Re: Vulnerabilites in new laws on computer hacking
On Saturday 11 February 2006 17:35, self-destruction@xxxxxxxxxxx wrote:
I think I have found some holes in your way of thinking, so I'll try to
penetrate them. :-)
> "Advanced societies" are updating computer crime laws faster than the
> rest of the world. This means that new generations of these more
> "advanced societies" will have no clue about how remote computer attacks
> are carried out. Future generations of security "experts" will be among
> the most ignorant in the history of computer security.
Actually - not. I'm sorry, but there's really no such thing as Certified
Computer Security Expert, or Diploma Network Penetrator. The technology is
advancing so fast that you can't make any reasonable education system that
wouldn't become obsolete in a matter of just a few years. You have to be
able to do a lot of self-education in order to stay on top. This is not
true for security experts only, but for IT experts in general. It all
comes down to how much effort you put in your own education and you will
either float on or near the top, or you'll drown. There's already an army
of IT experts that sank to the bottom and their knowledge is pretty much
obsolete, as are their skills. I see them around, zombies, sucking away
money and valuable time from their customers.
> New generations of teenagers will be scared of doing online exploration.
You're underestimating teenagers. :-)
> Now, I'm not saying that I support accessing computer systems illegally.
> All I'm saying is that by implementing very strict laws on "hacking", we
> will create a generation of ignorant security professionals. I think to
Security is, IMHO, a two-way game. While it is "good training" to try to
get into someone's system, and while there is a lot to learn from that
experience, you can get results from controlled events. If you're security
expert, you'll find funding for a lab, and even better, you will get
permission from some company to try to break into their network. There's
no real difference between going in illegaly and with permission. The
system is the same, but one way is more ethical than the other.
Want a good training? Set-up a war game, get you and few buddies on one
side, and some more buddies on the other side, get two computers, and try
to break in each other's computer and steal data. This way, you can learn
how to break in and how to protect at the same time. And, it's legal. :-)
> myself, how the hell will these "more advanced societies" protect
> themselves against cyber attacks in the future?
Barbarians ante portas!
Having less strict law doesn't give you real advantage, it just makes you
sleep better at night. And, if you're up to penetration, there's no law to
stop you.
And then some - laws can be avoided by using means that are not under the
control of your country - having a shell account in some third world,
barbarian country, for example. ;-) While it is not easy to hide your
mischief in your country, if you go international there's another layer of
(ironically - law system) protection, or at least - time advantage.
> These new tougher computer laws will, in my opinion, have a tremendous
> negative impact in the defense of these "advanced societies". It almost
> feels to me like we're destroying ourselves.
It is illegal to chop off someone's head because of drug dealing in the
western world. Or, if you steal, you know you aren't going to have your
right fist cut off. These are different laws around the globe, but drug
dealers and thieves are just as common.
And advanced (or so called) societies do understand implications, but you
have to justify the costs. Is it better to loosen the law to allow some
teenagers to sneak in corporations and potentially make huge damages, in
hope that they will one day protect the country from cyberbarbarians? Or,
do you just encourage them to switch to the dark side?
If you tighten the law, you're protecting companies and other individuals
from a mischief and crime, and save money. But, will that kids of today be
able to defend our gates in the future?
> with many layers. The terms white and black hat were, in my opinion,
> created by business people to point out who the "good guys" and "bad
> buys" are.
And we should stick to that. There's one good reason, you know: public
image. Remember the times when a word hacker meant just a computer geek,
some nuts that tinker with the computer all the time and produces strange
and interesting phenomena on them? Today, if you tell someone that you're
hacker, there's a chance that they will ask you have you ever been in jail
before, and what big military installation have you broken into? Some
might even ask you "how do you hack the planet?"
People (like, umm, non IT people, and then some IT people?) do need a way
to distinguish good guys from bad guys, or they would be lost and couldn't
know whom to trust. You can call them white hats, black hats, or hackers
and crackers, western angels and bad barbarians (yup, pun intended).. it
doesn't really matter, as long as there's someting general population can
understand and stick with. We need this differentiation more than they do,
it affects our jobs and our abilities.
> If you hire someone that has never broken into a system, this guy will
> not be able to produce valuable reports for customers because he will
> not be able to find vulnerabilities that can't be found running a
> scanner.
I remember times when I knew absolutely nothing about computers. It was
more than 20 years ago. Ahh, these were innocent times... :-)
There was no Internet, no networks. We have tinkered with game savefiles in
order to make more money or increase life count. Today, the only thing I
might find useful might be putting more money in the savefile. I'm pretty
obsolete in that manner. But, over time, I have acquired other skills,
some of them even useful!
If you have a guy who is ready to learn, let him. Nobody was security
expert in mother's womb. If you're employer, you have to find some legal
means to let him play. Having a customer that will allow you to do
penetration testing is a good start. If you're hot for that, you might
make a good offer for your client and get their permission easily. ;-)
Or, you might hire real expert. But then, you have another set of problems.
Can you trust him? In fact, could you trust anyone? How can you control
him? Could you make him move in direction you want him to go, or do you
have to let him do his way and hope for the best?
> In summary, I'd like governments of the world to rethink their strategy
> when fighting computer crime. Extremism never worked and never will.
Neither does anarchy, you know.
> Remember, many of today's script kiddies will be the infosec
> professionals of tomorrow.
Remember, kids are not really afraid of breaking laws, in fact they see it
as another challenge. :-)
--
Radoslav Dejanović
Operacijski sustavi d.o.o.
http://www.opsus.hr