 |
|
|
|
|
|
| |
| |
|
|
|
|
| |
| |
|
|
http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
Can't make my mind up on this; is the university right in prosecuting or
are they overreacting to cover their own insecure *ssh*les?
Right now I'm leaning in the direction of overreacting but I'm willing
to be convinced otherwise
John
--
"Eppur si muove" - Galileo Galilei
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Doctor John <joh### [at] home com> wrote:
>
http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
> Can't make my mind up on this; is the university right in prosecuting or
> are they overreacting to cover their own insecure *ssh*les?
> Right now I'm leaning in the direction of overreacting but I'm willing
> to be convinced otherwise
No good deed goes unpunished. (Although this is certainly not the worst
case of someone reporting security weaknesses to some company and getting
sued for it.)
--
- Warp
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Warp wrote:
> No good deed goes unpunished. (Although this is certainly not the worst
> case of someone reporting security weaknesses to some company and getting
> sued for it.)
The trouble is, if you say "hey, your security is really weak, you
should fix it", people tend to not believe you. And if you walk up and
say "hey, your security is really weak, I just hacked all your systems",
they go "OMG, you're a hacker! DIE!!!"
There seems to be no way to win.
Of course, from the other side, *anybody* can walk up and claim that a
system is insecure. That doesn't necessarily mean they know what the
hell they're talking about. And if somebody breaks into your system, you
can either enjoy the bad publicity of having "poor security", or you can
sue the person, which makes them look like the bad guy, not you.
It's easier and cheaper to scapegoat somebody else than fix the problem...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbc7b9@news.povray.org...
> Doctor John <joh### [at] homecom> wrote:
> >
http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
> > Can't make my mind up on this; is the university right in prosecuting or
> > are they overreacting to cover their own insecure *ssh*les?
> > Right now I'm leaning in the direction of overreacting but I'm willing
> > to be convinced otherwise
> No good deed goes unpunished. (Although this is certainly not the worst
> case of someone reporting security weaknesses to some company and getting
> sued for it.)
So it would be a good deed for me to break into neighbourhood houses (which
would be trivial, as practically all have unprotected ground level glass
windows) when the owner is away and place a note on the coffee table to tell
them their house is insecure.
Or, maybe it's a good deed worth a good samaritan medal to rob someone at
gunpoint, and when you get the money, to hand it back to them, saying that
you were demonstrating the point that they should not be walking alone at
that time of the day in that place.
*Reporting* a security weakness is a good deed. *Exploiting* a security
weaknes is a bad deed, even if followed by reporting.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
"Orchid XP v8" <voi### [at] devnull> wrote in message
news:48cbcbf6$1@news.povray.org...
> Warp wrote:
> > No good deed goes unpunished. (Although this is certainly not the
worst
> > case of someone reporting security weaknesses to some company and
getting
> > sued for it.)
> The trouble is, if you say "hey, your security is really weak, you
> should fix it", people tend to not believe you.
That's fine. Not everyone has to believe everything you say. You do a good
deed, and move on. You don't try to force things down other people's
throats, especially if doing so will also break the law.
> And if you walk up and
> say "hey, your security is really weak, I just hacked all your systems",
> they go "OMG, you're a hacker! DIE!!!"
The question you should be asking is, did anyone ask you to fix their
security in the first place? Spend your time and energy on things that there
is a demand for, not on things that you are unwelcome to do.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
"Warp" <war### [at] tagpovrayorg> wrote in message
news:48cbc7b9@news.povray.org...
> Doctor John <joh### [at] homecom> wrote:
> >
http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
> > Can't make my mind up on this; is the university right in prosecuting or
> > are they overreacting to cover their own insecure *ssh*les?
> > Right now I'm leaning in the direction of overreacting but I'm willing
> > to be convinced otherwise
> No good deed goes unpunished. (Although this is certainly not the worst
> case of someone reporting security weaknesses to some company and getting
> sued for it.)
