Slashdot Mirror


All We Want Is Whatever's On Your Machine

kubla2000 writes: "A breathless story about how the best defense against [fill in the blank: piracy, virii, hacking] is a good offense at CNet. What struck me most though is that in the midst of the rant from Timothy Mullen (no stranger to hacking the hack as this story from Computerworld magazine shows), was a throw-away line justifying the RIAA and MPAA's appeal to Congress to make it legal to do this! It seems the bandwagons have started rolling. Who's next to jump on?"

15 of 228 comments

  1. OK, time to fire up the worms... by reezle · · Score: 4, Insightful
    I seem to recall stories of hackers gaining access to machines, then closing up all the security holes so the machine would stay 'theirs'....

    Who wants to get together and build a worm that does nothing but fix known security problems? We can make it grab all its data from a chat-room, or web page, so it can stay small, but call upon a large database of known exploits, download them to the machine, and execute them...

    Perhaps self modifying? To take advantage of newer exploits as they are found, so it can continue spreading itself? (Again data taken from IRC or Web URL) Perhaps just several variants of the worm...

    What fun we could have!

    1. Re:OK, time to fire up the worms... by jmp · · Score: 4, Insightful

      And what are the consequences if your worm has just one bug?

      How would you "recall" a faulty worm? Write another worm to chase it and kill it? Get real.

      --
      jmp
    2. Re:OK, time to fire up the worms... by jeffy124 · · Score: 2, Insightful

      good thought, and it was tried once. unfortunately, it fell under the category of modifying a machine without permission, which makes it illegal. i think it happened in the late 1980s/early 1990s, buncha hackers got into serious trouble with the fbi over it.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    3. Re:OK, time to fire up the worms... by Mercaptan · · Score: 3, Insightful

      That's a great idea.

      And how about in real life? Like contractors should roam the streets and randomly break into peoples' houses to fix things. No biggie right? If you come home and there are guys in tool belts breaking down your walls and moving your stuff around, you should welcome them with open arms, right?

      Oh and we should absolve these roving contractor crews from any associated liabilities too. After all, they're doing it for the good of all.

      In the meantime, I'll stick with downloading and implementing fixes from trusted sources, and hiring bonded and insured contractors.

      --
      -- "Sucks to your ass-mar"
  2. What article did Timothy read? by pete-classic · · Score: 5, Insightful
    I don't see where Mullen defends the "DOS for the sake of copyright."

    What he says on the issue is:
    > Mullen said his hack-back idea is different because it is designed to improve the security of cyberspace and would not harm any computer systems.
    What he seems to be advocating is decriminalization of defending your computer against an active attack. I tend to agree. It's like saying it isn't theft to take a crowbar away from someone who is using it to jimmy your front door.

    The author has blurred all sorts of lines, viruses and worms, copyright and attack, defense of one's computer and defense of one's IP.

    I'd be interested to hear Mullen's comments on the story.

    -Peter
  3. antibiotics arms race by ExileOnHoth · · Score: 2, Insightful

    Seems to me that the RIAA and other such groups should think twice before declaring the start of this new arms race.

    It's like doctors questioning the overprescription of antibiotics -- the more aggressive their weapons become, the more clever we will become in working around them. Increased use of antibiotics and other aggressive medicine is creating superbugs. The same is true online:

    As the internet becomes more dangerous for p2p networks, only the stronger networks will survive.

  4. Legally tenuous, surely? by Telex4 · · Score: 5, Insightful

    If this article were advocating that people could go on "white-hat" vigilante attacks against people they didn't like, everyone would point out how ridiculous that would be. Well this is really pretty similar, because if you say that it is legal to crack computers causing problems to other computers, then you have all kinds of ways of weaseling out of trouble for cracking. Script kiddies would be delighted!

    As usual, this just sidesteps the more important issue which is that of secure software. If Microsoft tied up the bugs in Outlook and finally realised/admitted that secure by default is more important than snazzy and integrated by default, we wouldn't have half these problems. And if the software industry in general were really made to be more careful about its security, we could sit back and relax *a little*.

    This sort of idea does little to prevent malicious scripts, and does a lot to encourage vigilantism, which is exactly the sort of nonsense that just makes things worse, and opens the legal doors to companies cracking into your computer to check if you've written about their products (y'never know lol).

  5. Re:Incoherent headline by Xzzy · · Score: 5, Insightful

    > Is it me, or is this story's headline totally
    > incoherent?

    No, it's cut straight out of 'The Slashdot Guide for Guaranteeing your Submission is Accepted', chapter 2 which discusses creating a sensationalist headline that enables people to leap to conclusions about a story before reading it.

    Bonus points are awarded for managing to make it sound like it's an issue of the man against the little man.

    Cause yeah, I picked that up too.. the headline and following text had almost nothing to do with the actual story.

    I'd suggest the guy submitted before reading the story, but trying to comprehend the lack of thought that would require makes my brain hurt.

