Clean Needles for Hackers
scubacuda writes "Jon Lasser of the Register opines that we should "give up on the notion that computer security can be improved by putting more people in prison." He argues that a "harm reduction" approach (similar to that of the "clean needle" campaign in the War on Drugs) might be more productive. If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberties."
How does punishing people who commit crimes reduce our civil liberties?
Drug addiction is a physical addiction. The idea of the needle exchange program is to reduce the spread of a FATAL disease. The purpose of the laws against needles is to cut the use of drugs, but the drugs are still illegal.
Here, this guy is proposing something along the lines of eliminating car locks so that no one will be arrested for carrying burglary tools.
Fight Spammers!
People who break into other people's computers are trespassing. This represents an initiation of force -- a "natural crime" if you will -- because there is an actual breach of property rights. There is no question whether it is just to take action against these people.
People who use or trade drugs, on the other hand, have initiated no force. There is no breach of property rights. Drug "crimes" represent, at best, a breach of government-mandated conformity -- an "artificial crime" if you will.
To compare the two is not only illogical, but dangerously misleading.
Firstly, I doubt this is entirely workable. There's too much unsecured legacy code that no one's going to want to rewrite.
But mainly, this is simply the wrong attitude. If someone breaks into your house, it is the burglar's fault. It isn't your fault for not surrounding your house with barbed wire and a pack of rabid dogs. While I agree that penalties for hackers are often overly harsh, that doesn't change the fact that they knowingly committed a crime of their own free will, and should be punished for it. Hackers are responsible for their own actions. It's that simple.
I just don't see the relationship between needle programs and software security. It's a very weak analogy.
A better analogy might be that giving up on IT security is like giving up on transportation security.
SCO to Hell
I find it disturbing the number of people that are posting saying things like "but these people break the law, so they deserve what they get".
Come on Americans, what's happened to you recently? Where's your spirit gone? The spirit of justice, fairness, freedom? Is it right that teenagers get sent to jail for "hacking" when the state of IT security is so poor? If your bank left sacks of money outside its doors, and they got stolen by a couple of kids, would you think it was the kids who were guilty of a crime, or the bank?
In the old America, the kids would get a stern telling off and the bank manager would be accused of negligence. These days the kids would be looking at a long jail sentence, and the bank would be pressing the government to pass laws relieving them of any responsibility.
If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberties.
Hmm... why does this sound like "it's the victim's fault"? C'mon! Nobody would say that to a woman who was dragged into an alley, beaten and raped.
If anything, it seems to me that prison time puts out a loud and clear message to crackers that what they do is indeed a crime and will be treated as such.
Don't enough people get slapped on the wrist by the justice system already anyway?
-A
is not the hackers. Or viruses. Or trojans. Or bugs. It's the money.
Most software still is proprietary and someone wants to make money with it. So he wants to see it protected. He doesn't want his software to be secure since that costs money. Having someone thrown into jail costs less money, so that's the preferred way.
At least this is my experience with the thoughts of suits. Many think of software as if it were, say, a car: with enough brute force you can get into any car you like easily. They don't realize that this is not how software works. You don't hack software (i.e. servers) by using brute force attacks but by cleverly exploiting weak spots, like the lock or the window seal.
But since many suits don't get this they think no matter what, their software can be hacked by Joe Average and thus that they need fierce laws that prevent them from doing so instead of securing their software in the first place.
I personally think the plethora of virii and other exploits loose on the net today is a very good thing.
Picture your computer as your faithful dog, man's best friend.
Now say your neighbor has one too.
Your neighbor lets his dog run free, and it tends to play in the local junkyard, picking up god knows what.
You on the other hand, keep your dog nice and sheltered, only letting it outside on a leash when you walk it.
Now which dog do you think will have a more robust immune system, if they both get sick which is more likely to survive?
The septic environment that is today's internet forces us to make decisions that increase security, strengthening our digital immune systems.
Imagine if there had been far less malicious hacking over the last decade or so. Imagine a world where there are no effective anti-virus programs because there are no particularly effective viruses. Where all those security holes we've read about over the years are still exploitable because we never found out about them the hard way.
