Date: Fri, 13 Jan 2012 12:17:57 +0100
From: "Giles Coochey" <giles@...chey.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Rate Stratfor's Incident Response

+1 to the below.

The days where you could hoodwink a judge and say you were just playing
on the computer are over. Get with it.

On Fri, January 13, 2012 11:57, Ferenc Kovacs wrote:
> On Thu, Jan 12, 2012 at 10:46 PM, Benjamin Kreuter
> <ben.kreuter@...il.com> wrote:
>
>> On Thu, 12 Jan 2012 16:06:53 -0500
>> Valdis.Kletnieks@...edu wrote:
>>
>> > On Thu, 12 Jan 2012 15:16:19 EST, Benjamin Kreuter said:
>> >
>> > > Really, calling it "breaking in" is a stretch.  You connected a
>> > > computer to a publicly accessible computer network, where anyone can
>> > > send anything to your computer.  If hacking such a system is
>> > > "breaking in," you might as well claim that shouting across your
>> > > neighbor's yard is "breaking in."
>> >
>> > Bad analogy.  Closer would be if you have a house that's got a
>> > driveway on a public street, and you claim it's not breaking and
>> > entering if you walk up the driveway, try the doorknob, find it
>> > unlocked, and let yourself in without the permission of the
>> > residents.  Saying that "anybody could walk up and let themselves in
>> > the door" doesn't make it legal.
>>
>> Would you say that we should arrest the person who walks into the
>> house, takes a picture of themselves standing next to an expensive
>> television and leaves the picture next to a note that says "your door
>> was unlocked?"
>>
>>
> yeah, it would still be an offence in most countries.
>
>
>> Really though, it is still a terrible analogy.  You can disconnect a
>> computer from the Internet; you cannot disconnect a building from a
>> street.  A hacker in a foreign country might be attacking your computer
>> system from that country, and could be outside the jurisdiction of any
>> relevant law enforcement agency; a person who breaks into a building is
>> committing a crime in whatever jurisdiction the building is in.
>>
>
> the crime would still be a crime in the country where the building/computer
> is located, you just can't get the offender prosecuted, just like if he
> would flee the country after trespassing into your house.
>
>
>>
>> Analogies are nice and they help non-technical folks understand what
>> is going on, but let's not get carried away with them. Someone who
>> attacks a computer system over the Internet (or any other network) is
>> sending unwanted/malicious messages.  This is not the same as physically
>> breaking into a building, locker, or computer. It may be illegal, but
>> it is still very different from other crimes.
>
>
> why is it different? the only difference imo is that the whole
> IT/networking stuff is relatively new, and the law was lagging behind, and
> some people still think that it is, when it isn't really anymore.
> you can get the same amount of fine/years in prison whether you stole the
> money/confidential info through physical or electronic means.
>
>
>>  If anything, the closest
>> type of criminal would be a con man, which seems fitting given how many
>> of today's attacks have an element of social engineering.
>>
>
> nope.
> of course social engineering can be compared to Confidence trick, because
> it is a Confidence trick.
> but social engineering is only one vulnerability from the many, and usually
> it is used together with other methods (you get the credentials using that,
> then you proceed and access the system using those credentials, which is
> the gaining unauthorized access to the system).
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

