike Rothman is fond of saying “REACT FASTER”, but maybe reacting isn’t enough. Maybe we as a society are missing the most important dimension of this whole thing by focusing on reacting instead of going on the offensive.

  We actually pursue shoplifters and put them in handcuffs, which in terms of monetary loss can pale in comparison to a computer criminal’s potential. Shoplifting is a relatively petty crime too, yet the consequences are so severe compared to the crime itself and with the wide proliferation of modern loss prevention technology most people don’t shoplift. Maybe if more people were actually forced to face the consequences of their computer crimes all over the world, it would have the effect the laws were intended to have - which is to limit the breadth and scale of the crime itself.

  Until something like that happens, I find it difficult to believe we will ever see a real decline in computer crime. I know one thing for certain - what we’re doing now isn’t working.

• 

  Security Expert Rehabilitation

  Posted: October 22nd, 2008, 4:18pm CDT by RSnake

  Tags:  Random Security   [edit]

  In light of my last gloom and doom post, I wanted to turn the tables and add some humor. A while back a bunch of us came up with the concept of a security expert rehabilitation program. Once we give up security and go back to manual labor we need to re-acclimate ourselves to the rest of society. So, in no particular order, here’s what the rehabilitation program might look like:

  Step 1: Sign up for a MySpace account. Facebook is fine too. Actually why not all of the social networking platforms? It’s easier to keep in contact with everyone if you do. Make sure to fill out each form field completely and accurately!

  Step 2: Pick a password that is easy to remember and make sure to write it down on a sticky note. Feel free to tell your friends in case they want to use your account too. Better yet, make a list of all your passwords and change them all - to “password”. If someone is annoying and makes you use a number, “password1″. An upper case, a number and a special character use “Password+1″. Now tear up that pesky list you just made. You’re living easy now aren’t you?

  Step 3: Download every third party widget, gadget, movie, game you can think of onto your social networking profile. Cuz that’s fun. And make sure to put every gory detail about who you are, where you live, what your birthday is, what your mother’s maiden name is, what you like and dislike, etc…. And feel free to update it regularly with any and all personal information that may have changed. That way people can get to know you better.

  Step 4: Log into your newly created webmail account and email all your friends your likes and dislikes. Don’t forget to enable HTML rendering so you can see all the neato pictures! And don’t feel afraid of hitting reply to those spam emails. That’ll help them know that you’re not interested.

  Step 5: Start downloading toolbars and desktop applications galore so that you can get your real time stock quotes, shop for beanie babies and know what the weather is like in Iceland at all times.

  Step 6: Go ahead and remove all that anti-spyware and anti-malware junk. It makes your computer so much faster if you do! Plus, who wants to keep hitting “Ok” and “Allow” to every security warning? Turn `em off!

  Step 7: Go ahead and plug that laptop right into the Internet. No need to use a firewall. Those are just complicated anyway. Or better yet, just go to the local cafe and use their public wifi. Hey, cute girls hang out there - that’s what normal people do: they hit on cute girls who are using open wifi. You want to be normal too, don’t you?

  Step 8: Don’t bother to lock your computer when you go to the bathroom at your cafe. Let the police worry about crime - it’s not your job anymore.

  Step 9: Open all the attachments you get in emails. Hey, they might be important, and you don’t want to be rude to whomever sent them to you, now do you? That’s not what normal people do.

  Step 10: And finally, start clicking on all ads everywhere. They wouldn’t give a “special offer” to just anyone!

  If I don’t post before then, have a great week and a good Halloween for those of you who celebrate the more pagan of holidays!

• 

  Flying Woes

  Posted: June 2nd, 2008, 9:01am CDT by RSnake

  Tags:  Random Security   [edit]

  I’m with Bruce Schneier. I never really spent enough time on airplanes to be particularly annoyed by the entire process until last year. I actually wrote the majority of this on a flight to Las Vegas for the SANS conference today as a matter of fact. While cumbersome and obnoxious in many ways, I’ve managed to isolate myself from the majority of those annoyances with things like off line email (won’t off line enabled JS apps rock your world - you’ll be able to hack as you fly!), mp3s and noise canceling headphones. Further, packing light (see onebag.com) makes my life just a lot easier.

  But, and here comes the big but, why in this day and age are we still turning off portable electronic devices as we take off and land? The stewardess was making a joke that that includes wristwatches, pace makers and hearing aids. I’ve inadvertantly left my cell phone on during a flight last year, we must have narrowly escaped our death on that one. Somehow the terrorists haven’t figured out this critical weakness in our security yet though, thankfully. Anyway sarcasm aside, I’m with Bruce.

