All We Want Is Whatever's On Your Machine
kubla2000 writes: "A breathless story about how the best defense against [fill in the blank: piracy, virii, hacking] is a good offense at CNet. What struck me most though is that in the midst of the rant from Timothy Mullen (no stranger to hacking the hack, as this story from Computerworld magazine shows) was a throw-away line justifying the RIAA and MPAA's appeal to Congress to make it legal to do this! It seems the bandwagons have started rolling. Who's next to jump on?"
If they should be able to run code on our computers, they increase the security risk, since viruses may exploit these programs.
Who wants to get together and build a worm that does nothing but fix known security problems? We can make it grab all its data from a chat-room, or web page, so it can stay small, but call upon a large database of known exploits, download them to the machine, and execute them...
Perhaps self modifying? To take advantage of newer exploits as they are found, so it can continue spreading itself? (Again data taken from IRC or Web URL) Perhaps just several variants of the worm...
What fun we could have!
policy to me.
This can't be a good thing: just think of the court cases, and the added burden on the legal system.
Imagine a scenario like this:
Company A, B, and C are infected with viruses.
Company A tells Company B to "sanitize your systems, and stop infecting us!". Company B has sanitized its system, and tells Company A to "go pound salt".
Company A, unknowingly infected by Company C but still blaming Company B, shuts down Company B's system. Company B is not happy.
Company B manages to bring its system back up, and shuts down Company A in retribution.
Lawsuits ensue. The courts, which could be ruling on citizens' issues instead (like, say, overruling the DMCA), become backed up with corporate bickering. The citizens lose. Ugly situation.
And that's not touching on any of the questionable ethics of government sponsored vigilantism. I'll leave that flamewar to others -- I imagine things will get quite toasty.
I thought it was fairly well balanced actually. Outlined the problems of "hacking back" in language that everyone can understand...
Prior to that, you acquired a time machine, I believe...
Considered harmful.
What he says on the issue is: What he seems to be advocating is decriminalization of defending your computer against an active attack. I tend to agree. It's like saying it isn't theft to take a crowbar away from someone who is using it to jimmy your front door.
The author has blurred all sorts of lines: viruses and worms, copyright and attack, defense of one's computer and defense of one's IP.
I'd be interested to hear Mullen's comments on the story.
-Peter
Wouldn't any DoS attack against an alleged "offender" also hit the bandwidth/resources of all the innocent systems along the way? I'm not sure how this wouldn't create lots of collateral damage for people who aren't involved.
We've already seen something akin to this, at least on a small scale.
:P
Working as a telephone tech support person for a non-tech sector company, Klez was particularly annoying as we would get angry telephone calls from our own corporate executives about how our server based antivirus program wasn't working, as they were getting angry emails from people at other companies telling them to stop sending them the Klez virus.
All because the damn thing sent false header information and someone outside both companies had been infected, people would continue to blame the wrong parties when their own antivirus program would point them at the wrong culprit, despite all the media stories explaining the damn thing in clear detail.
We had a number of execs refuse to believe us when we told them their machine was clean, as "obviously" we were wrong according to the people at the other company. Even had one high up try to install her own antivirus program because she didn't trust ours and ended up trashing her computer.
I just loved the whole telephone support deal during the peak Klez season.
Seems to me that the RIAA and other such groups should think twice before declaring the start of this new arms race.
It's like doctors questioning the overprescription of antibiotics -- the more aggressive their weapons become, the more clever we will become in working around them. Increased use of antibiotics and other aggressive medicine is creating superbugs. The same is true online:
As the internet becomes more dangerous for p2p networks, only the stronger networks will survive.
Personally, the headline seemed fairly clear. Yes, it's not exactly literal, but considering the context it should be pretty easy to tell that "we" refers to the media industry, and refers to their ability to hack their customers' systems.
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
pb Reply or e-mail; don't vaguely moderate.
If this article were advocating that people could go on "white-hat" vigilante attacks against people they didn't like, everyone would point out how ridiculous that would be. Well this is really pretty similar, because if you say that it is legal to crack computers causing problems to other computers, then you have all kinds of ways of weaseling out of trouble for cracking. Script kiddies would be delighted!