  6. same old script, different character names by Anonymous Coward · · Score: 2, Insightful
    this would most likely fall under the category of "those who would give up essential liberties for a little temporary security deserve neither" (and all its variations through history)

    Basically, even if you take away the factor of 'trade offs' (of security/privacy vs freedom) and personal freedom in general, the fact is that history has proven that such tactics in the end not only fail to accomplish their goal, but the cost to achieve this failure only adds more injury. What finally adds insult is the fact that the vast majority of time, the problems actually become WORSE, whether from direct or indirect results.

    Now the part that pisses me off is people's response to this little historical lesson. Many refuse to actually heed the lesson but only bastardize aspects of it to fit their self centered needs. This is much akin (in many ways) to the situation where a child will justify (instead of reason) with very hand selected 'facts' as arguments simply to get some nintendo game, cd, bike, etc. Any sort of logical analysis and use of reason is only mimicked and faked. When people like this never grow out of this but age chronologically they continue to use such 'thinking' to justify positions in things like politics and lifestyle choices.

    Well, either way... even if self-labeled 'heroes of the people' that are in reality only petty whoring thieves choose to use this fact as an excuse I suppose there is nothing to be done about it. The fact remains, regardless of how the short sighted, greedy, and manipulative sheep refuse to acknowledge that their actions cause more problems for them and others down the road (as if they EVER truly think of anyone else), the problem requires education not FUD or their reactive responsive FUD.

  7. Re:Real life by PastorOfMuppets · · Score: 2, Insightful
    And in real life, searches and seizures are handled by the police/FBI, and potential virus outbreaks are handled jointly by the CDC and law enforcement (though, depending on the circumstances, the military might get involved).

    The point is that the proper authorities already have the power to search computers for pirated data and viruses (with a warrant), so why do we need to give ordinary citizens (copyright holders and sys admins) this kind of power?

    --
    If you don't have anything nice to say, shut up you stupid prick.
  8. my head hurts by applejacks · · Score: 2, Insightful

    This made no sense whatsoever. The only coherent point I read was the reply about how hackers break in and then patch the system. What's so bad about that? Let's look at facts Pat.
    • Lazy System Administrator is paid $75,000 dollars a year to secure a server.
    • Overworked and under paid factory worker is paid about $15,000 dollars a year and spends his leisure time chatting on IRC and hacking unsecure systems.
    • The latter takes time and helps the aforementioned secure his system. While he spends some quality time at the fairway playing 18 holes of golf.
    I don't see no problem. I concur that they need to switch jobs.
    Back to you Pat.
    In other news.. Scientists have unraveled the mysteries of how chocolate pudding will prevent cavities and reduce heart disease.....

  9. A Possible method to Thwart the RIAA... by alchemist68 · · Score: 2, Insightful

    I've been cranking on this idea for a while and it may be possible to thwart the RIAA. Some really smart encryption heads/programmers could tweak the current file sharing protocols to switch port numbers, route the data to dead end/non-existent IP addresses using some complicated algorithm. Yeah, it might take a little longer to get your file (MP3, let's be honest), but the DOS attacks wouldn't be able to go through since your IP address would "flicker" in and out of existence. From the perspective of the network, there would be periodic and unpredictable breaks in the network. A LimeWire-type P2P would be pretty cool, switching port numbers, and periodically breaking connection (for a finite amount of time, then reconnecting). With everyone's computer running this program, the network would be a virtual Christmas Tree of flickering IP addresses and port numbers. It would even be cool if a series of virtual or decoy IP addresses existed, making life very complicated for the RIAA DOS attacks. Gah-ah-lly, my imagination runs wild, I just wish I had the programming knowledge to make this work. It sounds so fun. Of course, this assumes that the stupid law passes through Congress. Is Joe Smith transferring files illegally or not? I'm sure some Ivy-League Geek will figure this out. The RIAA doesn't have a chance.

  10. Vigilante justice is not the solution by hagbard5235 · · Score: 5, Insightful
    Vigilante justice is not the solution. When I discover someone has burgled my house, and I have reason to believe I KNOW who did it, that does not entitle me to go break into their house to take my stuff back and avenge myself upon them.

    It's important to remember WHY vigilante actions are generally illegal:

    • They are highly error prone
    • They effectively invalidate all of the accused's rights summarily.
    • They lead to chains of criminal behavior that can be hard to unravel.

    I can only think of one set of circumstances in which our culture and law condone vigilante justice: self defense of a human being against bodily harm.

    It is important to remember that computer crime is almost universally property crime. With rare exceptions there is absolutely no danger to the person of a human being posed by computer cracking, and thus no reasonable basis for authorizing vigilante justice.

    1. Re:Vigilante justice is not the solution by hagbard5235 · · Score: 4, Insightful
      > In general you have just as much authority to use force to defend another person from violence as you do to defend yourself. Even if you don't know the person.

      Sure, no problem there. I don't see anything in my statements that suggested that you didn't have as much right to use violence to defend someone else from bodily harm as you do to defend yourself from bodily harm.

      > I live in Colorado where I may shoot a person dead if he is both 1. on my property and 2. I have reasonable cause to believe he is or is about to commit another crime (against a person or property.)

