POV-Ray : Newsgroups : povray.off-topic : White hat? Black Hat?
White hat? Black Hat? (Message 21 to 30 of 76)
From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:43:15
Message: <48cbeda3@news.povray.org>
somebody <x### [at] ycom> wrote:
> "Warp" <war### [at] tagpovrayorg> wrote in message
> news:48cbd5e0@news.povray.org...
> > somebody <x### [at] ycom> wrote:

> > > The question you should be asking is, did anyone ask you to fix their
> > > security in the first place? Spend your time and energy on things that
> > > there is a demand for, not on things that you are unwelcome to do.

> >   It's exactly that kind of bastard mentality that causes all the
> > ridiculous lawsuits.

> No, it's the type of mentality that keeps a civilized society running. If
> the society approved of people who sought to fix the problems they perceived
> on others their own way, we would go back to lawlessness and every man fend
> for himself.

  Wait a minute. You are talking as if this person had pointed out what
he thought was a personality flaw on someone and got scolded because of
being impolite.

  No, he spotted a technical security flaw in the computer system, and
pointed it out so that it could be fixed, so that the system would be
more secure for everyone (for the university, the students and himself).
Sure, he was actively searching for flaws, but his intentions clearly were
not malicious. There would thus be two options:

1) He "obeys the law", doesn't try to hack the system, the security flaws
get unnoticed, and at some point a malicious cracker will exploit the
system because it was never fixed. The malicious cracker is probably from
southern Asia or eastern Europe or whatever, will never get caught and
will never get punished, and if he made serious damage to the system
both the university and the students will suffer from this. The only one
who wins in this situation is the malicious cracker.

2) He searches for security flaws because it's his hobby, and if he finds
one, he reports it so that it will get fixed. If it gets fixed, luckily
no crackers will ever exploit the flaw, and the data will be secure and
nobody will suffer. Except for this person who made the report. The only
loser in this situation is the one who helped finding the security hole.
This will teach him a lesson: Next time he will *not* report any flaws
he finds, so they will not get fixed, and we are back at option 1.

  And the world is again a better place to live.

-- 
                                                          - Warp



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:44:49
Message: <48cbee01@news.povray.org>
somebody <x### [at] ycom> wrote:
> You get permission (and probably supervision)
> before testing other people's systems security flaws. You don't go around
> breaking into other people's systems to prove your machismo, any more than
> you go around breaking into other people's homes.

  A student goes to the university directors and asks permission to try
to hack the system? Haha!

  This would only lead to the security flaw never being found and fixed.
Well, not until a malicious cracker exploits it first.

-- 
                                                          - Warp



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:46:07
Message: <48cbee4f@news.povray.org>
somebody <x### [at] ycom> wrote:
> > Well, no, because fixing a broken window costs money.

> And it doesn't cost money to fix a compromised system?

  The person who hacked into the system didn't cause the flaw. The flaw
is there regardless. The only difference is whether it's a known flaw
or not.

-- 
                                                          - Warp



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 12:52:33
Message: <48cbefd0@news.povray.org>
somebody <x### [at] ycom> wrote:
> >   Finding a security weakness and then *not* exploiting it for your own
> > selfish purposes but instead reporting the weakness so that they will
> > patch it justifies it.

> If the end justifies the means, am I to assume you also agree that breaking
> into people's homes to expose their security flaws and pretend-robbing
> people at gunpoint to expose their unprotectedness are also just dandy, and
> moreover a good deed, provided you don't actually steal anything?

  Yes, those two things are completely equivalent.

  Breaking into someone's home usually causes material damage which costs
money. Breaking into a computer system usually doesn't.

  Breaking into someone's home exploits a security flaw which everyone
*already knows*. There's nothing to prove. It's up to the owner of the
house to decide whether he wants to fix it or not. Breaking into a computer
system exploits a flaw which is *not known* by the system administrators.
Such discovered security holes are usually patched as soon as possible
(only stupid sysadmins would ignore such a security hole).

  Upgrading the security of a house is expensive. Security upgrades of
a computer system are usually part of the software license (ever heard
of free security patches?)

  A malicious robber breaking into a house causes damage to the owner
of that house only. A malicious hacker breaking into a university computer
can potentially cause damage to thousands of people.

  Yes, I see how these two situations are completely comparable to each
other.

-- 
                                                          - Warp



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 13:45:02
Message: <48cbfc1e@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbee4f@news.povray.org...
> somebody <x### [at] ycom> wrote:
> > > Well, no, because fixing a broken window costs money.

> > And it doesn't cost money to fix a compromised system?

>   The person who hacked into the system didn't cause the flaw. The flaw
> is there regardless. The only difference is whether it's a known flaw
> or not.

The act of hacking incurs a cost. I gave some examples in another post.



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 13:54:43
Message: <48cbfe62@news.povray.org>
somebody <x### [at] ycom> wrote:
> There are many costs (including waking up the sys-admin in the middle of the
> night and paying overtime wages, or taking the system offline for a while
> and inconvenience legitimate users) with any systems attack.

  A security hole report does not cause waking up the sysadmin in the
middle of the night and paying overtime wages or taking the system offline.

  It causes the sysadmin to send a report to the software house with which
they have a software license so that they will fix the security hole. At
regular working hours.

