Slashdot Mirror
Clean Needles for Hackers
scubacuda writes "Jon Lasser of the Register opines that we should "give up on the notion that computer security can be improved by putting more people in prison." He argues that a "harm reduction" approach (similar to that of "clean needle" campaign in the War on Drugs) might be more productive. If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberities."
How does punishing people who commit crimes reduce our civil liberties?
So making people write good code isn't impacting people's civil liberties? Considering most of the developers I know, that'd put most of them out of work...
Drug addition is a physical additiction. The idea of the needle exchange program is to prevent reduce the spread of a FATAL disease. The purpose of the laws against needles is to cut the use of drugs, but the drugs are still illegal.
Here, this guy is proposing something along the lines of eliminating car locks so that noone will be arrested for carrying burgulary tools.
Fight Spammers!
Since when are we putting hackers behind bars just for hacking? We put people in jail for breaking the law, and usually first time convicted hackers just get probation. The only hackers we put in jail are repeat offenders or those whose crimes escalated into other higher crimes. If you root a banks server and send $100 million to your swiss bank account you're a bank robber, not a hacker. If you steal code, you're commiting an act of industrial espionage, not hacking. I think alot of people take the stance that if you commit a crime through a computer, it's just harmless hacking, and not worthy of jail time. Basically my point is there is a huge difference b/w DoSing some jerk on IRC and releasing the next big superworm that causes billion in damages and could possibly cost lives.are NOT the same thing. One thing is "hacking" (Cracking! Damnit.) the other is just being a criminal.
Everyone is entitled to their own opinion. It's just that yours is stupid.
People who break into other people's computers are trespassing. This represents an initiation of force -- a "natual crime" if you will -- because there is an actual breach of property rights. There is no question whether it is just to take action against these people.
People who use or trade drugs, on the other hand, have initiated no force. There is no breach of property rights. Drug "crimes" represent, at best, a breach of government-mandated conformity -- an "artificial crime" if you will.
To compare the two is not only illogical, but dangerously misleading.
Hackers are not dying of really horrid diseases and passing these diseases onto non-hackers, are they? Maybe we should give clean needles to the hackers, and then let the war-on-drugs folks deal with them.
Firstly, I doubt this is entirely workable. There's too much unsecured legacy code that no one's going to want to rewrite.
But mainly, this is simply the wrong attitude. If someone breaks into your house, it is the burglar's fault. It isn't your fault for not surrounding your house with barbed wire and a pack of rabid dogs. While I agree that penalties for hackers are often overly harsh, that doesn't change the fact that they knowingly committed a crime of their own free will, and should be punished for it. Hackers are responsible for their own actions. It's that simple.
Whoa, what a concept! Improve systems security making them more secure!
h@hh@hh@...@.&.... "You shall not pass!"
They are talking about User Mode Linux, not the markup language. With a nick like that, I can see how you could make that mistake.
Everyone is entitled to their own opinion. It's just that yours is stupid.
Clean needles for hackers? What sort of analogy is that?
Addicts get clean needles in drug programs so they don't catch AIDS and start costing society even more.
In the case of hackers, a program on the same lines would give them money so they don't commit fraud and cost society even more.
If you wanted to find an analogy to writing more secure code in drug solutions it would be making it physically impossible for heroin addicts to take their drug (Cut their arms off? Lock them up?)
I just don't see the relationship between needle programs and software security. Its a very weak analogy.
A better analogy might be that giving up on IT security is like giving up on transportation security.
SCO to Hell
It's unclear whether your question is one of morality, or deterrence. I'll assume deterrence for the moment. A punishment is only a credible deterrent if it is actually likely that the criminal will get caught. The false-positive rate of the deterrence (innocent people punished, or merely innocent people spending weeks demonstrating their innocence in court) and the surveillance infrastructure needed to improve the accuracy of the punishment both reduce our freedom.
They are talking about User Mode Linux, not Unified Markup Language. How ridiculous.
Everyone is entitled to their own opinion. It's just that yours is stupid.
The 'clean needle' approach basically involves making life easier for the criminal group (drug addicts) so that they don't need to commit so many troublesome crimes -- thus making life easier for everyone.
The approach advocated in the Register involves making life harder for the criminal group (hackers) so that they aren't able to commit troublesome crimes.
There is no similarity, and furthermore, while the 'clean needle' thing is hightly controversial and frequently shades into a program of government-subsidised drug abuse, writing software more securely is obviously beneficial and should be a no-brainer.
I therefore conclude, your honor, that the phrase 'clean needle' was only introduced because it's eyecatching -- perhaps because the original submitter was caught in a fringe eddy of the Really Rather Silly Field (RRSF) that usually surrounds The Register.
Whence? Hence. Whither? Thither.
This isn't about letting hackers go free. It's about making systems more secure without having to violate civil liberties by enforcing draconian security measures.
