  White hat? Black Hat? (Message 41 to 50 of 76)  
From: John VanSickle
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 23:43:14
Message: <48cc8852@news.povray.org>
Doctor John wrote:
> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>
> Can't make my mind up on this; is the university right in prosecuting or 
> are they overreacting to cover their own insecure *ssh*les?
> Right now I'm leaning in the direction of overreacting but I'm willing 
> to be convinced otherwise

The university is acting within its rights.  There were other ways of 
drawing attention to the problem other than breaking the law.  Notifying 
the security people risk, and then their non-IT bosses, are prudent 
steps, and I see no indication that the student did this *prior* to his 
own hacking.

Granted, you cannot *prove* that the vulnerability is real without 
making a successful penetration, but that really is beside the point.

It is not substantively different from a situation where you live in an 
apartment for which the landlord has failed to install adequate door 
locks.  You cannot break into other people's apartments in order to 
demonstrate the inadequacy of the existing security.  You tell the 
landlord, advise the tenants, and if nothing happens, move out.

Consider for a moment the results of allowing people to hack first, and 
then report the results of their hacking.  People who are hacking for 
criminal reasons will, if caught, claim that as a defense.

Regards,
John



From: andrel
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 06:39:23
Message: <48CCEA22.20508@hotmail.com>
On 14-Sep-08 5:43, John VanSickle wrote:
> Doctor John wrote:
>> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>>
>> Can't make my mind up on this; is the university right in prosecuting 
>> or are they overreacting to cover their own insecure *ssh*les?
>> Right now I'm leaning in the direction of overreacting but I'm willing 
>> to be convinced otherwise
> 
> The university is acting within its rights.  There were other ways of 
> drawing attention to the problem other than breaking the law.  Notifying 
> the security people risk, and then their non-IT bosses, are prudent 
> steps, and I see no indication that the student did this *prior* to his 
> own hacking.
> 
> Granted, you cannot *prove* that the vulnerability is real without 
> making a successful penetration, but that really is beside the point.
> 
> It is not substantively different from a situation where you live in an 
> apartment for which the landlord has failed to install adequate door 
> locks.  You cannot break into other people's apartments in order to 
> demonstrate the inadequacy of the existing security.  You tell the 
> landlord, advise the tenants, and if nothing happens, move out.

It is the same sort of wrong comparison that 'somebody' made. The 
difference is that this vulnerability is known and hacking a system 
often involves a new exploit that is unknown to the owners. A better 
comparison might be a house owner with a large fence around his house 
with spikes on top. One day a guy walks up to him and says: 'You know 
that large tree on your property, that has very long branches reaching 
over the fence. I was walking past that and thought it might be an easy 
access to your property. I tried the largest low hanging branch and 
indeed it could easily support me.' After which the house owner calls 
the cops and has him arrested for breaking into his property.

> Consider for a moment the results of allowing people to hack first, and 
> then report the results of their hacking.  People who are hacking for 
> criminal reasons will, if caught, claim that as a defense.

Not necessary, the guy in question apparently had no criminal intentions 
and can prove that by notifying the sysop. If he had been caught in the 
act he would have had a serious problem.

I can understand your position, but I also know that there is a large 
group of systems that is not adequately protected. If the system will be 
hacked mostly third persons will suffer the consequences. Protecting the 
sysops with a law that prohibits hacking will increase the problem. A 
more balanced law would include:
- hacking is illegal
- reporting a hack to the sysop with a full disclosure of the 
vulnerability and a proof that no harm has been done during the hacking 
will result in dropping the case by the prosecution. (I don't know if 
that can be implemented in the US, we have a couple of such 
constructions within the Dutch system).
- prosecuting the sysops that fail to secure their systems. With 
different penalties for systems that can be used as e.g. zombie 
machines, machines containing privacy information, machines with 
financial information.
- prosecuting software companies that knowingly introduce vulnerabilities.

Hmm, this seems to be also the order of likeliness of implementation. 
The first is easy, no objection from large pressure groups, the second 
would imply that you educate judges and lawyers, the third will be 
opposed by small firms and the last one is impossible as that would lead 
to prosecution of MS and SONY, to name a few.



