POV-Ray : Newsgroups : povray.off-topic : White hat? Black Hat?
  White hat? Black Hat? (Message 51 to 60 of 76)  
From: somebody
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 11:08:11
Message: <48cd28db@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cc0297@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > >   A security hole report does not cause waking up the sysadmin in the
> > > middle of the night and paying overtime wages or taking the system
> > > offline.

> > Really? If I send you an e-mail listing all your financial and
> > confidential information, won't you

>   No, because I don't read my email in the middle of the night, while
> sleeping.

You should. If you did, you'd only waste the rest of your night. If you read
your e-mail in the morning and get my e-mail, you'll waste the rest of the
day.

> > >   It causes the sysadmin to send a report to the software house with
> > > which they have a software license so that they will fix the security
> > > hole. At regular working hours.

> > Not all systems are such turnkey operations, and the vendor won't himself
> > have a fix for every type of security breach even if they were.

>   And thus it's better for the sysadmins *not* knowing about the security
> hole?

It's best for the sysadmins to have fixed the hole before anybody hacked the
system. Next best is for them knowing about the hole and nobody having
hacked the system. Next best is for them to not know about the hole and
nobody having hacked the system... etc.

You are using the psychic defense: If I didn't hack the system, someone more
malicious than I would, so I'm doing the sysadmins a favour. Sorry, that's a
ridiculous argument.

Yes, crimes sometimes can have positive after effects. Had someone shot
the engineer of the passenger train that crashed in California that morning,
everything would have turned out better, no? But can we base our legal
systems on possibilities?



From: andrel
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 11:39:26
Message: <48CD3075.4000504@hotmail.com>
On 14-Sep-08 16:50, somebody wrote:
> "andrel" <a_l### [at] hotmailcom> wrote in message
> news:48C### [at] hotmailcom...
>> On 14-Sep-08 5:43, John VanSickle wrote:
>>> Doctor John wrote:
> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
> 
>>> It is not substantively different from a situation where you live in an
>>> apartment for which the landlord has failed to install adequate door
>>> locks.  You cannot break into other people's apartments in order to
>>> demonstrate the inadequacy of the existing security.  You tell the
>>> landlord, advise the tenants, and if nothing happens, move out.
> 
>> It is the same sort of wrong comparison that 'somebody' made. The
>> difference is that this vulnerability is known and hacking a system
>> often involves a new exploit that is unknown to the owners. A better
>> comparison might be a house owner with a large fence around his house
>> with spikes on top. One day a guy walks up to him and says: 'You know
>> that large tree on your property, that has very long branches reaching
>> over the fence. I was walking past that and thought it might be an easy
>> access to your property. I tried the largest low hanging branch and
>> indeed it could easily support me.' After which the house owner calls
>> the cops and has him arrested for breaking into his property.
> 
> Good for him. I'd call the cops too. What's it his business entering my
> property? "I was walking by" doesn't make sense either. Nobody walking by
> "accidentally" climbs a tree. And if he was really concerned for my safety,
> why not come point out to me the branch *without* violating the law?

1) if the branch is weak enough there is no danger, so no need to call
2) as you failed to notice, I never said he entered the property. You 
(and my fictional character) assume that he did, just as the assumption 
in our case here is that the student was doing something malicious. (yes 
I come to that later)

> 
> That it was easy to do or that the owner failed to perfectly secure
> something is not an excuse for breaking the law. Where do you draw the line?
> If the guy had to use a ladder to get to a branch, would you then be willing to
> consider it a crime? If the guy had to use a helicopter to land on the tree
> or the property, would you consider that a crime now? See, there are always
> ways to compromise a property or a system if you have a criminal mind.
> Unless the suspect can show that he went into the property by mistake during
> his daily walk, and if the property owner did not draw a line around his
> property, then I'd let him go. Otherwise, if he's made an effort to climb a
> tree, use a ladder, use a helicopter... etc, it's clear that he intended to
> break the law, clear and simple.
> 
>>> Consider for a moment the results of allowing people to hack first, and
>>> then report the results of their hacking.  People who are hacking for
>>> criminal reasons will, if caught, claim that as a defense.
> 
>> Not necessary, the guy in question apparently had no criminal intentions
> 
> What do you call breaking the law?

