<<< Date Index >>>     <<< Thread Index >>>

Vulnerabilites in new laws on computer hacking



It'd be interesting to see if this post gets approved by the moderators of 
bugtraq.

As all of you know, this forum (bugtraq) is constantly monitored not only by 
crackers and infosec professionals, but also by government and law-enforcement 
agencies.

The reason why I'm posting this message is because I'd like to bring attention 
to the new laws on hacking.

As everyone knows, laws on computer hacking are going tougher. There are 
however, some negative consequences.

"Advanced societies" are updating computer crime laws faster than the rest of 
the world. This means that new generations of these more "advanced societies" 
will have no clue about how remote computer attacks are carried out. Future 
generations of security "experts" will be among the most ignorant in the 
history of computer security.

New generations of teenagers will be scared of doing online exploration. I'm 
not talking about damaging other companies' computer systems. I'm talking about 
accessing them illegally *without* revealing private information to the public 
or harming any data that has been accessed. To me, there is a big difference 
between these two types of attacks but I don't think that judges feel the same 
way. Furthermore, I don't even think that judges understand the difference.

Now, I'm not saying that I support accessing computer systems illegally. All 
I'm saying is that by implementing very strict laws on "hacking", we will 
create a generation of ignorant security professionals. I think to myself, how 
the hell will these "more advanced societies" protect themselves against cyber 
attacks in the future?

These new tougher computer laws will, in my opinion, have a tremendous negative 
impact in the defense of these "advanced societies". It almost feels to me like 
we're destroying ourselves.

I know what you're thinking. You can learn about security attacks by setting up 
you're own controlled environment and attacking it yourself. Well, what I say 
is that this approach *does* certainly make you a better attacker, but nothing 
can be compared to attacking systems in real world scenarios.

Now, I personally know many pentesters and I can say that most of them *do* 
cross the line sometimes when doing online exploration in their own free time. 
However, these guys would *never* harm anything or leak any sensitive 
information to the public. That's because they love what they do, and have very 
strong ethical values when it comes to privacy. 

I would say that most pentesters are "grey hats", rather than "white hats". In 
fact, I believe that the terms white and black hat are completely artificial 
because we all have different sides. The human mind is not binary, like black 
or white, it's something fuzzy instead, with many layers. The terms white and 
black hat were, in my opinion, created by business people to point out who the 
"good guys" and "bad buys" are.

If I was the technical director of a computer security testing company I would 
try to find pentesters that are not malicious, but that do cross the line 
sometimes but at the same time, know when it's a good time to stop exploring. 

If you hire someone that has never broken into a system, this guy will not be 
able to produce valuable reports for customers because he will not be able to 
find vulnerabilities that can't be found running a scanner.

In summary, I'd like governments of the world to rethink their strategy when 
fighting computer crime. Extremism never worked and never will.

Remember, many of today's script kiddies will be the infosec professionals of 
tomorrow.