As usual, this just sidesteps the more important issue which is that of secure software. If Microsoft tied up the bugs in Outlook and finally realised/admitted that secure by default is more important than snazzy and integrated by default, we wouldn't have half these problems. And if the software industry in general were really made to be more careful about its security, we could sit back and relax *a little*.
This sort of idea does little to prevent malicious scripts, and does a lot to encourage vigilantism, which is exactly the sort of nonsense that just makes things worse, and opens the legal doors to companies cracking into your computer to check if you've written about their products (y'never know lol).
"Well, his computer pinged me a few times, so I used a buffer overflow to gain access to his machine, and formatted his harddrive."
As you can see, there are two issues that are left unresolved: what defines an illegal attack, and what defines an appropriate "counter attack".
As for this falling under a self-defense part of the law, I would suggest looking at the goal of self-defense: stopping an attack against you. Self-defense does not mean kill someone, does not mean detain someone, or anything else. Although it is possible that those could be necessary in an act of self-defense, in most cases they are not.
With all this in mind, take a look at how you can stop the attack on you. The best way would be with a firewall or patching the problem. From there on, you should report the problem to the authorities (à la "real life"), probably being the machine's ISP, and possibly the police/FBI.
Vigilantes are not protected by the law, and their best hope is to convince a jury/judge that they were doing the "right thing". Unfortunately, most of them aren't qualified to make that decision :]
If hacking is illegal, only criminals will hack.
To protect ourselves, we need to make justified hacking legal!
God knows the world doesn't have enough hackers.
Now, seriously... if it's possible to do something nasty, like spreading a virus or disabling a remote system, someone will do it - regardless of what the law says. This is true of all laws, whether we like it or not. There are two important differences in the 'digital' world:
- The Internet is such a hopelessly confused tangle of metaphors that often we have trouble telling exactly how our normal ideas apply.
- The Internet is not like the physical world, and often our ideas don't apply.
Now, the point here is that while laws can help protect the Internet, the actual solution - perhaps the only solution - is for our machines to protect themselves. No - that's the wrong metaphor. There's no reason a computer needs to start running a bit of malicious code just because of a bunch of bytes it happens to read through the network. Our computers can only be hurt by others if they themselves allow it.
> Is it me, or is this story's headline totally
> incoherent?
No, it's cut straight out of 'The Slashdot Guide for Guaranteeing your Submission is Accepted', chapter 2 which discusses creating a sensationalist headline that enables people to leap to conclusions about a story before reading it.
Bonus points are awarded for managing to make it sound like it's an issue of the man against the little man.
Cause yeah, I picked that up too.. the headline and following text had almost nothing to do with the actual story.
I'd suggest the guy submitted before reading the story, but trying to comprehend the lack of thought that would require makes my brain hurt.
Basically, even if you take away the factor of 'trade offs' (of security/privacy vs freedom) and personal freedom in general, the fact is that history has proven that such tactics in the end not only fail to accomplish their goal, but the cost to achieve this failure only adds more injury. What finally adds insult is the fact that the vast majority of time, the problems actually become WORSE, whether from direct or indirect results.
Now the part that pisses me off is people's response to this little historical lesson. Many refuse to actually heed the lesson but only bastardize aspects of it to fit their self-centered needs. This is much akin (in many ways) to the situation where a child will justify (instead of reason) with very hand-selected 'facts' as arguments simply to get some Nintendo game, CD, bike, etc. Any sort of logical analysis and use of reason is only mimicked and faked. When people like this never grow out of this but age chronologically, they continue to use such 'thinking' to justify positions in things like politics and lifestyle choices.
Well, either way... even if self-labelled 'heroes of the people' that are in reality only petty whoring thieves choose to use this fact as an excuse, I suppose there is nothing to be done about it. The fact remains, regardless of how the short-sighted, greedy, and manipulative sheep refuse to acknowledge that their actions cause more problems for them and others down the road (as if they EVER truly think of anyone else), the problem requires education, not FUD or their reactive responsive FUD.
The point is that the proper authorities already have the power to search computers for pirated data and viruses (with a warrant), so why do we need to give ordinary citizens (copyright holders and sys admins) this kind of power?
If you don't have anything nice to say, shut up you stupid prick.
OK, so how do I know that the worm my server was infected by didn't include a trojan?
;-)
Silly me... if I cared about things like that, I wouldn't leave my server infected, would I.