The student had apparently no intention to cause harm to the system or 
gain himself or anybody else anything by the act. The only reason you 
may call him a criminal is that there is a law there that should have 
been different. As a student you may excuse him for not yet knowing that 
some laws don't make sense and can be used in perverse ways. In this 
case a law that was intended to prosecute malicious hackers is misused 
to protect an incompetent sysop at the expense of a naive student.

Aside: I don't know about your place, but here we consider somebody 
innocent until proven to have broken the law.

>> I can understand your position, but I also know that there is a large
>> group of systems that is not adequately protected. If the system will be
>> hacked mostly third persons will suffer the consequences. Protecting the
>> sysops with a law that prohibits hacking will increase the problem.
> 
> False dichotomy again. Why do you assume that the system will be hacked by a
> third person? It's a matter of opportunity, means and motive, and not all
> are present for anyone on the street. Clairvoyance defenses like that don't
> work, and with good reason. If you see someone speeding down the street, are
> you given a free pass to ram him? After all, he's going to get into an
> accident, right? And it's better that at least the other side anticipates
> the accident...
> 
Either you did not understand what I said, or you have absolutely no idea 
how the world works.

BTW I consider this discussion closed as far as I am concerned. I feel 
very uncomfortable talking to a 'somebody' with an e-mail address of 
'x### [at] ycom'. Feel free to start a new thread on anonymity in our newsgroups.



From: Nicolas Alvarez
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 12:17:49
Message: <48cd392c@news.povray.org>
somebody wrote:
> "Warp" <war### [at] tagpovrayorg> wrote in message
> news:48cc0297@news.povray.org...
>>   No, because I don't read my email in the middle of the night, while
>> sleeping.
> 
> You should. If you did, you'd only waste the rest of your night. If you
> read your e-mail in the morning and get my e-mail, you'll waste the rest
> of the day.

o_O

Are you seriously suggesting I should read my email in the middle of the
night just in case somebody mailed me with my financial information?



From: Nicolas Alvarez
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 12:18:39
Message: <48cd395f@news.povray.org>
John VanSickle wrote:
> and if nothing happens, move out.

And the problem remains unsolved.



From: Stephen
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 13:00:01
Message: <omgqc4d7ibq6ggb9th8132228pq6aocmfd@4ax.com>
On Sun, 14 Sep 2008 17:40:37 +0200, andrel <a_l### [at] hotmailcom> wrote:

>
> I feel very uncomfortable talking to a 'somebody' with an e-mail address of 
>'x### [at] ycom'. Feel free to start a new thread on anonymity in our newsgroups.

I concur. 
-- 

Regards
     Stephen



From: somebody
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 21:58:57
Message: <48cdc161$1@news.povray.org>
"Nicolas Alvarez" <nic### [at] gmailcom> wrote in message
news:48cd392c@news.povray.org...
> somebody wrote:
> > "Warp" <war### [at] tagpovrayorg> wrote in message
> > news:48cc0297@news.povray.org...

> >>   No, because I don't read my email in the middle of the night, while
> >> sleeping.

> > You should. If you did, you'd only waste the rest of your night. If you
> > read your e-mail in the morning and get my e-mail, you'll waste the rest
> > of the day.

> o_O
>
> Are you seriously

Well, you answered your own question there, didn't you?

> suggesting I should read my email in the middle of the
> night just in case somebody mailed me with my financial information?



From: somebody
Subject: Re: White hat? Black Hat?
Date: 14 Sep 2008 22:13:16
Message: <48cdc4bc$1@news.povray.org>
"andrel" <a_l### [at] hotmailcom> wrote in message
news:48C### [at] hotmailcom...
> On 14-Sep-08 16:50, somebody wrote:
> > "andrel" <a_l### [at] hotmailcom> wrote in message
> > news:48C### [at] hotmailcom...

> > Good for him. I'd call the cops too. What's it his business entering my
> > property? "I was walking by" doesn't make sense either. Nobody walking by
> > "accidentally" climbs a tree. And if he was really concerned for my safety,
> > why not come point out to me the branch *without* violating the law?

> 1) if the branch is weak enough there is no danger, so no need to call
> 2) as you failed to notice, I never said he entered the property. You
> (and my fictional character) assume that he did, just as the assumption
> in our case here is that the student was doing something malicious. (yes
> I come to that later)

But he did hack into the system and retrieve the passwords. If he didn't
enter the property, your analogy doesn't compute. If he did, then he did
violate the property rights. You cannot have your cake and eat it too.

