  Re: White hat? Black Hat?  
From: Doctor John
Date: 13 Sep 2008 10:57:24
Message: <48cbd4d4$1@news.povray.org>
Orchid XP v8 wrote:
> Warp wrote:
> 
>>   No good deed goes unpunished. (Although this is certainly not the worst
>> case of someone reporting security weaknesses to some company and getting
>> sued for it.)

Agreed, the "shoot-the-messenger" mind-set seems to be endemic.

> The trouble is, if you say "hey, your security is really weak, you 
> should fix it", people tend to not believe you. And if you walk up and 
> say "hey, your security is really weak, I just hacked all your systems", 
> they go "OMG, you're a hacker! DIE!!!"
> 
> There seems to be no way to win.
> 
> Of course, from the other side, *anybody* can walk up and claim that a 
> system is insecure. That doesn't necessarily mean they know what the 
> hell they're talking about. And if somebody breaks into your system, you 
> can either enjoy the bad publicity of having "poor security", or you can 
> sue the person, which makes them look like the bad guy, not you.
> 
> It's easier and cheaper to scapegoat somebody else than fix the problem...
> 
My problem here is that the young hacker in question seems to have been 
naive rather than malicious.
	1. Hacking the system without permission is not legal.
	2. Pointing out the vulnerabilities (and taking the time
	   to compile a report) is helpful.
	3. Actually producing and printing out the list of user
	   passwords was probably overkill.
IMO what the lad should have done was to offer to demonstrate the 
vulnerabilities whilst their techies were present.
Of course, he may have already tried going down that route but was 
turned down, in which case he turned to the course of hacking the system 
to get attention. I suppose that will be presented in his defence if the 
case actually gets to court.
My advice to Carleton, drop the charges and talk to the student. Point 
out the error of hacking a system without permission but thank him for 
helping to ensure the system is now secured. (I assume they have patched 
the holes :-) )
BTW Look at the guy's name. I trust this is not another "war-on-terror" 
overreaction.

John

-- 
"Eppur si muove" - Galileo Galilei



Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.