On 14-Sep-08 5:43, John VanSickle wrote:
> Doctor John wrote:
>> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>>
>> Can't make my mind up on this; is the university right in prosecuting
>> or are they overreacting to cover their own insecure *ssh*les?
>> Right now I'm leaning in the direction of overreacting but I'm willing
>> to be convinced otherwise
>
> The university is acting within its rights. There were other ways of
> drawing attention to the problem other than breaking the law. Notifying
> the security people risk, and then their non-IT bosses, are prudent
> steps, and I see no indication that the student did this *prior* to his
> own hacking.
>
> Granted, you cannot *prove* that the vulnerability is real without
> making a successful penetration, but that really is beside the point.
>
> It is not substantively different from a situation where you live in an
> apartment for which the landlord has failed to install adequate door
> locks. You cannot break into other people's apartments in order to
> demonstrate the inadequacy of the existing security. You tell the
> landlord, advise the tenants, and if nothing happens, move out.
It is the same sort of wrong comparison that 'somebody' made. The
difference is that this vulnerability is known and hacking a system
often involves a new exploit that is unknown to the owners. A better
comparison might be a house owner with a large fence around his house
with spikes on top. One day a guy walks up to him and says: 'You know
that large tree on your property, that has very long branches reaching
over the fence. I was walking past that and thought it might be an easy
access to your property. I tried the largest low hanging branch and
indeed it could easily support me.' After which the house owner calls
the cops and has him arrested for breaking into his property.
> Consider for a moment the results of allowing people to hack first, and
> then report the results of their hacking. People who are hacking for
> criminal reasons will, if caught, claim that as a defense.
Not necessarily, the guy in question apparently had no criminal intentions
and can prove that by notifying the sysop. If he had been caught in the
act he would have had a serious problem.
I can understand your position, but I also know that there is a large
group of systems that is not adequately protected. If the system is
hacked, mostly third persons will suffer the consequences. Protecting the
sysops with a law that prohibits hacking will increase the problem. A
more balanced law would include:
- hacking is illegal
- reporting a hack to the sysop with a full disclosure of the
vulnerability and a proof that no harm has been done during the hacking
will result in dropping the case by the prosecution. (I don't know if
that can be implemented in the US, we have a couple of such
constructions within the Dutch system).
- prosecuting the sysops that fail to secure their systems. With
different penalties for systems that can be used as e.g. zombie
machines, machines containing privacy information, machines with
financial information.
- prosecuting software companies that knowingly introduce vulnerabilities.
Hmm, this seems to be also the order of likeliness of implementation.
The first is easy, no objection from large pressure groups, the second
would imply that you educate judges and lawyers, the third will be
opposed by small firms and the last one is impossible as that would lead
to prosecution of MS and SONY, to name a few.