Message-ID: <43F51A64.8060306@gmail.com>
Date: Thu, 16 Feb 2006 19:35:48 -0500
From: dave <fla.linux@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilites in new laws on computer hacking
Marcus,
You use the analogy of trespassing to describe unauthorized access to a
computer system or its resources. I agree with you but I think a point
was missed...

The laws being passed today against *cyber crime* far exceed the basic
property laws. If someone gains access to a system he does not have
permission to access, yes, he has broken a law. But the punishment should
fit the crime. To use your analogy: If I wandered into your field and I
was caught and prosecuted I would face charges for basic trespassing...I
would pay a fine and go about my business. If I was a repeat offender I
might do 30 days. Let's say I cut a small hole in the fence so I could
easily return (that pond of yours has some great fish!). I would also be
made to pay for the fence to be repaired etc... Now, if I cracked your
server and poked around a bit (yea...in the wee hours of the morning),
let's say I even set up a small backdoor so I could return again...If
prosecuted, what kind of punishment should I receive? Would you be
content if I paid the court a 150 dollar fine? Also, can this act be
classified as *cyber terrorism*? To many this seems to be the direction
the government will and is taking...even towards minor criminal offenses
such as simple trespassing.

I think what the poster was saying is this, "If a teenager could face
possible *cyber terrorism* (or any serious felony) charges for trying to
break into computer networks simply to learn then things have gone too
far". Yes it is wrong and unethical but there is a ring of truth to his
thought process (even if his post was ridiculous overall)...hey, you
might not care about the intentions of the trespasser but I do! To me there
is a big difference between someone cracking my server to look around
and more or less do nothing and someone looking to set up a warez site
or use my server to host a phishing scam etc...

Unauthorized access is unauthorized access and is never ok from a
legitimate security (white hat) point of view. But whether or not the
intruder had malicious intentions should weigh in too. I do NOT think it
is ok to *cross the line*. But in the past I have played a prank or two
that could probably be referred to as *crossing the line* but I am
certainly no criminal.

just my two cents...
Marcus J. Ranum wrote:
>self-destruction@...best.com apparently writes:
>
>
>>"Advanced societies" are updating computer crime laws faster than the
>>rest of the world. This means that new generations of these more
>>"advanced societies" will have no clue about how remote computer attacks
>>are carried out. Future generations of security "experts" will be among
>>the most ignorant in the history of computer security.
>>
>>
>
>This is an interesting assertion: Legislation causes ignorance. I'll get
>to that in a moment but let me comment on the "advanced societies"
>issue and offer a different perspective.
>
>Advanced societies (as you call them) are the technological and
>economical fast-movers; the ones that have invested heavily across
>their economies in high tech, which means IT. One way of looking at
>the tightening of legislation in those societies is that it is a reaction
>to the disproportionate pain that technologically advanced societies
>suffer as a consequence of cyber-crime. As a society becomes
>increasingly dependent on computing, the cost of protecting those
>computers becomes a large item in the "expense" column. So
>perhaps you might look at it from this perspective:
>The reaction of the technologically advanced societies to cyber-crime
>is a harbinger of how EVERY society will react to cyber-crime as they
>move up the economic chain. The reason the rest of the world is not
>reacting as the advanced societies are is because they can still
>afford not to.
>
>Put differently - if you think it's bad (from your perspective) now, you
>ain't seen nothin' yet!
>
>
>
>>New generations of teenagers will be scared of doing online exploration.
>>
>>
>
>This is a ridiculous assertion - if you were correct that legislation
>significantly stifles criminal activity, then the US would be winning
>the "War On Drugs" right? After all, drugs are broadly illegal in the
>US and - well - are teenagers scared of exploring dope? Hmmm...
>Maybe not.
