Open Source and information security mailing list archives
Date: Thu, 16 Feb 2006 12:19:11 -0500
From: Sysmin Sys73m47ic <sysmin.systematic@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilites in new laws on computer hacking

> > "Advanced societies" are updating computer crime laws faster than the
> > rest of the world. This means that new generations of these more
> > "advanced societies" will have no clue about how remote computer attacks
> > are carried out. Future generations of security "experts" will be among
> > the most ignorant in the history of computer security.

Self Destruction, Very well put. You really hit the nail on the head,
which means you are probably going to get a ton of flack. Many will
not understand where you are coming from with this post, hence the
post from Paul. I understand exactly, there are a lot of people
calling themselves penetration testers and selling their services to
companies and they really do not have a clue what is going on. They hand
their customer a Nessus scan and wash their hands. I have to deal with
them quite often and truthfully it makes me sick.

Now, I am not advocating breaking in to other people's systems, but as
the paranoia about breaking in to systems increases there seems to be
a buffer zone that will increase and engulf the gray area
surrounding systems (i.e. Wardriving, teaching, etc.). So, although I
agree with you I don't really have a solution to the problem either.
To say that Intent should be taken in to account on computer crimes
would lend tons of ammunition for a defense attorney for every
computer crime case.

You would think by now, we as humans would let some common sense in to
our thick skulls, but that is not the case. Enacting harsher
punishments for laws does not stop criminals from committing crimes.
Criminals commit crimes regardless of laws and harshness of
punishment, HELLO... They don't think they will get caught. Any
analysis of 10-20-Life laws or Three Strikes laws will tell you that.
Gun control is another issue I can't get over, the bad guys still had
the guns. All gun control does is stop law abiding citizens from
owning them. Anyone who says otherwise is kidding themselves.

Most of the fraud, scams, and misc computer crimes are not happening
in the countries enacting these laws anyway.

> That's silly.  Researchers know full well how to do this without ever
> breaking any laws.  In fact, most of the best researchers who are finding
> the bugs and weaknesses in systems never break in to any system not owned by
> them.

Paul, this isn't necessarily true. Right or wrong, many people cut
their teeth messing with other people's systems.

> > New generations of teenagers will be scared of doing online exploration.
> > I'm not talking about damaging other companies' computer systems. I'm
> > talking about accessing them illegally *without* revealing private
> > information to the public or harming any data that has been accessed. To
> > me, there is a big difference between these two types of attacks but I
> > don't think that judges feel the same way. Furthermore, I don't even
> > think that judges understand the difference.
> >
> To me there is not.  They're my systems.  Stay out, thank you very much.
>
> If you want to learn how to hack, set up your own network, install some
> OSes, with various patch levels, and hack away.  You can learn everything
> you need to know without ever touching a system you do not own.  Get your
> buddies involved.  Hack each other's boxes.  But do not hack into systems
> that do not belong to you.  That *should* be illegal and you *should* be
> prosecuted.

> And you're wrong.  I don't have to hack into someone else's equipment to
> know how to hack into things.

Just to play devil's advocate here, perhaps you have $100,000 for a
real lab. There is only so much simulation that can be done in a lab.
Truly learning how to do many of these things takes years and more
than just a test Windows box. As I said, just devil's advocate. I am
not saying to go nuts and break in to everyone's system. The answer
you gave is not a feasible one for a 16 year old kid. I think a better
answer would have been, create better programs in schools that
actually have the money for such a lab.

Now going back to Self Destruction's point, harsher laws may make it
illegal to teach such skills in school, this would only serve to
support his point even more.

> Do locksmiths break in to random houses to learn their craft?

You can't compare the complexity and dynamic nature of today's modern
computing environments with that of a locksmith.

> > I know what you're thinking. You can learn about security attacks by
> > setting up your own controlled environment and attacking it yourself.
> > Well, what I say is that this approach *does* certainly make you a better
> > attacker, but nothing can be compared to attacking systems in real world
> > scenarios.

Right on. 100 percent correct. There is no substitute for real world
experience in penetration testing. No training course or certification
test can make up for that.

--
Sysmin Sys73m47ic