From: Stephen
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 08:46:25
Message: <c51qc4d4fcd6t1242v6oepn62gnq7bgjoa@4ax.com>
On Sat, 13 Sep 2008 13:58:35 +0100, Doctor John <joh### [at] homecom> wrote:

>http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>
>Can't make my mind up on this; is the university right in prosecuting or 
>are they overreacting to cover their own insecure *ssh*les?
>Right now I'm leaning in the direction of overreacting but I'm willing 
>to be convinced otherwise
>
>John

I agree with "somebody".
Wrong is wrong, illegal is illegal no matter the intentions. As others have said
there are other ways to let people know if there is a security leak. Also
further education should not only teach technical subjects but some
understanding of morals as well. I think that some of the differences in answers
have to do with age and experience. Younger people often think that if they mean
no harm then they are doing no wrong. 
It is also up to the authorities what any punishment is due. Whether it is light
or heavy.
-- 

Regards
     Stephen



From: Stephen
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 08:48:31
Message: <et1qc4psrsq617lh82smd8dnmpms68nrta@4ax.com>
On 13 Sep 2008 12:52:33 -0400, Warp <war### [at] tagpovrayorg> wrote:

>  Breaking into someone's home usually causes material damage which costs
>money. Breaking into a computer system usually doesn't.

Even if no material damage is done breaking into someone's (no relation) house
generally psychological damage is done.
-- 

Regards
     Stephen



From: Warp
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 09:13:10
Message: <48cd0de5@news.povray.org>
andrel <a_l### [at] hotmailcom> wrote:
> - prosecuting the sysops that fail to secure their systems.

  The prosecutor would have to prove that it was possible to secure the
system after the flaw was known by reasonable means.

> the last one is impossible as that would lead 
> to prosecution of MS and SONY, to name a few.

  AFAIR Sony has been prosecuted for their rootkit fiasco in many countries.

-- 
                                                          - Warp



From: andrel
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 09:14:30
Message: <48CD0E7D.8060303@hotmail.com>
On 14-Sep-08 14:46, Stephen wrote:
> On Sat, 13 Sep 2008 13:58:35 +0100, Doctor John <joh### [at] homecom> wrote:
> 
>> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>>
>> Can't make my mind up on this; is the university right in prosecuting or 
>> are they overreacting to cover their own insecure *ssh*les?
>> Right now I'm leaning in the direction of overreacting but I'm willing 
>> to be convinced otherwise
>>
>> John
> 
> I agree with "somebody".
> Wrong is wrong, illegal is illegal no matter the intentions. As others have said
> there are other ways to let people know if there is a security leak. Also
> further education should not only teach technical subjects but some
> understanding of morals as well. I think that some of the differences in answers
> have to do with age and experience. Younger people often think that if they mean
> no harm then they are doing no wrong. 

And partly by cultural background. As a true Dutchman I am horrified by 
laws passed on good intentions and 'ethics'. You should pass laws that 
solve problems (preferably after identifying what the real problem is), 
not ones that are counterproductive.

Possibly the dividing line in this discussion is that on the one hand 
people argue that it is forbidden and others who argue that that law 
simply should not have existed in that way.

> It is also up to the authorities what any punishment is due. Whether it is light
> or heavy.

The case is in Canada so there may be some hope that the judgment is by 
authorities based on facts. I don't know the details of the Canadian system.



From: Warp
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 09:14:54
Message: <48cd0e4d@news.povray.org>
Stephen <mcavoysAT@aoldotcom> wrote:
> Wrong is wrong, illegal is illegal no matter the intentions.

  Not all crimes have the same severity, and crimes can have mitigating
factors. It's not even uncommon for someone not to be prosecuted even
though he broke the letter of the law, because the circumstances were so
mitigating.

-- 
                                                          - Warp



From: Stephen
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 09:23:10
Message: <g14qc4d6t4s6cupdjnf67kcr2026e02jpv@4ax.com>
On 14 Sep 2008 09:14:54 -0400, Warp <war### [at] tagpovrayorg> wrote:

>Stephen <mcavoysAT@aoldotcom> wrote:
>> Wrong is wrong, illegal is illegal no matter the intentions.
>
>  Not all crimes have the same severity, and crimes can have mitigating
>factors. It's not even uncommon for someone not to be prosecuted even
>though he broke the letter of the law, because the circumstances were so
>mitigating.