>
>Let's look at another aspect of that: I know of no society that is
>placing serious restrictions on an individual's ability to explore
>his/her own systems. I worded that carefully because the DRM
>and "Super DMCA" have gotten a lot of press over the implication
>that a user might not be able to "explore" data that they bought
>and paid for (i.e.: an application or a DVD) but actually the
>debate there is whether the user actually owns the data or
>merely owns the right to access the data, and that's a contract
>law question more than anything else. However, I know of no
>advanced society that says I can't buy a bunch of computers and
>copies of VMWare or honeyd or whatever and build myself a
>lab LAN/WAN and hammer it however I please, destructively
>"test" the software on it, etc. Perhaps I might not be motivated
>to go to the trouble of setting up my own test LAN, or I might
>not have the financial or intellectual resources to do so - but
>those are not a result of fear. There is nothing to stop groups
>of teenagers (to stick with your example) from playing capture
>the flag LAN parties with their own machines, as long as
>they're consenting - they're welcome to have at it as long as
>their electricity and caffeine supply holds out!!
>
>So - unlike the situation with drugs - there's STILL a perfectly
>legitimate avenue for socially sanctioned exploration. And we
>have seen that the "War On Drugs" hasn't exactly had a very
>great cooling effect on dope use - so I simply can't accept
>your assertion that teenagers are somehow going to be
>terrified to explore computers.
>
>... but is that what you're talking about, really? I don't think so.
>
>
>
>>I'm not talking about damaging other companies' computer systems. I'm
>>talking about accessing them illegally *without* revealing private
>>information to the public or harming any data that has been accessed.
>>
>>
>
>*Aha*
>
>So you're talking about "exploring" someone's computer
>without their permission.
>
>In virtually every society (not just the advanced ones) that has a
>notion of property, there is a notion of property rights. The very
>notion of property rights argues that _I_ have the right to control
>how _MY_ property is used. In fact, property rights make up
>the core of the social contract and the rule of law - i.e.: trespassing
>is a very, very old crime. "Exploring" someone's computer without
>their permission is a violation of their property rights, pure and
>simple. In any society under the rule of law, under virtually any
>moral and legal system I have encountered, there are protections
>that govern intrusion into another's property.
>
>So, I believe you're being intellectually dishonest calling such
>actions "exploring" - "trespassing" might be a better word, as
>a starting point for further dialog.
>
>It sounds like you're adopting the position that I've often
>heard voiced by trespassers, namely, "I didn't do any
>harm" or "I was passing through" etc - which is not a
>tenable position in the face of ANY attempt by the property
>owner to give notice that intrusion is unwelcome. For
>example, in most US States, ignoring a "No Trespassing"
>sign is a criminal act. I would argue that there's an exact
>mapping between the circumstance of my posting a
>"No Trespassing" sign on my property and my installing
>a firewall on my Internet connection. It gets more complex
>when you consider that in some jurisdictions it is not
>even necessary to post a "No Trespassing" sign to
>assert your property rights. Indeed, I am not required
>to post a "No Stealing" sign on my car when I park
>it, NOR am I required to lock it in order to assert the
>full protection of the law. This maps exactly to the
>situation in which I have an internet connection with
>no firewall at all; the fact that I do not have a "No Exploring"
>sign is NOT an implicit invitation to explore. Never
>mind complex moral philosophies - common courtesy
>requires that one ask permission before going where
>they are not invited.
>
>
>
>>To
>>me, there is a big difference between these two types of attacks but I
>>don't think that judges feel the same way. Furthermore, I don't even
>>think that judges understand the difference.
>>
>>
>
>In most of the "advanced societies" you are referring to, it is not
>a judge who makes this determination - it is a jury.
>
>Whether a jury understands or does not understand, or
>respects or does not respect, a distinction YOU choose to
>make is irrelevant. You are playing self-serving semantic
>games. By asserting that you feel there is a difference between
>one type of trespassing (the kind you deem harmful) and
>another type of trespassing (the kind you deem harmless)
>you are creating a distinction of convenience only to yourself.
