White hat? Black Hat? (Message 27 to 36 of 76)
From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 13:56:09
Message: <48cbfeb9$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbefd0@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > >   Finding a security weakness and then *not* exploiting it for your own
> > > selfish purposes but instead reporting the weakness so that they will
> > > patch it justifies it.

> > If the end justifies the means, am I to assume you also agree that breaking
> > into people's homes to expose their security flaws and pretend-robbing
> > people at gunpoint to expose their unprotectedness are also just dandy, and
> > moreover a good deed, provided you don't actually steal anything?

>   Yes, those two things are completely equivalent.
>
>   Breaking into someone's home usually causes material damage which costs
> money. Breaking into a computer system usually doesn't.

You can break into a house without costing material damage. Ever heard of
picking locks? Does that legitimize it?

>   Breaking into someone's home exploits a security flaw which everyone
> *already knows*.

No. Do you know how secure your lock is? Do you know how long it takes to
pick it? I'm doing you a service by demonstrating how easy it is.

> There's nothing to prove.

Ah, that's the crux of the matter: A hacker proves his superiority!

> It's up to the owner of the
> house to decide whether he wants to fix it or not. Breaking into a computer
> system exploits a flaw which is *not known* by the system administrators.

Whether it's known or not known or in the process of being fixed or not is
completely irrelevant. Hacking is a crime, same as lockpicking without
owner's consent.

If the admins invited him to hack, that would be fine. As it is if you
invite a locksmith to pick your lock.

>   Upgrading the security of a house is expensive. Security upgrades of
> a computer system are usually part of the software license (ever heard
> of free security patches?)

Again, completely immaterial how expensive or cheap it is to fix something.
Having said that, it's not necessarily cheap to fix security flaws either.

>   A malicious robber breaking into a house causes damage to the owner
> of that house only. A malicious hacker breaking into a university computer
> can potentially cause damage to thousands of people.

That makes no sense whatsoever. If anything, you are legitimizing breaking
into institutions instead of houses. Maybe I should change my example to
breaking into a business, a hospital, a school, a military base... etc. I'm
sure courts will then give me even bigger medals of honour for doing the
public a service which affects many more people.



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 14:03:53
Message: <48cc0089@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbfe62@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > There are many costs (including waking up the sys-admin in the middle of the
> > night and paying overtime wages, or taking the system offline for a while
> > and inconvenience legitimate users) with any systems attack.

>   A security hole report does not cause waking up the sysadmin in the
> middle of the night and paying overtime wages or taking the system offline.

Really? If I send you an e-mail listing all your financial and confidential
information, won't you be wasting the rest of your day frantically calling
every bank, agency, government institution, and business to inform them to
disable your cards, change numbers, accounts... etc? In the meantime, you
won't have access to those things. Now consider confidential information of
thousands of students and do the math. Everything has a cost. Even if fixing
the system doesn't cost money (hah, in a dream world!), major damage is done
with any such reckless act.

>   It causes the sysadmin to send a report to the software house with which
> they have a software license so that they will fix the security hole. At
> regular working hours.

Not all systems are such turnkey operations, and the vendor won't himself
have a fix for every type of security breach even if they were.



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 14:12:37
Message: <48cc0295$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbee01@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > You get permission (and probably supervision)
> > before testing other people's systems security flaws. You don't go around
> > breaking into other people's systems to prove your machismo, any more than
> > you go around breaking into other people's homes.

>   A student goes to the university directors and asks permission to try
> to hack the system? Haha!

What's wrong with that? If he makes a good case, he has a good chance of
being taken seriously. And if not, and if he's really obsessed, he can
suggest that he will hack regardless and give them the option to keep it
clean and under wraps. I don't recommend such borderline blackmail, but even
that is still better than committing a more serious and costly crime.

>   This would only lead for the security flaw to never be found and fixed.

You are guessing.

> Well, not until a malicious cracker exploits it first.

Again, that's a guess.



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 14:12:39
Message: <48cc0297@news.povray.org>
somebody <x### [at] ycom> wrote:
> >   A security hole report does not cause waking up the sysadmin in the
> > middle of the night and paying overtime wages or taking the system offline.

> Really? If I send you an e-mail listing all your financial and confidential
> information, won't you

  No, because I don't read my email in the middle of the night, while
sleeping.

> be wasting the rest of your day frantically calling
> every bank, agency, government institution, and business to inform them to
> disable your cards, change numbers, accounts... etc? In the meantime, you
> won't have access to those things. Now consider confidential information of
> thousands of students and do the math. Everything has a cost. Even if fixing
> the system doesn't cost money (hah, in a dream world!), major damage is done
> with any such reckless act.

  So basically if the sysadmin is kept ignorant of the security hole,
no extra money is wasted and everybody is happy (but the security hole
goes unnoticed and unfixed). Apparently this is the desirable thing,
according to you.

> >   It causes the sysadmin to send a report to the software house with which
> > they have a software license so that they will fix the security hole. At
> > regular working hours.

> Not all systems are such turnkey operations, and the vendor won't himself
> have a fix for every type of security breach even if they were.

  And thus it's better for the sysadmins *not* knowing about the security
hole?