How about if it just shut down insecure machines or publicly shamed the owner?
Xix.
"Everything is adjustable, provided you have the right tools"
This made no sense whatsoever. The only coherent point I read was the reply about how hackers break in and then patch the system. What's so bad about that? Let's look at facts, Pat.
o -- Lazy System Administrator is paid $75,000 dollars a year to secure a server.
o -- Overworked and underpaid factory worker is paid about $15,000 dollars a year and spends his leisure time chatting on IRC and hacking insecure systems.
o -- The latter takes time and helps the aforementioned secure his system, while he spends some quality time at the fairway playing 18 holes of golf.
I don't see no problem. I concur that they need to switch jobs.
Back to you Pat.
In other news... Scientists have unraveled the mysteries of how chocolate pudding will prevent cavities and reduce heart disease.....
Surely, you mean "ninjii", don't you?
You see? You see? Your stupid minds! Stupid! Stupid!
I've been cranking on this idea for a while and it may be possible to thwart the RIAA. Some really smart encryption heads/programmers could tweak the current file sharing protocols to switch port numbers, route the data to dead end/non-existent IP addresses using some complicated algorithm. Yeah, it might take a little longer to get your file (MP3, let's be honest), but the DoS attacks wouldn't be able to go through since your IP address would "flicker" in and out of existence. From the perspective of the network, there would be periodic and unpredictable breaks in the network. A LimeWire-type P2P would be pretty cool, switching port numbers, and periodically breaking connection (for a finite amount of time, then reconnecting). With everyone's computer running this program, the network would be a virtual Christmas Tree of flickering IP addresses and port numbers. It would even be cool if a series of virtual or decoy IP addresses existed, making life very complicated for the RIAA DoS attacks. Gah-ah-lly, my imagination runs wild, I just wish I had the programming knowledge to make this work. It sounds so fun. Of course, this assumes that the stupid law passes through Congress. Is Joe Smith transferring files illegally or not? I'm sure some Ivy-League Geek will figure this out. The RIAA doesn't have a chance.
Using his technique, the computer that launches an attack is paralyzed and requires an administrator to restart it, but it stays online and is not otherwise harmed, said Mullen, who is a columnist for SecurityFocus.com.
Requires an administrator to restart it? Do they mean it basically crashes and has to be rebooted? How does that do anything to solve the virus? Sure it temporarily disables it, but if it's a 9x/ME box there is no "administrator" and if it's NT/2K/XP there may be many people with admin rights. Furthermore, your average grandmother-using-aol-on-her-emachine would have no idea what to do, or that she has a virus, or what a virus is. Temporarily disabling machines doesn't do anything to solve virus problems. The only thing that will solve virus problems is educated computer users, and that is unlikely to happen anytime soon.
Just as an FYI: the one and only time one of my submissions was accepted, the headline was changed by an editor.
All of the email I've been getting started on Friday. It started with delivery failure messages to people I hadn't sent email to. Then I started getting email from virus scanning programs telling me I'm sending the Klez virus to people. It's odd because I use pine to view/send email on Linux. The email is also being sent by an account I only use to receive email. I just don't want to get blacklisted or something because of a security flaw that occurs on Windows systems.
-- john
If Microsoft tied up the bugs in Outlook and finally realised/admitted that secure by default is more important than snazzy and integrated by default
/. You people don't take notice of anything that Microsoft make less than 5 years old. That's why you still think Windows 98 is Microsoft's pinnacle of stability.
You mean like Outlook 2K2 in the Office XP suite that keeps its security settings on a setting that's tighter than a fish's asshole by default? That's right. It now assumes every email is out to get you.
Oh wait, my mistake. This is
This is all despite the fact that many (but not all) of the Outlook "viruses" required the user to actually OPEN the emails. Get over it already.
If they should be able to run code on our computers, they increase the security risk, since viruses may exploit these programs.
That's why this will only encourage more defiance of copyrights - because the chances of any one of us having our security breached is much less if we all insist and expect each other to not support them. I think copyrights are old-world, and the sooner we get rid of them, the better.
It's important to remember WHY vigilante actions are generally illegal:
I can only think of one set of circumstances in which our culture and law condone vigilante justice: self defense of a human being against bodily harm.