And one more thing to say on the subject: Why is it that people think the
ease by which one can commit a cybercrime justifies it? That doesn't work
like that in real life. Nobody gives the excuse "Well officer, sure I was
doing 200 mph, but see, that's a security flaw in the system. The car or the
road should not allow me to depress that lever that hard". It's ridiculously
easy in real life to commit crimes. Pretty much *everything* is insecure. I
would walk with thousands of dollars worth of goods just strolling around a
market or a mall with open displays. No shop owner is required to keep their
wares under lock in all times in order to be able to charge a thief. It's
understood that it's their goods, they own it. Well, university records are
property of the institution, I don't think the hacker could possibly be
confused on that matter. And it's not like the hacker accidentally came
across them in his browsing, he had a clear intent to break in and worked at
it.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Orchid XP v8 wrote:
> Warp wrote:
>
>> No good deed goes unpunished. (Although this is certainly not the worst
>> case of someone reporting security weaknesses to some company and getting
>> sued for it.)
Agreed, the "shoot-the-messenger" mind-set seems to be endemic
> The trouble is, if you say "hey, your security is really weak, you
> should fix it", people tend to not believe you. And if you walk up and
> say "hey, your security is really weak, I just hacked all your systems",
> they go "OMG, you're a hacker! DIE!!!"
>
> There seems to be no way to win.
>
> Of course, from the other side, *anybody* can walk up and claim that a
> system is insecure. That doesn't necessarily mean they know what the
> hell they're talking about. And if somebody breaks into your system, you
> can either enjoy the bad publicity of having "poor security", or you can
> sue the person, which makes them look like the bad guy, not you.
>
> It's easier and cheaper to scapegoat somebody else than fix the problem...
>
My problem here is that the young hacker in question seems to have been
naive rather than malicious.
1. Hacking the system without permission is not legal.
2. Pointing out the vulnerabilities (and taking the time
to compile a report) is helpful.
3. Actually producing and printing out the list of user
passwords was probably overkill.
IMO what the lad should have done was to offer to demonstrate the
vulnerabilities whilst their techies were present.
Of course, he may have already tried going down that route but was
turned down in which case he turned to the course of hacking the system
to get attention. I suppose that will presented in his defence if the
case actually gets to court.
My advice to Carleton, drop the charges and talk to the student. Point
out the error of hacking a system without permission but thank him for
helping to ensure the system is now secured. (I assume they have patched
the holes :-) )
BTW Look at the guy's name. I trust this is not another "war-on-terror"
overreaction.
John
--
"Eppur si muove" - Galileo Galilei
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
somebody <x### [at] ycom> wrote:
> The question you should be asking is, did anyone ask you to fix their
> security in the first place? Spend your time and energy on things that there
> is a demand for, not on things that you are unwelcome to do.
It's exactly that kind of bastard mentality that causes all the
ridiculous lawsuits.
--
- Warp
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
somebody <x### [at] ycom> wrote:
> *Reporting* a security weakness is a good deed. *Exploiting* a security
> weaknes is a bad deed, even if followed by reporting.
Now please explain to us the exact means by which you will know the
security weakness without actually testing it. You will consult a
psychic? Or read it from tarot cards? Maybe you will see a vision
while you are on an LSD trip. Or perhaps you will use telepathy to
read the minds of the programmers who created the system, study their
code and then find the weakness. Yeah, that will work.
--
- Warp
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
somebody <x### [at] ycom> wrote:
> And one more thing to say on the subject: Why is it that people think the
> ease by which one can commit a cybercrime justifies it?
Finding a security weakness and then *not* exploiting it for your own
selfish purposes but instead reporting the weakness so that they will
patch it justifies it.
The other alternative is that you will not report it (for the fear of
a lawsuit) and then a malicious hacker will find it and exploit it for
malicious purposes. And then everyone is happy?
> And it's not like the hacker accidentally came
> across them in his browsing, he had a clear intent to break in and worked at
> it.
Oh, right. If you accidentally find a weakness and report it, that's
just ok, but if you intentionally try to find weaknesses in order to
report them, you should go to jail. That makes sense.
--
- Warp
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
