lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <58DB1B68E62B9F448DF1A276B0886DF16F6A4EEB@EX2010.hammerofgod.com>
Date: Sun, 17 Apr 2011 20:10:35 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Rob Nelson <nexisentertainment@...il.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Florida Power & Light Company (FPL) Fort
 Sumner Wind turbine Control SCADA was HACKED

> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-
> bounces@...ts.grok.org.uk] On Behalf Of Rob Nelson
> Sent: Sunday, April 17, 2011 12:05 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Florida Power & Light Company (FPL) Fort
> Sumner Wind turbine Control SCADA was HACKED
> 
> Why the hell are we arguing statutes? Look at the big picture: He leaked
> config files to a system that has access to something in a /nuclear power
> plant/.  He's going to jail, it's just a matter of time.

Actually, your question deserves a better answer...  The reason statues are being discussed is because they are a governing body's "best guess" at defining tort and suitable remedy or consequence in a way that encompasses and defines the action before it actually happens (or course, there is ex post facto legislation).   Discussing statue has some value in my opinion.

Rather the further contribute to the abuse of the quintessential inappropriate physical continuum analogy of "open doors and windows," I'm interested in what some of you consider the right "answers" to the following circumstances:

1) What if this is actual leaked data that lead to someone breaching the systems illustrated in a non-trivial way?   Should the poster be punished appropriately?  I feel most would say "yes."

2) What if this is actual leaked data that *could* allow someone to breach the system, but no one does.  Should he be punished appropriately?

3) What is he made the whole thing up and posted bogus data, but someone took note and started scanning the systems and found/broke something as a matter of cause?  Should he be punished?

4) And finally, what if it is all bogus data, but someone in FL took it as gospel and pulled a Columbine at the power station for being put at risk of terrorist attack?   The poster *clearly* has the intent of making FPL look like they are vulnerable (and presumably at fault) for/to SCADA facilities attack.  What then?   Did he incite a riot?  It the posting of this data in itself a terrorist act?  

This is why the statues are important.  If the latter happened, but it was all a joke, I don't think people would say "it was just public utility access so it's OK" nor would they say "he hacked the stations so he has to go to jail."  Neither of those things would be true.  But something would have to be done.  In the absence of some sort of guiding statute, it we be more difficult to arrive at a conclusion.

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