Analysis of Symantec's Stance on Censorship

Last Update: Saturday, February 17 2004
Please notify me of any corrections or suggested additions
Jonathan A. Zdziarski
jonathan@nuclearelephant.com

According to this report in the Sydney Morning Herald, Chief Operating Officer of Symantec, John Schwarz, was quoted as "calling for laws to make it a criminal offense to share information and tools online which could be used by malicious hackers and virus writers". If this is the official stance from Symantec, then I must say I am convinced John Schwarz is smoking crack.

Our country has a history of censorship blunders and what I call "censorship legislation" that has mucked up our legal system long enough and crippled the responsible citizens with little-to-no effect on actual crime. What's even scarier is that a VP from Symantec was recently named the Dept. of Homeland Defense's Cybersecurity director, putting friends of Symantec in high places where this legislation could actually become a reality.

This short article will take a look at the negative effects of the censorship legislation backed by the COO of Symantec and also a couple of recent examples of "censorship legislation" ... and what little effect it has had on criminals, while having a substantial effect on responsible citizens. I can only draw one of two conclusions about Mr. Schwarz based on this stance. In my opinion, he is either completely ignorant of the effects of this type of legislation, or he is an avid supporter of weakening American infrastructure, American jobs, and the US Constitution.

In short, this article submits that the effect censorship would have on security professionals is enormous. Imagine being at the mercy of software patches distributed by vendors (which usually lag 2-3 months behind), and being unable to identify, test, and patch any of your own code or to even test your systems to see if you are susceptible to a particular vulnerability. Imagine the bad guys in black hats, and anybody else outside of the United States, having all the keys to your system, keys which it is illegal for you to own.
If this information and these tools are banned from circulation, this is exactly what can happen as a result. On top of this, professionals will be unable to verify any information that is legal to release, leaving them in constant fear of their infrastructure's security (several bogus vulnerabilities have been published for years now, and the only way they have been debunked is with exploit code and other tools). This is just the beginning of the types of negative effects this type of legislation will bring.

Now we'll look at some issues surrounding Mr. Schwarz's pro-censorship stance and why it is completely un-American. Let's call them the top 10 reasons to suspect John Schwarz is on crack.

Reason 1: It is already illegal to hack machines

Advocates of the censorship party argue that if it were illegal to distribute exploit tools and code, it would prevent a significant number of hackers from being able to hack machines. If legislation worked, why are machines still being hacked in the first place? Why do these hackers not realize that it's illegal to access unauthorized machines, and allow their respect for our laws to enlighten their judgement? Because criminals are criminals, and criminals are called criminals because they break the law. Passing "censorship legislation" will only result in tools and code being made unavailable to the private and government sectors, while remaining readily available on underground sites for criminals to use.

Reason 2: Censorship would weaken the United States' Security Sector and Strengthen International Sectors

Since American laws only apply to those in the United States, the type of legislation Mr. Schwarz is supporting would give birth to several non-US-based security lists, while at the same time restricting Americans from having access to this same information.
As a result, countries such as England and Germany will end up with stronger, better equipped security sectors, leaving professionals in the United States ignorant of the information they need to do their job. This ultimately will touch the US Government, leaving government networks more susceptible to attacks they can't fix because they don't have the right tools (not that I expect the government to pay attention to the law, but rather because the pool of support within the security community will have dwindled, the information may not be readily available in the US). It appears that Mr. Schwarz is also an advocate of moving jobs overseas, as this is the effect his suggested legislation would have. Why hire Americans when you can hire better-equipped Germans or Indians? Americans will be punished by this legislation; foreigners and criminals will not.

Reason 3: The Digital Millennium Copyright Act was a Failure

The DMCA, the last brain child of technology censorship, set out to do exactly what Mr. Schwarz is advocating, only for cracking copyrighted material. As a result of the DMCA, it is an offense to distribute code that evades copy protection or licensing mechanisms in copyrighted software. American tax dollars paid for the DMCA, and yet this law has had almost zero effect on the number of cracked software titles on the market today. The latest games, applications, and utilities are still cracked within hours of their release. For everything from Windows XP to Unreal Tournament 2003, you can find a crack on any IRC channel, underground FTP site, or P2P file sharing network. Why haven't criminals stopped doing this since the DMCA was passed? Because then they wouldn't be criminals - CRIMINALS BREAK THE LAW. Censorship legislation will only result in an ignorant American security sector.

Reason 4: It is unconstitutional

Many will argue that the freedom of speech does not cover releasing information about a particular vulnerability (such as exploit code).
It is easy to speculate on what the founding fathers valued when their technology was so limited in the 1700s. If we look to some original quotes from the founders, however, we see that it was not their intent to ever pass legislation that would take away the rights of the people. In fact, this country's freedom was more important to the fathers than their own lives, proven as they took up arms against their own government and gave orders to bomb their own houses when they were being used by the British - yet we have the arrogance to suggest that we should take away some of these rights over the potential cost of repairing hacks. A shining example of the importance of freedom is made in the following quote with regards to the second amendment (right to bear arms):

"Laws that forbid the carrying of arms...disarm only those who are neither inclined nor determined to commit crimes...Such laws make things worse for the assaulted and better for the assailants; they serve rather to encourage than to prevent homicides, for an unarmed man may be attacked with greater confidence than an armed man."
-Thomas Jefferson, quoting Cesare Beccaria

Are exploit tools and code legislation to be taken more seriously than firearm legislation? If we were to paraphrase this and apply it to Mr. Schwarz's argument, it would read something like:

