lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 13 Jan 2012 11:57:41 -0500
From: Benjamin Kreuter <ben.kreuter@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Rate Stratfor's Incident Response

On Fri, 13 Jan 2012 11:57:27 +0100
Ferenc Kovacs <tyra3l@...il.com> wrote:

> On Thu, Jan 12, 2012 at 10:46 PM, Benjamin Kreuter
> <ben.kreuter@...il.com>wrote:
> 
> > On Thu, 12 Jan 2012 16:06:53 -0500
> > Valdis.Kletnieks@...edu wrote:
> >
> > > On Thu, 12 Jan 2012 15:16:19 EST, Benjamin Kreuter said:
> > >
> > > > Really, calling it "breaking in" is a stretch.  You connected a
> > > > computer to a publicly accessible computer network, where
> > > > anyone can send anything to your computer.  If hacking such a
> > > > system is "breaking in," you might as well claim that shouting
> > > > across your neighbor's yard is "breaking in."
> > >
> > > Bad analogy.  Closer would be if you have a house that's got a
> > > driveway on a public street, and you claim it's not breaking and
> > > entering if you walk up the driveway, try the doorknob, find it
> > > unlocked, and let yourself in without the permission of the
> > > residents.  Saying that "anybody could walk up and let themselves
> > > in the door" doesn't make it legal.
> >
> > Would you say that we should arrest the person who walks into the
> > house, takes a picture of themselves standing next to an expensive
> > television and leaves the picture next to a note that says "your
> > door was unlocked?"
> >
> >
> yeah, it would still be an offence in most country.

Except that we do not arrest people for every violation of the law; if
we did, almost the entire population would have to be arrested.  We do
not even convict every guilty person e.g. abolitionists who were
acquitted despite having clearly broken fugitive slave laws prior to the
civil war.  Intent is an important part of criminal cases, and courts
do at least try to do what is in the best interests of society.

Are society's interests really served by arresting people who point out
security problems?  I suppose that it is a matter of debate and that we
could discuss ad infinitum what the appropriate way to bring attention
to a vulnerability or exploit might be.

> 
> > Really though, it is still a terrible analogy.  You can disconnect a
> > computer from the Internet; you cannot disconnect a building from a
> > street.  A hacker in a foreign country might be attacking your
> > computer system from that country, and could be outside the
> > jurisdiction of any relevant law enforcement agency; a person who
> > breaks into a building is committing a crime in whatever
> > jurisdiction the building is in.
> >
> 
> the crime would still be a crime in the country where the
> building/computer is located, you just can't get the offender
> prosecuted, just like if he would flee the country after trespassing
> into your house.

Except that in this case, the offender was never physically present in
the country where the computer is located.  Suppose I criticize the
Thai monarchy from my desk here in Virginia; I have violated the laws of
Thailand, but I am not in Thailand, and the situation would be no
different if I were to email the offending statement to someone who is
located in Thailand.  What analogy would you draw there?  That I spat
on the faces of people in the Thai royal family, then fled the country
and hid in Virginia?

> 
> >
> > Analogies are nice and they help non-technical folks understand what
> > is going on, but let's not get carried away with them. Someone who
> > attacks a computer system over the Internet (or any other network)
> > is sending unwanted/malicious messages.  This is not the same as
> > physically breaking into a building, locker, or computer. It may be
> > illegal, but it is still very different from other crimes.
> 
> 
> why is it different? the only difference imo is that the whole
> IT/networking stuff is relatively new, and the law was lagging
> behind, and some people still that it is, when it isn't really
> anymore. you can get the same amount of fine/years in prison whether
> you stole the money/confidential info through physical or
> electronical means.

Suppose I download a database of customer records, complete with bank
account information.  Have I stolen something?  No, I have not, aside
from a tiny about of bandwidth and electrical power.  If this were not
a different sort of crime, there would be no need to pass laws to
criminalize it; yet that is exactly what we did.  Having a confidential
document in your possession is not theft, nor is downloading the
document from a computer system.  What you do with the confidential
document is what matters.

Given a database of credit card numbers, someone can do a variety of
things.  You could make unauthorized, fraudulent payments with the
credit accounts.  You could print it out and make some wallpaper.  You
could just let it sit on your hard drive.  Some of these things are
clearly criminal without any special computer crimes laws, while others
one would be hard-pressed to call immoral (is it really immoral to
simply have credit card numbers on your hard drive?).  

> 
> >  If anything, the closest
> > type of criminal would be a con man, which seems fitting given how
> > many of today's attacks have an element of social engineering.
> >
> 
> nope.
> of course social engineering can be compared to Confidence trick,
> because it is a Confidence trick.
> but social engineering is only one vulnerability from the many, and
> usually it is used together with other methods (you get the
> credentials using that, then you proceed and access the system using
> those credentials, which is the gaining unauthorized access to the
> system.

I did not say that it was the same as a confidence trick, I said it was
similar.  Con men do not use force (usually), they just dress
themselves up a certain way and say the right things to convince people
to lower their defenses.  Cracking computer security systems (without
social engineering -- with social engineering, you basically are a con
man) is similar in that you are simply sending the right combination of
messages to a computer system to get to it do something it would not
normally do. Perhaps you spoof an address, or send a message that would
normally be sent by an user that was authorized, or send messages too
quickly, or send messages that are too big, or send messages from many
different sources, or send a message with an unknown format, or
politely ask some other computer or user to send messages for you --
all things that are common in confidence tricks (with a little
adjustment in terminology).

-- Ben



-- 
Benjamin R Kreuter
UVA Computer Science
brk7bx@...ginia.edu

--

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