POV-Ray : Newsgroups : povray.off-topic : White hat? Black Hat?
  White hat? Black Hat? (Message 11 to 20 of 76)  
From: Orchid XP v8
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:27:50
Message: <48cbdbf6@news.povray.org>
Warp wrote:
> somebody <x### [at] ycom> wrote:
>> The question you should be asking is, did anyone ask you to fix their
>> security in the first place? Spend your time and energy on things that there
>> is a demand for, not on things that you are unwelcome to do.
> 
>   It's exactly that kind of bastard mentality that causes all the
> ridiculous lawsuits.

Indeed. And, um, isn't this a *student* we're talking about? Presumably 
he wanted his uni to fix their security so his own details didn't get 
stolen? I know *I* would!

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Orchid XP v8
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:30:35
Message: <48cbdc9b$1@news.povray.org>
somebody wrote:

> So it would be a good deed for me to break into neighbourhood houses (which
> would be trivial, as practically all have unprotected ground level glass
> windows) when the owner is away and place a note on the coffee table to tell
> them their house is insecure.

Well, no, because fixing a broken window costs money.

You can "break into" a computer system without causing damage that has 
to be repaired.

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:39:23
Message: <48cbdeab$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbd6b6@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > *Reporting* a security weakness is a good deed. *Exploiting* a security
> > weakness is a bad deed, even if followed by reporting.

>   Now please explain to us the exact means by which you will know the
> security weakness without actually testing it. You will consult a
> psychic? Or read it from tarot cards? Maybe you will see a vision
> while you are on an LSD trip. Or perhaps you will use telepathy to
> read the minds of the programmers who created the system, study their
> code and then find the weakness. Yeah, that will work.

Do you break into your neighbour's houses to "test" their security
weaknesses? To answer your question, that's so easy that I'm surprised you
cannot see the solution: You get permission (and probably supervision)
before testing other people's systems security flaws. You don't go around
breaking into other people's systems to prove your machismo, any more than
you go around breaking into other people's homes.



From: Orchid XP v8
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:39:54
Message: <48cbdeca@news.povray.org>
somebody wrote:

> And one more thing to say on the subject: Why is it that people think the
> ease by which one can commit a cybercrime justifies it?

I don't think anybody does.

> No shop owner is required to keep their
> wares under lock in all times in order to be able to charge a thief.

No, but you know what? Their wares usually have somebody standing over 
them to protect them. I rather suspect that if you just took some stuff 
and left it unattended in the middle of the street and then tried to 
prosecute the guy who stole it, you wouldn't get very far.

It's not that you have to make theft "impossible", but you have to make 
*some* kind of effort.

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:44:36
Message: <48cbdfe4$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbd79c@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > And one more thing to say on the subject: Why is it that people think the
> > ease by which one can commit a cybercrime justifies it?

>   Finding a security weakness and then *not* exploiting it for your own
> selfish purposes but instead reporting the weakness so that they will
> patch it justifies it.

If the end justifies the means, am I to assume you also agree that breaking
into people's homes to expose their security flaws and pretend-robbing
people at gunpoint to expose their unprotectedness are also just dandy, and
moreover a good deed, provided you don't actually steal anything?

>   The other alternative is that you will not report it (for the fear of
> a lawsuit) and then a malicious hacker will find it and exploit it for
> malicious purposes. And then everyone is happy?

Then, the alternative to above scenarios is that a psycho will find about
the lack of security in a home and slaughter all the family, and that a gun
wielding coke addict will shoot the person in the head to steal his wallet.



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:48:24
Message: <48cbe0c8$1@news.povray.org>
"Orchid XP v8" <voi### [at] devnull> wrote in message
news:48cbdc9b$1@news.povray.org...
> somebody wrote:

> > So it would be a good deed for me to break into neighbourhood houses (which
> > would be trivial, as practically all have unprotected ground level glass
> > windows) when the owner is away and place a note on the coffee table to tell
> > them their house is insecure.

> Well, no, because fixing a broken window costs money.

And it doesn't cost money to fix a compromised system?

> You can "break into" a computer system without causing damage that has
> to be repaired.

OK, assume I only go into houses that have windows that are ajar, or that I
leave money for the window repair, or that I pick the lock instead... etc.
You are objecting to irrelevant non-issues.

What about the pretend-robbery on the street? That doesn't cost any money.



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:02:17
Message: <48cbe409$1@news.povray.org>
"Orchid XP v8" <voi### [at] devnull> wrote in message
news:48cbdeca@news.povray.org...
> somebody wrote:

> > And one more thing to say on the subject: Why is it that people think the
> > ease by which one can commit a cybercrime justifies it?

> I don't think anybody does.

I do think many do.

> > No shop owner is required to keep their
> > wares under lock in all times in order to be able to charge a thief.

> No, but you know what? Their wares usually have somebody standing over
> them to protect them.

