Posts Tagged ‘Security’

The Database Countryside Code: Best Practices for BI & SQL Users

Those ‘City Folk’ among you may not be aware, but in rural England we have what is called The Countryside Code: a set of guidelines that everyone should follow to keep the countryside clean, tidy and a nice place to visit.  You may be asking what this has to do with Business Intelligence and Database Administration.  Well, I think it’s vital: if we all follow a fairly simple but broad set of guidelines then every class of database user will have a better experience, from Developers to DBAs and from Analysts to CIOs.  This isn’t really about making your databases perform better; it’s about working better with each other and taking other people’s perspectives on board.  Having been in most of the related roles over the years, this is what I’d put into The Database Countryside Code…

1. Enjoy the countryside and respect its life and work
Whether your application is an ‘out of the box’ software suite, a Business Intelligence package that can be tweaked on implementation or a hand-crafted bespoke solution, if you’re running against a database maintained by someone else or shared with other applications you need to take heed of this point.  Cooperation is key: build a good relationship with the DBA and the other key users of the database and you’ll have a much better time of things, and if there are any critical issues you’ll be included in the remediation process and may even be able to help your own users get back online faster.  It’s easy to see DBAs as grouchy, narrowly focused sorts who tend to view all user activity as bothersome (I can say that as I’ve been one myself), but generally speaking, if the DBA is aware of your activity at all the chances are that there’s already a problem, as it’s the long-running, resource-intensive activity that stands out in alerts and performance reports.  Before your application goes live, do some testing, run your designs and SQL statements / stored procedures past the DBA for some advice (but remember, you don’t have to take it) and establish some sort of procedure for reporting issues.  Remember too that an SLA can work both ways: you may need the DBA’s help as much as they might need yours.


2. Guard against all risk of fire
Security is a huge issue, and as exploit frameworks and toolkits become more and more prevalent and feature-rich, the likelihood of vulnerabilities being discovered in our applications should be treated more like a certainty.  If you’re developing bespoke applications, and especially web apps, you’ll need to pay close attention to the OWASP Top 10 application security risks, but from a database perspective the most notable threat is SQL Injection - the art of passing SQL into an application so that it is executed by the database (as a good starting point check out OWASP’s SQL Injection Prevention Cheat Sheet).  If you’re deploying packaged apps or BI tools, don’t think that you’ve gotten away with it: the primary responsibility may be on the software developers to avoid such flaws, but if they’re baked into an application you’re implementing they will affect your users and your business, so…
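As an added illustration of the injection described above (example code written for this page, not taken from the OWASP cheat sheet or the original post; the `customer` table and its rows are constructed), the string-built query executes whatever the caller supplies, the parameterised version treats the same input as a plain value, and the allow-list shows how to handle an identifier such as a sort column, which cannot be bound as a parameter.

```python
import sqlite3

# Constructed sample data standing in for a reporting database.
SAMPLE_ROWS = [("Alice", "North"), ("Bob", "South"), ("Carol", "North")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, region TEXT)")
    conn.executemany("INSERT INTO customer (name, region) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_customer_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the caller's text becomes part of the SQL statement, so a quote
    # in the input ends the literal and whatever follows is executed as SQL.
    sql = "SELECT id, name FROM customer WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the value is bound as a parameter, so it can only ever be
    # compared against the column and is never parsed as SQL.
    return conn.execute("SELECT id, name FROM customer WHERE name = ?", (name,)).fetchall()


# Identifiers (table and column names) cannot be bound as parameters, so the
# cheat sheet's fallback applies: validate them against a fixed allow-list.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "region"})


def list_customers_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    # Interpolation is safe here only because the value was just checked above.
    return conn.execute(f"SELECT id, name FROM customer ORDER BY {sort_column}").fetchall()


def demo() -> dict:
    conn = make_db()
    # The classic tautology payload from the OWASP material: the unsafe query
    # becomes ... WHERE name = '' OR '1'='1' and returns every row.
    payload = "' OR '1'='1"
    return {
        "unsafe_rows": len(find_customer_unsafe(conn, payload)),  # 3: every row leaks
        "safe_rows": len(find_customer_safe(conn, payload)),      # 0: no customer has that name
        "alice": find_customer_safe(conn, "Alice"),               # [(1, 'Alice')]
    }


if __name__ == "__main__":
    print(demo())
```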


3. Protect wildlife, plants and trees
The most important security contribution we as implementers can bring to the table is to review and limit the privileges required by our applications.  Many install guides and expensive external consultants ask for a ‘dbo’ (database owner) level user, and some even ask for ‘sa’ (system administrator) or ‘root’ level privileges; don’t hand these out like candy on Halloween.  In most cases these high-level privileges are only required during setup and install and can be removed afterwards; often basic read/write access is all that is required (and for BI tools, often read-only).  It may only be achievable through a few frustrating rounds of trial and error, but if you assign your applications the lowest possible permissions you will significantly reduce the risk of compromise in the future.  Another important step during implementation is to make sure that your permissions are segregated: where possible, have a separate user for each service and an entirely separate user for accessing each database not shared by any other application.  Whilst it may seem excessive, this setup will allow you to audit any security issue and identify which user was compromised and exactly what they had access to.


4. Fasten all gates
Many Business Intelligence tools include some degree of control over connection management, and if you’re developing your own application you’ll have complete control over all database connections.  The decision to be made is whether connections are ‘pinned’ open, closed after x minutes or closed at the end of each transaction.  The preference will vary depending on the load and the usage.  In most Business Intelligence use cases there tend to be a large number of users, not always connecting concurrently, issuing fairly large queries against the database followed by periods of quiet whilst a report is read – in this case there is usually no need to keep the connection open for long.  On the other hand, if you have users issuing a constant stream of small transactions (e.g. a Point of Sale system), the overhead of creating and dropping connections might actually add load to the database, so in that scenario it would be more effective to maintain the connection.


5. Keep your dogs under close control
This applies more to developers and BI architects, where your dogs are your users.  If you are deploying an application that creates load on somebody else’s database you should do whatever you can to limit each user’s ability to cause long-running queries – some BI tools give you an option to let a query time out after x minutes and perhaps to limit the number of rows returned.  If you are developing your own application you should include both of these options, but make sure that you kill the query at the database level rather than just killing the thread in your application that made the request; otherwise it’s equally bad if not worse, since the query carries on consuming resources on the server and the user may simply re-issue the offending query.  The actual limits are bound to vary from database to database, but that’s where the first point comes in: discuss this with both your users and the DBA.
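One way to implement the two limits from this point in application code, as an added example that is not from the original post: the timeout is enforced by cancelling the statement inside the database engine (here SQLite’s interrupt(), the same idea as a DBA’s KILL on a server platform) rather than by abandoning the application thread, and the row cap fetches one row past the limit so the caller learns that the result was truncated. The slow recursive query is a constructed stand-in for an expensive report.

```python
import sqlite3
import threading

# Constructed stand-in for an expensive report: a recursive CTE that counts a long way.
SLOW_QUERY = """
WITH RECURSIVE counter(n) AS (
    SELECT 1 UNION ALL SELECT n + 1 FROM counter WHERE n < 100000000
)
SELECT count(*) FROM counter
"""


def run_with_timeout(conn: sqlite3.Connection, sql: str, timeout_s: float, params=()):
    """Run sql and cancel it inside the engine if it outlives timeout_s.

    Connection.interrupt() is documented for exactly this: called from another
    thread, it aborts the statement the engine is executing, so the engine stops
    doing the work. Killing only the application thread would leave the query
    running on the server while the user re-issues it.
    Returns ("ok", rows) or ("cancelled", None)."""
    timer = threading.Timer(timeout_s, conn.interrupt)
    timer.start()
    try:
        return "ok", conn.execute(sql, params).fetchall()
    except sqlite3.OperationalError as exc:
        if "interrupted" in str(exc).lower():
            return "cancelled", None
        raise
    finally:
        timer.cancel()  # finished in time: make sure a later statement is not interrupted


def fetch_capped(conn: sqlite3.Connection, sql: str, max_rows: int, params=()):
    """Return at most max_rows rows plus a flag saying whether more existed.

    Fetching one extra row detects that the cap was hit without pulling the
    whole result set; closing the cursor releases the statement."""
    cur = conn.execute(sql, params)
    try:
        rows = cur.fetchmany(max_rows + 1)
    finally:
        cur.close()
    return rows[:max_rows], len(rows) > max_rows


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    status, _ = run_with_timeout(conn, SLOW_QUERY, timeout_s=0.3)   # "cancelled"
    quick = run_with_timeout(conn, "SELECT 1 + 1", timeout_s=5.0)    # ("ok", [(2,)])
    rows, truncated = fetch_capped(
        conn,
        "WITH RECURSIVE c(n) AS (SELECT 1 UNION ALL SELECT n + 1 FROM c WHERE n < 1000) SELECT n FROM c",
        max_rows=10,
    )
    return {"slow_query": status, "quick_query": quick,
            "rows_returned": len(rows), "truncated": truncated}   # 10 rows, truncated True


if __name__ == "__main__":
    print(demo())
```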


6. Keep to public paths across farmland / Use gates and stiles to cross fences, hedges and walls
When it comes to solving problems, try to stick within the basic and simple boundaries of an ordinary user: avoid undocumented stored procedures, excessive use of user-defined functions, custom data types, plugins and extended stored procedures, or anything else that strays too far from a standard install of the database platform.  Obviously you’ve got an app to deploy and you want to solve your problems in whatever way is best for your users, but the further you are from a standard deployment the more issues you’re likely to encounter.  Both you and the DBA might be fully aware of this amazing new setting you tweaked to make things run better, but a couple of years down the line, during a disaster recovery, will it all come flooding back quite as easily?  What if one or both of you who set up the application have moved on to other roles?  Thinking outside the box is great, but be conscious of introducing risk, and if you do feel that it is necessary then make sure that it’s well documented in the Run Book or the corporate wiki.


7. Leave livestock, crops and machinery alone
Since you may already have elevated privileges on your own database, a shared database or even the server, you may be tempted from time to time to perform maintenance tasks or make minor ‘improvements’ to indexes or configuration settings – do not do so without the DBA’s blessing.  If you’re following the rules above you’ll probably have a fairly good rapport with the DBA already, so it’s likely that you’ll be granted some level of trust not to mess things up, but be careful not to overreach.  The DBA will be ‘in the loop’ on many changes and other requirements (e.g. critical deadlines, disaster recovery tests, unplanned maintenance) that you may not be aware of, so before you make any changes run them past the DBA – just in case.


8. Take your litter home / Help to keep all water clean
If you’ve ever been a DBA you’ll have seen, on more than one occasion, tables popping up called tmpSomethingorOther, tblToBeDeleted or TableName_bak, but when it comes to the key questions (How long have these been around?  Are they still required?) nobody seems to have a straight answer.  I know myself that whilst I’ve been developing data warehouses I’ve created these sorts of tables and subsequently forgotten what they were used for.  That’s not too much of a problem if you’re ‘the guy’, but in a large team or with personnel changes over time it can be hard to know what is required and what isn’t – I once came to a database with temporary tables over five years old which had not been deleted out of fear that they were important.  The moral here is an obvious one: clean up after yourself, or if the table must exist for some short period of time, put a note in your diary to come back and cull it.


9. Make no unnecessary noise
Be mindful of what errors you raise and what you write to public logs.  If your application causes a large amount of data to be written to database or other centrally collated logs, you may inadvertently make it harder to detect genuine issues, which will hurt both you and the other users of the database.  If you do occasionally need exhaustive logs, consider adding a ‘debug mode’ to your application which can be turned on or off via a configuration setting; that way you can turn it on whilst you’re tracing a fault and need more verbose logging, then turn it off when you’re done.


10. Take special care on country roads
There can be plenty of unexpected hazards on country roads, so don’t always rush around everywhere at 60mph: acknowledge that whilst you might want everything to go as fast as possible, you could be causing some other critical process to slow or stop.  Driving at night can be treacherous too, as you might come across an unexpected backup window or import/export process, so talk to your DBA and coordinate the major tasks.  If it’s a shared server, make sure you have access to the task list so that you know where to slot in your jobs, and that those jobs get put back into the master list.

Really it comes down to one thing, as the great and wise Jerry Springer oft said, “take care of yourselves, and each other”.

Posted by Ash - 20111230 at 14:01

Categories: Business Intelligence, DBA

Rootkit Hidden in Network Card Firmware

I just read a scary post by Guillaume Delugré following up from his presentation (slides) made at the hack.lu conference in October.  Essentially he reverse-engineered the Broadcom NetXtreme Network Interface Card and replaced the device’s standard firmware with modified code capable of intercepting network packets and hiding them from the OS – even when the OS registers the card as disabled.

The ultimate goal of the project is to build a rootkit that would reside in the NIC’s firmware and be capable of performing all sorts of nefarious tasks, and once installed it could implement a range of countermeasures to avoid detection.  One problem for the would-be malware writer is the limited memory available on the NIC; perhaps instead of acting as the primary payload the NIC rootkit could act as a wingman to a larger malware toolkit and even persist in the event that the OS infection was removed.

The rootkit could monitor outbound traffic to sense when its primary payload had been deactivated, report back to the command & control servers and wait to be notified of a hardened upgrade that could then be installed by exploiting communication with the driver layer via Direct Memory Access.  Alternatively it could be used to thwart detection by network scanners like Nessus or perform port scans on the rest of the network, again – all without the knowledge of the host OS.

This may seem somewhat speculative but to me it’s the way of the future, many devices connected to your PC have flashable firmware and I imagine that within the next couple of years an example of exactly this kind of attack will be found in the wild – until then, stay tuned to the big conferences like Black Hat, Defcon and Hope.

Posted by Ash - 20101123 at 23:20

Categories: Security

SQLBits 7 – Saturday Conference Rundown

Starting my third day at SQLBits with a hat-trick of talks on technologies I’m unfamiliar with was a bit of a head-bender, but an enjoyable one nonetheless. The first talk I chose was a great overview of how to use completely free tools (SQL Server Express 2008 R2, among others) with completely free spatial data (Ordnance Survey’s Open Data) to create spatial reports in Reporting Services. Since it’s not an area I’m working in at the moment I didn’t get any major take-aways, but I do have an understanding of what’s possible and how to go about it – if you’re in the same boat you should check out FWTools, Shape2SQL and Grid InQuest.

The second talk was Matt Whitfield’s ‘CLR Demystified’ and, not being a developer, I’ll admit that much of it went over my head, but I get the basic principles and most importantly I know what’s possible and where I might make use of CLR. The most interesting avenues for me are the ability to write custom aggregate functions and define custom data types – I was also impressed with the opportunity to increase performance in certain text processing / forward log parsing situations.

The next talk I attended was a gentle introduction to PowerShell, and James Boother did a good job of showing where it might be useful for admin tasks; in particular the example of purging old backup/log files based on age lit my eyes up. There was also a demo of PowerShell authenticating with Twitter and posting tweets as admin alerts; alas the demo failed, but that could well have been a timeout on the Uni’s WiFi network or just plain old demo-gremlins. I must say though that I still can’t help viewing PowerShell with some sense of disappointment, because with all its flexibility and power it’s so damned wordy and many of the tasks it performs could be achieved with less code than a good old Bash script.

As with Friday I attended Quest’s lunchtime session run by Kevin Kline, Ian Kick, Brent Ozar and Buck Woody – they’re some of the most experienced guys in the SQL community and when you get them together they’re funny as hell too, so I was both entertained and informed in their myth-busting quiz.

My first afternoon talk was Gary Short’s session on NoSQL which predictably sparked a few polite but irate rebuttals from argumentative DBAs but the session itself was an excellent whistle-stop tour of the predominant NoSQL technologies and use cases. I was encouraged to hear from someone experienced in the field that nobody has quite put together all the pieces to hook up BI tools (that traditionally expect relational/dimensional models or OLAP sources) to the NoSQL back-ends, it’s a shame since I might need to do so pretty soon – I guess I’m going to have to get my hands dirty then!

The final talk was from Kevin Kline of Quest, who covered SQL Injection; it was an informative talk that gave me pause for thought about a couple of ‘best practices’ that I probably ought to harden a little. Kevin recommended a few tools that I’ll definitely be checking out at some point, notably:

And a few handy sites/articles:

Once more it was a great conference and the free day was every bit as good as the paid day, I can honestly say that I walked out of the event already looking forward to the next one.

Posted by Ash - 20101003 at 21:08

Categories: Events, Microsoft SQL Server, NoSQL, Open Data, Security

The Next Hope Talk Schedule Announced

From July 16th – 18th 2010 in New York City the guys behind 2600 Magazine will be hosting The Next Hope, a conference for hackers of all types: amateurs, hobbyists, professionals and the generally curious.

Topics are wide and vary from IPv6 to Phone Phreaking, Disaster Relief to Graphic Novels and Cooking to DNSSEC – here’s the full talk schedule announced Monday (see table with abstracts here)…

Friday 16th

Tracks: Tesla, Lovelace, Bell

10:00
IPv6 Playground: New Hope Update - Joe Klein
GPS – It’s Not the Satellites That Know Where You Are - The Cheshire Catalyst

11:00
The State of Global Intelligence - Robert Steele
Locational Privacy and Wholesale Surveillance via Photo Services - Ben Jackson
Light, Color, and Perception - Jonathan Foote

12:00
Wireless Security: Killing Livers, Making Enemies - Dragorn, RenderMan
Content of the Future - Greg Newby, Michael S. Hart
SHODAN for Penetration Testers - Michael ‘theprez98’ Schearer

13:00
Keynote Address - Dan Kaminsky

14:00 (2 hours)
Digital: A Love Story - Christine Love, Jason Scott
Examining Costs, Benefits, and Economics in Malware and Carding Markets - Dr. Thomas J. Holt

15:00
Arse Elektronika: Sex, Tech, and the Future of Screw-It-Yourself - Johannes Grenzfurthner
Botnet Resistant Coding: Protecting Your Users from Script Kiddies - Fabian Rothschild, Peter Greko
Electronic Take Back - John McNabb

16:00
Own Your Phone - TProphet
Sita Sings the Blues: A Free Culture Success Story - Nina Paley
Cooking for Geeks - Jeff Potter

17:00
Keeping Your Job While Being a Hacker - Alex Muentz
“Brilliants Exploits” – A Look at the Vancouver 2010 Olympics - Colin Keigher
Design of a Wireless EMG - Konstantin Avdashchenko

18:00
Tor and Internet Censorship - Jacob Appelbaum, Seth Schoen
The OpenAMD Project - Aestetix, cpfr, Echo, Far McKon, Mitch Altman, Travis Goodspeed
Lisp, The Oldest Language of the Future - Adam Tannir

19:00
Extreme Lockpicking - Barry Wels, Han Fey
Easy Hacks on Telephone Entry Systems - Davi Ottenheimer
Buying Privacy in Digitized Cities - Eleanor Saitta

20:00
Build Robots and See the World - Jonathan Foote
Towards Open Libraries and Schools - Ellen Meier, Gillian ‘Gus’ Andrews, Jessamyn West
Monkeysphere: Fixing Authentication on the Net - Daniel Kahn Gillmor, Jameson Rollins

21:00
Hackerspaces Forever: A Panel - Hackerspaces.org
Introduction to the Chip Scene: Low Bit Music and Visuals - Don Miller, Joey Mariano, Peter Swimm
Risk Analysis for Dummies - Nick Leghorn

22:00 (2 hours)
Electronic Waste: What’s Here and What’s Next - Stephanie Alarcon
Detecting and Defending Your Network from Malware Using Nepenthes - Marco Figueroa

23:00
Get Lamp Screening and Discussion - Jason Scott
Interaction with Sensors, Receivers, Haptics, and Augmented Reality (90 minutes) - Elle Mehrmand, Micha Cardenas / Azdel Slade, Pan, Ryan O’Horo, TradeMark G.
Injecting Electromagnetic Pulses into Digital Devices - Paul F. Renda

Saturday 17th

Tracks: Tesla, Lovelace, Bell

10:00
How to Run an Open Source Hardware Company - Limor ‘Ladyada’ Fried, Phillip Torrone
T+40: The Three Greatest Hacks of Apollo - Stephen Cass
False Domain Name Billing and Other Scams - The Cheshire Catalyst

11:00
Video Surveillance, Society, and Your Face - Joshua Marpet
Behind the Padlock: HTTPS Ubiquitous and Fragile - Seth Schoen
Hacking Out a Graphic Novel - Ed Piskor

12:00
Grand Theft Lazlow – How Hacking is Both the Death and Future of Traditional and Interactive Publishing, Journalism, and the Media - Lazlow
Vintage Computing - Bill Degnan, Evan Koblentz
For Its Own Sake and to Build Something Better: A Primer on Neuroscience, Bat Echolocation, and Hacker Bio-inspiration - Scott Livingston

13:00
Keynote Address - Julian Assange

14:00 (2 hours)
A Red Team Exercise - Tom Brennan
No Free Lunch: Privacy Risks and Issues in Online Gaming - Don Tobin, Lyndsey Brown

15:00
How to Bring Your Project from Idea to Reality: Make a Living Doing What You Love - Mitch Altman
Geo-Tagging: Opting-In to Total Surveillance - Paul V
Modern CrimeWare Tools and Techniques: An Analysis of Underground Resources - Alexander Heid

16:00
Snatch Those Waves: Prometheus Radio and the Fight for Popular Communications - Maggie Avener, Pete Tridish
Memory Fun 101 – Memory Training for Everyone - Chester Santos
Surf’s Up! Exploring Cross Site Request Forgery (CSRF) through Social Network Exploitation - Daniel McCarney

17:00
Privacy is Dead – Get Over It - Steven Rambam
Smartphone Ownage: The State of Mobile Botnets and Rootkits - Jimmy Shah
Much Ado About Randomness - Dr. Aleksandr Yampolskiy

18:00 (3 hours)
Free Software: Why We Need a Big Tent - Deb Nicholson
Why You Should Be an Amateur - Ben Jackson

19:00 (3 hours)
Reach Out And Touch Face: A Rant About Failing - Johannes Grenzfurthner
Hackers for Human Rights - Adrian Hong

20:00
Rummaging in the Government’s Attic: Lessons Learned from More Than 1,000 Freedom of Information Act Requests - Michael Ravnitzky, Phil Lapsley
Hey, Don’t Call That Guy A Noob: Toward a More Welcoming Hacker Community - Nicolle (‘Rogueclown’) Neulist
The Telephone Pioneers of America - Kyle Drosdick

21:00
Social Engineering - Emmanuel Goldstein
Circuitbending - Jimmie Rodgers

22:00
Building and Breaking the Next HOPE Badge - Travis Goodspeed
2600 Meetings: Yesterday, Today, and Tomorrow - Gonzo, Grey Frequency, Rob T Firefly
PSTN-based Cartography - Da Beave, JFalcon

23:00
Net Wars Over Free Speech, Freedom, and Secrecy or How to Understand the Hacker and Lulz Battle Against the Church of Scientology - Finn Brunton, Gabriella Coleman
Hacking Our Biochemistry: Pharmacy and the Hacker Perspective - Jennifer Ortiz
Radio Reconnaissance in Penetration Testing – All Your RF Are Belong to Us - Matt Neely

00:00
Saturday Night Hacker Cinema
Spy Improv on Steroids – Steele Uncensored – Anything Goes - Robert Steele

Sunday 18th

Tracks: Tesla, Lovelace, Bell

10:00
The Need for a Computer Crime Innocence Project - Alex Muentz, Joe Cicero, Seth Schoen
Hacking Your GPS - Cass Lewart
Hacking Terrorist Networks Logically and Emotionally - Hat Trick, Mudsplatter

11:00
From Indymedia to Demand Media: Participation, Surveillance, and the Transformation of Journalism - Chris Anderson
Hacking for an Audience: Technology Backstage at Live Shows - John Huntington
Lock Bypass without Lockpicks - Dan Crowley

12:00
Cats and Mice: The Phone Company, the FBI, and the Phone Phreaks - Phil Lapsley
Simpsons Already Did It – Where Do You Think the Name “Trojan” Came From Anyway? - Bill Cheswick, Matt Blaze, Sandy Clark (Mouse)
Burning and Building Bridges: A Primer to Hacking the Education System - Christina ‘fabulous’ Pei

13:00
The DMCA and ACTA vs. Academic and Professional Research: How Misuse of This Intellectual Property Legislation Chills Research, Disclosure, and Innovation - Chris Mooney, Tiffany Rad
American Bombe: How the U.S. Shattered the Enigma Code - Shalom Silbermintz
TrackMeNot: Injecting Reasonable Doubt in Everyone’s Queries - Vincent Toubiana

14:00
Informants: Villains or Heroes? (90 minutes)
Into the Black: DPRK Exploration - Michael Kemp
The Freedom Box: How to Reclaim Privacy on the Web - James Vasile

15:00
Hacking the Food Genome (15:30) - Gweeds
CV Dazzle: Face Deception - Adam Harvey
Bakeca.it DDoS – How Evil Forces Have Been Defeated - Alessio ‘mayhem’ Pennasilico

16:00
Hackers without Borders: Disaster Relief and Technology - Dennison Williams, Elena, Smokey
The Black Suit Plan Isn’t Working – Now What? - James Arlen

17:00
The HOPE Network
Sniper Forensics – Changing the Landscape of Modern Forensics and Incident Response - Chris Pogue

18:00
Closing Ceremonies

Posted by Ash - 20100628 at 23:52

Categories: Events, Security

Privacy Tool: Disposable Email Address

From time to time I find myself forced to provide an email address to register on a website to get some content (a solution to a problem, a whitepaper, etc.), generally I’m loath to spread my email address around because (a) it’s a personal identifier and (b) I’m likely to end up with even more SPAM than I have now.

Well, there’s a great solution – you can use a temporary email address.  There are several sites out there that will randomly generate an email address that is valid for a fixed period of time before the account (and all of the mail) is deleted.  One thing that you should know is that the content of the emails themselves should not be personal, since there is often no authentication; it’s really just a quick and easy solution and is not secure in itself.

The site I tend to use is Guerrilla Mail; their temporary addresses last for 60 minutes but can be extended, and they also let you pick your own address or take a randomly generated one.  There are other sites out there but the only one I’ve had any experience with is 10 Minute Mail; I’m sure some quick googling will bring up a load of alternatives.

Posted by Ash - 20100201 at 21:04

Categories: Security

Boot Kit Renders Windows + Truecrypt Entirely Vulnerable

Having been using PCs for at least twenty years and having been an IT Professional for the last eight, it’s a rare occasion for me to be blown away by a piece of technology, but the Stoned Bootkit, presented by its author Peter Kleissner at HAR 2009, literally blows my mind.  You can find the video here or the presentation here.

Essentially a bootkit is a small piece of code that can be inserted into the Master Boot Record of a PC’s main boot drive; this code is then executed every time the PC is switched on, and it runs before the operating system loads.  This is effectively a variant of more traditional rootkits, which tend to install themselves as low-level drivers as part of the operating system, and they are both equally dangerous in that once a system has been compromised the writer of the rootkit/bootkit can effectively do whatever they like.  This may range from logging and transmitting keystrokes and capturing bank details to bypassing product activation or enabling law enforcement to gain access for forensic analysis.
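The layout the paragraph describes can be checked from the defender’s side. As an added example (not part of Kleissner’s work or the original post), the following parses a 512-byte MBR image, validates the 0x55AA signature and partition table, and compares a hash of the 446-byte boot-code area against a baseline recorded from a known-clean machine, which is how a bootkit that replaces the boot code but leaves the partition table intact shows up. The MBR images here are constructed samples, not real boot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: the code the BIOS jumps to, and what a bootkit replaces
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510          # 0x55 0xAA marks a valid MBR

# Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count.
_ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into a hash of its boot code and its non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = _ENTRY.unpack_from(mbr, PARTITION_TABLE_OFF + i * _ENTRY.size)
        if ptype != 0:  # type 0 is an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def boot_code_matches(mbr: bytes, baseline_sha256: str) -> bool:
    """Integrity check: does the boot-code area still match the hash taken when the machine was clean?"""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample image: the given boot code padded to 446 bytes, one bootable
    NTFS-type (0x07) partition at LBA 2048, three empty slots, and the signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = _ENTRY.pack(0x80, 0x07, 2048, 204800) + b"\x00" * (3 * _ENTRY.size)
    return code + table + b"\x55\xaa"


def demo() -> dict:
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed stand-in for legitimate boot code
    baseline = parse_mbr(clean)["boot_code_sha256"]    # recorded at a known-good point in time
    # Bootkit-style tampering: new boot code, identical partition table, so the OS still boots normally.
    tampered = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 20)
    return {
        "clean_ok": boot_code_matches(clean, baseline),          # True
        "tampered_ok": boot_code_matches(tampered, baseline),    # False: boot code differs from baseline
        "partition_table_unchanged":
            parse_mbr(clean)["partitions"] == parse_mbr(tampered)["partitions"],  # True
    }


if __name__ == "__main__":
    print(demo())
```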

The Stoned Bootkit is effectively a technical demo and, whilst it is entirely effective, I am not aware that it has been put to any nefarious purpose; in fact it was released by Peter Kleissner at the Black Hat security conference in 2009 to an audience of security professionals and was, I believe, intended by the author as an ‘eye opener’ for the industry.  Notably, Stoned is the first bootkit that has been tested and verified on Windows 2000, Windows XP, Server 2003, Server 2008 and Windows 7.

So why does this blow my mind?  It’s not that the technology is brand new – MBR viruses have been around for decades, something Kleissner acknowledges himself by naming his bootkit after one of the earliest examples: the Stoned Virus from 1987 (I remember encountering the variants Manitoba and Zapper in the early nineties).  The reason I was so awed by Kleissner’s presentation is the comprehensive list of attack scenarios he presents, the ease with which this is possible and the fact that it can be used to entirely bypass whole-disk encryption (tested against Truecrypt and DiskCryptor).  The bootkit is available for download as an ‘infected PDF’ or even as a Live CD that can be used to boot and infect any PC to which you can gain physical access.

There has been some debate between Kleissner and Truecrypt about whether this constitutes a ‘valid’ attack; the debate is fairly academic since Truecrypt themselves acknowledge that the attack is effective provided that the attacker has administrator privileges (most non-technical users run this way), that administrator privileges can be gained (most likely through other exploits) or that there is physical access to the machine.  I’ll concede that Stoned isn’t a valid attack against Truecrypt itself, but it is a valid attack against the PC and as such can still be used to entirely bypass Truecrypt, which still allows an attacker to achieve the same aim.

As a footnote, it appears that Peter Kleissner is being sued by his former employer, Ikarus Security Software GmbH, for an alleged intellectual property violation (source code theft); given that he is only 18 years old, I sincerely hope that this does not harm or curtail Peter’s future career and potential.  Alarmingly there are reports (English here) that Ikarus and Kaspersky are attempting to build a criminal case against Kleissner on charges including “distributing malicious code”; if this sticks it could be worrisome for all security researchers (particularly hobbyist hackers with no money for a good legal defence), who often write code that could be classified as malicious whether they intended it or not – all security flaws could be exploited, does that make it wrong to point them out?

Posted by Ash - 20100123 at 09:33

Categories: Security