Piotr's Blog
Created: Friday, June 1 2007 13:36.31 CDT
Modified: Friday, June 1 2007 13:40.13 CDT
More on GAARA
Author: Piotr
For those who are interested, it seems Symantec is the first one to publish a full description (more or less), available here: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-060115-3305-99&tabid=1
(hey Pedram, is this URL too long for the "[_url_http=]" thing?? :>)
Kaspersky made a short note about Gaara on their weblog. And they seem to be the first one to create detection for it. Well, to be honest I never used Kaspersky products, and I'm not using them currently, so I cannot check how the detection is made. Did they only make a signature, or did they write a new kernel for M68K? Dunno, life is a bet :)
Although they both changed the name to "Tigraa", which is a really sad thing, since I liked Gaara :|
- the time is now, it's do or die?
Blog Comments
drew
Posted: Friday, June 1 2007 16:55.38 CDT
Looks like the URL linking works fine for me:
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-060115-3305-99&tabid=1
AbelianGrape
Posted: Saturday, June 2 2007 12:45.31 CDT
Although your virus was non-malicious and targeted a niche platform, in the criminal justice system they call bragging about the computer virus that you released under your real name "a statement against judicial interest". If you lived in the US, this would be all that the government needed to make its prima facie case under the Computer Fraud and Abuse Act (or worse yet, the PATRIOT Act), and send you to jail for at least a year. I realize that you don't live in the US, and I don't know what the laws are like in Poland, but remember that Benny was raided in Czechoslovakia in 2005.
My point is to stay smart -- releasing that virus was not a good idea, and I'm sure that the 163 AVIEN signatories would like to see you go to prison for this.
Piotr
Posted: Saturday, June 2 2007 14:00.14 CDT
Well,
There are different kinds of view. First of all, I did it as proof-of-concept code, and I even left detection marks to make it easily detectable. And after all it was designed for calculator platforms, which are so rare that mass reproduction is without doubt not possible.
If I remember correctly, Benny was raided because of Slammer, or at least that was the main reason the press published - not because he did something as a POC.
Finally, if we consider your way of thinking, publishing any ADVISORIES or EXPLOIT code should also be considered a crime. So maybe I should not leave my basement for the rest of my days? Moreover I live in Poland; it seems this is currently not prohibited here as it is in .de.
AbelianGrape
Posted: Saturday, June 2 2007 14:03.38 CDT
I wasn't talking about my opinion -- I was talking about criminal law.
Piotr
Posted: Saturday, June 2 2007 14:10.26 CDT
I want you to remember, the first plain infector for calculator viruses was done in the USA, and moreover its source code lies to this day on the Washington University server. So how can it be?
Anyway I think you are missing the main point, it is POC code...
AbelianGrape
Posted: Saturday, June 2 2007 14:21.00 CDT
Tell it to the judge, man :-)
Piotr
Posted: Saturday, June 2 2007 14:22.39 CDT
I've nothing to tell the judge since my country's law is ok with that :) Sorry man :)
AbelianGrape
Posted: Saturday, June 2 2007 14:31.41 CDT
I can't read Polish -- what does article 268.2 of the penal code say?
Piotr
Posted: Saturday, June 2 2007 14:51.45 CDT
Well, I'm too lazy to translate it. But it says nothing about computer viruses, and moreover according to my lawyer friend, it seems even spreading viruses in compiled form is not strictly prohibited here.
AbelianGrape
Posted: Saturday, June 2 2007 14:52.19 CDT
Translated text of the Penal code:
Article 268. § 1. Whoever, not being himself authorised to do so, destroys, damages, deletes or alters a record of essential information or otherwise prevents or makes it significantly difficult for an authorised person to obtain knowledge of that information, shall be subject to a fine, the penalty of liberty or the penalty of deprivation of liberty for up to 2 years.
§ 2. If the act specified in § 1 concerns the record on an electronic information carrier, the perpetrator shall be subject to the penalty of deprivation of liberty for up to 3 years.
Interpretation according to Polish lawyer Andrzej Adamski:
"[...] the present wording article 268 § 2 better fits the article 4 of the CoE convention than before. It enables prosecution of any attacks against data integrity, including dissemination of malicious codes, such as viruses and Trojan horses, even if they resulted only in slight modifications of the data. "
So yes, according to this interpretation of the penal code, as a matter of law, and not as a matter of opinion, you have committed a criminal offense. This is despite the fact that your virus is a non-malicious POC. Whether or not you get prosecuted is another story (and it's unlikely), but my original point remains -- stay smart, and stay wary of the laws when publishing under your real name. I am not condemning you, just telling you to stay vigilant.
Piotr
Posted: Saturday, June 2 2007 14:58.06 CDT
According to this:
- http://www.gazeta-it.pl/2,10,736,index.html
- http://www.prawnik.net.pl/pwi/faqhack.htm
It is not :) Anyway thanks for your words of wisdom, I think this thread should be closed now.
pferrie
Posted: Saturday, June 2 2007 17:15.56 CDT
benny is better than you lol
AbelianGrape
Posted: Saturday, June 2 2007 17:51.24 CDT
"According to this:
- http://www.gazeta-it.pl/2,10,736,index.html
- http://www.prawnik.net.pl/pwi/faqhack.htm
It is not :)"
Are you going to take the advice of a hacking FAQ and a magazine article over a respected professor of law? My advice to you is to get a real lawyer (not your friend), now, and have a serious discussion.
