POV-Ray : Newsgroups : povray.off-topic : White hat? Black Hat? (Message 7 to 16 of 76)
From: Doctor John
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 10:57:24
Message: <48cbd4d4$1@news.povray.org>
Orchid XP v8 wrote:
> Warp wrote:
> 
>>   No good deed goes unpunished. (Although this is certainly not the worst
>> case of someone reporting security weaknesses to some company and getting
>> sued for it.)

Agreed, the "shoot-the-messenger" mind-set seems to be endemic.

> The trouble is, if you say "hey, your security is really weak, you 
> should fix it", people tend to not believe you. And if you walk up and 
> say "hey, your security is really weak, I just hacked all your systems", 
> they go "OMG, you're a hacker! DIE!!!"
> 
> There seems to be no way to win.
> 
> Of course, from the other side, *anybody* can walk up and claim that a 
> system is insecure. That doesn't necessarily mean they know what the 
> hell they're talking about. And if somebody breaks into your system, you 
> can either enjoy the bad publicity of having "poor security", or you can 
> sue the person, which makes them look like the bad guy, not you.
> 
> It's easier and cheaper to scapegoat somebody else than fix the problem...
> 
My problem here is that the young hacker in question seems to have been 
naive rather than malicious.
	1. Hacking the system without permission is not legal.
	2. Pointing out the vulnerabilities (and taking the time
	   to compile a report) is helpful.
	3. Actually producing and printing out the list of user
	   passwords was probably overkill.
IMO what the lad should have done was to offer to demonstrate the 
vulnerabilities whilst their techies were present.
Of course, he may have already tried going down that route but was 
turned down in which case he turned to the course of hacking the system 
to get attention. I suppose that will be presented in his defence if the 
case actually gets to court.
My advice to Carleton, drop the charges and talk to the student. Point 
out the error of hacking a system without permission but thank him for 
helping to ensure the system is now secured. (I assume they have patched 
the holes :-) )
BTW Look at the guy's name. I trust this is not another "war-on-terror" 
overreaction.

John

-- 
"Eppur si muove" - Galileo Galilei



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:01:53
Message: <48cbd5e0@news.povray.org>
somebody <x### [at] ycom> wrote:
> The question you should be asking is, did anyone ask you to fix their
> security in the first place? Spend your time and energy on things that there
> is a demand for, not on things that you are unwelcome to do.

  It's exactly that kind of bastard mentality that causes all the
ridiculous lawsuits.

-- 
                                                          - Warp



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:05:26
Message: <48cbd6b6@news.povray.org>
somebody <x### [at] ycom> wrote:
> *Reporting* a security weakness is a good deed. *Exploiting* a security
> weakness is a bad deed, even if followed by reporting.

  Now please explain to us the exact means by which you will know the
security weakness without actually testing it. You will consult a
psychic? Or read it from tarot cards? Maybe you will see a vision
while you are on an LSD trip. Or perhaps you will use telepathy to
read the minds of the programmers who created the system, study their
code and then find the weakness. Yeah, that will work.

-- 
                                                          - Warp



From: Warp
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:09:16
Message: <48cbd79c@news.povray.org>
somebody <x### [at] ycom> wrote:
> And one more thing to say on the subject: Why is it that people think the
> ease by which one can commit a cybercrime justifies it?

  Finding a security weakness and then *not* exploiting it for your own
selfish purposes but instead reporting the weakness so that they will
patch it justifies it.

  The other alternative is that you will not report it (for the fear of
a lawsuit) and then a malicious hacker will find it and exploit it for
malicious purposes. And then everyone is happy?

> And it's not like the hacker accidentally came
> across them in his browsing, he had a clear intent to break in and worked at
> it.

  Oh, right. If you accidentally find a weakness and report it, that's
just ok, but if you intentionally try to find weaknesses in order to
report them, you should go to jail. That makes sense.

-- 
                                                          - Warp



From: Orchid XP v8
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:27:50
Message: <48cbdbf6@news.povray.org>
Warp wrote:
> somebody <x### [at] ycom> wrote:
>> The question you should be asking is, did anyone ask you to fix their
>> security in the first place? Spend your time and energy on things that there
>> is a demand for, not on things that you are unwelcome to do.
> 
>   It's exactly that kind of bastard mentality that causes all the
> ridiculous lawsuits.