> >> Not necessary, the guy in question apparently had no criminal intentions

> > What do you call breaking the law?

> The student had apparently no intention to cause harm to the system or

So if I go over the speed limit but have no intention to get into an
accident, I can expect to avoid a ticket?

> gain himself or anybody else anything by the act. The only reason you
> may call him a criminal is that there is a law there that should have
> been different.

You can argue that the law is unfair (it would be a bad argument, granted,
but laws are of course not set in stone). But so long as it's there, it's by
definition, a crime to break it.

> As a student you may excuse him for not yet knowing that
> some laws don't make sense and can be used in perverse ways.

Ignorance of the law is (almost always) unacceptable as a defense. Too much
room for abuse.

> Aside: I don't know about your place, but here we consider somebody
> innocent until proven to have broken the law.

True, but I'm not the judge or the jury, nor are we sentencing him here. I
can express my opinion based on what I have read so far.

> BTW I consider this discussion closed as far as I am concerned. I feel
> very uncomfortable talking to a 'somebody' with an e-mail address of
> 'x### [at] ycom'.

That's an ad hominem. Somebody (else) might claim he doesn't feel
comfortable with people with hotmail accounts. Nonetheless, be it so.



From: scott
Subject: Re: White hat? Black Hat?
Date: 15 Sep 2008 04:11:33
Message: <48ce18b5$1@news.povray.org>
> http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
>
> Can't make my mind up on this; is the university right in prosecuting or 
> are they overreacting to cover their own insecure *ssh*les?
> Right now I'm leaning in the direction of overreacting but I'm willing to 
> be convinced otherwise

Seems to me like he installed some keyloggers and card readers and simply 
skimmed off log in information.  Then he actually admitted doing this to the 
university - very clever...

He should have sent the 16-page report to the university without actually 
performing the illegal acts or sending the document to 37 of his mates.  If 
they had refused to improve security, then he could have gone to the local 
student papers etc and kicked up a fuss.



From: scott
Subject: Re: White hat? Black Hat?
Date: 15 Sep 2008 04:14:40
Message: <48ce1970$1@news.povray.org>
>  No, he spotted a technical security flaw in the computer system, and
> pointed it out so that it could be fixed,

But his mistake was to go several steps further, and actually "demonstrate" 
the security flaw by installing keyloggers and magnetic card readers, then 
accessing 32 different student accounts illegally and sending his findings 
to 37 of his mates.  Had he just written the document and sent it to the 
university, fine.



From: andrel
Subject: Anonymity in our newsgroups - Was: White hat? Black Hat?
Date: 15 Sep 2008 15:09:01
Message: <48CEB314.9020303@hotmail.com>
On 15-Sep-08 4:14, somebody wrote:
> 
>> BTW I consider this discussion closed as far as I am concerned. I feel
>> very uncomfortable talking to a 'somebody' with an e-mail address of
>> 'x### [at] ycom'.
> 
> That's an ad hominem. 

- no, that was the point it is an ad inhominem
- it is also not one because I tell you what I feel, without even 
suggesting that what you did would make your points less valuable.
- over the years there were a few cases of people here in the newsgroups 
that, like you, tried to discredit other people by accusing them of 
rhetoric tricks. It is my impression that that said more about 
themselves than of the addressed person. Just an observation.

> Somebody (else) might claim he doesn't feel
> comfortable with people with hotmail accounts. 

Not the best attempt to return a compliment that I have seen. FYI I use 
a hotmail account in newsgroups for obvious reasons. I am not hiding 
behind a fictitious address. I will answer e-mails sent to that address 
and it reflects even my name IRL.

> Nonetheless, be it so.

It is your choice. I think of this group as a group of (mostly) friends. 
Your choice sort of spoils that idea for me. Many people here use 
aliases and many use e-mail addresses that are either invalid or 
mangled. Yet, because they have a recognizable identity I can think of 
them as a human being. To me you're more a ghost than a human being. So 
again, it is absolutely your own choice on whether you want to be part 
of this group or not, but I (and perhaps others) might not respond to 
anything you say. (Obviously, I make an exception for this metadiscussion.)




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.