>Does the law recognize such a distinction? I submit to you
>that unless the laws recognize "harmless trespass"
>versus "harmful trespass" then you are on shaky ground.
>
>Put differently, if you trespass on my property, I do not
>have to care about your intent. I merely have to care that
>you violated my property rights. Your "I meant no harm"
>argument is part of your plea for clemency once you've been
>convicted and it's time to pass sentence.
>
>
>
>>Now, I'm not saying that I support accessing computer systems illegally.
>>
>>
>
>Actually, you do appear to be saying that. Or, more precisely, you
>appear to be saying that by enforcing our existing property rights
>over our computers, we (the computer owners of the world) are
>going to somehow increase the level of ignorance about computer
>security.
>
>That's a ridiculous position!
>
>
>
>>All I'm saying is that by implementing very strict laws on "hacking", we
>>will create a generation of ignorant security professionals. I think to
>>myself, how the hell will these "more advanced societies" protect
>>themselves against cyber attacks in the future?
>>
>>
>
>Those more "advanced societies" will protect themselves
>quite well, for a number of reasons. First off, because they
>have more at stake, they will be obligated to (waste) invest
>more time preparing to stave off trespassers. As your stake
>increases your motivation to preserve it increases accordingly.
>This is part of the tyranny of the cyber-criminal: the cost they
>force the innocent to incur is disproportionate. An E-banking
>company may spend hundreds of thousands of dollars to
>build a defensible network whereas my grandmother might
>begrudge $19.95 for an antivirus package. Disproportionate
>spending will result in, unfortunately, a disproportionate demand
>for defensive expertise.
>
>What does that mean? That means you'll be dealing with
>guys like me. :) Folks from an engineering/system design/
>architecture background, who treat this "cyber-crime" as
>a serious problem that can be managed effectively using
>engineering and design disciplines. Security is nothing
>more than extending a failure analysis forward into a
>predictive failure analysis model (formally or ad hoc) and
>checking your implementations against past experiences
>of failure. This is exactly the same design discipline that
>civil engineers use when they build bridges: they
>understand that a bridge will be exposed to wind, rain,
>corrosives dropped on the road surface, vibration, metal
>fatigue, etc. These failure paradigms are extrapolated from
>past experience and taxonomized as aspects of a discipline.
>You will not find a bridge designer who has not heard of
>the Tacoma Narrows Bridge or metal fatigue or rust-oleum
>(or stainless steel, for that matter!). Software is only on
>the verge of becoming an engineering discipline, but
>eventually, I hope, you will not find a designer of mission
>critical software who does not know what a buffer overflow
>is, or who does not understand component testing.
>
>So, as much as you may not like it, there are plenty of
>folks out there who understand that software security is a
>design and architecture issue - not a process of slapping
>band-aids on bad code until it's, well, bad code covered
>with band-aids. What you'll find is that engineers who
>understand engineering discipline find bug-hunting to be
>an utterly boring process; well-designed and implemented
>systems don't need "pen testers" - they cross-check
>themselves. The only reason the industry is in the
>horrible condition it's in today is because the vast
>majority of code that's been fielded to date is crap. That
>will have to change. And when it does, "pen testers"
>will become peons in the quality assurance department.
>
>
>
>>These new tougher computer laws will, in my opinion, have a tremendous
>>negative impact in the defense of these "advanced societies". It almost
>>feels to me like we're destroying ourselves.
>>
>>
>
>I think you're kidding yourself.
>
>
>
>>I know what you're thinking. You can learn about security attacks by
>>setting up your own controlled environment and attacking it yourself.
>>Well, what I say is that this approach *does* certainly make you a
>>better attacker, but nothing can be compared to attacking systems in
>>real world scenarios.
>>
>>
>
>Who cares if someone is a good attacker?
