POV-Ray : Newsgroups : povray.off-topic : White hat? Black Hat? (Message 37 to 46 of 76)
From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 19:41:09
Message: <48cc4f95@news.povray.org>
somebody <x### [at] ycom> wrote:
> That's my point, calling it a hobby gives a legitimizing impression.

  You still misunderstand my sentence (in its context). Probably on
purpose. You are sticking to one word I used, rather than trying to
acknowledge what I meant with the whole post.

  Fine, if that's the best argument you can come up with, so be it.

-- 
                                                          - Warp



From: Alain
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 21:02:44
Message: <48cc62b4$1@news.povray.org>
Doctor John enlightened us on 2008-09-13 08:58 -->
> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>
> Can't make my mind up on this; is the university right in prosecuting or 
> are they overreacting to cover their own insecure *ssh*les?
> Right now I'm leaning in the direction of overreacting but I'm willing 
> to be convinced otherwise
> 
> John
> 
That guy acted as a "troubleshooter".
What he did was:
I enter your system.
I tell you how I did it.
I tell you what the vulnerability is or are.
I tell you HOW to correct the vulnerability I used.

If you act correctly, the result is a safer system, with one or several fewer 
vulnerabilities.
If you act foolishly, you prosecute the guy, you do nothing about the flaws he 
showed you, and your system is still at least as vulnerable as before.

-- 
Alain
-------------------------------------------------
You know you've been raytracing too long when...
you ever saw a beautiful scenery and regretted not to take your 6" reflective 
ball and a digital camera, thinking "this would have been a perfect light probe"
         -Johnny D



From: Alain
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 21:18:15
Message: <48cc6657$1@news.povray.org>
somebody enlightened us on 2008-09-13 12:10 -->
> "Warp" <war### [at] tagpovrayorg> wrote in message
> news:48cbd5e0@news.povray.org...
>> somebody <x### [at] ycom> wrote:
> 
>>> The question you should be asking is, did anyone ask you to fix their
>>> security in the first place? Spend your time and energy on things that there
>>> is a demand for, not on things that you are unwelcome to do.
> 
>>   It's exactly that kind of bastard mentality that causes all the
>> ridiculous lawsuits.
> 
> No, it's the type of mentality that keeps a civilized society running. If
> the society approved of people who sought to fix the problems they perceived
> on others their own way, we would go back to lawlessness and every man fend
> for himself.
> 
> 
In everyday life, you're right... mostly. When you stumble on something wrong, 
you are bound to report it to someone competent on the matter, or correct it 
yourself if you are authorized or competent to do so. If you search for something 
wrong, for any reason, and find something, you must act about it.

In the computer world, we NEED hackers to find and report flaws. Why do you think 
patches are issued for every OS and most applications? Only because some hackers 
hunted for flaws and put them under the noses of developers. In the computer 
world, hackers are our private investigators. Many hackers are now paid workers 
at various software firms and security agencies. Calling every hacker a 
"criminal" is an insanely gross oversimplification. It all depends on why he hacks, 
and what he does after the hacking.

-- 
Alain
-------------------------------------------------
Don't kiss an elephant on the lips today.



From: Patrick Elliott
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 23:14:55
Message: <48cc81af@news.povray.org>
somebody wrote:
> "Warp" <war### [at] tagpovrayorg> wrote in message
> news:48cbee01@news.povray.org...
>> somebody <x### [at] ycom> wrote:
> 
>>   This would only lead for the security flaw to never be found and fixed.
> 
> You are guessing.
> 

No more so, given the evidence of how such things "always" lead, than 
"guessing" that the odds of rolling a seven with two six sided dice is 
likely to be higher than rolling a 12.

-- 
void main () {

     if version = "Vista" {
       call slow_by_half();
       call DRM_everything();
     }
     call functional_code();
   }
   else
     call crash_windows();
}


From: John VanSickle
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 23:43:14
Message: <48cc8852@news.povray.org>
Doctor John wrote:
> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>
> Can't make my mind up on this; is the university right in prosecuting or 
> are they overreacting to cover their own insecure *ssh*les?
> Right now I'm leaning in the direction of overreacting but I'm willing 
> to be convinced otherwise

The university is acting within its rights.  There were other ways of 
drawing attention to the problem other than breaking the law.  Notifying 
the security people risk, and then their non-IT bosses, are prudent 
steps, and I see no indication that the student did this *prior* to his 
own hacking.

Granted, you cannot *prove* that the vulnerability is real without 
making a successful penetration, but that really is beside the point.

It is not substantively different from a situation where you live in an 
apartment for which the landlord has failed to install adequate door 
locks.  You cannot break into other people's apartments in order to 
demonstrate the inadequacy of the existing security.  You tell the 
landlord, advise the tenants, and if nothing happens, move out.

Consider for a moment the results of allowing people to hack first, and 
then report the results of their hacking.  People who are hacking for 
criminal reasons will, if caught, claim that as a defense.

Regards,
John



From: andrel
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 06:39:23
Message: <48CCEA22.20508@hotmail.com>
On 14-Sep-08 5:43, John VanSickle wrote:
> Doctor John wrote:
>> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>>
>> Can't make my mind up on this; is the university right in prosecuting 
>> or are they overreacting to cover their own insecure *ssh*les?
>> Right now I'm leaning in the direction of overreacting but I'm willing 
>> to be convinced otherwise
> 
> The university is acting within its rights.  There were other ways of 
> drawing attention to the problem other than breaking the law.  Notifying 
> the security people risk, and then their non-IT bosses, are prudent 
> steps, and I see no indication that the student did this *prior* to his 
> own hacking.
> 
> Granted, you cannot *prove* that the vulnerability is real without 
> making a successful penetration, but that really is beside the point.
> 
> It is not substantively different from a situation where you live in an 
> apartment for which the landlord has failed to install adequate door 
> locks.  You cannot break into other people's apartments in order to 
> demonstrate the inadequacy of the existing security.  You tell the 
> landlord, advise the tenants, and if nothing happens, move out.