      Interesting. In most of the states whose laws I am familiar with the right to shoot an intruder in your home dead is rested firmly on the assumption in the law that someone who is breaking into your home is perfectly willing to use lethal force against you, thus reducing it to a defense against bodily harm case. In most states I believe the simple act of them breaking into your home is sufficient cause for you to reasonably believe they intend to harm you. I've never seen any state provide justification for the use of lethal force based on a justification of defense of property. Perhaps Colorado is different.

      > I think your opinion is based more on your pacifistic world-view than on any actual facts.

      I think perhaps I've not communicated to you clearly. You are perhaps the first person I've encountered who has ever accused me of pacifism. I have no problems whatsoever with the application of force within reasonable limits, as proscribed by law. I also happen to believe that the right to use lethal force against an intruder in your home based upon the assumption that they intended to do you harm is reasonable. That is hardly the point of view of a pacifist.

      > Well, you have really twisted my example around. Someone actively attacking your computer (network) or actively breaking into your house is not related to your vigilante revenge scenario in any way, so I'll dismiss it out of hand.

      Ah... I think I see where some of the confusion is now. Please note the tense I used with the word burgled. Someone currently, actively, burgling your home is a direct threat to your person for which you can reasonably respond with deadly force in most states. Belief that someone has, at some point in the past burgled is quite different as it carries no threat of bodily harm.

      The point I was attempting to make is this: those scenarios in which the criminal conduct of another person is grounds justifying retaliatory action which is normally proscribed by law are generally limited to cases involving the threat of bodily harm to a person. I know of no examples in US law permitting actions normally proscribed by law being justified by crimes or threats against property (with the possible exception of your assertion with regard to Colorado state law).

  11. Re:I've already done this... by cdn-programmer · · Score: 2, Insightful

    Your ideas are valid but you are treading on dangerous ground. Let me explain.

    Suppose your neighbour cranks up her stereo to bone vibrating levels. This is illegal in most neighbourhoods and you have a right to complain. Now, if you walk on her property to knock on her door then technically you _could_ be guilty of trespassing. Most courts would laugh at the idea of prosecuting someone for such a trivial offense mind you - but she would have the legal right to put you into a position where you have to explain your actions to the court.

    The proper thing is for you to phone the police and let them deal with the problem.

    Similarly, in the case of attacks on your server, the proper response is to phone the police. Of course they probably won't do anything about it so your next step is then to register a formal complaint about the police.

    Given enough pressure they might actually start dealing with the situation and the side effect is that a LOT of people are going to react to a cop knocking on the front door and telling them to turn off their cracked machine whereas if you do it many are likely to attack you.

    The analogy with the noise complaint is that if you respond to your neighbour's bad deeds by turning your stereo up to max - then this simply creates the situation where both parties are breaking the law.

    Finally, if you complain to the police and they do nothing and then you follow this up with formal complaints about the police, when you then contact people and nicely ask them to fix their damn machine or turn it off, at least you have a defense to put before a judge. Whether that defense means much is an open question. You might be better off just suing them in small claims court for the damages they cause you.

    Much of this comes down to rights that are not clearly defined. For instance when you visit my web server and ask for something you would think you clearly have this right. I did after all put the web server on line for people to access (presumably). But what if the webserver was intended (by me) to be accessible on an intranet and I was too dumb to configure it properly? Do you still have the right to access it?

    Suppose we are dealing with open windoze file shares. I do know at least one person who opened her hard drive up. She thought of it as a cheap anonymous FTP service - with read and write access to everyone. She wanted people to be able to distribute music. (seriously).

    Well - I warned her. Within a month someone shut her down by running a program that erased the bios. I had warned her about that risk too.

    Perhaps most people would not open network shares so that their files can be available to all. But most people do not run anonymous FTP servers and web servers either. Some people do open network shares on purpose and these people are in effect publishing on the net in the same way that a webmaster is (albeit - a far more primitive way).

    So, if you happen upon a machine that is open - then you can certainly argue that you thought there was an open house. Thus you would not be guilty of "hacking" you would think. Just don't count on it. Some people will accuse you of trying to break into their machine and some will even argue that you should not tell the management because this might cause an incompetent MSCE to get fired. Some will even argue that if you do tell the management that your _PURPOSE_ is to try to get someone fired. I witnessed this in fact. What a dumb bunny!

    Now - if they are customers it would be a very good idea to put a clause into their service contract that "requires" you to contact them in the case of hacks. Of course, write it so that there is nothing wrong if you fail to contact them. By doing this you create a very good defense if someone sues you for damages.

    Just be careful _how_ you contact them. Throwing popups into the machine is probably a risky move. Suppose it is some advertising firm and they are giving a demo to a major client about what a great web site they can build - and suddenly your pop-ups show up and they lose the client.

    In many respects I consider these sorts of threats to be analogous to someone being accused of being a peeping tom because he pointed out that someone else's fly was open and his dick was hanging out. But we are still left with the situation where people really are pretty stupid and all sorts of accusations are going to be made - many of which do not make much sense.

    So, be careful.