| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 19 Feb 2006 16:35:31 +0300 From: ArkanoiD <ark@...ex.net> To: Jon Gucinski <Jgucinski@...westbank.com> Cc: bugtraq@...urityfocus.com Subject: Re: Vulnerabilites in new laws on computer hacking nuqneH, Well, actually, 12-13 years ago it was almost impossible for an individual to build a reasonable test network. Not to mention 80s, when i started to play with big mainframes. And, while it is easy to emulate software environment, it is not possible to imitate data flow and common corporate network administration flaws. Now we get some statistical papers published at least - back in early 90s there were two ways to get hands-on expirience: to break in or to get hired. Second one was a matter of pure luck for a teenager, right? Almost impossible for most of us. Expecially here in Russia. (and we did not have any computer laws anyways, but if we did i doubt it could stop us ;-) But i still think expirience i got while being a bad buy is VERY valuable. And i think if we don't have all those teenagers aroung we'd be much more vulnerable to attacks. On Thu, Feb 16, 2006 at 07:54:17AM -0600, Jon Gucinski wrote: > Wow...this is definitely a big can of worms to open... > > I both agree and disagree with your stance. Hopefully I'm caffeinated > enough to express my reasoning clearly. > > While I don't feel like elaborating too much, my drive to become an > InfoSec professional was driven mostly by the hacker > scene/culture/experience of the late 80's and early 90's...when > everything was insanely active and not yet highly legislated. > > While (and I'm using this term in a very broad way) attacking live > systems not run by you is arguably one of the better way to learn how to > pen-test, crack, etc, it is not the only way. Especially with things > like VMWare, it is quite easy and feasible to create an extensive test > network on a private LAN and not break any laws while trying out > exploits and methods; this is something that wasn't available 5 years > ago, much less 15. > > I disagree in your statement that teenagers and other newbies to the > area will be scared of online exploration. You underestimate the > adolescent feeling of invulnerability. I know that in my start I never > thought I could be tracked, though hindsight shows that I was likely > wrong. > > You state that judges cannot tell the difference between malicious and > non-malicious ( I have a hard time calling any attempted intrusion > innocent) attacks. Quite simply, that type of wish is impossible. Laws > are designed to be black and white....either you do something or not. > Reason and motive behind doing something can't be taken into > consideration unless life (and property in some locales) is threatened. > Also, it would provide a giant loophole that anyone could use; all of > the sudden you have black-hat's claiming that they were just exploring > and didn't MEAN to cause any harm. How could you prove otherwise? In a > nutshell, laws can't be based on an implicit trust of people; they must > be written for the lowest-common denominator of person, one that cannot > be trusted. > > That being said, I think our current computer crime laws in the United > States are utterly ridiculous. It makes me sad to see rapists, > murderers, and other violent criminals receive 5 years, while a virus > writer or hacker gets at least 20. Like the PATRIOT Act, too many of > our computer crime laws were knee-jerk reactions implemented without any > reasoned look at the situation. > > >>> <self-destruction@...best.com> 2/11/2006 10:35 am >>> > It'd be interesting to see if this post gets approved by the moderators > of bugtraq. > > As all of you know, this forum (bugtraq) is constantly monitored not > only by crackers and infosec professionals, but also by government and > law-enforcement agencies. > > The reason why I'm posting this message is because I'd like to bring > attention to the new laws on hacking. > > As everyone knows, laws on computer hacking are going tougher. There > are however, some negative consequences. > > "Advanced societies" are updating computer crime laws faster than the > rest of the world. This means that new generations of these more > "advanced societies" will have no clue about how remote computer attacks > are carried out. Future generations of security "experts" will be among > the most ignorant in the history of computer security. > > New generations of teenagers will be scared of doing online > exploration. I'm not talking about damaging other companies' computer > systems. I'm talking about accessing them illegally *without* revealing > private information to the public or harming any data that has been > accessed. To me, there is a big difference between these two types of > attacks but I don't think that judges feel the same way. Furthermore, I > don't even think that judges understand the difference. > > Now, I'm not saying that I support accessing computer systems > illegally. All I'm saying is that by implementing very strict laws on > "hacking", we will create a generation of ignorant security > professionals. I think to myself, how the hell will these "more advanced > societies" protect themselves against cyber attacks in the future? > > These new tougher computer laws will, in my opinion, have a tremendous > negative impact in the defense of these "advanced societies". It almost > feels to me like we're destroying ourselves. > > I know what you're thinking. You can learn about security attacks by > setting up you're own controlled environment and attacking it yourself. > Well, what I say is that this approach *does* certainly make you a > better attacker, but nothing can be compared to attacking systems in > real world scenarios. > > Now, I personally know many pentesters and I can say that most of them > *do* cross the line sometimes when doing online exploration in their own > free time. However, these guys would *never* harm anything or leak any > sensitive information to the public. That's because they love what they > do, and have very strong ethical values when it comes to privacy. > > I would say that most pentesters are "grey hats", rather than "white > hats". In fact, I believe that the terms white and black hat are > completely artificial because we all have different sides. The human > mind is not binary, like black or white, it's something fuzzy instead, > with many layers. The terms white and black hat were, in my opinion, > created by business people to point out who the "good guys" and "bad > buys" are. > > If I was the technical director of a computer security testing company > I would try to find pentesters that are not malicious, but that do cross > the line sometimes but at the same time, know when it's a good time to > stop exploring. > > If you hire someone that has never broken into a system, this guy will > not be able to produce valuable reports for customers because he will > not be able to find vulnerabilities that can't be found running a > scanner. > > In summary, I'd like governments of the world to rethink their strategy > when fighting computer crime. Extremism never worked and never will. > > Remember, many of today's script kiddies will be the infosec > professionals of tomorrow. > > NOTICE: This electronic mail message and any files transmitted with > it are intended exclusively for the individual or entity to which it > is addressed. The message, together with any attachment, may contain > confidential and/or privileged information. Any unauthorized review, > use, printing, saving, copying, disclosure or distribution is > strictly prohibited. If you have received this message in error, > please immediately advise the sender by reply email and delete all > copies.
Powered by blists - more mailing lists