It is important to remember that computer crime is almost universally property crime. With rare exceptions there is absolutely no danger to the person of a human being posed by computer cracking, and thus no reasonable basis for authorizing vigilante justice.
If what we want to do is stop viruses and worms and the like, there's a simple thing we could do that would eliminate over 99% of them.
Just ban all Microsoft systems from the Internet.
The remaining handful of viruses and worms wouldn't be enough of a problem to get the media's attention. We'd want a mop-up operation to stop them, of course. But that would be a minor technical project that the media wouldn't find interesting.
We should have done this five years ago, when it was becoming clear that Microsoft had no intention of fixing the security holes they were building into their systems, and their customers were too clueless to demand fixes.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
It is illegal to attack a machine that is attacking you. It's illegal to release a worm/virus into the wild. However, it's NOT illegal to participate in its distribution simply because you're too inept to keep your machines patched. Those who are indirectly causing all the damage will suffer no liabilities as a result. And perhaps punishing them isn't the answer.
However, look at it from the worm's perspective. It seeks only to invade and to reproduce. It doesn't care about legalities or consequences. It will do what it's designed to do, and will do so indefinitely until its means of propagation has been eliminated. The vulnerable machines are out there. They will always be out there. And as long as they're out there, there will be breeding grounds for worms.
We need to meet halfway on this one. If we can't attack the machines that are already attacking us, we should at the very least be able to stop the problem. In fact, it makes sense to stop the problem before it even starts. If someone is running an unpatched system, they're going to be the participants in a worm redistribution program eventually. If it has to happen, let it be a benign worm that hits it. Invade the machine, fix all known holes, then propagate to a set range of addresses, then die. No more worms for that host, and in a matter of hours, that exploit will have been completely removed from the world, or at least as well as the worms could find it.
Perhaps at least with XP's automatic updates, these patches might be implemented on a regular basis. However, what about all the people that don't allow themselves to use the automatic update features? There are plenty of pirates and security-wary but otherwise legitimate users who won't use the automatic update features. Those machines are just as vulnerable. If the user isn't willing to patch them, then let someone legitimately be allowed to do so. Or at least look the other way when it happens.
-Restil
Play with my webcams and lights here
Consider. Anything you write is protected by copyright automatically.
Let's suppose you write an email. While it shouldn't be necessary, perhaps you might include an explicit restriction in the body of the email, or at the bottom like lawyers often do: "This material is copyright by the sender and may not be reproduced in whole or in part by any means, including but not limited to reproducing on paper via a printer, forwarding to any other mailbox, storing on punch cards, paper tape, magnetic tape, optical media, or any other machine-readable form of reproduction. If you wish to reproduce this item, licenses are available from the sender for a nominal fee."
Let's suppose you sent your email to the RIAA. They are entitled to exactly one copy, which will end up in the mailbox of the receptionist. This will pose a dilemma, which will probably be solved by violating your copyright.
You might find it necessary to take steps to protect your intellectual property.
I wrote a script on my web server (that constantly gets hit over and over by Nimda... about 300 times a day it seems) to use the vulnerability against them.
It uses the Nimda vulnerability to hit them back and gives them hundreds of popup messages throughout their system, telling them to apply the patch and get some type of security (then the scripts delete themselves). It also applies an "at" command to launch a vbs file on their system to remind them to get a patch. Just enough to annoy them.
It seems to work. I implemented this because I work at a very small ISP here in town hosting DSL lines. Our lines are always getting eaten up by Nimda, even still. This way it saves on our bandwidth for everyone else to use. The funny thing is that it works. Traffic used by Nimda on the network has gone down dramatically because of it. We applied the program to all the gateways (since they are all Linux boxes). Just added Apache with my script to fish out as many people as possible.
I love it. We get calls from customers yelling and screaming that they didn't have nimda and we prove it to them by emailing them the log file. Some are even thankful. Zac Bowling
No.
Did they change the original article online? 'Cause I don't see anything like that in the news.com article now.
Indeed.
Maybe we should talk to these guys? I've heard that they're totally awesome:
http://www.realultimatepower.net/
Be careful when talking to them though: say one wrong thing and they may just totally flip out and cut your head off.
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
A breathless story about how the best defense against [fill in the blank: piracy, virii, hacking] is a good offense at CNet.