Now imagine how vulnerable such a world's systems would be if some person or organization decided to try to take them down.
"The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberties.
You're saying that developers should take responsibility for what they write to ensure it's secure? You're kidding, right? I mean, who the hell wants to be responsible in this day and age?
This kind of thing will never happen because businesses (plenty of them out there that would rather sue than write solid code) are too lazy. I've been told "secure code doesn't make business sense -- it costs money".
Question: when a company/whatever gets hacked, who handles the prosecution? Do you just turn it over to the FBI and they go and nail the little bastard? If that's the case, what this story discusses will never happen.
Why bother.
Sure, clean needles are a harm reduction tactic, but the harm that is being reduced is the harm to the drug user. No matter how many drugs a user puts in their arm, it doesn't affect my health.
How exactly can we "harm reduce" the effects of hacking? These guys aren't hacking their own servers, they are hacking production boxes.
Here's a harm reduction suggestion. The register can pay to maintain honeypots to lure hackers away from real production boxes on the internet....but I doubt they have the time or money to pull that off.
Of course, if you use a honeypot while trying to protect yourself you might actually go to jail.
-ted
I'll give up my C compiler when they pry off the platters of my cold dead hard drive.
Seriously, the problem is not insecure systems. The problem is little fucknuts that think they have some god given right to violate my systems. There's really no comparison to be made with the war on drugs. It's much more like burglary. While the vast majority of these obnoxious little h4x0rs would never even think of robbing a bank or burglarizing a house, breaking into a computer is easy to rationalize because they don't see the damage that they're doing (and the odds of getting caught are low).
Solving the problem does not mean closing the security holes, although that should be done. Solving the problem means dipshits don't try to hack.
bance.net
So, the article posting is basically opining that, if programs were completely secure, there would be no security breaches. Very nice thinking, but the sky is blue in the world I live in.
Manipulate the moderator system! Mod someone as "overrated" today.
Dmitry Skylarov.
'nuff said.
My beliefs do not require that you agree with them.
I'm of mixed minds about this idea. It sounds too much like a blame the victim mentality.
"You used Windows, it's your fault your server was hacked. You should only use XXX."
"She was wearing a sexy blouse, she was asking to be raped. Women should only wear burkas."
"You left your car door unlocked, you were asking for it to be stolen. Everyone should lock their car doors and buy a Club (tm)."
If you want to use the clean needle program as an analogy, what we should do is provide public honeypots for people to test their skills against. Something along these lines:
"Hey Kids, try and crack Kevin Mitnick's computer. This is a special setup for you to test your skills against."
"It's the Call Captain Crunch from the Vatican challenge! Captain Crunch has enabled caller id on his phone. Your job is to determine the Pope's private phone number and get it to appear as the originating phone number on the good Captain's caller id box."
But vandalism, and that's what we're talking about here, is different than drug use. Drug use is, at its most basic, a crime against yourself. A consensual crime. Yes, addicts steal and kill, but the act of taking the drug itself only harms the user. That's why drug give away programs are supposed to work -- they eliminate the addict's need to commit a crime to feed the habit.
People in IT, especially consultants, won't like to hear this, but if you hire a consultant to manage your server and it gets broken into, you should go after both the criminal for the vandalization and the consultant for malpractice. Madonna should have a cause of action for malpractice against whoever designed her site so poorly that it was easily cracked. And the vandal, like all vandals, should be punished.
And not having 10' high barbed wire fences around your property is an invitation to trespass.
Just because someone should know better than to leave things open does not lessen the crime at all. The intent of the transgressor is important however. If the trespass or computer intrusion was accidental, then that's different, but if the transgressor's intention was to hack the computer, it doesn't matter if they broke a 128 bit key or tapped the spacebar twice.
Rich
It's complicated because language is complicated. As always, the goal of lawmakers is to make the spirit of the law match the letter of it. Obviously, there have been times when we have failed (the "separation of church and state" concept was brought into law and has caused religious persecution despite the fact that the purpose was to stop religious persecution). Interesting that the bill of rights is rather short, to the point and uncomplicated, isn't it?
