Clean Needles for Hackers
scubacuda writes "Jon Lasser of the Register opines that we should "give up on the notion that computer security can be improved by putting more people in prison." He argues that a "harm reduction" approach (similar to that of the "clean needle" campaign in the War on Drugs) might be more productive. If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberties."
As a personal choice, but demanding other people make the same choice takes away the freedom you're trying to protect. The people committing the crimes are the ones that should have their freedom restricted.
How does punishing people who commit crimes reduce our civil liberties?
... then we should actually make more legal cr/hacking available for people to "get it out of their system".
That's basically what they do for crack users -- give them clean needles so they don't hurt themselves anymore. Let's give the hackers clean times to work on their hacking so that they can't get thrown in jail.
I'm sorry, but this idea still makes no sense.
Some people get respect from their friends by being sent to prison or running the risk of it.
Crackers fall into that category.
Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare.
Pardon my ignorance, but how does using UML make software safer? Come to that, what the hell is a "safer" computer language?
Mother is the best bet and don't let Satan draw you too fast.
So making people write good code isn't impacting people's civil liberties? Considering most of the developers I know, that'd put most of them out of work...
Drug addiction is a physical addiction. The idea of the needle exchange program is to reduce the spread of a FATAL disease. The purpose of the laws against needles is to cut the use of drugs, but the drugs are still illegal.
Here, this guy is proposing something along the lines of eliminating car locks so that no one will be arrested for carrying burglary tools.
Fight Spammers!
Since when are we putting hackers behind bars just for hacking? We put people in jail for breaking the law, and usually first time convicted hackers just get probation. The only hackers we put in jail are repeat offenders or those whose crimes escalated into other higher crimes. If you root a bank's server and send $100 million to your Swiss bank account you're a bank robber, not a hacker. If you steal code, you're committing an act of industrial espionage, not hacking. I think a lot of people take the stance that if you commit a crime through a computer, it's just harmless hacking, and not worthy of jail time. Basically my point is there is a huge difference b/w DoSing some jerk on IRC and releasing the next big superworm that causes billions in damages and could possibly cost lives. They are NOT the same thing. One thing is "hacking" (Cracking! Damnit.) the other is just being a criminal.
Everyone is entitled to their own opinion. It's just that yours is stupid.
This really is a terrific idea, attacking the problem at its base level. But part of the problem is still social influences in regards to hacking. Script kiddies still see defaming a website as cool, and above reproach.
In addition to dealing with security at its fundamental levels (ie. underlying languages), a social campaign to change how hacking is viewed is really needed. 0wnz0ring a retirement home's website via a 0day bug should be viewed the same as mugging a 90 year old resident of said home, but it isn't. Now ask, how do we change that? Sorry, slightly offtopic, but I think the combination of these two problems (Underlying Language and Social Stigma) is really the answer to a lot of security problems faced by IT today.
"Powers. I have them."
People who break into other people's computers are trespassing. This represents an initiation of force -- a "natural crime" if you will -- because there is an actual breach of property rights. There is no question whether it is just to take action against these people.
People who use or trade drugs, on the other hand, have initiated no force. There is no breach of property rights. Drug "crimes" represent, at best, a breach of government-mandated conformity -- an "artificial crime" if you will.
To compare the two is not only illogical, but dangerously misleading.
Hackers are not dying of really horrid diseases and passing these diseases onto non-hackers, are they? Maybe we should give clean needles to the hackers, and then let the war-on-drugs folks deal with them.
How does putting someone in jail for *committing* a crime violate MY civil liberties? Sure, I'm going to lock my doors, but that doesn't mean that anyone who breaks the lock should be let free.
-Brent
So that car thieves are less likely to break into them and steal them.
I don't see what drawing stupid little boxes with arrows between them has to do with computer security.
Firstly, I doubt this is entirely workable. There's too much unsecured legacy code that no one's going to want to rewrite.
But mainly, this is simply the wrong attitude. If someone breaks into your house, it is the burglar's fault. It isn't your fault for not surrounding your house with barbed wire and a pack of rabid dogs. While I agree that penalties for hackers are often overly harsh, that doesn't change the fact that they knowingly committed a crime of their own free will, and should be punished for it. Hackers are responsible for their own actions. It's that simple.
Whoa, what a concept! Improve systems security making them more secure!
h@hh@hh@...@.&.... "You shall not pass!"
You'd probably get a lot less hacking / script kiddies if they knew that on first offense they'd go to jail. I'm sure that giving them carte blanche to do whatever they want will greatly reduce the amount of hacking.
slashdot, news for crazed liberal socialist zealots
Clean needles for hackers? What sort of analogy is that?
Addicts get clean needles in drug programs so they don't catch AIDS and start costing society even more.
In the case of hackers, a program on the same lines would give them money so they don't commit fraud and cost society even more.
If you wanted to find an analogy to writing more secure code in drug solutions it would be making it physically impossible for heroin addicts to take their drug (Cut their arms off? Lock them up?)
I just don't see the relationship between needle programs and software security. Its a very weak analogy.
A better analogy might be that giving up on IT security is like giving up on transportation security.
SCO to Hell
... how does it help to pass laws which could be used for putting innocent people in jail? It is kind of stupid when anyone forms a law about something he does not have a clue about. Is there any law in the U. S. which would send authors of such laws into jail? Something like DMSPA (= Digital Millennium Stupidity Prevention Act)?
They are talking about User Mode Linux, not Unified Markup Language. How ridiculous.
Everyone is entitled to their own opinion. It's just that yours is stupid.
I thought this was a very interesting perspective. The point of harm reduction is not to focus on individual behavior or particular tools to be used. There is a larger issue, harm reduction recognizes that tools exist to stop certain behaviors or effects but that individuals don't often implement those tools or alter their behavior. Harm reduction, as applied here, would seem to suggest viewing computer security in terms of populations and would be willing to live with a certain persistent level of security problems in the population. Harm reduction seeks not to alter all behavior but to reduce the incidence of the behavior for the population. Harm reduction has been very effective in HIV prevention and drug use. By focusing on population-level interventions, one can avoid restrictions on the particular individual. If I can alter the infrastructure or intervene on a population level, without affecting people's ability to perform their desired tasks, and can get a reduction in the number of security problems, then I can avoid draconian criminal penalties that seek to control individual behavior.
The 'clean needle' approach basically involves making life easier for the criminal group (drug addicts) so that they don't need to commit so many troublesome crimes -- thus making life easier for everyone.
The approach advocated in the Register involves making life harder for the criminal group (hackers) so that they aren't able to commit troublesome crimes.
There is no similarity, and furthermore, while the 'clean needle' thing is highly controversial and frequently shades into a program of government-subsidised drug abuse, writing software more securely is obviously beneficial and should be a no-brainer.
I therefore conclude, your honor, that the phrase 'clean needle' was only introduced because it's eye-catching -- perhaps because the original submitter was caught in a fringe eddy of the Really Rather Silly Field (RRSF) that usually surrounds The Register.
Whence? Hence. Whither? Thither.
So uhhh... what does UML have to do with security?
So... we should not only rely on throwing hackers in jail to prevent hacking, we should also increase security on our computers.
And in other news, fire is hot and the Iraqi Information Minister has been telling lies all along.
Adidas To Bring Back Sneakernet
The reality is that our whole criminal justice system is badly broken: too many people locked up too long for the wrong reasons, truly vile and/or psychologically damaged people who ought to be locked up getting out too soon because of the revolving-door necessity of perpetual overcrowding, a for-profit prison system which lobbies powerfully for the continued growth of the inmate population, and a system of incarceration where at best people are rehabilitated in spite of the system, and at worst they are exposed to rape, violence, sexually transmitted disease, pervasive availability of drugs, ending with an individual coming out with AIDS, little possibility of finding anything but the most menial employment, but a lot more exposure to the criminal underworld.
I'm afraid the plight of the incarcerated cracker is a very small worm in a can that no politician with the power to affect the situation has the guts to touch with a ten foot pole.
It Is the Nature of Information to Transgress Artificial Boundaries
This isn't about letting hackers go free. It's about making systems more secure without having to violate civil liberties by enforcing draconian security measures.
Or, to put it another way, alleviating a symptom (rampant hacking) of a problem (programs with security holes) by actually solving the problem (using safer programming methods to close the security holes) while still punishing those who continue to try to hack, who, with these lower-level holes closed, will have to resort to higher-visibility methods where they are easy to catch using ethical (i.e. strictly-reactive) methods of law enforcement, rather than violating the rights of 10,000 innocent people for the sake of catching a single wrongdoer.
Let's get them snacking! Wait I think they already do that, but if they did more of it think of the boon to the convenience store industry. It might just pay for itself in the long run.
~S
It's like saying we need to stop putting rapists in jail, and instead make all women wear chastity belts. Or don't put muggers in jail, arm everybody instead.
Both of these examples interfere with normal operation - I don't want to have to make extra effort (I could be being creative in the time I have to spend on extra security) because hackers are at large.
that extend well beyond whatever the law was intended to accomplish.
A recent example is the Computer Decency Act. The reason the US Supreme Court shot it down was not because pornography is good but because they didn't want to turn the internet into a reading room for kindergartners.
I wasn't happy with the wording of the article even though I agree that throwing people in prison doesn't actually work. Better wording would have been that companies should take responsibility for their own security.
There are generally accepted coding standards out there. We all know that buffer overflows are Bad Things, yet unbounded buffers still seem to magically appear in production code. Software manufacturers should be held to the same standards as everyone else. If your failure to exercise a reasonable amount of care causes harm, you should be liable to the person you harmed.
Similarly, if your cracking activities cause harm, or violate the law, then you should face the consequences.
Bottom line: Don't let companies off the hook for writing Bad Code, and don't let malicious crackers off the hook just because what they actually did was technologically possible.
Laws affecting technology will always be bad until enough techies become lawyers.
This isn't like a clean-needle program.
The idea of a clean-needle program is to provide a safer way to commit the crime. Applied to hacking, this would be more like providing free public honeypot servers which the hackers could 0wn to their heart's content.
Closing the security holes -making it impossible to hack- would be more like actually eradicating the drugs themselves. Worthy goals in both cases, I think, but it means that the analogy is more like the current War on Drugs than the idea of clean-needle programs.
I personally don't want to have to learn another language. It's not that I'm against it, but that doing so is actually a performance hit, ex. if (x + y + z) is not valid in Java, it has to be converted ((x+y+z) > 0) to boolean, not just cast. Being forced to learn all the little rules that are required to compile in some new language takes time, and it's not always clear that there are advantages.
Certainly it's possible to educate programmers about proper, secure methodologies, but then it becomes a question of habit; if you don't force yourself to do it every time, you're going to forget in that one critical instance.
Why not code that knowledge into the tool that builds the program?
...vividly encapsulates that post-Watergate/pre-punk/coked-up moment when you could trust no one, least of all yourself.
If you lock your systems down tight, you still have to worry about social attacks. Unless something is done, social engineering will always be one of the most effective, least difficult methods for gaining access.
One of the biggest needs of improvement is in employee education. Most people just do not understand why the password "Snoopy", or "office", or their name, their username, etc. is bad. They don't see why locking their desktop when they go to lunch is important. They're happy to tell you their username and password if you ask them (perhaps while throwing some confusing technical terms at them).
Some of the energy being spent (and there's a lot of energy people are putting into technical security measures) should be devoted to educating users on good security practices.
.sigs are for post^Hers.
Now I'm not one to blame the victim, but remember, once a malicious person has accessed your system, no amount of jail time will bring back your data.
Beny"I'm a humble person really,
I'm actually much greater than I think I am"
This is not a clean needle program. That would be equivalent to treating system intrusion as a kind of disorder and providing "safe" systems for them to hack into to deal with their urge to crack.
This is really nothing more than increased security and good programming practices. It's watching your back. That's it.
That said there's a lot to what we in IT should be doing to make the world a safer place. But we can do it without lousy analogies.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
I find it disturbing the number of people that are posting saying things like "but these people break the law, so they deserve what they get".
Come on Americans, what's happened to you recently? Where's your spirit gone? The spirit of justice, fairness, freedom? Is it right that teenagers get sent to jail for "hacking" when the state of IT security is so poor? If your bank left sacks of money outside its doors, when they got stolen by a couple of kids would you think the kids were guilty of a crime, or the bank?
In the old America, the kids would get a stern telling off and the bank manager would be accused of negligence. These days the kids would be looking at a long jail sentence, and the bank would be pressing the government to pass laws waiving them of any responsibility.
If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberties.
Hmm... why does this sound like "it's the victim's fault"? C'mon! Nobody would say that to a woman who was dragged into an alley, beaten and raped.
If anything, it seems to me that prison time puts out a loud and clear message to crackers that what they do is indeed a crime and will be treated as such.
Don't enough people get slapped on the wrist by the justice system already anyway?
-A
Instead of putting murderers behind bars, why don't we just make everyone wear bulletproof vests? We can't infringe on the rights of murderers!
Username taken, please choose another one.
is not the hackers. Or viruses. Or trojans. Or bugs. It's the money.
Most software still is proprietary and someone wants to make money with it. So he wants to see it protected. He doesn't want his software to be secure since that costs money. Having someone thrown into jail costs less money, so that's the preferred way.
At least this is my experience with the thoughts of suits. Many think of software like it would be, say, a car: with enough brute force you can get into any car you like easily. They don't realize that this is not how software works. You don't hack software (i.e. servers) by using brute force attacks but by cleverly exploiting weak spots, like the lock or the window seal.
But since many suits don't get this they think no matter what, their software can be hacked by Joe Average and thus that they need fierce laws that prevent them from doing so instead of securing their software in the first place.
having moved to a city with high crime rates (in comparison to other European or US-American cities), I find myself surveilled by CCTV cameras, annoyed by having to use a giant steering wheel lock, constantly nervous about someone stealing my bike (which they did once, of course). The place I work in, full of computers and fancy technology gadgets, has doors locked everywhere. When I forget to take the little plastic transponder with me, I'll lock myself up in the restrooms.
That's about the view presented in the posting: If there are too many thieves, let's build a higher wall.
Sorry, but I hate that idea. This is not freedom.
ps.: the city is dublin. don't come here, there's no broadband (at home) available anyways...
This is the last straw. Comparing a junky and a fat, teenage kid who lives in a basement. I can't take it anymore. Go get strung out and then tell me the only reason you quit shooting dope was because you could get clean needles. WTF I hate you all
What a novel solution... let's make our systems so that people can't hack them. What a great idea! While we're at it, let's design a freeway system that prevents anyone from ever crashing their cars.
:)
The reality of the situation is that it's pretty much impossible for a developer to anticipate all of the strange ways that a system can be exploited. And considerable thought already does get put into writing secure systems, in spite of what the original post intimates.
And a "redoubling" of efforts to ensure security is pretty pointless unless Microsoft is on board with it... which they won't be because it doesn't make them any more money.
If you really want to approach the problem differently from jail time for hackers, then how about jail time for hackees. If you're the admin for a system that gets hacked and is used to attack another system, you get 1 month in the pokey for every publicly-available security patch that you haven't applied to the system.
Of course... then the problem here at our university would be: who the hell will be left to teach classes while the MIS faculty are in jail?
I agree with some other people. This analogy is just horrible. Hacking and drug use, use of tools that target security to develop safer application vs. use of clean needles to prevent spread of disease through drug use....I mean, does drug use = hacking (in the programming sense of the word, not cracking)?
Besides, use of things like safer OSes and more secure libraries - if you really want that kind of security, then the onus, quite frankly, should be on the OS vendor. In many cases, it'd be Microsoft, of course. If Microsoft developed a secure OS and provided (even if through 3rd party) a set of secure libraries for developers to use, then it would cover all the bases. Of course, nobody in the free software world would ever want that because it "locks" you in to using only Microsoft stuff.
Lastly, a comment on crime and punishment. In the U.S. (I don't know about elsewhere), it is vastly more profitable (for certain parties), and therefore in some ways, desirable, for people to break the law. Why? Law enforcement can issue fines, lawyers (by far the biggest benefactors) can get their fees, and for the lucky criminals that don't get caught, there's the pure profit of the crime itself, however little it might be (not talking about crimes like homicide). In many ways, the government's structured to take law breaking into consideration as a means of providing income (parking tickets).
I personally think the plethora of virii and other exploits loose on the net today is a very good thing.
Picture your computer as your faithful dog, man's best friend.
Now say your neighbor has one too.
Your neighbor lets his dog run free, and it tends to play in the local junkyard, picking up god knows what.
You on the other hand, keep your dog nice and sheltered, only letting it outside on a leash when you walk it.
Now which dog do you think will have a more robust immune system, if they both get sick which is more likely to survive?
The septic environment that is today's internet forces us to make decisions that increase security, strengthening our digital immune systems.
Imagine if there had been far less malicious hacking over the last decade or so. Imagine a world where there are no effective anti-virus programs because there are no particularly effective viruses. Where all those security holes we've read about over the years are still exploitable because we never found out about them the hard way.
Now imagine how vulnerable such a world's systems would be if some person or organization decided to try to take them down.
"The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
I liken this to the current state of American jails. People are always complaining that we have too many people in jail, and that [insert %] of inmates are [insert race here], and that isn't right. The same people doing the complaining always offer solutions that place the burden of the criminals' behavior upon the tax payers and law abiders. The real answer is: stop breaking the damn law!
is to outlaw M$ products.
Winbloz is an insecure product. It's broken out of the box and can not be repaired. This is documented fact.
There's no need to screw with the compilers.
Back in 1984 I was working on a source store that I tied into the project management and then I was able to restrict the mainframe's compiler to only accept source from the machines of the guy who was supposed to be working on it.
Even then it went to UT, QA, SIT and finally production. The source and destination environments were set by the workflow NOT developer and depended on who was requesting the compile.
If you weren't supposed to be working on a program, and it didn't have a migration path, you couldn't compile it. BUT you could compile anything you wanted on your own VM (This was on a mainframe. It was in 1984)
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
We used UML and our project is now secure! Go UML!
From the article:
Most individuals can control themselves, but there is a substantial group of people for whom no legal penalties will be enough to discourage their behavior.
That's true of every crime I can think of. That's why we like to keep people who have demonstrated that legal penalties don't discourage them in prison, where they can do no further harm. Legal penalties may not always be a deterrent to crime, but they sure as hell can be an impediment to it.
In the US, Justice and Vengeance are one and the same.
Where's the justice of prison for some kid who places All Your Base-esque speech on some random corporate website?
Sure, the kid did wrong. The kid should be punished, and made to understand that what he or she did was wrong.
The corporation probably lost money, and loads of it, while CATS was preaching to the Captain.
Here's the thing: Prison isn't going to do much for the kid, and it certainly won't help the corporation recoup losses. A civil lawsuit likely wouldn't either - you can't get money out of a rock and all.
With all the talk of 'h4x0ring' being a 'terrorist act' lately, this sort of thing is only going to become a larger issue.
Now, the civil liberty in me says, "Life for a defacement? Wrong." The system administrator in me says, "Life for a defacement? Wrong. Baseball bat and five minutes alone? Right!"
Random idea: Chain the little bastards to a desk, which has, say, a 486 also chained to it, and make 'em do restitution work for whatever they went and fucked with. For the equivalent of hard time, have Bill Gates standing next to the desk, throwing Windows CDs at the guilty. For the equivalent of white collar crime, have a BSD Daemonette standing next to the desk, prodding the guilty with a pitchfork. Mmmm, BSD Daemonettes.
As for reducing threats by using 'safe languages', feh. Here's a solution: Hire people who realize that OMG STRINGS NEED TO BE CHECKED FOR LENGTH!
Buffer overflows are a product of two things: Hiring cheap labor from India, and hiring cheap labor from the US. Start paying what programmers are worth, and you'll get programmers who know what the hell they're doing in return.
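The "unbounded buffers in production code" point above and the "strings need to be checked for length" point here come down to the same coding habit. This added C example (not from the thread) puts the unbounded idiom beside a length-checked copy that refuses over-long input, using a constructed session record with a hypothetical `is_admin` field next to the name buffer to show what a bounded copy protects.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size record (not from the thread). The field after
 * `name` exists only to show that a bounded copy never writes past it. */
#define NAME_MAX 16

struct session {
    char name[NAME_MAX];
    int  is_admin;   /* hypothetical neighbour an overflow of `name` would clobber */
};

/* The unbounded idiom the thread complains about. Never called here: with
 * input longer than NAME_MAX-1 it writes past `name` (undefined behaviour). */
void unbounded_set_name(struct session *s, const char *src)
{
    strcpy(s->name, src);
}

/* Length-checked copy: refuses input that would not fit, always leaves `dst`
 * NUL-terminated, and never reads or writes more than `dstsz` bytes.
 * Returns 0 on success, -1 if the string is too long (dst becomes ""). */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    /* memchr stops after dstsz bytes, so an unterminated source cannot
     * make us scan past the space we are willing to accept. */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL) {          /* no terminator within dstsz: no room for it */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);  /* includes the NUL */
    return 0;
}

/* Set the session name from untrusted input; on rejection the record is
 * left in a well-defined state (empty name, other fields untouched). */
int set_name(struct session *s, const char *src)
{
    return bounded_copy(s->name, sizeof s->name, src);
}

/* The cases a reviewer would check. Returns 1 when the record stays intact
 * through a fitting, an exactly-fitting and an over-long input, else 0. */
int check_bounded_copy(void)
{
    struct session s;
    memset(&s, 0, sizeof s);
    s.is_admin = 0;

    if (set_name(&s, "alice") != 0 || strcmp(s.name, "alice") != 0)
        return 0;
    /* NAME_MAX-1 characters fit exactly (15 chars + NUL) */
    if (set_name(&s, "123456789012345") != 0 || strlen(s.name) != 15)
        return 0;
    /* NAME_MAX characters do not: rejected, name emptied, neighbour untouched */
    if (set_name(&s, "1234567890123456") != -1)
        return 0;
    if (s.name[0] != '\0' || s.is_admin != 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("bounded copy keeps the record intact: %s\n",
           check_bounded_copy() ? "yes" : "NO");
    return 0;
}
```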
I'm not sure you can link clean needle programs with the War against Drugs. People who run clean needle programs think the so-called war is a disaster and the drug war people think the needle people are unmitigated lunatics.
My
Limekiller
This idea misunderstands things. It's widely and openly acknowledged that security can never be perfectly impenetrable. You therefore make security as best as you can, and make it illegal to breach security, and then punish breaches of security when you catch those responsible for them.
Where this all gets hazy and crazy is when people with wide-open systems can prosecute someone for "hacking" them when all they did was walk in through an open door. Open doors are good for public places; if you don't want your computer systems to be public, don't allow it. Put a lock on it. If someone breaks and enters, that's prosecutable. But that should be the line drawn.
What we need is for the law to say that an open door is good as an invitation, but that breaching a locked door with a sign on it that says Authorized Access and Use Only is a criminal offense -- the equivalent of trespassing, breaking and entering, robbery, or destruction of property, as is appropriate to what actually takes place.
You see? You see? Your stupid minds! Stupid! Stupid!
If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberties.
You're saying that developers should take responsibility for what they write to ensure it's secure? You're kidding, right? I mean, who the hell wants to be responsible in this day and age?
This kind of thing will never happen because businesses (plenty of them out there that would rather sue than write solid code) are too lazy. I've been told "secure code doesn't make business sense -- it costs money".
Question: when a company/whatever gets hacked, who handles the prosecution? Do you just turn it over to the FBI and they go and nail the little bastard? If that's the case, what this story discusses will never happen.
Why bother.
People make a decision whether or not to break the law. The analogy of giving needles to IV drug users to stave off disease is not applicable here to computer hackers. The disease of IV drug users is chemical addiction, the result of activating a biological predisposition for the addiction. Hackers probably have an affliction closely resembling gambling addiction, but either way, one makes a decision to do the wrong thing even though s/he may know it is wrong. It isn't bob's fault his computer is insecure, it's joe's fault for hacking it.
The humiliation of the crime, fear of rotting in prison from boredom, and lack of control over one's life should be a strong enough deterrent to persuade one's decision in the direction of NOT acting against the law. However, look at our prison population compared to other countries. America has more people in prison for one crime or another compared to any other country. In other countries the punishments usually are much harsher for the crimes committed (in the middle east it is said that thieves lose one hand, hence they are likely never to steal again). Here in America, we take away your life (freedom) for a while, sometimes for the remainder of your natural life. One way or another, prison will rehabilitate the offender, often through reflection on the crime and the horrid experience of being locked in a cage, hearing the screams of fellow inmates calling for help, pleading to be set free and promising to NEVER again do whatever they did to get in there. Well, their time pleading for mercy will have a cumulative effect on their behavior. They will weather the storm of their actions and experiences, and be transformed into a law abiding and productive citizen.
You don't leave your door unlocked, do you?
Duuh?!?
And as further proof, you go to Rutgers.
(similar to that of "clean needle" campaign in the War on Drugs)
Sounds great. If I were a hacker does this mean I get a support group, help weaning off of my addiction to hacking, and generous government grants and welfare? Somehow I think not.
Sure, clean needles are a harm reduction tactic, but the harm that is being reduced is the harm to the drug user. No matter how many drugs a user puts in their arm, it doesn't affect my health.
.
How exactly can we "harm reduce" the effects of hacking? These guys aren't hacking their own servers, they are hacking production boxes.
Here's a harm reduction suggestion. The register can pay to maintain honeypots to lure hackers away from real production boxes on the internet....but I doubt they have the time or money to pull that off.
Of course, if you use a honeypot while trying to protect yourself you might actually go to jail
-ted
OF COURSE all these things will help.
:-)
One thing the oft-maligned Theo de Raadt is doing with the newest version of OpenBSD is using ProPolice... which of course breaks a large amount of the ports tree. Luckily for us OpenBSD users the Ascended Masters who write and maintain our OS don't mind sacrificing comfort for correctness!
And we can do this and make our own security better, but most security incidents today happen because of compromised windows machines. So we have two problems:
1. These machines are generally easy to upgrade but admins are lazy (what makes you think people will upgrade even if we tell them the next version is safer)
2. What makes you think Microsoft would recode their apps using these products (or anything similar) anyway?
If we make UNIX machines harder to break into people will just move on to easier targets. I think every little bit helps, the UNIX machines might as well be secure, but it won't do you any good if someone targets your DSL router or your active directory server.
So what's it going to take? Large corporations standing up in meetings saying they will not buy products unless security has been reviewed? Think about the SQL slammer worm which completely screwed up parts of the Internet for 4 hours or more. Is anyone reacting? Anyone saying "well damn, guess I'd better not use MSSQL." or "hell, guess I better put a firewall in front of this thing." Anyone's corporate security policy change at all? Maybe, but did your software standards change?
There are hundreds of things that need to change before things get better. How about securing open proxies? Stopping open mail relays. Getting rid of every old and insecure version of bind, sendmail, and apache that's still running somewhere on the internet. Rewriting insecure webpage forms so they don't allow db access to everyone. Turning off telnet in a bunch of places. Same with FTP. Turn off unencrypted IMAP and POP3.
Turn off open wireless networks, convince cable and DSL companies that despite whatever cost savings or easy configuration they get from it, putting everyone on the same network is a bad idea.
So if I could wave a magic wand and all this stuff got taken care of, tomorrow we'd see a slashdot post saying that a fatal flaw in Ethernet causes everyone to be vulnerable to any attack, nobody is upgrading because it's too expensive and there is no software fix for it.
Unfortunately, the easiest and quickest way to make these things stop is to put a lot of people in jail for a very long time. Corporations (who have the money and the government backing) don't think it's very funny when people target their 10 year old Sparc 5 that's acting as a webserver and break in. To them it doesn't matter that it's really their fault, they want some revenge, and a call to their government friends gets it for them.
We the people of the United States can't change a damn thing, even if we want to (Apologies to non-US citizens who've read this far, I'll shut up in a minute). Changing our coding standards (while amusing to some of the true crackers that are still out there) won't change anything for the thousands of script kiddies who target year-old exploits and scan the entire internet for more boxes to compromise.
Those of you who are not cynical feel free to respond and send solutions.
Maybe you were just getting into the semantics of the argument, but it sounds to me like you are saying that illegally cracking a system (or 'coaxing' as you so quaintly put it) isn't nearly as bad as physical theft or trespassing. From a moral, ethical and legal standpoint you are wrong if that is indeed your position.
So we all can reduce the effects of crackers by using safer programming languages, chroot, and other methods of good admin? What a concept! They offer suggestions like "Of course, if you don't need that particular daemon, it's better to simply turn it off."
That is so profound. I think I will go change all my root passwords from "password" to something else, maybe even mixing cases of letters. It never dawned on me before. I might even start using iptables.</sarcasm>
This is hardly newsworthy. It is saying: The more you implement good security measures, the less security problems you will have. While I love the Register, this article should be modded redundant itself. It's not that it's wrong, it's just not offering anything new or interesting.
Tequila: It's not just for breakfast anymore!
So, the article posting is basically opining that, if programs were completely secure, there would be no security breaches. Very nice thinking, but the sky is blue in the world I live in.
Manipulate the moderator system! Mod someone as "overrated" today.
Dmitry Sklyarov.
'nuff said.
My beliefs do not require that you agree with them.
We need both approaches. There are definitely some coders who should either improve the quality of their work product or leave the business. But OTOH jailing e-burglars and cyberforgers also reduces harm: they can't harm me or my friends and neighbors while they're busting rocks.
I'm of mixed minds about this idea. It sounds too much like a blame the victim mentality.
"You used Windows, it's your fault your server was hacked. You should only use XXX."
"She was wearing a sexy blouse, she was asking to be raped. Women should only wear burkas."
"You left your car door unlocked, you were asking for it to be stolen. Everyone should lock their car doors and buy a Club (tm)."
If you want to use the clean needle program as an analogy, what we should do is provide public honeypots for people to test their skills against. Something along these lines:
"Hey Kids, try and crack Kevin Mitnick's computer. This is a special setup for you to test your skills against."
"It's the Call Captain Crunch from the Vatican challenge! Captain Crunch has enabled caller id on his phone. Your job is to determine the Pope's private phone number and get it to appear as the originating phone number on the good Captain's caller id box."
But vandalism, and that's what we're talking about here, is different than drug use. Drug use is at its most basic, a crime against yourself. A consensual crime. Yes, addicts steal and kill, but the act of taking the drug itself only harms the user. That's why drug give-away programs are supposed to work -- they eliminate the addict's need to commit a crime to feed the habit.
People in IT, especially consultants won't like to hear this, but if you hire a consultant to manage your server and it gets broken into, you should go after both the criminal for the vandalization and the consultant for malpractice. Madonna should have a cause of action for malpractice against whoever designed her site so poorly that it was easily cracked. And the vandal, like all vandals, should be punished.
And not having 10' high barbed wire fences around your property is an invitation to trespass.
Just because someone should know better than to leave things open does not lessen the crime at all. The intent of the transgressor is important however. If the trespass or computer intrusion was accidental, then that's different but if the transgressor's intention was to hack the computer, it doesn't matter if they broke a 128 bit key or tapped the spacebar twice.
Rich
Clean needles for hackers??? (First, I'll assume you meant the unethical cracker type) That comparison would have us giving better tools to UCT hackers to attack systems and then allow some leeway for it to happen. Of course, in the case of the druggie, he's only "cracking" (pardon the pun) himself.
Is it a crime to break into systems unannounced? I'll accept that. Is it a crime to see an insecure system and notify the owner? No, but then there's the paradox - defining "breaking in" and "noticing insecurity" to be mutually exclusive.
Yes, if you leave your front door unlocked, the thief still committed the crime of theft. But your own stupidity made it easy for him.
Now having your neighbor arrested for saying "Dude, I saw your door open while you were out. Better close it before something bad happens" is idiotic at the least.
Give the masses safer programming languages and/or execution environments. Make them open so that they can be suited to the needs of the many. But if arrogance on the installer's part ("I'll never get hacked with this in place", "This feature is dumb so let's comment it out", "here's my own great new feature") allows the network/system/application to be hacked...well, stupidity isn't illegal.
Force these decisions on anyone? No way. If you do, you're no better than the liberty-hating terrorists everyone's been complaining about lately...
Not quite, it's more like saying that if you don't have bulletproof glass windows and 10 deadbolts on all your doors, any intrusion that occurs is YOUR fault, not the fault of the intruder.
Granted, people should be more security conscious (homeowners as well as sysadmins) but in the end we have to properly assign the blame to the people who commit the intrusion.
There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
I'm just going to have to assume you are a European.
Recently some Nordic politician was killed, no murdered. The guy who murdered him got like 23 years in prison. That's friggin pathetic. But it's also systemic. Europeans just aren't serious about crime. They're afraid of the death penalty and of harsh sentences.
I guess human lives don't matter when it's murder. Heck not even a high profile politician's life matters.
Mac OS X and Windows XP working side by side to fight back the night.
I think that there are two problems, not one.
First: to protect the software from security holes.
Second: punish people for committing a crime.
These are separate problems. The second is not a way to prevent security holes as the first is not the way to prevent crimes. Besides, different people are solving these two problems. The first is for software designers, the second -- for police. Both must just do their job not expecting the other to do it.
May Peace Prevail On Earth
Don't forget that needles in the US used to be over the counter items that didn't require a prescription. It was only because of the war on drugs that this became necessary. In the past, a druggie could either buy a few needles, or shoplift them.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
His point is not that everyone should 'live behind barbed wire', etc, but that people be reasonable.
His point is not that people should not be considered criminals for trespassing into your computer.
His point is that people should take a little bit of responsibility for their actions. I bought a new car and while I would consider the person that might steal it a thief, I did get an alarm system for it. The alarm system did not impose on anyone else's civil liberties and did not diminish the fact that if someone stole the car it was illegal, but by making my car that much harder to steal, I am making being a thief more difficult.
HTTP Status 418
We all agree that robbing a bank is a serious crime (... I hope). If a bank is robbed, we blame the robber 100%.
So how would you feel if the bank kept all your money in a paper bag on a shelf behind the teller, where any 8 year-old standing on a chair could get at it? Would you still blame the robber 100% if your money was stolen? or would you at least partially blame the bank for not providing enough security?
Bank robbery is a crime, but we still expect the banks to have effective security and protection of our money. Servers and software must also provide reasonable protection against hacking.
Um, it's Unified Modelling Language. But you're right, the article is talking about "the other" UML.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
I haven't seen this clarity of thought exhibited on slashdot before. You have restored my hope in humanity (or at least slashdot). Thank you.
I used to bulls-eye womp-rats in my pants
It's complicated because language is complicated. As always, the goal of lawmakers is to make the spirit of the law match the letter of it. Obviously, there have been times when we have failed (the "separation of church and state" concept was brought into law and has caused religious persecution despite the fact that the purpose was to stop religious persecution). Interesting that the bill of rights is rather short to the point and uncomplicated, isn't it?
:)
Making language meet an arbitrary level of precision - the same precision as the spirit of the law - is difficult. That is why it is necessary for the system to be complicated.
I think a better, less complicated approach to law would be to require all lawyers and people who wanted to use the law to learn and speak a limited subset of language that has absolute precision (for example, there would have to not be any words that mean "very" "much" or "too").
The law has gotten so complicated that having another language that everyone had to learn would actually simplify it. George Orwell got it right with newspeak - not that we should have it, but that limiting language limits how you think - and certainly law requires a particular pattern of thinking of its own, which, if enforced in this manner, would naturally limit the complexity of laws.
The law would certainly be against the DMCA then, since all programmers would readily be able to become lawyers.
Mod me down and I will become more powerful than you can possibly imagine!
...if it were the programmers committing the errors that cause these who went to jail.
For crying out loud, why are there any NEW buffer overflows being discovered? This just makes no sense.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Sounds like a formidable punishment to me. If I had a choice of a quick death or 23 years in prison, I am not sure what I would decide. As for the notion that a politician's life matters more than a waiter's, it's kind of scary, although understandable.
not reduction of "crime".
so slashdot has succumbed to mainstream pressure and dropped the hacker vs. cracker difference?
OpenBSD 3.3 was released on 1 May 2003!
When did Theo invent a time machine, and why didn't he Open Source it?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Let's say a group of men are shipwrecked on an island and one runs out and picks all the fruit from the few life-sustaining trees on the island while the others tend to the wounded. He now insists he owns the fruit, and demands payment of all the tools and materials which washed up from the wreck, plus a year's labor from anyone who doesn't wish to starve. Consider also the case in which he doesn't pick the fruit, but runs out and finds all the fruit trees, blazes the trails to them, and carves his initials in them, then claims perpetual total ownership over the trees.
Now, let's say each person carries a Law Giver weapon, which is perfectly effective, but only when defending natural property. In these situations who will the weapon side with?
Territory - claimed, defended, and expanded by violence and threat of violence - is natural. Claiming territory can be an act of aggression against the common welfare. Property is territory formalized with artificial rules. Rules for transactions of existing property might be considered natural and simple, but rules for the origin of property are entirely arbitrary. No matter how far down the chain of "natural" voluntary transactions, it is anchored in and tainted by an artificial and arbitrary government decision about the allocation of natural capital.
This is how, "securing your property rights screws over somebody for the benefit of somebody else" is true. It's not all of the picture, but it's a significant part of it. Defending the fruitbaskets of the man who runs out and picks all the fruit before anyone else can get to it screws over those who would have picked it themselves. There isn't one man in ten who'd agree that a just government would give this opportunistic weasel exclusive rights to nature's bounty in this situation.
Government's core function is not to secure "natural property rights." It is to minimize violence by easing the pressures that promote it. A large part of this is encouraging stability and voluntary interactions, but it's not the only part. Government is a balancing act, a series of compromises, and couldn't work according to simple, inflexible rules.
I'm not saying that hackers are not a problem. People are responsible for their own actions. But there is a way to flush them into using higher-level (and therefore higher-visibility) attacks without violating the rights of innocent people, and I would say that this makes it worth doing.
As for "giving up your C compiler", no one is asking you to do that. Take a look at the article again; it links, among other things, to StackGuard, a C compiler which manages to close some of the more glaring holes that C can let through. And yes, it's Open-Source.
Ok, so let me see if I got this right. Current (intensely clumsy) law enforcement deterrents are not working. So we should instead decriminalize hacking, and place the burden upon the victims to mitigate their vulnerability? How much more are you going to burden them than already is the case?
To me this is like responding to a rise in shootings by decriminalizing assault with intent to kill, and instead demanding that doctors and paramedics do a better job.
For your security, this post has been encrypted with ROT-13, twice.
Were you intentionally trying to sound like Charlton Heston? Perhaps you should form the NCA, National C Association, to protect the rights of C coders in America. You could be the president! :-)
Forget the whales - save the babies.
No matter how many drugs a user puts in their arm, it doesn't affect my health.
Unless you happen to have sex with one. Or have sex with someone who once had sex with one.
Are you getting my drift here? Governments fund harm reduction because it protects us *all*.
UML is far from helping in all cases. In several unconnected audits which I performed, using UML or other semi-formal methodology for a specification actually "hid" to the unfamiliar reader the details of a very simple system whose specification was actually wrong. Nobody noticed, partly I suspect because in UML it did look neat and clean.
The problem is that some people take modelling methodologies as a substitute for common sense. Beware!
... is a safer language.
But what they need to start doing, is imprison more of the right-type people, and less of the people who are being nailed for minor crimes, or wrongfully imprisoned, etc.
First of all, a nice dark cell for white-collar execs, complete with a large guy named "bubba", would go nicely towards preventing future Enrons
A clean needle suggests allowing them a safe place to get their fix, not preventing them from doing so (making them have to think up more stealthy/ingenious methods of hacking).
I think a clean needle would run more along the lines of the previously mentioned - give them a proper place to hack. Let them hack a home server, or a site intended to be hacked. I can suggest several sites that seem to be in demand for a good hacking
I always thought the "clean needle" approach of drug abusers was to stop the spread of infectious diseases like HIV. Not to actually get them to stop using drugs.
Writing in better (more secure) languages and using better toolkits should be done regardless of what hackers are or aren't doing. This should be the standard, not a means to abolish penalties for breaking the law.
Furthermore, hackers are criminals (in most instances). Using a technique (that should already be used) to prevent them from hacking still doesn't mean hackers will disappear. It means they'll have to try harder and be much better at what they do.
Hackers will always exist, it's a foregone conclusion. Making it more difficult for them protects you. It doesn't protect everyone. The best protection against a criminal is either to lock them up in prison or the myriad of other (more lethal) alternatives.
I don't dislike hackers. But the "clean needle" approach to crime doesn't exist.
I have heard that hackers are just people who are learning about computers. This is false. Hackers break into other computers for the sense of power and control they feel at controlling a part of someone else's life. They need that sense of power because they are too stupid to learn on their own.
A personal computer, yours - not someone else's, is an inexhaustible resource for learning. With all the free tools available, you can literally teach your computer to do anything. So there is no limit to what you can learn about computers without controlling, exploring, or interfering with another person's computer.
Perhaps the hackers of yesterday who wanted access to a computer, but could not get one of their own might have had some excuse. But with easily or freely available computers, that excuse does not exist anymore. Anyone who wants to learn about computers can do so without hacking. Even the hackers of yesterday probably could have gotten legal access to "learn" by entering some journeyman program with a corporation. They didn't have to trespass.
There was never a legit excuse for hacking and there is no excuse now.
When the spirit moves, you just got to get up and move the body to the spirit moving.
Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare.
I agree with the safer programming languages (such as Java or OCaml). I agree with the better tools. I agree with dynamic checks, stack guards and whatever. Let's add for good measure static analysis.
But why UML? UML is a modeling language. What the above solutions are trying to catch are implementation issues.
If you're trying to catch issues at the design level, you need much more than a modeling language in which to write vague descriptions. You need tools that can show that your implementation corresponds to the design. You need tools that are capable of dealing with issues such as interlocking threads.
I contend that existing legislation is draconian because the vast majority of representatives know good and well that their constituency by and large would not be negatively impacted by the most severe anti-hacking legislation imaginable. In fact they probably couldn't avoid political suicide by countering such measures. It's not a matter of whether the law is strict or too strict and thereby we have to take blame for using weak tools & code, it's what popular public opinion will swallow given special interest group involvements. We have something of a police state going on right now as a behind the scenes infrastructure protection mechanism in this time of perpetual conflict. To most people this simply could not possibly matter. To the people whose job it is to care about such things, well, you have a state or federal job. Congratulations.
To most of our citizenry it's like being an 85 year old in Singapore, sure the kids and foreigners may gripe about the strictness of the laws a bit but you personally are rather comforted by the fact that they would be taking their life in their hands if they were hanging out in your front lawn drinking beer. All that said however I'm tired of seeing legislation implemented on the sly allowing law enforcement such access into my personal life that I think my proctologist would have to take a number.
The laws & their enforcement do get annoying but really, the responsibility is on the individual and anyone truly concerned about this already knows fine and well that their concerns are rooted in the likelihood that they're breaking at least the spirit of existing laws and damn them for making things worse for the rest of us. I'm not down for giving them a cookie for making my life more difficult, I don't care what form it comes in.
Again, I have no pity for the law enforcement in this matter either, they've got broader sweeping powers and bigger budgets than ever because of global affairs and at a time when state budgets have clearly chosen to fund them over our teachers. You're the guys with the training budgets not the kids of tomorrow, cry me a freaking river. It's incumbent on law enforcement to know the laws we're being arm-twisted into funding so fine. Since I've picked up the check you can go do your damn job and go after real criminals, I'll just work on finding the cash to afford home schooling. Clemency contingencies surrounding coding choices that involve notoriously weak tools hardly seem relevant to American citizenry when we're playing fast and loose with our literacy rating. We paid for the law enforcement, let them go after the non-Americans who still have a clue on cracking a crappy program.
We're just a bunch of old folks who want those damn kids off our lawn.
mostly very true
"instruments of government" that are themselves the real problem
they are nothing but perversions and limitations of true freedom
the only pure and true form of democracy is Direct Democracy
your constitution does say: WE THE PEOPLE does it not
how and where did so many people
not very surprising when Public Education/Indoctrination is the source of their knowledge
it is the duty of all the citizens of a noble state to defend THEIR nation or to be known to one's self and others as a coward
did you say secure YOUR property rights
there is nothing more arbitrary and illusionary than property rights
just ask the original indigenous inhabitants about the meaning of Property Rights
Clean needles only reduce the self inflicted bloodborne diseases drug users acquire from dirty needles. They do not prevent drug users from mugging or murdering others for drug money or from committing burglaries for drug money. Which is how most drug abusers get their drug money, once they've been hooked, and that is why there should be a war on drugs.
I have yet to hear of a "hacker" who only threatened his own computer and nobody else's.
I can see it now . . .
Please . . . I don't want to be a bother, but can you help a brother out? I'm hurting, man . . . I just need five more dollars to buy some safer software . . .
I'm not tense. I'm just terribly, terribly, alert.
Hmm. You offer an example of someone claiming 'natural property rights' when he arguably does not deserve them. This does provide an example which indicates that there are not always undisputed natural property rights. One counterexample does not, however, prove the non-existence of natural property rights.
Imagine the following variation. A group of sailors is shipwrecked. One is uninjured, the others are hurt. The uninjured fellow tends their wounds, and then collects and shares fruit. After they are well, the uninjured fellow returns to the forest to gather more fruit. However, the now-able-bodied recoverees do not also go and collect fruit. They wait for the first fellow to return, and then they eat the fruit that he has collected.
Property rights are natural in a stable situation.
Claiming territory can be an act of aggression against the common welfare.
Delineating agreed upon territory can provide a method whereby the common welfare can be protected against aggression. The common welfare is also not a natural state. For welfare to truly be common, and not to impose unfairly on one member of society or another, a delicate balance must be maintained.
In any event, hackers (or more correctly crackers) often do damage. The damage is rarely (but occasionally) physical, but damage is done. In such cases, Mitnick being the most famous, they must be incarcerated. By the way, Mitnick did not just come up with clever hacks. He lied to people and manipulated them to get their passwords. Felons are prohibited from owning guns, despite the fact that arms rights are specifically protected by the Constitution. People who commit crimes due to alcohol abuse are routinely prohibited from drinking for the duration of their sentence. Putting hackers in jail, and telling them they can't use personal computers (meaning general purpose computers, not calculators and the like) is hardly cruel or unusual punishment.
if ($it != $onething) {$it = $another;}
The problem *is* insecure systems. When a 14 year-old can download a script and root a hundred computers in an evening, that's a problem. There will always be 14 year-olds who think they are immune from the law (and, in many senses they are today), no matter how many hackers we prosecute. It is pretty damn easy to make systems that are much more secure so that there are many fewer scripts for kiddies to get. One easy way is to use a modern safe language, where the common security bugs that cause your and my boxes to get rooted are impossible to make. If you're still in love with cowboy C programming, there are things like Stackguard and the Pax kernel patches (address randomization, etc.) that make even C code a whole lot less exploitable.
For my money, Millennium has interpreted the article right, and the article makes a good point: the most cost effective way to improve security is to make and use more secure systems, not to try to deter 14-year olds from downloading scripts by imposing draconian laws. Of course, destructive cracking will remain illegal, and people should be prosecuted when they do it, but at least those people will have had to go through a lot more trouble to do so.
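Added example (not code from the post above, nor from StackGuard or ProPolice) showing what the comment means by a stack guard catching "cowboy C" bugs. It simulates the canary word those compilers place between a local buffer and the saved return address inside one flat byte array (a constructed frame, so the overflow stays well-defined C), and puts the unchecked copy next to the length-checked copy that a safe language would force on you. The canary value, buffer size and input strings are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame: a fixed-size buffer followed by the guard word that
 * StackGuard/ProPolice insert before the saved return address. Keeping both
 * in one array means an overrun of buf lands in the canary without leaving
 * the object, so the demo is well-defined C (a real smashed frame is not). */
#define BUF_LEN    16
#define CANARY_LEN sizeof(uint64_t)
#define FRAME_LEN  (BUF_LEN + CANARY_LEN)

/* Constructed canary; the real compilers choose one at process start. */
static const uint64_t CANARY = 0x1f2e3d4c5b6a7988ULL;

/* The bug class the comment describes: a copy with no length check.
 * Returns 1 if the canary survived, 0 if it was overwritten, which is the
 * condition a StackGuard function epilogue aborts on. */
int unchecked_copy_keeps_canary(const char *src)
{
    unsigned char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_LEN, &CANARY, CANARY_LEN);   /* guard word after buf */

    /* No comparison against BUF_LEN: anything longer than 15 characters
     * runs into the canary. The clamp to FRAME_LEN only keeps the
     * demonstration inside the array. */
    size_t n = strlen(src) + 1;
    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(frame, src, n);

    return memcmp(frame + BUF_LEN, &CANARY, CANARY_LEN) == 0;
}

/* The check a safe language performs for you and C leaves to the programmer:
 * refuse input that does not fit with its terminator.
 * Returns 1 on success, 0 if the input was rejected. */
int checked_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Same check against a BUF_LEN-sized destination. */
int checked_copy_fits(const char *src)
{
    char dst[BUF_LEN];
    return checked_copy(dst, sizeof dst, src);
}

int main(void)
{
    char big[40];                        /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short input, canary intact:   %d\n", unchecked_copy_keeps_canary("hello"));
    printf("long input, canary intact:    %d\n", unchecked_copy_keeps_canary(big));
    printf("checked copy accepts short:   %d\n", checked_copy_fits("hello"));
    printf("checked copy accepts long:    %d\n", checked_copy_fits(big));
    return 0;
}
```

The unchecked function mirrors what the guard detects after the fact: the copy has already happened, and the corrupted canary is what turns a silent overwrite into an abort. The checked function is the cheaper fix, since it never lets the oversized input in.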
On the other, people need to do a much better job of security. The number of people I know who just load up a "cool" piece of software they've been sent by a mate is shocking. Often, it's a .exe showing an animation, when it could have been put into one of a number of 'sandboxed' formats like Shockwave or Flash.
No-one out there seems to think - they just install something that could wreck their hard drive or open up ports.
Personally, I don't download anything sent as a .EXE. I want to know the address of the website I can get it from to ensure it's reasonably reputable, and then check it's been up there for long enough to be safe.
comprises a language where the word microsoft is not mentioned.
If killing people is wrong (and thus warrants a harsh punishment), why is it morally right to kill people who kill?
I'm of the opinion that taking someone's life is always wrong, regardless of circumstance, since it is an irrevocable action.
Double-standards are at their worst when they manifest in the judicial system.
My point is only that there are few simple answers. There is no natural, simple, easy, perfect government which we somehow consistently deviate from.
Property is not set in stone by some natural principle which is offended by taxes, nor is defense of legitimate property unconditionally above reproach. Most, if not all, actual property is tainted to some degree by aggression or fraud. It is defended as a practical matter, for practical purposes, not to suit some simplistic ideal.
I'm no supporter of computer trespass, and don't care to discuss Kevin Mitnick's case. I was only following ratamacue's tangent.
The idea I'd like to formulate is simple really.
Depending on the severity of their crime delinquents are often sentenced with alternative sentences that are geared towards community service. In similar regard maybe court could sentence hackers to hack software daily so holes can be uncovered and plugged by software creators.
Ok, so there are some rough edges. I can't imagine a company wanting hackers on their networks but with reasonable measures. Something could be set up like a workshop in some facility (perhaps a closed one if the court deems that is needed).
The way I usually phrase your original argument is this:
"The only natural laws are the laws of physics. All other laws are social constructs."
Of course, this doesn't mean that there aren't a lot of useful social constructs that help people live happy, civilized lives (and of course some laws are more effective at this than others).
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
I can just see the ads now. Our product is safe and secure because we use UML. UML making script kiddies a thing of the past.
we should "give up on the notion that computer security can be improved by putting more people in prison."
The big thing to me is whose definition of computer security are we going to use? I think there's a big difference between hacking into somebody else's system and destroying things, and reverse engineering something to work better or downloading a software crack. However, in the eyes of the government, and their new tough on computer crimes approach, this can be treated as practically the same thing!
Most people would die sooner than think; in fact, they do.
Do you know of any thing that the Gov. has not well and truly fouled up? When the Mustang Ranch (a Cathouse in Nevada) went into bankruptcy, the Gov (IRS) took over operations; it was out of business in 90 days. If they are not competent to run a cathouse how can they run a country?
Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
Ah but , that is the nub Which social constructs? Who decides? If I don't like your decision do I have an appeal? if 50,000,000 people cannot be wrong does 50,000,000+1 invalidate their beliefs?
Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
However, the key argument (I find) against this sort of argument is that the justice system is not impartial and makes a lot of mistakes. One of the reasons is the jury system, where ordinary people don't understand scientific evidence given to them and tend to trust eyewitnesses above everything else [the weakest form of evidence in my view].
A significant number of innocent people have been put to death. It could be you one day, think about it.