Yes! CNet is the root of all these evils for publishing stuff like this! A good offence at CNet would surely be in the best interest of the public.
I doubt, therefore I may be.
You can find the contributions at OpenSecrets.
You will discover that your favorite politicians are not only 4 sale, but that you can buy them for fire-sale prices.
Tech Public Policy stuff
Yes - I do metamoderate. But I try to keep moderation as something other than a tool for expressing agreement or disagreement with a post. Granted - it's not easy to do. I'm more inclined to mod up a post I disagree with as "interesting" than "insightful".
And yes, karma-dropping doesn't always guarantee positive moderation. But the success of the tactic isn't the point. The issue is whether you've really got something to say or are just posing. Of course, I suppose if a post is ignored or moderated down, the poster can feel like a martyr. So even then, it's successful.
If someone punches me in the nose, I can kick him in the nuts. And if he's a better, wiser person for it, so much the better. Now that doesn't mean I can incinerate him with one of my thermonuclear weapons, kill the whole town, beat him to death, or even go all ninja on him until I get that "so sweet I want to crap my pants" feeling.
AFAIK I get to beat on him till he quits, unless I want to skip right past go, and land my ass in a place where "getting doubles" has nothing to do with dice.
--Jimmy has fancy plans; and pants to match.
Bad editing leads to abrupt transitions. Here we go from "Striking back against a computer that is attacking you" with a worm to this:
Whah? Then we back off and contrast that approach (placing "destructive decoy digital files into peer-to-peer networks to penalize users") with the hack-back the story was really written around.
It's almost like the editor wanted to nod in the direction of the latest legislative "anti-hacker" move, whether or not it really had anything to do with his story. That's all. No "bandwagon." Just bad editing. Given the state of /.'s stories, we should relate.
"Fundamentalism" isn't about divine morality. It's about human authority.
The really silly thing about "virii" is that the worst is so obviously a product of stupidity: you can almost imagine people thinking, "Gee, I sorta remember this word 'radii', so I guess the plural of 'virus' is 'virii'!" In a similar spirit I've seen "compi" (plural of "compass"), "serii" (plural of "series"), and "stati" (plural of "status".)
Moral: if you don't know Latin, leave off pretending that you do. "Viruses" is a fine English word.
hyacinthus.
"Hi, I'm from Al Qaeda records, and I'm here to hack your computer!"
Enough said.
Or... wait, wouldn't he need the time machine from the future, so really he acquired it *after* he got the 486?
*gzzt! Poing*
GMFTatsujin
I also live in Colorado, and as I recall the "make my day" law it does NOT give us the right to use lethal force to protect our property.
That said, the law does provide an affirmative defense if you kill anyone in your house - the state must prove that we shot them even though we knew they posed no personal threat to us or others; we do not have to prove that we perceived a credible threat before we can claim "self-defense."
In practice, this is an impossible burden in most cases (excluding cases where one resident kills another), so it's a de facto acceptance of lethal force to protect property... but it's not absolute. You certainly wouldn't want to make this statement to the cops who first show up on the scene and want to know why you have a dead guy in your living room, next to a displaced TV.
(IANAL, etc., but I am a gunowner so I follow this material.)
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person.
Great. I guess we might as well get rid of the Department of Defense, if they're not going to bother to take any active measures. I guess that whole Afghanistan thing with the "unavoidable civilian casualties" was just a figment of our imagination.
Software sucks. Open Source sucks less.
Grammer is indeed a word; it's a town in Indiana, and the spelling of the word shall be Grammer. That seemed out of context and was not capitalized, however, so I took the liberty of assuming that you had actually meant grammar.
There's no way out of this, is there?
I think when we both run out of karma it'll be finished.
I spent a year in Iraq looking for WMD and all I found was this lousy sig.
E.g.: I have a computer at work that runs Win2k that I have yet to install SP2 on because SP2 is known to have issues with Novell (and we run a Novell/AD network). We're trying to migrate away from Novell, but as long as it's in use, I can't just break it for the sake of a "more secure" computer.
FreeBSD for the impatient.
'thanks, but I won't respond to anyone not in my district'
... Smiles.
US congressman whose salary is paid by the US government.
US congressman whose efforts not only directly affect other districts in his state, but the entire fifty states plus assorted territories, etc.
Now if he would only accept campaign contributions from people in his district,