>
>Let me try that differently. What is a "good attacker"? (By good
>I assume you mean "skilled") A skilled attacker is someone
>who has internalized a set of failure analysis of past failures, and
>can forward-project those failures (using imagination) and
>hypothesize instances of those failures into the future. Put
>concretely - a skilled attacker understands that there are
>buffer overruns, and has a good grasp of where they usually
>occur, and laboriously examines software to see if the usual
>bugs are in the usual places. This is a process that, if the
>code was developed under a design discipline, would be
>replaced trivially with a process of code-review and unit
>testing (a little design modularization wouldn't hurt, either!).
>
>But it's not actually rocket science or even interesting.
>What's so skilled about sitting with some commercial
>app and single-stepping until you get to a place where
>it does network I/O, then reviewing the surrounding code
>to see if there's a memory size error? (Hi, David!) Maybe
>YOU think that's security wizardry but, to me, that's
>the most boring clunch-work on earth. It's only interesting
>because right now there's a shockingly huge amount of
>bad code being sold and the target space for the
>"hit space bar all night, find a bug, and pimp a
>vulnerability" crowd to play with.
>
>
>
>>Now, I personally know many pentesters and I can say that most of them
>>*do* cross the line sometimes when doing online exploration in their own
>>free time. However, these guys would *never* harm anything or leak any
>>sensitive information to the public. That's because they love what they
>>do, and have very strong ethical values when it comes to privacy.
>>
>>
>
>Your understanding of ethics appears to be shakier than
>your understanding of software engineering.
>
>You're trying to excuse the trespasser that "never harms anything"
>from having done wrong, but you cannot do that because you never
>asked the victim's opinion. Indeed, the very fact that the victim
>may have already gone to expense to try to prevent the trespass
>merely means that the trespasser has added insult to injury! The
>trespasser is still morally culpable.
>
>Suppose a property owner has a 250 acre property they want to
>keep private. After all, it's theirs, they have the right to want to keep
>it private, and they want to enjoy it without having strangers wandering
>about in their land. So our property owner spends $400 on 500 "No
>Trespassing" signs and nails and spends 2 days nailing signs to
>trees around the perimeter of their property. Now, a stranger
>comes along, ignores the signs, becomes a trespasser, and leaves.
>Has the property owner been wronged? Absolutely. Whether the
>trespasser "never harmed anything" or not, they ignored the
>property owner's moral rights, and additionally the property owner
>has now spent 2 days nailing and $400 on signs - and it was
>wasted. Obviously, you can't assign the entire cost of the signs
>and the wasted time to a single trespasser, but it's certainly
>insult to injury. The trespasser has no moral right to claim that
>their assessment of "not harming anything" supersedes the
>property owner's -- after all, by placing "No Trespassing" signs,
>the property owner has explicitly informed the trespasser that
>trespass in and of itself is harmful. This is why trespassing is a
>crime, and aggravated trespass is a felony (aggravated
>trespass would be if the trespasser decided to tear down a
>few of the signs, just to show that stupid land-owner that he
>"knows better" and "means no harm")
>
>Obviously, you can map these values to IP networks - the
>fact that a system has ANY form of security enabled AT ALL
>is analogous to a "No Trespassing" sign. Though I question
>the moral underpinnings of an Internet society in which the
>prospective victim has to put a "NO STEALING" sign on
>their car and a "NO RAPING" sign on their backside and
>a "NO SPYING" sign in their window, and a "NO WIRETAPPING"
>sign on their phone, etc.
>
>In other words, in the real world, property rights are an
>ingrained concept in virtually all societies. The movement of
>"advanced societies" to tighten up cybercrime laws is
>simply a reflection of those advanced societies rationally
>extending the moral values of property rights into cyber-space.
>
>The view you espouse, in which you arrogate to yourself
>the right to decide what constitutes harmless trespass
>versus harmful trespass -- that's a view that probably will
>not last very long, IF IT EVER EXISTED AT ALL. Let me be
>frank with you, since you seem to want to be an apologist
>for the cyber-trespasser: the fact that $6 billion annually is
>spent on firewalls, IDS, antispyware, antivirus, vulnerability
>management, etc -- is a VERY LOUD STATEMENT that
>society as a whole DOES NOT APPROVE OF CYBER
>TRESPASSING. On the internet, virtually every tree has a
>"No trespassing" sign nailed to it. You choose to pretend
>not to see it at your own risk.
