Newsgroup: povray.off-topic
  Re: White hat? Black Hat?  
From: andrel
Date: 14 Sep 2008 06:39:23
Message: <48CCEA22.20508@hotmail.com>
On 14-Sep-08 5:43, John VanSickle wrote:
> Doctor John wrote:
>> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>>
>> Can't make my mind up on this; is the university right in prosecuting 
>> or are they overreacting to cover their own insecure *ssh*les?
>> Right now I'm leaning in the direction of overreacting, but I'm willing 
>> to be convinced otherwise.
> 
> The university is acting within its rights.  There were other ways of 
> drawing attention to the problem other than breaking the law.  Notifying 
> the security people first, and then their non-IT bosses, are prudent 
> steps, and I see no indication that the student did this *prior* to his 
> own hacking.
> 
> Granted, you cannot *prove* that the vulnerability is real without 
> making a successful penetration, but that really is beside the point.
> 
> It is not substantively different from a situation where you live in an 
> apartment for which the landlord has failed to install adequate door 
> locks.  You cannot break into other people's apartments in order to 
> demonstrate the inadequacy of the existing security.  You tell the 
> landlord, advise the tenants, and if nothing happens, move out.

It is the same sort of wrong comparison that 'somebody' made. The 
difference is that this vulnerability is known, and hacking a system 
often involves a new exploit that is unknown to the owners. A better 
comparison might be a house owner with a large fence around his house 
with spikes on top. One day a guy walks up to him and says: 'You know 
that large tree on your property, that has very long branches reaching 
over the fence? I was walking past it and thought it might be an easy 
way onto your property. I tried the largest low-hanging branch and 
indeed it could easily support me.' After which the house owner calls 
the cops and has him arrested for breaking into his property.

> Consider for a moment the results of allowing people to hack first, and 
> then report the results of their hacking.  People who are hacking for 
> criminal reasons will, if caught, claim that as a defense.

Not necessarily; the guy in question apparently had no criminal intentions 
and can prove that by having notified the sysop. If he had been caught in 
the act, he would have had a serious problem.

I can understand your position, but I also know that there is a large 
group of systems that is not adequately protected. If such a system is 
hacked, it is mostly third parties who will suffer the consequences. 
Protecting the sysops with a law that prohibits hacking will increase the 
problem. A more balanced law would include:
- hacking is illegal
- reporting a hack to the sysop, with full disclosure of the 
vulnerability and proof that no harm has been done during the hacking, 
will result in the prosecution dropping the case. (I don't know if 
that can be implemented in the US; we have a couple of such 
constructions within the Dutch system.)
- prosecuting the sysops that fail to secure their systems. With 
different penalties for systems that can be used as e.g. zombie 
machines, machines containing privacy information, machines with 
financial information.
- prosecuting software companies that knowingly introduce vulnerabilities.

Hmm, this also seems to be the order of likelihood of implementation. 
The first is easy, no objection from large pressure groups; the second 
would imply that you educate judges and lawyers; the third will be 
opposed by small firms; and the last one is impossible, as that would lead 
to prosecution of MS and SONY, to name a few.

