White hat? Black Hat? (Message 17 to 26 of 76)
From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:02:17
Message: <48cbe409$1@news.povray.org>
"Orchid XP v8" <voi### [at] devnull> wrote in message
news:48cbdeca@news.povray.org...
> somebody wrote:

> > And one more thing to say on the subject: Why is it that people think the
> > ease by which one can commit a cybercrime justifies it?

> I don't think anybody does.

I do think many do.

> > No shop owner is required to keep their
> > wares under lock in all times in order to be able to charge a thief.

> No, but you know what? Their wares usually have somebody standing over
> them to protect them.

No, not really. There's a whole bunch of clothes, shoes, ... etc sitting on
racks on the outside of the store by the door. All the salespeople are
inside and none of them can see the street. They are completely unprotected
and insecure. I think I'll help myself to a new outfit.

> I rather suspect that if you just took some stuff
> and left it unattended in the middle of the street and then tried to
> prosecute the guy who stole it, you wouldn't get very far.

University system is hardly "the middle of the street". It's obviously not
abandoned or refuse. There's no question whatsoever about who owns the
system or the data.

> It's not that you have to make theft "impossible", but you have to make
> *some* kind of effort.

That he used a keylogger means the university did make some kind of an
effort. Any security system can be compromised if you try hard enough. At
worst, you pay $4.95 and a packet of bubble gum to a user (I don't remember
the link now but there was a study on how alarmingly willing employees were
in exposing confidential business information, passwords... etc). But
bribing itself is still a crime, no matter how little of a bribe you were
able to get away with.

Again, the point is, if you break the law, you are a criminal, regardless of
how easy it was to break the law. I can go to a random person on the street
and punch him in the face with no trouble whatsoever. Do you think the
defense that he wasn't wearing a motorcycle helmet will fly in court?



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:09:03
Message: <48cbe59f$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbd5e0@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > The question you should be asking is, did anyone ask you to fix their
> > security in the first place? Spend your time and energy on things that there
> > is a demand for, not on things that you are unwelcome to do.

>   It's exactly that kind of bastard mentality that causes all the
> ridiculous lawsuits.

No, it's the type of mentality that keeps a civilized society running. If
the society approved of people who sought to fix the problems they perceived
on others their own way, we would go back to lawlessness and every man fend
for himself.



From: Orchid XP v8
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:13:47
Message: <48cbe6bb$1@news.povray.org>
>> Well, no, because fixing a broken window costs money.
> 
> And it doesn't cost money to fix a compromised system?

Depends how it was compromised, doesn't it?

>> You can "break into" a computer system without causing damage that has
>> to be repaired.
> 
> OK, assume I only go into houses that have windows that are ajar, or that I
> leave money for the window repair, or that I pick the lock instead... etc.

If you tell somebody "hey, your window is ajar", they'll believe you.

If you tell somebody "hey, your computer system is insecure", it's 
unfortunately rather unlikely that they'll believe you.

Now if some guy wanders round randomly trying to break into systems, 
then yes, that's not really acceptable and they deserve to be convicted 
with something. But if you tell somebody their system is insecure and 
they fail to do anything about it... what else are you supposed to do? I 
mean, if it has no impact on you, then fine. But if that system holds 
data about you, presumably you'd *like* it to be nice and secure.

(Obviously, I don't know which of those two scenarios was actually the 
case in this particular story. Presumably the court case will decide.)

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:41:26
Message: <48cbed36$1@news.povray.org>
"Orchid XP v8" <voi### [at] devnull> wrote in message
news:48cbe6bb$1@news.povray.org...
> >> Well, no, because fixing a broken window costs money.

> > And it doesn't cost money to fix a compromised system?

> Depends how it was compromised, doesn't it?

There are many costs (including waking up the sys-admin in the middle of the
night and paying overtime wages, or taking the system offline for a while
and inconveniencing legitimate users) with any systems attack. It's naive to
assume it's all bits and bytes so no physical harm is possible.

> >> You can "break into" a computer system without causing damage that has
> >> to be repaired.

> > OK, assume I only go into houses that have windows that are ajar, or that I
> > leave money for the window repair, or that I pick the lock instead... etc.

> If you tell somebody "hey, your window is ajar", they'll believe you.

What's this obsession with convincing people of something? Anyway, moving
on...

> If you tell somebody "hey, your computer system is insecure", it's
> unfortunately rather unlikely that they'll believe you.

Question: If you have not already hacked into the system, how do you know if
it's not secure?

> Now if some guy wanders round randomly trying to break into systems,
> then yes, that's not really acceptable and they deserve to be convicted

Ah. So since this guy presumably did not design the system himself, he'd not
know if it's secure or not. Like you yourself mentioned, as well as Warp
mentioned in another post, it's not like looking at a window that's ajar.

So, by your admission, "wandering round randomly trying to break into
systems" is precisely what he must have been doing. And by your conclusion,
"that's not really acceptable and they deserve to be convicted".

> with something. But if you tell somebody their system is insecure and
> they fail to do anything about it... what else are you supposed to do? I
> mean, if it has no impact on you, then fine. But if that system holds
> data about you, presumably you'd *like* it to be nice and secure.

What happened to the good old method of communication?

> (Obviously, I don't know which of those two scenarios was actually the
> case in this particular story. Presumably the court case will decide.)

