Re: Vulnerabilites in new laws on computer hacking
Paul,
On 2006-02-15 Paul Schmehl wrote:
> --On Saturday, February 11, 2006 16:35:20 +0000 self-destruction@xxxxxxxxxxx
> wrote:
>> New generations of teenagers will be scared of doing online
>> exploration. I'm not talking about damaging other companies' computer
>> systems. I'm talking about accessing them illegally *without*
>> revealing private information to the public or harming any data that
>> has been accessed. To me, there is a big difference between these two
>> types of attacks but I don't think that judges feel the same way.
>> Furthermore, I don't even think that judges understand the
>> difference.
>
> To me there is not. They're my systems. Stay out, thank you very
> much.
>
> If you want to learn how to hack, set up your own network, install
> some OSes, with various patch levels, and hack away. You can learn
> everything you need to know without ever touching a system you do not
> own. Get your buddies involved. Hack each other's boxes. But do not
> hack into systems that do not belong to you. That *should* be illegal
> and you *should* be prosecuted.
while I agree with you that for learning and practicing it would suffice
to build your own systems to tamper with, I have to disagree on the part
that hacking into other people's systems *without* doing any damage
should be illegal.
Why is that? Well, first of all because the definition of what is and
what isn't hacking is very blurry. Is a portscan hacking? Is directory
traversal as in the case of Daniel Cuthbert [1] hacking?
In addition to that some vulnerabilities can be discovered only ITW,
simply because you cannot rebuild that environment in your lab. Two
years ago we had a case like that over here in Germany [2] (the article
is in german, but maybe an online translator will help). The OBSOC
(Online Business Solution Operation Center) system of the Deutsche
Telekom AG did not do proper authentication, so by manipulating the URL
you could access other customers' data. How would you detect such a
vulnerability without actually hacking the system? Is one supposed to
not notice these things? Will that really make them go away?
[1] http://taint.org/2005/10/12/205836a.html
[2] http://www.ccc.de/t-hack/stn/inhlt/drartkl.htm
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq