Re: Vulnerabilites in new laws on computer hacking
--On Saturday, February 11, 2006 16:35:20 +0000
self-destruction@xxxxxxxxxxx wrote:
It'd be interesting to see if this post gets approved by the moderators
of bugtraq.
As all of you know, this forum (bugtraq) is constantly monitored not only
by crackers and infosec professionals, but also by government and
law-enforcement agencies.
The reason why I'm posting this message is because I'd like to bring
attention to the new laws on hacking.
As everyone knows, laws on computer hacking are going tougher. There are
however, some negative consequences.
"Advanced societies" are updating computer crime laws faster than the
rest of the world. This means that new generations of these more
"advanced societies" will have no clue about how remote computer attacks
are carried out. Future generations of security "experts" will be among
the most ignorant in the history of computer security.
That's silly. Researchers know full well how to do this without ever
breaking any laws. In fact, most of the best researchers who are finding
the bugs and weaknesses in systems never breakin to any system not owned by
them.
New generations of teenagers will be scared of doing online exploration.
I'm not talking about damaging other companies' computer systems. I'm
talking about accessing them illegally *without* revealing private
information to the public or harming any data that has been accessed. To
me, there is a big difference between these two types of attacks but I
don't think that judges feel the same way. Furthermore, I don't even
think that judges understand the difference.
To me there is not. They're my systems. Stay out, thank you very much.
If you want to learn how to hack, set up your own network, install some
OSes, with various patch levels, and hack away. You can learn everything
you need to know without ever touching a system you do not own. Get your
buddies involved. Hack each other's boxes. But do not hack into systems
that do not belong to you. That *should* be illegal and you *should* be
prosecuted.
Now, I'm not saying that I support accessing computer systems illegally.
Yes, you are. You're talking about breaking in to systems that you do not
have permission to enter.
All I'm saying is that by implementing very strict laws on "hacking", we
will create a generation of ignorant security professionals. I think to
myself, how the hell will these "more advanced societies" protect
themselves against cyber attacks in the future?
And you're wrong. I don't have to hack into someone else's equipment to
know how to hack into things.
These new tougher computer laws will, in my opinion, have a tremendous
negative impact in the defense of these "advanced societies". It almost
feels to me like we're destroying ourselves.
That's because you have tunnel vision. You think the only way to learn to
hack is to attempt to break in to someone else's equipment.
Do locksmiths break in to random houses to learn their craft?
I know what you're thinking. You can learn about security attacks by
setting up you're own controlled environment and attacking it yourself.
Well, what I say is that this approach *does* certainly make you a better
attacker, but nothing can be compared to attacking systems in real world
scenarios.
Now, I personally know many pentesters and I can say that most of them
*do* cross the line sometimes when doing online exploration in their own
free time. However, these guys would *never* harm anything or leak any
sensitive information to the public. That's because they love what they
do, and have very strong ethical values when it comes to privacy.
Oh, well that gives me great comfort. Never mind that I can be prosecuted
for the breakin because I've violated a law such as GLB, HIPAA, etc. by
"allowing" a breakin. I'm glad your friends are so "ethical". If you only
think about what's in it for you, you'll always be slanted toward violating
the law. Try thinking about the poor victim whose systems you're breaking
in to. Put yourself in their shoes and ask yourself, how would I feel if I
discovered that someone had entered my systems without my knowledge? Or
bettter yet, how about if I reach in your pocket and take the keys to your
car, take it out for a spin, then return it? Are you OK with that? No
hard feelings?
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/