"Laws that forbid the unrestricted distribution of information...make ignorant only those who are neither inclined nor determined to commit crimes...Such laws make things worse for the victim and better for the criminal; they serve rather to encourage than to prevent unauthorized access to computer systems, for an insecure system may be attacked with greater confidence and ease than a secure system."
Or perhaps Ben Franklin summed it up pretty well when he made the following statement, which I believe also speaks volumes to what Americans are struggling with today with respect to REAL problems like Terrorism:

"They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania

Reason 5: Symantec appears to have ulterior motives

Some would argue that Symantec's "noble stance" on this subject is really an attempt to carry out a private agenda. Symantec purchased SecurityFocus for $75 Million a few years back. Since the acquisition of SecurityFocus, many alternative lists have popped up and are growing in popularity, with the most prominent being the full-disclosure list. It could be speculated that passing legislation such as this would in effect shut down lists such as full-disclosure, restoring the SecurityFocus list (which many have criticized for their pro-censorship stance on information) as the "de facto standard" for security information. This also would put Symantec in an interesting position of being in control of a majority of security-related information inside the US, giving Symantec the ability to charge service fees to have access to this information, which may have been snuffed out of commission elsewhere, or open to legal attacks they cannot afford to maintain such a list. With total control over this information, there's no telling what a corporation could do with it. Absolute power corrupts absolutely, and it may only take one creative political move to put Symantec in a position of power.

Reason 6: Shellcode and Vulnerability Disclosure could become commercialized leading to exploitation

Should shellcode be censored for distribution, the development of this code and disclosure of information to the software manufacturer could easily become a commercial endeavor rather than a free, community-supported exercise for a better infrastructure.
Large companies with security experts could easily develop shellcode in-house and then sell it at exorbitant prices to the victim software manufacturers, who must either pay the fee or risk a significant exploit being distributed in their code - and possible liability of affected customers. This cost would naturally get passed on to the consumer, forcing them to pay for the secure software they would have otherwise had at a reasonable price if they were legally permitted to test. Fixing security holes could easily turn into a cash cow, and who better to develop in-house shellcode for commercial gain than a company with a team of security experts already in place? Whether it be Symantec, McAfee, ISS, or some other firm that touches this sector, the commercialization of vulnerability and exploit code disclosure could easily lead to a general degradation of the critical infrastructure software we rely on today.

Reason 7: Virus Writers and Hackers would then become critical to business

They already are to some degree. In case Mr. Schwarz doesn't realize what it is his company does for a profit, they make anti-virus software (among other things). Symantec is already dependent on the virus writers and hackers in this world to keep them in business. Should vulnerability disclosure become a commercial product for only "elite security teams" as Mr. Schwarz puts it, this will create a paradox: a market that was created out of the desire to stop hackers and virus writers, that ultimately depends on these same hackers and virus writers to continue hacking and virus writing.

Reason 8: Loosely written laws could allow for selective enforcement

(This elaborates on one of Frymaster's posts on Slashdot) Should a law like this pass some day, it will most likely be incomplete in its wording, just as most legislation is.
As a result, enforcement agencies will be able to arrest and press charges selectively depending on their own personal motivation...similar to how the DMCA is presently being perverted for commercial gain. For example, if "tools used specifically for the purpose of forcing unauthorized access into a computer system" are illegal, who is going to tell the district attorney that your network diagnostic tools are not intended for that purpose? What about a web browser, as a browser can be used to exploit some vulnerabilities? All the media will hear will be, "the individual was arrested while in possession of tools that can be used to force unauthorized access into a computer system"...which really means they had a web browser. Social engineering is still the largest type of "hacking" performed today. Would this law enable the police to raid your house selectively for owning a telephone? So long as the issue remains a gray area, professionals in the field can easily be abused by law enforcement if the men in the suits have a "bad feeling" about them (circumventing all constitutional guarantees of "innocent until proven guilty").

Reason 9: The real elite security teams are the open community

Mr. Schwarz is quoted as believing that such sensitive tools and information belong in the hands of "elite security" teams such as his own company. If you take a look at history, however, the major leaps in secure networking have been a direct result of the open community and NOT Symantec. Large corporations rarely ever play a contributing role in the many freely available tools or rules. In fact, a majority of vulnerabilities reported and patched today come directly from the community. If there was one good thing about legislation such as this, it would be to expose companies that claim to be the leaders and experts in this field for their lack of contribution and illusion of general usefulness.

Reason 10: Symantec is a commercial entity and this is obviously a political move

Do you really think Symantec, or any large corporation for that matter, really has the best interests of the public in mind? Let's get real here. They write anti-virus software, they want an edge on the market, and a law like this would benefit them more than anyone else by making us dependent on them. It's a bit difficult to swallow the good-will-toward-man facade trying to be sold here. In my experience, large commercial entities making political statements have only one thing in mind and it isn't the American people, but their own bottom line.

Conclusion

In conclusion, whether or not Symantec's COO is just smokin' crack or understands what is at risk, any attempt to censor these critical security tools, including exploit code, from the Internet will result in a constitutional travesty followed by a significant market downturn, a degraded security community, and the commercialization of vulnerabilities where the market is driven by the criminals we are trying to "stop".

References:
http://www.epub.org.br/cm/n08/doencas/drugs/anim1_i.htm
http://mitosyfraudes.8k.com/INGLES-2/Mari.html
http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?holding=npg&cmd=Retrieve&db=PubMed&list_uids=9331351&dopt=Abstract
http://www.smh.com.au/articles/2003/09/12/1063268553158.html

All Website Content © 2003 Jonathan A. Zdziarski. All Rights Reserved.
Reproduction prohibited without permission