Meanwhile, Apple QuickTime versions prior to 7.0.3 for both Windows and OS X platforms contain a critical remote code execution and denial of service threat due to two integer overflow vulnerabilities: a flaw in NULL pointer dereference code and a memory corruption error when dealing with compressed PICT image files. Apple recommends immediately upgrading to QuickTime version 7.0.3.
Final word
Only last week, I pointed out the difficulty of developing strict
definitions for relatively new security terms and I mentioned how this
could negatively affect the creation of strong, enforceable laws
related to high-tech threats. In those seven days, a real-world example
has cropped up that further highlights my point.
London's Wimbledon Magistrates Court recently ruled that a teenager accused of sending five million e-mails to an ex-employer with the probable aim of crashing the company's e-mail server — which it did — had not violated the UK's 1990 Computer Misuse Act (CMA)— even if he actually did it and it was his intent. The defendant's attorney argued that, since the purpose of an e-mail server is to process e-mail, simply flooding it with an excessive number of messages doesn't constitute a crime.
While similar problems have arisen in the prosecution of other cases in other countries, this is a serious blow to British prosecutors and security specialists alike. That's because there was never any adjudication of whether the actual attack took place or caused any damage — the court ruled that an e-mail flood denial of service attack simply isn't illegal in the first place.
While the CMA explicitly outlaws unauthorised access or unauthorised modification of electronic data, it does not address some very common and easy to implement attacks. Of course, the problem is that much has changed since 1990.
In an attempt to avoid having to prove actual damages, many computer-related laws instead make specific activities illegal. However, that means you must update the legal language almost monthly to keep up with all the possible new attack vectors to keep the law current.
Talkback
Sure, update the CMA. And before you know it someone goes to jail because his malfunctioning network card caused something a laywer might explain as a DDoS attack on some ISP router or whatever else that can go wrong in this free-from-liability IT world.
How about updating the CMA so that companies can no longer hide their underfunded and poor security (partially subset of availability) company policies behind laws written by the technical clueless of real-life problems?
Security 101: "anything not explicitly allowed is explicitly forbidden".
Is it allowed to flood the company mail server? No? Then put some technology to use and make it impossible to flood the mail server because that's more likely to happen then a fire breaking out and since you do have a fire insurance why don't you have a mail flood insurance? If your mail server isn't protected against mail floods then either you're missing something, you made the wrong choice or YOU are taking risks.
Is it allowed to flood the company Internet router? No? Can it be expected? Yes. Could it happen by criminal intent? Yes. Could it happen by some failure somewhere? Yes. Then what's keeping you from preventing it becoming a (big) problem once it happens in the first place?
I am hoping to receive a bit more reactions on my comments since I do think they do concern matters that need to be discussed in the open. So, what's your point of view?