-- 
                                                          - Warp



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 14:18:54
Message: <48cc040e@news.povray.org>
somebody <x### [at] ycom> wrote:
> > There's nothing to prove.

> Ah, that's the crux of the matter: A hacker proves his superiority!

  No, the hacker proves that there's a concrete security hole which
should be fixed.

> If the admins invited him to hack, that would be fine. As it is if you
> invite a locksmith to pick your lock.

  So as long as he didn't ask permission it's better that the sysadmins
are kept ignorant of the security flaw in the system.

  Basically the situation is that the sysadmins *benefited* from the
hacking, and as a reward, the university sues the person who performed
the hacking.

> >   Upgrading the security of a house is expensive. Security upgrades of
> > a computer system are usually part of the software license (ever heard
> > of free security patches?)

> Again, completely immaterial how expensive or cheap it is to fix something.
> Having said that, it's not necessarily cheap to fix security flaws either.

  Which is not the fault of the hacker, really. He shouldn't be punished
because fixing a security hole (which was not created by the hacker) is
expensive to fix.

> >   A malicious robber breaking into a house causes damage to the owner
> > of that house only. A malicious hacker breaking into a university computer
> > can potentially cause damage to thousands of people.

> That makes no sense whatsoever. If anything, you are legitimizing breaking
> into institutions instead of houses. Maybe I should change my example to
> breaking into a business, a hospital, a school, a military base... etc. I'm
> sure courts will then give me even bigger medals of honour for doing the
> public a service which affects many more people.

  No. If you break into a big institution and then make a report on how
you did it and which flaws you exploited, the institution will benefit
from it (because they will be able to fix those flaws), and you will be
rewarded with jailtime.

  Of course nobody breaks into institutions for the sole reason of
reporting how he did it. Too much work for no benefit.

  Hacking a computer, however, is a hobby.

-- 
                                                          - Warp



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 14:51:04
Message: <48cc0b98$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cc040e@news.povray.org...

>   Basically the situation is that the sysadmins *benefited* from the
> hacking,

Hardly. They'll likely get into trouble themselves, if not fired. You may
think that's justified since they didn't do a perfect job, but it's
disingenuous to present the hacker as the victim and everyone else as
ungrateful beneficiaries.

[...]

>   Hacking a computer, however, is a hobby.

Everyone's entitled to their own opinions, but it's this type of thinking
that glorifies something which in actuality is a crime.



From: Vincent Le Chevalier
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 14:59:29
Message: <48cc0d91$1@news.povray.org>
somebody wrote:
> "Warp" <war### [at] tagpovrayorg> wrote in message
> news:48cc040e@news.povray.org...
>>   Hacking a computer, however, is a hobby.
> 
> Everyone's entitled to their own opinions, but it's this type of thinking
> that glorifies something which in actuality is a crime.
> 

Besides, that's hardly a justification. Martial arts are one of my 
hobbies, and yet I don't go attacking people randomly just to prove to them
that their self-defence training is lacking... Even without causing
significant harm (which would be possible) it would be illegal and 
normally prosecuted without any discussion of this sort happening.

-- 
Vincent



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 15:53:27
Message: <48cc1a36@news.povray.org>
somebody <x### [at] ycom> wrote:
> "Warp" <war### [at] tagpovrayorg> wrote in message
> news:48cc040e@news.povray.org...

> >   Basically the situation is that the sysadmins *benefited* from the
> > hacking,

> Hardly. They'll likely get into trouble themselves, if not fired.

  Why would they get fired?

> >   Hacking a computer, however, is a hobby.

> Everyone's entitled to their own opinions, but it's this type of thinking
> that glorifies something which in actuality is a crime.

  Perhaps you understood incorrectly my sentence. "Hobby" did have a
completely neutral meaning in it.

-- 
                                                          - Warp



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 15:54:22
Message: <48cc1a6e@news.povray.org>
Vincent Le Chevalier <gal### [at] libertyallsurfspamfr> wrote:

> > "Warp" <war### [at] tagpovrayorg> wrote in message
> > news:48cc040e@news.povray.org...
> >>   Hacking a computer, however, is a hobby.
> > 
> > Everyone's entitled to their own opinions, but it's this type of thinking
> > that glorifies something which in actuality is a crime.

> Besides, that's hardly a justification.

  I didn't say it as a justification. Put it in the original context
of my post, rather than taking that one sentence alone.

-- 
                                                          - Warp



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 18:52:49
Message: <48cc4441$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cc1a36@news.povray.org...
> somebody <x### [at] ycom> wrote:
> > "Warp" <war### [at] tagpovrayorg> wrote in message

> > >   Hacking a computer, however, is a hobby.

> > Everyone's entitled to their own opinions, but it's this type of thinking
> > that glorifies something which in actuality is a crime.

>   Perhaps you understood incorrectly my sentence. "Hobby" did have a
> completely neutral meaning in it.

That's my point, calling it a hobby gives a legitimizing impression. Hacking
into other people's systems can no more be called a hobby than robbing
banks can. It's not neutral, it carries a criminal element. Why is it so
hard to understand that certain "bits and bytes" can fall into "other
people's property" category? It's their system, their data. You have no
right whatsoever, even with good intentions, to violate their property.




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.