Or, to put it another way, alleviating a symptom (rampant hacking) of a problem (programs with security holes) by actually solving the problem (using safer programming methods to close the security holes) while still punishing those who continue to try to hack, who, with these lower-level holes closed, will have to resort to higher-visibility methods where they are easy to catch using ethical (i.e. strictly-reactive) methods of law enforcement, rather than violating the rights of 10,000 innocent people for the sake of catching a single wrongdoer.
If you lock your systems down tight, you still have to worry about social attacks. Unless something is done, social engineering will always be one of the most effective, least difficult methods for gaining access.
One of the biggest needs of improvement is in employee education. Most people just do not understand why the password "Snoopy", or "office", or their name, their username, etc. is bad. They don't see why locking their desktop when they go to lunch is important. They're happy to tell you their username and password if you ask them (perhaps while throwing some confusing technical terms at them).
Some of the energy being spent (and there's a lot of energy people are putting into technical security measures) should be devoted to educating users on good security practices.
.sigs are for post^Hers.
I find it disturbing the number of people that are posting saying things like "but these people break the law, so they deserve what they get".
Come on Americans, what's happened to you recently? Where's your spirit gone? The spirit of justice, fairness, freedom? Is it right that teenagers get sent to jail for "hacking" when the state of IT security is so poor? If your bank left sacks of money outside it's doors, when they got stolen by a couple of kids would you think it was the kids were guilty of a crime, or the bank?
In the old America, the kids would get a stern telling off and the bank manager would be accused of negligence. These days the kids would be looking at a long jail sentence, and the bank would be pressing the government to pass laws waiving them of any responsibility.
If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberities.
Hmm... why does this sound like "it's the victim's fault"? C'mon! Nobody would say that to a woman who was dragged into an alley, beaten and raped.
If anything, it seems to me that prison time puts out a loud and clear message to crackers that what they do is indeed a crime and will be treated as such.
Don't enough people get slapped on the wrist by the justice system already anyway?
-A
is not the hackers. Or viruses. Or trojans. Or bugs. It's the money.
Most software still is propietary and someone wants to make money with it. So he wants to see it protected. He doesn't want his software to be secure since that costs money. Having someone thrown into jail costs less money, so that's the preferred way.
At least this is my experience with the thoughts of suits. Many think of software like it would be, say, a car: with enough brute force you can get into any car you like easily. They don't realize that this is not how software works. You don't hack software (i.e. servers) by using brute force attacks but by cleverly exploiting weak spots, like the lock or the window seal.
But since many suits don't get this they think no matter what, their software can be hacked by Joe Average and thus that they need fierce laws that prevent them from doing so instead of securing their software in the first place.
I personally think the plethora or virii and other exploits loose on the net today is a very good thing.
Picture your computer as your faithful dog, man's best friend.
Now say your neighbor has one too.
Your neighbor lets his dog run free, and it tends to play in the local junkyard, picking up god knows what.
You on the other hand, keep your dog nice and sheltered, only letting it outside on a leash when you walk it.
Now which dog do you think will have a more robust immune system, if they both get sick which is more likely to survive?
The septic environment that is today's internet forces us to make decisions that increase security, strengthening our digital immune systems.
Imagine if there had been far less malicious hacking over the last decade or so. Imagine a world where there are no effective anti-virus programs because there are no particularly effective viruses. Where all those security holes we've read about over the years are still exploitable because we never found out about them the hard way.
Now imagine how vulnerable such a world's systems would be if some person or organization decided to try to take them down.
"The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
From the article:
Most individuals can control themselves, but there is a substantial group of people for whom no legal penalties will be enough to discourage their behavior.
That's true of every crime I can think of. That's why we like to keep people who have demonstrated that legal penalties don't discourage them in prison, where they can do no further harm. Legal penalties may not aways be a deterent to crime, but they sure as hell can be an impediment to it.
This idea misunderstands things. It's widely and openly acknowledged that security can never be perfectly impenetrable. You therefore make security as best as you can, and make it illegal to breach security, and then punish breaches of security when you catch those responsible for them.
Where this all gets hazy and crazy is when people with wide-open systems can prosecute someone for "hacking" them when all they did was walk in through an open door. Open doors are good for public places; if you don't want your computer systems to be public, don't allow it. Put a lock on it. If someone breaks and enters, that's prosecutable. But that should be the line drawn.
What we need is for the law to say that an open door is good as an invitation, but that breaching a locked door with a sign on it that says Authorized Access and Use Only is a criminal offense -- the equivalent of tresspassing, breaking and entering, robbery, or destruction of property, as is appropriate to what actually takes place.
You see? You see? Your stupid minds! Stupid! Stupid!
If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberities.
You're saying that developers should take responsibility for what they write to ensure it's secure? You're kidding, right? I mean, who the hell wants to be responsible in this day and age?
This kind of thing will never happen because businesses (plenty of them out there that would rahter sue than write solid code) are too lazy. I've been told "secure code doesn't make business sense -- it costs money".