:)
Making language meet an arbitrary level of precision - the same precision as the spirit of the law - is difficult. That is why it is necessary for the system to be complicated.
I think a better, less complicated approach to law would be to require all lawyers and people who wanted to use the law to learn and speak a limited subset of language that has absolute precision (for example, there would have to not be any words that mean "very" "much" or "too").
The law has gotten so complicated that having another language that everyone had to learn would actually simplify it. George Orwell got it right with newspeak - not that we should have it, but that limiting language limits how you think - and certainly law requires a particular pattern of thinking of its own, which, if enforced in this manner, would naturally limit the complexity of laws.
The law would certainly be against the DMCA then, since all programmers would readily be able to become lawyers.
Mod me down and I will become more powerful than you can possibly imagine!
Let's say a group of men are shipwrecked on an island and one runs out and picks all the fruit from the few life-sustaining trees on the island while the others tend to the wounded. He now insists he owns the fruit, and demands payment of all the tools and materials which washed up from the wreck, plus a year's labor from anyone who doesn't wish to starve. Consider also the case in which he doesn't pick the fruit, but runs out and finds all the fruit trees, blazes the trails to them, and carves his initials in them, then claims perpetual total ownership over the trees.
Now, let's say each person carries a Law Giver weapon, which is perfectly effective, but only when defending natural property. In these situations who will the weapon side with?
Territory - claimed, defended, and expanded by violence and threat of violence - is natural. Claiming territory can be an act of aggression against the common welfare. Property is territory formalized with artificial rules. Rules for transactions of existing property might be considered natural and simple, but rules for the origin of property are entirely arbitrary. No matter how far down the chain of "natural" voluntary transactions, it is anchored in and tainted by an artificial and arbitrary government decision about the allocation of natural capital.
This is how, "securing your property rights screws over somebody for the benefit of somebody else" is true. It's not all of the picture, but it's a significant part of it. Defending the fruitbaskets of the man who runs out and picks all the fruit before anyone else can get to it screws over those who would have picked it themselves. There isn't one man in ten who'd agree that a just government would give this opportunistic weasel exclusive rights to nature's bounty in this situation.
Government's core function is not to secure "natural property rights." It is to minimize violence by easing the pressures that promote it. A large part of this is encouraging stability and voluntary interactions, but it's not the only part. Government is a balancing act, a series of compromises, and couldn't work according to simple, inflexible rules.
Ok, so let me see if I got this right. Current (intensely clumsy) law enforcement deterrents are not working. So we should instead decriminalize hacking, and place the burden upon the victims to mitigate their vulnerability? How much more are you going to burden them than already is the case?
To me this is like responding to a rise in shootings by decriminalizing assault with intent to kill, and instead demanding that doctors and paramedics do a better job.
For your security, this post has been encrypted with ROT-13, twice.
There is a war on drugs because most (more than half) burglaries and violent crimes are committed by people looking for drug money, or who are on drugs. The attorney general of the county I live in estimated that 80% of the crimes committed in my county are committed by someone who is on drugs (including alcohol). So I don't see drug use as being a "victimless" crime.
"Victimless" crimes have no victims because you ignore the victim. It's usually quite easy to ignore them, too. The system has been ignoring victims of burglaries, assaults, rape and other violent crimes for way too long, now.
On the other hand, people need to do a much better job of security. The number of people I know who just load up a "cool" piece of software they've been sent by a mate is shocking. Often, it's a .exe showing an animation, when it could have been put into one of a number of 'sandboxed' formats like Shockwave or Flash.
No-one out there seems to think - they just install something that could wreck their hard drive or open up ports.
Personally, I don't download anything sent as a .EXE. I want to know the address of the website I can get it from to ensure it's reasonably reputable, and then check it's been up there for long enough to be safe.
we should "give up on the notion that computer security can be improved by putting more people in prison."
The big thing to me is whose definition of computer security are we going to use? I think there's a big difference between hacking into somebody else's system and destroying things, and reverse engineering something to work better or downloading a software crack. However, in the eyes of the government, and their new tough on computer crimes approach, this can be treated as practically the same thing!
Most people would die sooner than think; in fact, they do.