-- 
                                                          - Warp



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 13:56:09
Message: <48cbfeb9$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbefd0@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > >   Finding a security weakness and then *not* exploiting it for your own
> > > selfish purposes but instead reporting the weakness so that they will
> > > patch it justifies it.

> > If the end justifies the means, am I to assume you also agree that breaking
> > into people's homes to expose their security flaws and pretend-robbing
> > people at gunpoint to expose their unprotectedness are also just dandy, and
> > moreover a good deed, provided you don't actually steal anything?

>   Yes, those two things are completely equivalent.
>
>   Breaking into someone's home usually causes material damage which costs
> money. Breaking into a computer system usually doesn't.

You can break into a house without causing material damage. Ever heard of
picking locks? Does that legitimize it?

>   Breaking into someone's home exploits a security flaw which everyone
> *already knows*.

No. Do you know how secure your lock is? Do you know how long it takes to
pick it? I'm doing you a service by demonstrating how easy it is.

> There's nothing to prove.

Ah, that's the crux of the matter: A hacker proves his superiority!

> It's up to the owner of the
> house to decide whether he wants to fix it or not. Breaking into a computer
> system exploits a flaw which is *not known* by the system administrators.

Whether it's known or not known or in the process of being fixed or not is
completely irrelevant. Hacking is a crime, same as lockpicking without
owner's consent.

If the admins invited him to hack, that would be fine. As it is if you
invite a locksmith to pick your lock.

>   Upgrading the security of a house is expensive. Security upgrades of
> a computer system are usually part of the software license (ever heard
> of free security patches?)

Again, completely immaterial how expensive or cheap it is to fix something.
Having said that, it's not necessarily cheap to fix security flaws either.

>   A malicious robber breaking into a house causes damage to the owner
> of that house only. A malicious hacker breaking into a university computer
> can potentially cause damage to thousands of people.

That makes no sense whatsoever. If anything, you are legitimizing breaking
into institutions instead of houses. Maybe I should change my example to
breaking into a business, a hospital, a school, a military base... etc. I'm
sure courts will then give me even bigger medals of honour for doing the
public a service which affects many more people.



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 14:03:53
Message: <48cc0089@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbfe62@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > There are many costs (including waking up the sys-admin in the middle of the
> > night and paying overtime wages, or taking the system offline for a while
> > and inconvenience legitimate users) with any systems attack.

>   A security hole report does not cause waking up the sysadmin in the
> middle of the night and paying overtime wages or taking the system offline.

Really? If I send you an e-mail listing all your financial and confidential
information, won't you be wasting the rest of your day frantically calling
every bank, agency, government institution, and business to inform them to
disable your cards, change numbers, accounts... etc? In the meantime, you
won't have access to those things. Now consider confidential information of
thousands of students and do the math. Everything has a cost. Even if fixing
the system doesn't cost money (hah, in a dream world!), major damage is done
with any such reckless act.

>   It causes the sysadmin to send a report to the software house with which
> they have a software license so that they will fix the security hole. At
> regular working hours.

Not all systems are such turnkey operations, and the vendor won't himself
have a fix for every type of security breach even if they were.



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 14:12:37
Message: <48cc0295$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbee01@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > You get permission (and probably supervision)
> > before testing other people's systems security flaws. You don't go around
> > breaking into other people's systems to prove your machismo, any more than
> > you go around breaking into other people's homes.

>   A student goes to the university directors and asks permission to try
> to hack the system? Haha!

What's wrong with that? If he makes a good case, he has a good chance of
being taken seriously. And if not, and if he's really obsessed, he can
suggest that he will hack regardless and give them the option to keep it
clean and under wraps. I don't recommend such borderline blackmail, but even
that is still better than committing a more serious and costly crime.

>   This would only lead to the security flaw never being found and fixed.

You are guessing.

> Well, not until a malicious cracker exploits it first.

Again, that's a guess.



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 14:12:39
Message: <48cc0297@news.povray.org>
somebody <x### [at] ycom> wrote:
> >   A security hole report does not cause waking up the sysadmin in the
> > middle of the night and paying overtime wages or taking the system offline.

> Really? If I send you an e-mail listing all your financial and confidential
> information, won't you

  No, because I don't read my email in the middle of the night, while
sleeping.

> be wasting the rest of your day frantically calling
> every bank, agency, government institution, and business to inform them to
> disable your cards, change numbers, accounts... etc? In the meantime, you
> won't have access to those things. Now consider confidential information of
> thousands of students and do the math. Everything has a cost. Even if fixing
> the system doesn't cost money (hah, in a dream world!), major damage is done
> with any such reckless act.

  So basically if the sysadmin is kept ignorant of the security hole,
no extra money is wasted and everybody is happy (but the security hole
goes unnoticed and unfixed). Apparently this is the desirable thing,
according to you.

> >   It causes the sysadmin to send a report to the software house with which
> > they have a software license so that they will fix the security hole. At
> > regular working hours.

> Not all systems are such turnkey operations, and the vendor won't himself
> have a fix for every type of security breach even if they were.

  And thus it's better for the sysadmins *not* knowing about the security
hole?

-- 
                                                          - Warp


Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.