True. But regardless, it's a crime. And I'm tempted to think that he did not
contact and try to communicate with the sys-admin first. I don't know of
many hackers who do that before hacking.



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:43:15
Message: <48cbeda3@news.povray.org>
somebody <x### [at] ycom> wrote:
> "Warp" <war### [at] tagpovrayorg> wrote in message
> news:48cbd5e0@news.povray.org...
> > somebody <x### [at] ycom> wrote:

> > > The question you should be asking is, did anyone ask you to fix their
> > > security in the first place? Spend your time and energy on things that there
> > > is a demand for, not on things that you are unwelcome to do.

> >   It's exactly that kind of bastard mentality that causes all the
> > ridiculous lawsuits.

> No, it's the type of mentality that keeps a civilized society running. If
> the society approved of people who sought to fix the problems they perceived
> on others their own way, we would go back to lawlessness and every man fend
> for himself.

  Wait a minute. You are talking as if this person had pointed out what
he thought was a personality flaw on someone and got scolded because of
being impolite.

  No, he spotted a technical security flaw in the computer system, and
pointed it out so that it could be fixed, so that the system would be
more secure for everyone (for the university, the students and himself).
Sure, he was actively searching for flaws, but his intentions clearly were
not malicious. There would thus be two options:

1) He "obeys the law", doesn't try to hack the system, the security flaws
get unnoticed, and at some point a malicious cracker will exploit the
system because it was never fixed. The malicious cracker is probably from
southern Asia or eastern Europe or whatever, will never get caught and
will never get punished, and if he made serious damage to the system
both the university and the students will suffer from this. The only one
who wins in this situation is the malicious cracker.

2) He searches for security flaws because it's his hobby, and if he finds
one, he reports it so that it will get fixed. If it gets fixed, luckily
no crackers will ever exploit the flaw, and the data will be secure and
nobody will suffer. Except for this person who made the report. The only
loser in this situation is the one who helped find the security hole.
This will teach him a lesson: Next time he will *not* report any flaws
he finds, so they will not get fixed, and we are back at option 1.

  And the world is again a better place to live.

-- 
                                                          - Warp



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:44:49
Message: <48cbee01@news.povray.org>
somebody <x### [at] ycom> wrote:
> You get permission (and probably supervision)
> before testing other people's systems security flaws. You don't go around
> breaking into other people's systems to prove your machismo, any more than
> you go around breaking into other people's homes.

  A student goes to the university directors and asks permission to try
to hack the system? Haha!

  This would only lead to the security flaw never being found and fixed.
Well, not until a malicious cracker exploits it first.

-- 
                                                          - Warp



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:46:07
Message: <48cbee4f@news.povray.org>
somebody <x### [at] ycom> wrote:
> > Well, no, because fixing a broken window costs money.

> And it doesn't cost money to fix a compromised system?

  The person who hacked into the system didn't cause the flaw. The flaw
is there regardless. The only difference is whether it's a known flaw
or not.

-- 
                                                          - Warp



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:52:33
Message: <48cbefd0@news.povray.org>
somebody <x### [at] ycom> wrote:
> >   Finding a security weakness and then *not* exploiting it for your own
> > selfish purposes but instead reporting the weakness so that they will
> > patch it justifies it.

> If the end justifies the means, am I to assume you also agree that breaking
> into people's homes to expose their security flaws and pretend-robbing
> people at gunpoint to expose their unprotectedness are also just dandy, and
> moreover a good deed, provided you don't actually steal anything?

  Yes, those two things are completely equivalent.

  Breaking into someone's home usually causes material damage which costs
money. Breaking into a computer system usually doesn't.

  Breaking into someone's home exploits a security flaw which everyone
*already knows*. There's nothing to prove. It's up to the owner of the
house to decide whether he wants to fix it or not. Breaking into a computer
system exploits a flaw which is *not known* by the system administrators.
Such discovered security holes are usually patched as soon as possible
(only stupid sysadmins would ignore such a security hole).

  Upgrading the security of a house is expensive. Security upgrades of
a computer system are usually part of the software license (ever heard
of free security patches?)

  A malicious robber breaking into a house causes damage to the owner
of that house only. A malicious hacker breaking into a university computer
can potentially cause damage to thousands of people.

  Yes, I see how these two situations are completely comparable to each
other.

-- 
                                                          - Warp



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 13:45:02
Message: <48cbfc1e@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbee4f@news.povray.org...
> somebody <x### [at] ycom> wrote:
> > > Well, no, because fixing a broken window costs money.

> > And it doesn't cost money to fix a compromised system?

>   The person who hacked into the system didn't cause the flaw. The flaw
> is there regardless. The only difference is whether it's a known flaw
> or not.

The act of hacking incurs a cost. I gave some examples in another post.



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 13:54:43
Message: <48cbfe62@news.povray.org>
somebody <x### [at] ycom> wrote:
> There are many costs (including waking up the sys-admin in the middle of the
> night and paying overtime wages, or taking the system offline for a while
> and inconveniencing legitimate users) with any systems attack.

  A security hole report does not cause waking up the sysadmin in the
middle of the night and paying overtime wages or taking the system offline.

  It causes the sysadmin to send a report to the software house with which
they have a software license so that they will fix the security hole. At
regular working hours.

-- 
                                                          - Warp



Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.