Last week, I read an article on the sentencing of Jeremy Jethro for selling Albert Gonzalez, the 'TJX hacker', an IE zero-day exploit. I have a fond love for reading media articles on this subject because I find so much fault in them. I am not a journalist, reporter, or writer, so should I be the one to judge someone else's work? In this article Jeremy Jethro pleaded guilty and was sentenced to a few years' probation and fined on the conspiracy charge. His lawyer admits that the zero-day was a dud and didn't even really work. This is the part of the article I find the most interesting. What this does is set a precedent that the mere sale of a potential exploit, not even a working one, can lead to a full arrest and conviction.
My questions revolve around how we as an industry can solve the issue of not only responsible disclosure but better software security without the penalty of laws. I was very disappointed with a few previous laws such as the DMCA (Digital Millennium Copyright Act), which freaked out most reverse engineers. These people, who are potentially looking for bugs in software and not stealing intellectual property, were totally stunned by the potential effect of this law. I was as upset about that law as I am about this particular court case. I understand that this person did something less than satisfactory in selling a potential exploit to a person who could use it for the wrong reasons. What I do not wish to see is an open ticket for abuse of the precedent this case brings.
Prosecutors need to start making examples out of everyone they can actually catch. People like Albert Gonzalez are going to be made examples of; he will be serving the maximum amount of time. But if there are no others to be caught right away, and if the problem becomes worse, will the prosecutors start going after researchers selling bugs in a less than responsible way? Will they go after people releasing bugs to sites like the Exploit DB? Responsible disclosure can be so difficult that most researchers would probably forgo releasing the information altogether at times, or settle for partial disclosure. I am not sure what this will imply, but I will say that we need a better way of releasing the information.
I just find it funny that this guy was arrested for selling a dud zero-day. That's even sadder.