<<< Date Index >>>     <<< Thread Index >>>

RE: Vulnerabilites in new laws on computer hacking



Hello

A large number of people state that;
1       They are security professionals
2       That they need to break into systems to be effective.
3       That ethics do not matter.

The first point is that the two are mutually exclusive. Any professional
must by definition be a professional - this means that they need to be a
part of a profession. To do this requires that the person subscribe to a
code of ethics. That they uphold those ethical standards.

ISC2 and ISACA and other groups do have an ethics requirement. Breaking
into systems without authorisation is a breach of those conditions.

Next there is the fact that the best planned pen test has possible
consequences. Systems get damaged even on limited testing at times.
There are a number of people here who seem to forget this. Do they
propose to pay damages when they cause this damage?

Next there is the issue that if the "I just wanted to learn" style lame
excuse was allowable, this would be available in all instances. The
person attempting to transfer a couple million from a bank would have
the (now) valid argument that it was just to see if he/she could do this
and learn. That they did not take the money and this makes it ok.

The first part on positive learning would be to teach some real skills.
Engineering good systems in the first place takes fart more skill than
breaking into a system. A good systems engineer (using a well defined
SDLC) needs all the testing skills that the people on this list purport
to have. Just they ALSO need to have the skill to create a viable system
as well. This is not to state that there is a large amount of good
engineering, but to state that good engineering is a far superior skill
and does not require you to break the law.

Regards
Craig S Wright

-----Original Message-----
From: Anthony Cicalla [mailto:Anthony.Cicalla@xxxxxxxxxxxx]
Sent: 16 February 2006 5:32
To: 'self-destruction@xxxxxxxxxxx'; bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Vulnerabilites in new laws on computer hacking

I would have to say that I agree with you in what you have said.  I am a
young security professional with a cissp, but growing up I did not have
the $ to be able to purchase vmware and all the software to setup a test
environment. I also bet that most of you between ages 12 - 16 had the
minimum 500.00 for a pc and another 300.00 for vmware and the list goes
on and on.  To learn computer / network security is expensive and the
materials are costly in a lot of situations. If we are going to make
stricter laws why do we not have something setup for more positive
learning.  Maybe a sponsored couple of sites to teach this and be legal
targets for script kiddies. Just some of my thoughts on the matter.
After saying this I don't support illegal activities but if we want the
kids to learn and not go to jail  for being curious then we as a
community need to look at this and provide a positive outlet for this
type of activity.

-----Original Message-----
From: self-destruction@xxxxxxxxxxx [mailto:self-destruction@xxxxxxxxxxx]
Sent: Saturday, February 11, 2006 8:35 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vulnerabilites in new laws on computer hacking


It'd be interesting to see if this post gets approved by the moderators
of bugtraq.

As all of you know, this forum (bugtraq) is constantly monitored not
only by crackers and infosec professionals, but also by government and
law-enforcement agencies.

The reason why I'm posting this message is because I'd like to bring
attention to the new laws on hacking.

As everyone knows, laws on computer hacking are going tougher. There are
however, some negative consequences.

"Advanced societies" are updating computer crime laws faster than the
rest of the world. This means that new generations of these more
"advanced societies" will have no clue about how remote computer attacks
are carried out. Future generations of security "experts" will be among
the most ignorant in the history of computer security.

New generations of teenagers will be scared of doing online exploration.
I'm not talking about damaging other companies' computer systems. I'm
talking about accessing them illegally *without* revealing private
information to the public or harming any data that has been accessed. To
me, there is a big difference between these two types of attacks but I
don't think that judges feel the same way. Furthermore, I don't even
think that judges understand the difference.

Now, I'm not saying that I support accessing computer systems illegally.
All I'm saying is that by implementing very strict laws on "hacking", we
will create a generation of ignorant security professionals. I think to
myself, how the hell will these "more advanced societies" protect
themselves against cyber attacks in the future?

These new tougher computer laws will, in my opinion, have a tremendous
negative impact in the defense of these "advanced societies". It almost
feels to me like we're destroying ourselves.

I know what you're thinking. You can learn about security attacks by
setting up you're own controlled environment and attacking it yourself.
Well, what I say is that this approach *does* certainly make you a
better attacker, but nothing can be compared to attacking systems in
real world scenarios.

Now, I personally know many pentesters and I can say that most of them
*do* cross the line sometimes when doing online exploration in their own
free time. However, these guys would *never* harm anything or leak any
sensitive information to the public. That's because they love what they
do, and have very strong ethical values when it comes to privacy.

I would say that most pentesters are "grey hats", rather than "white
hats".
In fact, I believe that the terms white and black hat are completely
artificial because we all have different sides. The human mind is not
binary, like black or white, it's something fuzzy instead, with many
layers.
The terms white and black hat were, in my opinion, created by business
people to point out who the "good guys" and "bad buys" are.

If I was the technical director of a computer security testing company I
would try to find pentesters that are not malicious, but that do cross
the line sometimes but at the same time, know when it's a good time to
stop exploring.

If you hire someone that has never broken into a system, this guy will
not be able to produce valuable reports for customers because he will
not be able to find vulnerabilities that can't be found running a
scanner.

In summary, I'd like governments of the world to rethink their strategy
when fighting computer crime. Extremism never worked and never will.

Remember, many of today's script kiddies will be the infosec
professionals of tomorrow.

Liability limited by a scheme approved under Professional Standards Legislation 
in respect of matters arising within those States and Territories of Australia 
where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If 
you are not the intended recipient, you must not use or disclose the 
information. If you have received this email in error, please inform us 
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the 
email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may 
not rely on this message as advice unless it has been electronically signed by 
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a 
Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments 
due to viruses, interference, interception, corruption or unauthorised access.