
RE: Vulnerabilities in new laws on computer hacking



On Wed, 15 Feb 2006, Anthony Cicalla wrote:

I would have to say that I agree with you in what you have said. I am a young security professional with a CISSP, but growing up I did not have the $ to be able to purchase VMware and all the software to set up a test environment. I also bet that most of you between ages 12 - 16 had the minimum 500.00 for a PC and another 300.00 for VMware, and the list goes on and on. To learn computer / network security is expensive and the materials are costly in a lot of situations.

Perhaps this is beating a dead horse, but could someone explain to me why the addition of a $50 computer found at a garage sale, a $10 NIC, and a $20 switch or hub to any would-be infosec's arsenal wouldn't suffice for this purpose? We're not trying to brute force 4 kilobit PGP keys, we're trying to present a host to attack. FreeBSD, NetBSD, OpenBSD, Linux... all free operating systems. Isn't there an x86 version of Solaris that's free? $500 computers aren't needed for this testing. I suggest that the necessity for more expensive hardware is the exception, and not the rule. Bochs may not be speedy, but it works.

I would also suggest that anyone who finds that money is an obstacle is looking for excuses. I have often found ways to make outdated hardware useful in a variety of situations.

If we are going to make stricter laws, why do we not have something set up for more positive learning? Maybe a couple of sponsored sites to teach this and be legal targets for script kiddies. Just some of my thoughts on the matter. After saying this, I don't support illegal activities, but if we want the kids to learn and not go to jail for being curious, then we as a community need to look at this and provide a positive outlet for this type of activity.

-----Original Message-----
From: self-destruction@xxxxxxxxxxx [mailto:self-destruction@xxxxxxxxxxx]
Sent: Saturday, February 11, 2006 8:35 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vulnerabilities in new laws on computer hacking


It'd be interesting to see if this post gets approved by the moderators of
bugtraq.

As all of you know, this forum (bugtraq) is constantly monitored not only by
crackers and infosec professionals, but also by government and
law-enforcement agencies.

The reason why I'm posting this message is because I'd like to bring
attention to the new laws on hacking.

As everyone knows, laws on computer hacking are getting tougher. There are,
however, some negative consequences.

"Advanced societies" are updating computer crime laws faster than the rest
of the world. This means that new generations of these more "advanced
societies" will have no clue about how remote computer attacks are carried
out. Future generations of security "experts" will be among the most
ignorant in the history of computer security.

New generations of teenagers will be scared of doing online exploration. I'm
not talking about damaging other companies' computer systems. I'm talking
about accessing them illegally *without* revealing private information to
the public or harming any data that has been accessed. To me, there is a big
difference between these two types of attacks but I don't think that judges
feel the same way. Furthermore, I don't even think that judges understand
the difference.

Now, I'm not saying that I support accessing computer systems illegally. All
I'm saying is that by implementing very strict laws on "hacking", we will
create a generation of ignorant security professionals. I think to myself,
how the hell will these "more advanced societies" protect themselves against
cyber attacks in the future?

These new tougher computer laws will, in my opinion, have a tremendous
negative impact on the defense of these "advanced societies". It almost
feels to me like we're destroying ourselves.

I know what you're thinking. You can learn about security attacks by setting
up your own controlled environment and attacking it yourself. Well, what I
say is that this approach *does* certainly make you a better attacker, but
nothing can be compared to attacking systems in real world scenarios.

Now, I personally know many pentesters and I can say that most of them *do*
cross the line sometimes when doing online exploration in their own free
time. However, these guys would *never* harm anything or leak any sensitive
information to the public. That's because they love what they do, and have
very strong ethical values when it comes to privacy.

I would say that most pentesters are "grey hats", rather than "white hats".
In fact, I believe that the terms white and black hat are completely
artificial because we all have different sides. The human mind is not
binary, like black or white, it's something fuzzy instead, with many layers.
The terms white and black hat were, in my opinion, created by business
people to point out who the "good guys" and "bad guys" are.

If I were the technical director of a computer security testing company, I
would try to find pentesters who are not malicious, who do cross the
line sometimes, but who at the same time know when it's a good time to stop
exploring.

If you hire someone that has never broken into a system, this guy will not
be able to produce valuable reports for customers because he will not be
able to find vulnerabilities that can't be found running a scanner.

In summary, I'd like governments of the world to rethink their strategy when
fighting computer crime. Extremism never worked and never will.

Remember, many of today's script kiddies will be the infosec professionals
of tomorrow.
/-------------------------------------------------------------------------/
"I've tried to install this linux crap about nearly five times, but everytime it stops with the error message: 'login:'
Fix that immediately or I'll go public with that." -- some random moron

                   finger://bigby@xxxxxxxxxxxxx
                  http://www.ephemeron.org/~bigby/
                  irc://irc.ephemeron.org/#the_pub
                news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/