It is the same sort of wrong comparison that 'somebody' made. The 
difference is that this vulnerability is known and hacking a system 
often involves a new exploit that is unknown to the owners. A better 
comparison might be a house owner with a large fence around his house 
with spikes on top. One day a guy walks up to him and says: 'You know 
that large tree on your property, that has very long branches reaching 
over the fence. I was walking past that and thought it might be an easy 
access to your property. I tried the largest low hanging branch and 
indeed it could easily support me.' After which the house owner calls 
the cops and has him arrested for breaking into his property.

> Consider for a moment the results of allowing people to hack first, and 
> then report the results of their hacking.  People who are hacking for 
> criminal reasons will, if caught, claim that as a defense.

Not necessarily, the guy in question apparently had no criminal intentions 
and can prove that by notifying the sysop. If he had been caught in the 
act he would have had a serious problem.

I can understand your position, but I also know that there is a large 
group of systems that is not adequately protected. If the system will be 
hacked mostly third persons will suffer the consequences. Protecting the 
sysops with a law that prohibits hacking will increase the problem. A 
more balanced law would include:
- hacking is illegal
- reporting a hack to the sysop with a full disclosure of the 
vulnerability and a proof that no harm has been done during the hacking 
will result in dropping the case by the prosecution. (I don't know if 
that can be implemented in the US, we have a couple of such 
constructions within the Dutch system).
- prosecuting the sysops that fail to secure their systems. With 
different penalties for systems that can be used as e.g. zombie 
machines, machines containing privacy information, machines with 
financial information.
- prosecuting software companies that knowingly introduce vulnerabilities.

Hmm, this seems to be also the order of likeliness of implementation. 
The first is easy, no objection from large pressure groups, the second 
would imply that you educate judges and lawyers, the third will be 
opposed by small firms and the last one is impossible as that would lead 
to prosecution of MS and SONY, to name a few.



From: Stephen
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 08:46:25
Message: <c51qc4d4fcd6t1242v6oepn62gnq7bgjoa@4ax.com>
On Sat, 13 Sep 2008 13:58:35 +0100, Doctor John <joh### [at] homecom> wrote:

>http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>
>Can't make my mind up on this; is the university right in prosecuting or 
>are they overreacting to cover their own insecure *ssh*les?
>Right now I'm leaning in the direction of overreacting but I'm willing 
>to be convinced otherwise
>
>John

I agree with "somebody".
Wrong is wrong, illegal is illegal no matter the intentions. As others have said
there are other ways to let people know if there is a security leak. Also
further education should not only teach technical subjects but some
understanding of morals as well. I think that some of the differences in answers
has to do with age and experience. Younger people often think that if they mean
no harm then they are doing no wrong. 
It is also up to the authorities what any punishment is due. Whether it is light
or heavy.
-- 

Regards
     Stephen



From: Stephen
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 08:48:31
Message: <et1qc4psrsq617lh82smd8dnmpms68nrta@4ax.com>
On 13 Sep 2008 12:52:33 -0400, Warp <war### [at] tagpovrayorg> wrote:

>  Breaking into someone's home usually causes material damage which costs
>money. Breaking into a computer system usually doesn't.

Even if no material damage is done breaking into someone's (no relation) house
generally psychological damage is done.
-- 

Regards
     Stephen



From: Warp
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 09:13:10
Message: <48cd0de5@news.povray.org>
andrel <a_l### [at] hotmailcom> wrote:
> - prosecuting the sysops that fail to secure their systems.

  The prosecutor would have to prove that it was possible to secure the
system after the flaw was known by reasonable means.

> the last one is impossible as that would lead 
> to prosecution of MS and SONY, to name a few.

  AFAIR Sony has been prosecuted for their rootkit fiasco in many countries.

-- 
                                                          - Warp



From: andrel
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 09:14:30
Message: <48CD0E7D.8060303@hotmail.com>
On 14-Sep-08 14:46, Stephen wrote:
> On Sat, 13 Sep 2008 13:58:35 +0100, Doctor John <joh### [at] homecom> wrote:
> 
>> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>>
>> Can't make my mind up on this; is the university right in prosecuting or 
>> are they overreacting to cover their own insecure *ssh*les?
>> Right now I'm leaning in the direction of overreacting but I'm willing 
>> to be convinced otherwise
>>
>> John
> 
> I agree with "somebody".
> Wrong is wrong, illegal is illegal no matter the intentions. As others have said
> there are other ways to let people know if there is a security leak. Also
> further education should not only teach technical subjects but some
> understanding of morals as well. I think that some of the differences in answers
> has to do with age and experience. Younger people often think that if they mean
> no harm then they are doing no wrong. 

And partly by cultural background. As a true Dutchman I am horrified by 
laws passed on good intentions and 'ethics'. You should pass laws that 
solve problems (preferably after identifying what the real problem is), 
not ones that are counterproductive.

Possibly the dividing line in this discussion is that on the one hand 
people argue that it is forbidden and others who argue that that law 
simply should not have existed in that way.

> It is also up to the authorities what any punishment is due. Whether it is light
> or heavy.

The case is in Canada so there may be some hope that the judgment is by 
authorities based on facts. I don't know the details of the Canadian system.



Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.