Re: Vulnerabilites in new laws on computer hacking

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Vulnerabilites in new laws on computer hacking
From: Radoslav Dejanović <radoslav.dejanovic@xxxxxxxx>
Date: Thu, 16 Feb 2006 10:34:24 +0100
Cc: self-destruction@xxxxxxxxxxx
In-reply-to: <20060211163520.710.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060211163520.710.qmail@xxxxxxxxxxxxxxxxx>
User-agent: KMail/1.9.1

On Saturday 11 February 2006 17:35, self-destruction@xxxxxxxxxxx wrote:

I think I have found some holes in your way of thinking, so I'll try to 
penetrate them. :-)

> "Advanced societies" are updating computer crime laws faster than the
> rest of the world. This means that new generations of these more
> "advanced societies" will have no clue about how remote computer attacks
> are carried out. Future generations of security "experts" will be among
> the most ignorant in the history of computer security.

Actually - not. I'm sorry, but there's really no such thing as Certified 
Computer Security Expert, or Diploma Network Penetrator. The technology is 
advancing so fast that you can't make any reasonable education system that 
wouldn't become obsolete in a matter of just a few years. You have to be 
able to do a lot of self-education in order to stay on top. This is not 
true for security experts only, but for IT experts in general. It all 
comes down to how much effort you put in your own education and you will 
either float on or near the top, or you'll drown. There's already an army 
of IT experts that sank to the bottom and their knowledge is pretty much 
obsolete, as are their skills. I see them around, zombies, sucking away 
money and valuable time from their customers.  

> New generations of teenagers will be scared of doing online exploration.

You're underestimating teenagers. :-) 

> Now, I'm not saying that I support accessing computer systems illegally.
> All I'm saying is that by implementing very strict laws on "hacking", we
> will create a generation of ignorant security professionals. I think to

Security is, IMHO, a two-way game. While it is "good training" to try to 
get into someone's system, and while there is a lot to learn from that 
experience, you can get results from controlled events. If you're security 
expert, you'll find funding for a lab, and even better, you will get 
permission from some company to try to break into their network. There's 
no real difference between going in illegaly and with permission. The 
system is the same, but one way is more ethical than the other. 

Want a good training? Set-up a war game, get you and few buddies on one 
side, and some more buddies on the other side, get two computers, and try 
to break in each other's computer and steal data. This way, you can learn 
how to break in and how to protect at the same time. And, it's legal. :-)

> myself, how the hell will these "more advanced societies" protect
> themselves against cyber attacks in the future?

Barbarians ante portas! 

Having less strict law doesn't give you real advantage, it just makes you 
sleep better at night. And, if you're up to penetration, there's no law to 
stop you. 

And then some - laws can be avoided by using means that are not under the 
control of your country - having a shell account in some third world, 
barbarian country, for example. ;-) While it is not easy to hide your 
mischief in your country, if you go international there's another layer of 
(ironically - law system) protection, or at least - time advantage.

> These new tougher computer laws will, in my opinion, have a tremendous
> negative impact in the defense of these "advanced societies". It almost
> feels to me like we're destroying ourselves.

It is illegal to chop off someone's head because of drug dealing in the 
western world. Or, if you steal, you know you aren't going to have your 
right fist cut off. These are different laws around the globe, but drug 
dealers and thieves are just as common. 
And advanced (or so called) societies do understand implications, but you 
have to justify the costs. Is it better to loosen the law to allow some 
teenagers to sneak in corporations and potentially make huge damages, in 
hope that they will one day protect the country from cyberbarbarians? Or, 
do you just encourage them to switch to the dark side? 

If you tighten the law, you're protecting companies and other individuals 
from a mischief and crime, and save money. But, will that kids of today be 
able to defend our gates in the future? 

> with many layers. The terms white and black hat were, in my opinion,
> created by business people to point out who the "good guys" and "bad
> buys" are.

And we should stick to that. There's one good reason, you know: public 
image. Remember the times when a word hacker meant just a computer geek, 
some nuts that tinker with the computer all the time and produces strange 
and interesting phenomena on them? Today, if you tell someone that you're 
hacker, there's a chance that they will ask you have you ever been in jail 
before, and what big military installation have you broken into? Some 
might even ask you "how do you hack the planet?"

People (like, umm, non IT people, and then some IT people?) do need a way 
to distinguish good guys from bad guys, or they would be lost and couldn't 
know whom to trust. You can call them white hats, black hats, or hackers 
and crackers, western angels and bad barbarians (yup, pun intended).. it 
doesn't really matter, as long as there's someting general population can 
understand and stick with. We need this differentiation more than they do, 
it affects our jobs and our abilities. 

> If you hire someone that has never broken into a system, this guy will
> not be able to produce valuable reports for customers because he will
> not be able to find vulnerabilities that can't be found running a
> scanner.

I remember times when I knew absolutely nothing about computers. It was 
more than 20 years ago. Ahh, these were innocent times... :-)
There was no Internet, no networks. We have tinkered with game savefiles in 
order to make more money or increase life count. Today, the only thing I 
might find useful might be putting more money in the savefile. I'm pretty 
obsolete in that manner. But, over time, I have acquired other skills, 
some of them even useful! 

If you have a guy who is ready to learn, let him. Nobody was security 
expert in mother's womb. If you're employer, you have to find some legal 
means to let him play. Having a customer that will allow you to do 
penetration testing is a good start. If you're hot for that, you might 
make a good offer for your client and get their permission easily. ;-) 

Or, you might hire real expert. But then, you have another set of problems. 
Can you trust him? In fact, could you trust anyone? How can you control 
him? Could you make him move in direction you want him to go, or do you 
have to let him do his way and hope for the best?

> In summary, I'd like governments of the world to rethink their strategy
> when fighting computer crime. Extremism never worked and never will.

Neither does anarchy, you know. 

> Remember, many of today's script kiddies will be the infosec
> professionals of tomorrow.

Remember, kids are not really afraid of breaking laws, in fact they see it 
as another challenge. :-)

-- 
Radoslav Dejanović
Operacijski sustavi d.o.o.
http://www.opsus.hr

References:
- Vulnerabilites in new laws on computer hacking
  - From: self-destruction

Prev by Date: [SECURITY] [DSA 977-1] New heimdal packages fix several vulnerabilities
Next by Date: RE: Vulnerabilites in new laws on computer hacking
Previous by thread: Re: Vulnerabilites in new laws on computer hacking
Next by thread: Re: Vulnerabilites in new laws on computer hacking
Index(es):
- Date
- Thread