Indeed. And, um, isn't this a *student* we're talking about? Presumably 
he wanted his uni to fix their security so his own details didn't get 
stolen? I know *I* would!

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Orchid XP v8
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:30:35
Message: <48cbdc9b$1@news.povray.org>
somebody wrote:

> So it would be a good deed for me to break into neighbourhood houses (which
> would be trivial, as practically all have unprotected ground level glass
> windows) when the owner is away and place a note on the coffee table to tell
> them their house is insecure.

Well, no, because fixing a broken window costs money.

You can "break into" a computer system without causing damage that has 
to be repaired.

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:39:23
Message: <48cbdeab$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbd6b6@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > *Reporting* a security weakness is a good deed. *Exploiting* a security
> > weakness is a bad deed, even if followed by reporting.

>   Now please explain to us the exact means by which you will know the
> security weakness without actually testing it. You will consult a
> psychic? Or read it from tarot cards? Maybe you will see a vision
> while you are on an LSD trip. Or perhaps you will use telepathy to
> read the minds of the programmers who created the system, study their
> code and then find the weakness. Yeah, that will work.

Do you break into your neighbours' houses to "test" their security
weaknesses? To answer your question, that's so easy that I'm surprised you
cannot see the solution: You get permission (and probably supervision)
before testing other people's systems' security flaws. You don't go around
breaking into other people's systems to prove your machismo, any more than
you go around breaking into other people's homes.



From: Orchid XP v8
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:39:54
Message: <48cbdeca@news.povray.org>
somebody wrote:

> And one more thing to say on the subject: Why is it that people think the
> ease by which one can commit a cybercrime justifies it?

I don't think anybody does.

> No shop owner is required to keep their
> wares under lock at all times in order to be able to charge a thief.

No, but you know what? Their wares usually have somebody standing over 
them to protect them. I rather suspect that if you just took some stuff 
and left it unattended in the middle of the street and then tried to 
prosecute the guy who stole it, you wouldn't get very far.

It's not that you have to make theft "impossible", but you have to make 
*some* kind of effort.

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:44:36
Message: <48cbdfe4$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbd79c@news.povray.org...
> somebody <x### [at] ycom> wrote:

> > And one more thing to say on the subject: Why is it that people think the
> > ease by which one can commit a cybercrime justifies it?

>   Finding a security weakness and then *not* exploiting it for your own
> selfish purposes but instead reporting the weakness so that they will
> patch it justifies it.

If the end justifies the means, am I to assume you also agree that breaking
into people's homes to expose their security flaws and pretend-robbing
people at gunpoint to expose their unprotectedness are also just dandy, and
moreover a good deed, provided you don't actually steal anything?

>   The other alternative is that you will not report it (for the fear of
> a lawsuit) and then a malicious hacker will find it and exploit it for
> malicious purposes. And then everyone is happy?

Then, the alternative to above scenarios is that a psycho will find out about
the lack of security in a home and slaughter all the family, and that a gun
wielding coke addict will shoot the person in the head to steal his wallet.



From: somebody
Subject: Re: White hat? Black Hat?
Date: 13 Sep 2008 11:48:24
Message: <48cbe0c8$1@news.povray.org>
"Orchid XP v8" <voi### [at] devnull> wrote in message
news:48cbdc9b$1@news.povray.org...
> somebody wrote:

> > So it would be a good deed for me to break into neighbourhood houses (which
> > would be trivial, as practically all have unprotected ground level glass
> > windows) when the owner is away and place a note on the coffee table to tell
> > them their house is insecure.

> Well, no, because fixing a broken window costs money.

And it doesn't cost money to fix a compromised system?

> You can "break into" a computer system without causing damage that has
> to be repaired.

OK, assume I only go into houses that have windows that are ajar, or that I
leave money for the window repair, or that I pick the lock instead... etc.
You are objecting to irrelevant non-issues.

What about the pretend-robbery on the street? That doesn't cost any money.