  Some of these rules and security precautions are just complete nonsense. A knife that’s 3 1/2 inches is fine, but four inches and you’re a terrorist! Thankfully, I don’t really look like a trouble maker, if you could even articulate what a trouble maker did look like. So in all but one occasion I have managed to escape the involuntary TSA rub-down. All they’re missing is the oil and the sleazy seventies music!

  Anyway, I’m speaking at SANS in Vegas then flying to Orlando for GFIRST/US-CERT and then to Denver for OWASP. I’ll get plenty of chances to be annoyed by the safety threat that I present by using noise canceling headphones between now and then I’m sure.

  I’m not exactly sure why, but this reminds me of when I was doing a speech for the OWASP chapter in Minnesota. It was on a University campus. Being nice enough to host the event they also gave us an AV person. The AV person decided that I was an idiot upon only looking at me and made it clear that I shouldn’t touch her computers, yet she didn’t have anything installed despite the fact that she said she had MS office, the projector was having problems and it was clear she was pretty clueless. Yet she was still obviously annoyed at my gentle questioning. My friend was ready to rip her head off and was surprised I didn’t tell her who I was and where to shove her attitude. Sometimes it’s better to let people think they know what they are doing until they prove it to themselves that they don’t. She eventually gave up and let me do it myself (my own laptop and a non faulty cable later and we were up and running). I’m still waiting on the airline industry to come to the same conclusion as our beloved AV maiden.

• 

  Lifelock CEO Gets Identity Stolen

  Posted: May 23rd, 2008, 5:54pm CDT by RSnake

  Tags:  Random Security   [edit]

  I got sent this link today and I actually laughed out loud when I saw it - Todd Davis (CEO of LifeLock) had his identity stolen. I completely understand and can feel for the poor CEO who probably genuinely thought that his company could protect from all forms of identity theft, but the harsh reality is it didn’t. My favorite quote from the article:

  “There’s nothing to indicate my identity has been successfully compromised other than the one instance.”

  Other than the one instance, that is, but it was just that once. Annnyway, the biggest problem I have is with the $1,000,000 protection they have, which, unfortunately has absolutely nothing to do with the kind of thing that Davis faced. It has to do with technology breakdowns in the system - a far less likely occurrence.

  Our service guarantee is simple, but it is limited. We will pay up to $1,000,000 to cure the failure or defect in our service…

  Not only that but on their site it’s highly deceptive:

  What LifeLock doesn’t stop, they fix at their expense up to $1,000,000.

  Nooo… what Lifelock doesn’t stop you are on your own for. It’s too bad, because I really wish this company were squeaky clean. There are so many people who actually could benefit from it. Maybe if Davis just hadn’t plastered his information all over the place…

Justice League

• 

  Security And Market Forces

  Posted: March 6th, 2008, 5:04pm CST by jOHN

  Tags:  Software Security Software Security   [edit]

  Gunnar Peterson wrote an excellent post lamenting the lack of market forces in the security space.

  I don’t know when we’ll see such market forces affecting companies but do agree they would have a positive impact. Certainly, I get why the security space hasn’t been subject to market forces yet though:

  • People haven’t historically been ready to pay for it
  • Companies haven’t entered the market with something valuable enough to invest in

  First: what people are willing to pay for. Simple question: if a development team has a $10M budget, how much does it, say, spend on quality? 10-40%? OK. How much does it spend on software security?

  Second: The security space, at least with respect to Software or Application Security, has indeed moved beyond its purely missionary roots: people know they face a problem. People do not, however, know what to do about it.

  Lack of direction hasn’t resulted from the vendors’ failed productization of a tool set or services though. No, it’s resulted from the lack of mature solutions in the space. Penetration testing companies were gobbled up last year but my experience has been that, for the most part, customers haven’t been willing to invest in these tools far beyond their initial purchases and the smallest amount of shepherding.

  In fact, most organizations I’m working with have seen either a reduction in reliance on or an outright backlash towards penetration testing. Use of static analysis tools and code review, while on the rise, has not reached ubiquity in response (We’ve yet to see what will happen in a broader context, having only completed what I consider to be the early-adopter phase).

  What do we do about it? Partnering more closely with customers has been something I’ve felt very strongly about. Listening more closely to them remains crucial. Even involvement at this level can be tricky to fund at all but the most interested customers.