No, not really. There's a whole bunch of clothes, shoes, ... etc sitting on
racks on the outside of the store by the door. All the salespeople are
inside and none of them can see the street. They are completely unprotected
and insecure. I think I'll help myself to a new outfit.

> I rather suspect that if you just took some stuff
> and left it unattended in the middle of the street and then tried to
> prosecute the guy who stole it, you wouldn't get very far.

University system is hardly "the middle of the street". It's obviously not
abandoned or refuse. There's no question whatsoever about who owns the
system or the data.

> It's not that you have to make theft "impossible", but you have to make
> *some* kind of effort.

That he used a keylogger means the university did make some kind of an
effort. Any security system can be compromised if you try hard enough. At
worst, you pay $4.95 and a packet of bubble gum to a user (I don't remember
the link now but there was a study on how alarmingly willing employees were
in exposing confidential business information, passwords... etc). But
bribing itself is still a crime, no matter how little of a bribe you were
able to get away with.

Again, the point is, if you break the law, you are a criminal, regardless of
how easy it was to break the law. I can go to a random person on the street
and punch him in the face with no trouble whatsoever. Do you think the
defense that he wasn't wearing a motorcycle helmet will fly in court?



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:09:03
Message: <48cbe59f$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbd5e0@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > The question you should be asking is, did anyone ask you to fix their
> > security in the first place? Spend your time and energy on things that there
> > is a demand for, not on things that you are unwelcome to do.

>   It's exactly that kind of bastard mentality that causes all the
> ridiculous lawsuits.

No, it's the type of mentality that keeps a civilized society running. If
the society approved of people who sought to fix the problems they perceived
on others their own way, we would go back to lawlessness and every man fend
for himself.



From: Orchid XP v8
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:13:47
Message: <48cbe6bb$1@news.povray.org>
>> Well, no, because fixing a broken window costs money.
> 
> And it doesn't cost money to fix a compromised system?

Depends how it was compromised, doesn't it?

>> You can "break into" a computer system without causing damage that has
>> to be repaired.
> 
> OK, assume I only go into houses that have windows that are ajar, or that I
> leave money for the window repair, or that I pick the lock instead... etc.

If you tell somebody "hey, your window is ajar", they'll believe you.

If you tell somebody "hey, your computer system is insecure", it's 
unfortunately rather unlikely that they'll believe you.

Now if some guy wanders round randomly trying to break into systems, 
then yes, that's not really acceptable and they deserve to be convicted 
with something. But if you tell somebody their system is insecure and 
they fail to do anything about it... what else are you supposed to do? I 
mean, if it has no impact on you, then fine. But if that system holds 
data about you, presumably you'd *like* it to be nice and secure.

(Obviously, I don't know which of those two scenarios was actually the 
case in this particular story. Presumably the court case will decide.)

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:41:26
Message: <48cbed36$1@news.povray.org>
"Orchid XP v8" <voi### [at] devnull> wrote in message
news:48cbe6bb$1@news.povray.org...
> >> Well, no, because fixing a broken window costs money.

> > And it doesn't cost money to fix a compromised system?

> Depends how it was compromised, doesn't it?

There are many costs (including waking up the sys-admin in the middle of the
night and paying overtime wages, or taking the system offline for a while
and inconvenience legitimate users) with any systems attack. It's naive to
assume it's all bits and bytes so no physical harm is possible.

> >> You can "break into" a computer system without causing damage that has
> >> to be repaired.

> > OK, assume I only go into houses that have windows that are ajar, or that I
> > leave money for the window repair, or that I pick the lock instead... etc.

> If you tell somebody "hey, your window is ajar", they'll believe you.

What's this obsession with convincing people of something? Anyway, moving
on...

> If you tell somebody "hey, your computer system is insecure", it's
> unfortunately rather unlikely that they'll believe you.

Question: If you have not already hacked into the system, how do you know if
it's not secure?

> Now if some guy wanders round randomly trying to break into systems,
> then yes, that's not really acceptable and they deserve to be convicted

Ah. So since this guy presumably did not design the system himself, he'd not
know if it's secure or not. Like you yourself mentioned, as well as Warp
mentioned in another post, it's not like looking at a window that's ajar.

So, by your admission, "wandering round randomly trying to break into
systems" is precisely what he must have been doing. And by your conclusion,
"that's not really acceptable and they deserve to be convicted".

> with something. But if you tell somebody their system is insecure and
> they fail to do anything about it... what else are you supposed to do? I
> mean, if it has no impact on you, then fine. But if that system holds
> data about you, presumably you'd *like* it to be nice and secure.

What happened to good old method of communication?

> (Obviously, I don't know which of those two scenarios was actually the
> case in this particular story. Presumably the court case will decide.)

True. But regardless, it's a crime. And I'm tempted to think that he did not
contact and try to communicate with the sys-admin first. I don't know of
many hackers who do that before hacking.




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.