>
>
>
>>I would say that most pentesters are "grey hats", rather than "white
>>hats".
>>
>>
>
>I agree with you. I would say that most pentesters are
>failed security analysts who do not understand engineering
>discipline and have chosen to engage in the war of band-aids
>instead of learning how to build correct systems. And then
>there are the pentesters who really are cybertrespassers
>at heart, who have found a financial and moral justification
>for doing something for money that they'd otherwise do
>anyhow, for free, in the wee hours of the night.
>
>Put differently: either way you slice it, pentesters aren't
>worth a bucket of warm spit as far as I am concerned.
>
>
>
>>In fact, I believe that the terms white and black hat are completely artificial because we all have different sides. The human
>>mind is not binary, like black or white, it's something fuzzy instead,
>>with many layers. The terms white and black hat were, in my opinion,
>>created by business people to point out who the "good guys" and "bad
>>guys" are.
>>
>>
>
>I believe that you are seeking to create moral ambiguity because
>if you don't have that ethical grey area to work in, you've lost
>your playground.
>
>You're right, though - black/white hat is probably poor
>terminology. As a property owner (both in the real world
>and in cyberspace) there are only two kinds of people on
>my land:
>- Invited Guests
>- Trespassers
>There is no room there for moral ambiguity.
>
>
>
>>If I was the technical director of a computer security testing company I
>>would try to find pentesters that are not malicious, but that do cross
>>the line sometimes but at the same time, know when it's a good time to
>>stop exploring.
>>
>>
>
>I am glad you are not the technical director of a computer
>security testing company then. In fact, I hope you are not
>employed in the field of computer security at all, if you
>would be trying to recruit, as professionals, people who
>"cross the line." In fact I am extremely glad that you're
>also not the director of a day-care facility, and that you
>don't want to hire employees that "occasionally grope
>the children" (but not TOO much!) or that you aren't the
>director of a bank, who'd want to hire tellers that
>"only occasionally pocket (small denomination) bills."
>
>
>
>>If you hire someone that has never broken into a system, this guy will
>>not be able to produce valuable reports for customers because he will
>>not be able to find vulnerabilities that can't be found running a
>>scanner.
>>
>>
>
>If you're trying to understand the security properties of a
>system by breaking into it, you're not producing valuable
>reports, anyhow. All you are doing is telling them where
>to put the next band-aid.
>
>
>
>>In summary, I'd like governments of the world to rethink their strategy
>>when fighting computer crime. Extremism never worked and never will.
>>
>>
>
>In summary, the views you expressed typify, to me, the negative
>effect of accepting a moral grey area into our profession. You speak
>of ethics and, in the next breath, you show that you don't even know
>what ethics ARE. You speak of learning, and, in the next breath, you
>show that you don't understand how to apply learning in a disciplined
>and predictable manner.
>
>
>
>>Remember, many of today's script kiddies will be the infosec
>>professionals of tomorrow.
>>
>>
>
>Ironically, I am the person who first coined the expression
>"script kiddie" (back in 1994 I think it was...) - but I originally
>used the term not to apply to the ankle-biter cybercriminals,
>I was using the term "script kiddy" to describe the first-generation
>security auditors! Back in the early 90's, when the "big 6"
>first got into the security audit game, they used to send these
>ignorami right out of college, with checklists, who'd go around
>customer sites looking to see if the /etc/passwd file on
>Windows machines had the correct permissions - and they'd
>write a report saying that the "passwd file is missing!"
>
>In the sense that I originally coined the expression "script
>kiddy" I was referring to those of you who now proudly call
>yourselves "pentesters"
>
>Ironic, huh?
>
>mjr.