Imagine this scenario: a judicious young prosecutor, perhaps bowing to political demands to do something about the state of computer security in Poland, decides to make an example out of you to deter other would-be virus authors. By sending you to jail for the maximum term, they send the message to Polish citizens that you cannot get away with virus authorship, even if it's "proof of concept" for obscure platforms, and they also send the message to the international community that they take cybercrime seriously. It's win-win for them, especially with such a slam-dunk case, so don't count on them not doing it.
"i think this thread should be closed now."
Quite the contrary; there is a broader issue at play here. I think that we (the professional or aspiring reverse engineering/security community) finally need to sit down and decide amongst ourselves what is and is not appropriate behavior. Regional laws notwithstanding, we need to establish a professional code of conduct, and I think this thread is just the place to do it.
Piotr
Posted: Saturday, June 2 2007 23:59.50 CDT
>Are you going to take the advice of a hacking FAQ and a ...
First of all, "PRAWNIK.NET.PL" is a lawyer service; if you were clever enough to check the main website you would know that too.
I'm not a law guy. Talking about appropriate behavior? What is that? Is Greg Hoglund with his "dark magic books" also below the border?
Anyway I'm tired of this "law" discussion, and I will not reply to this thread anymore. Sorry.
AbelianGrape
Posted: Sunday, June 3 2007 11:47.06 CDT
Orr
Posted: Monday, June 4 2007 01:13.28 CDT
AbelianGrape, it would be nice if you stuck to reverse engineering instead of trying to set ethic rules for the "community".
This virus isn't destructive nor mass spreading - it's perfectly ok. Also, next time you open up your kid's toy when it's broken, try to think about the legal implications of your act of reverse engineering.
Sellmi
Posted: Monday, June 4 2007 02:55.13 CDT
From my point of view this is an interesting discussion. Try to find a job in an anti-virus company (in Germany) after you released a non-destructive, non-mass-spreading virus for research.
AbelianGrape
Posted: Monday, June 4 2007 03:38.35 CDT
I do not want to personally set the code of ethics for the community. I wish for the community to be open and honest enough with itself to set its own rules, after reasoned discussion. I can only hope that I play a part.
Orr
Posted: Monday, June 4 2007 07:34.05 CDT
Well then, let me tell you a little secret - there is no such thing as an RCE community, due to the small fact that everybody has his own interests, and that the common ground for all the people here is purely technical.
How can you expect some teenage hackers (who spend their _free_ time on stuff they _love_) to agree with AVIEN sorta crap?
And I don't even want to start the debate on who is more productive in the long run, the 'hackers' or the 'pros', but the fact is that writing non-malicious POC viruses has proven in the long run to be one of the aspects that may enlighten you the most on a particular subject. If you want to _know_ how the PE file format works, go read LUEVELSMEYER. If you want to _understand_ how it works, go read CABANAS. That's the difference, and this is why viruses are sometimes the only tool for deep exploration.
You have to start seeing things differently. Even God cannot hide his info forever. As time passes, more and more aspects of his creation are known to us. Fact is, if you write software (or anything else for that matter), don't get the illusion that your product is a black box. It is quite possible, and sometimes even very easy, for anyone with minimal understanding of code to read and understand it. Compiled binary code is the same as a printed circuit or a clock, for that matter.
After this, all the rest is pure, black and white, real-life ethics. The ten commandments work best for me. Other people can use the Google motto ("Do No Evil") :)
AbelianGrape
Posted: Monday, June 4 2007 15:00.42 CDT
AbelianGrape
Posted: Monday, June 4 2007 15:12.17 CDT
It occurs to me at this point that this discussion is broad enough that it merits its own forum. Pedram, would you mind please creating a combination legal/ethics forum?
dennis
Posted: Monday, June 4 2007 16:02.56 CDT
Hey, what about this:
You go and make your own blog, just as Piotr did.
You both had your few minutes of attention.
The rest can continue doing what they were doing until now.
I don't think anyone wants/needs any upholder of moral standards. If people don't know what they're doing, they'll be doing so by self-awareness. Did you always do what your parents told you?
If something isn't ok, I think the admins are going to take the necessary steps.
Don't get me wrong, I'm not taking anyone's side here, but I'm fed up with this blahblah here.
AbelianGrape
Posted: Monday, June 4 2007 16:12.52 CDT
Fair enough, Dennis. It wasn't my intention to play the part of the police. I honestly think ethics is something that merits specific attention in the computer security community (in addition to being fascinating on its own), and I hoped that it would be a subject that other people would like to discuss. But you're the moderator here; if I'm belaboring my lonely opinion, then I'll simply shut up and everyone has my apologies.
dennis
Posted: Monday, June 4 2007 16:23.27 CDT
Exactly. It is an opinion. And btw, I'm not abusing my status as a moderator here, feel free to say whatever you want. But *my* opinion is, this has gone a bit too far and off topic.
Orr
Posted: Tuesday, June 5 2007 00:52.00 CDT
dennis: you sellout :p