This is true and in my opinion correct. John's question hangs on this point but
another aspect is; did the person in question "know" what he did was "wrong in
law" whether he agreed with the law or not.
-- 

Regards
     Stephen



From: Stephen
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 09:28:25
Message: <g64qc45hed58tljttrr0mf69aqbgh3lhk6@4ax.com>
On Sun, 14 Sep 2008 15:15:41 +0200, andrel <a_l### [at] hotmailcom> wrote:


>> 
>> I agree with "somebody".
>> Wrong is wrong, illegal is illegal no matter the intentions. As others have said
>> there are other ways to let people know if there is a security leak. Also
>> further education should not only teach technical subjects but some
>> understanding of morals as well. I think that some of the differences in answers
>> have to do with age and experience. Younger people often think that if they mean
>> no harm then they are doing no wrong. 
>
>And partly by cultural background. As a true Dutchman I am horrified by 
>laws passed on good intentions and 'ethics'. You should pass laws that 
>solve problems (preferably after identifying what the real problem is), 
>not ones that are counterproductive.
>

We have a saying: "The road to Hell is paved with good intentions"

>Possibly the dividing line in this discussion is that on the one hand 
>people argue that it is forbidden and others who argue that that law 
>simply should not have existed in that way.
>
>> It is also up to the authorities what any punishment is due. Whether it is light
>> or heavy.
>
>The case is in Canada so there may be some hope that the judgment is by 
>authorities based on facts. I don't know the details of the Canadian system.

If it is based on facts then he is "guilty as charged". If it is based on
intentions then the spirit of the law can be taken into account.
-- 

Regards
     Stephen



From: somebody
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 10:50:00
Message: <48cd2498$1@news.povray.org>
"andrel" <a_l### [at] hotmailcom> wrote in message
news:48C### [at] hotmailcom...
> On 14-Sep-08 5:43, John VanSickle wrote:
> > Doctor John wrote:
> >> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1

> > It is not substantively different from a situation where you live in an
> > apartment for which the landlord has failed to install adequate door
> > locks.  You cannot break into other people's apartments in order to
> > demonstrate the inadequacy of the existing security.  You tell the
> > landlord, advise the tenants, and if nothing happens, move out.

> It is the same sort of wrong comparison that 'somebody' made. The
> difference is that this vulnerability is known and hacking a system
> often involves a new exploit that is unknown to the owners. A better
> comparison might be a house owner with a large fence around his house
> with spikes on top. One day a guy walks up to him and says: 'You know
> that large tree on your property, that has very long branches reaching
> over the fence. I was walking past that and thought it might be an easy
> access to your property. I tried the largest low hanging branch and
> indeed it could easily support me.' After which the house owner calls
> the cops and has him arrested for breaking into his property.

Good for him. I'd call the cops too. What's it his business entering my
property? "I was walking by" doesn't make sense either. Nobody walking by
"accidentally" climbs a tree. And if he was really concerned for my safety,
why not come point out to me the branch *without* violating the law?

That it was easy to do or that the owner failed to perfectly secure
something is not an excuse for breaking the law. Where do you draw the line?
If the guy had to use a ladder to get to a branch, would you then be willing to
consider it a crime? If the guy had to use a helicopter to land on the tree
or the property, would you consider that a crime now? See, there are always
ways to compromise a property or a system if you have a criminal mind.
Unless the suspect can show that he went into the property by mistake during
his daily walk, and if the property owner did not draw a line around his
property, then I'd let him go. Otherwise, if he's made an effort to climb a
tree, use a ladder, use a helicopter... etc, it's clear that he intended to
break the law, clear and simple.

> > Consider for a moment the results of allowing people to hack first, and
> > then report the results of their hacking.  People who are hacking for
> > criminal reasons will, if caught, claim that as a defense.

> Not necessary, the guy in question apparently had no criminal intentions

What do you call breaking the law?

> I can understand your position, but I also know that there is a large
> group of systems that is not adequately protected. If the system will be
> hacked mostly third persons will suffer the consequences. Protecting the
> sysops with a law that prohibits hacking will increase the problem.

False dichotomy again. Why do you assume that the system will be hacked by a
third person? It's a matter of opportunity, means and motive, and not all
are present for anyone on the street. Clairvoyance defenses like that don't
work, and with good reason. If you see someone speeding down the street, are
you given a free pass to ram him? After all, he's going to get into an
accident, right? And it's better that at least the other side anticipates
the accident...




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.