  There’s work to do as vendors too. Because, while we’re through the missionary phase, we’re not through the education phase in security. We must spend more time helping clients understand what attainable next steps look like for them. Moreover, I think we have to work with them to solve some of the problems we’ve avoided: we need to clarify salient next steps ;-)

  How are we really going to get enough security knowledge in the hands of developers to change their behavior in a sustainable way? How are we going to scale code analysis so that it has some of depth of expertise, manually applied, but all of the consistency and speed of automation?

  Technorati Tags: software security

ha.ckers.org web application security lab

• 

  Self Incrimination or Privacy

  Posted: January 27th, 2008, 4:32pm CST by RSnake

  Tags:  Random Security   [edit]

  There’s a really interesting case being talked about over at the Washinton Post regarding a man who is accused of having downloaded child pornography on his computer and then encrypting it using PGP. This actually has some pretty interesting and wide-reaching implications for citizens in the US. Either a) he has to release the password and self-implicate (assuming he is guilty) b) lie under oath or c) find himself under contempt. This is a tough one.

  Personally, I’d feel very uncomfortable holding up freedoms to save a pedophile, but at the same time, there are all kinds of legitimate reasons I may want to encrypt data (I do it all the time for customers, for instance). But maybe a guy has cheated on his wife and doesn’t want anyone to know about it. Or maybe he has a furry fetish and has hopes for a political campaign some day. I’m pretty torn on this issue, unfortunately because regardless of the outcome it can end up being a bad thing. I wish I could call this one a cut and dry case. But either way the outcome will be worth finding out about because either it will be a matter of imprisonment for contempt or a safe haven for anyone doing anything illegal. This will be a landmark case for our industry in many ways, for good or for bad.

  Ugh… either way this one leaves a bad taste in my mouth.

• 

  Facebook Privacy Issues

  Posted: January 6th, 2008, 8:05pm CST by RSnake

  Tags:  Random Security   [edit]

  This actually comes a few months late, but I’ve read enough about it that I think it’s worth talking about. There’s an article on the Silicon Insider talking about the newest integration between Facebook and Blockbuster, Fandago and others. Had I not already heard all the details and fallout I probably would have said, “Sounds like a complicated threat model. I hope someone did their homework.” Alas, they did not.

  What’s fallen out from this is a privacy issue that’s complex and fascinating. Firstly, the title of the Silicon Insider article is pretty telling, “Do You Want Your Grandmother to Know You Bought Porn? Well Learn to Opt Out” Facebook has taken an interesting stance towards your privacy. You can opt out of them giving it to people you are friends with. The opt out process is in question as is the concept in general. One of the best examples of why this was a problem I’ve heard is that it ruined people’s x-mas presents, because it was displayed on their friend’s Facebook profile.

  It’s clear that this is just another way to monetize their users, and not a use feature that consumers typically feel comfortable with. Of course, if you aren’t buying anything bad, you have nothing to worry about. But even still, do you really feel comfortable with your friends knowing everything you’re buying? Do we have any privacy anymore? This is getting to be a pretty voyeuristic society - because it’s easy to monetize people’s privacy by taking it away from them.

  I’m not particularly upset with Facebook, in particular - they are hardly the first company to forsake people’s private information for monetary gain. But I think this sort of behavior is only making people distrust social networking. It should be noted that some of the people who built some of the largest social networking sites in the world are also data mining experts - it’s not a leap to figure out why those two are a dangerous combination for privacy. So while I’m not upset with Facebook - you won’t find me building a profile there anytime soon.

• 

  New Ban Proposed In UK Against Hacker Tools

  Posted: January 3rd, 2008, 12:54pm CST by RSnake

  Tags:  Random Security   [edit]

  There is some interesting commentary on The Register and even better detail on ">Light Blue Touch Paper about a proposed ban in the UK against dissemination and the eventual use of hacking tools. So if you run a site out of the UK with worm code on your site, that can be used to commit a crime, you should pay attention to whether this law is passed or not.

  I suppose it’s not dissimilar from putting a handgun in a schoolyard although it’s really hard to tell intent in either case. Often times the research done on this site and others of it’s kind are academic and are helping to solve the problems. Granted that same information can empower less scrupulous types, so that’s at least partially the intent of the law. However, I would bet money that this does little, if anything, to stop the proliferation of exploitation materials. This will no doubt simply force hackers to move their equipment offshore or go more underground - which could be bad for investigators, and for researchers alike.

TOP RSS Gregarius 0.5.4 Tentatively valid XHTML1.0, CSS2.0 Last update: Thu Mar 11 14:26:46 2010