Question: when a company/whatever gets hacked, who handles the prosecution? Do you just turn it over to the FBI and they go and nail the little bastard? If that's the case, what this story discusses will never happen.
Why bother.
Sure, clean needles are a harm reduction tactic, but the harm that is being reduced is the harm to the drug user. No matter how many drugs a user puts in their arm, it doesn't affect my health.
.
How exactly can we "harm reduce" the effects of hacking? These guys aren't hacking their own servers, they are hacking production boxes.
Here's a harm reduction suggestion. The register can pay to maintain honeypots to lure hackers away from real production boxes on the internet....but I doubt they have the time or money to pull that off.
Of course, if you use a honeypot while trying to protect yourself you might actually go to jail
-ted
So, the article posting is basically opining that, if programs were completely secure, there would be not security breaches. Very nice thinking, but the sky is blue in the world I live in.
Manipulate the moderator system! Mod someone as "overrated" today.
Dmitry Skylarov.
'nuff said.
My beliefs do not require that you agree with them.
I'm of mixed minds about this idea. It sounds too much like a blame the victim mentality.
"You used Windows, it's your fault your server was hacked. You should only use XXX."
"She was wearing a sexy blouse, she was asking to be raped. Women should only wear burkas."
"You left your car door unlocked, you were asking for it to be stolen. Everyone should lock their car doors and buy a Club (tm)."
If you want to use the clean needle program as an analogy, what we should do is provide public honeypots for people to test their skills against. Something along these lines:
"Hey Kids, try and crack Kevin Mitnick's computer. This is a special setup for you to test your skills against."
"It's the Call Captain Crunch from the Vatican challenge! Captain Crunch has enabled caller id on his phone. Your job is to determine the Pope's private phone number and get it to appear as the originating phone number on the good Captain's caller id box."
But vandalism, and that's what we're talking about here, is different than drug use. Drug use is at it's most basic, a crime against yourself. A consensual crime. Yes, addicts steal and kill, but the act of taking the drug itself only harms the user. That's why drug give away programs are supposed to work -- they eliminate the addicts need to commit a crime to feed the habit.
People in IT, especially consultants won't like to hear this, but if you hire a consultant to manage your server and it gets broken into, you should go after both the criiminal for the vandalization and the consultant for malpractice. Madonna should have a cause of action for malpractice against whoever designed her site so poorly that it was easily cracked. And the vandal, like all vandals, should be punished.
And not having 10' high barbed wire fences around your property is invitation to trespass.
Just because someone shoul dknow better than to leave things open does not lessen the crime at all. The intent of the transgresso is important however. If the trespass or computer intrusion was accidental, then that's different but if the transgressor's intention was to hack the computer, it doesn't matter if they broke a 128 bit key or tapped the spacebar twice.
Rich
Clean needles for hackers??? (First, I'll assume you meant the unethical cracker type) That comparison would have us giving better tools to UCT hackers to attack systems and then allow some leway for it to happen. Of course, in the case of the druggie, he's only "cracking" (pardon the pun) himself.
Is it a crime to break into systems unnounced? I'll accept that. Is it a crime to see an insecure system and notify the owner? No, but then there's the paradox - defining "breaking in" and "noticing insecurity" to be mutually exclusive.
Yes, if you leave your front door unlocked, the theif still committed the crime of theft. But your own stupidity made it easy for him.
Now having your neighbor arrested for saying "Dude, I saw your door open while you were out. Better close it before something bad happens" is idiotic at the least.
Give the masses safer programming languages and/or execution environments. Make them open so that they can be suited to the needs of the many. But if arrogance on the installer's part ("I'll never get hacked with this in place", "This feature is dumb so let's comment it out", "here's my own great new feature") allows the network/system/application to be hacked...well, stupidity isn't illegal.
Force these dicisions on anyone? No way. If you do, you're no better than the liberty-hating terrorists everyone's been complaining about lately...
We all agree that robbing a bank is a serious crime (... I hope). If a bank is robbed, we blame the robber 100%.
So how would you feel if the bank kept all your money in a paper bag on a shelf behind the teller, where any 8 year-old standing on a chair could get at it? Would you still blame the robber 100% if your money was stolen? or would you at least partially blame the bank for not providing enough security?
Bank robbery is a crime, but we still expect the banks to have effective security and protection of our money. Servers and software must also provide reasonable protection against hacking.
It's complicated because language is complicated. As always, the goals of lawmakers is to make the spirit of the law match the letter of it. Obviously, there have been times when we have failed (the "separation of church and state" concept was brought into law and has caused religious persecution despite the fact that the purpose was to stop religious persecution). Interesting that the bill of rights is rather short to the point and uncomplicated, isn't it?
:)
Making language meet an arbitrary level of precision - the same precision as the spirit of the law - is difficult. That is why it is necessary for the system to be complicated.
I think a better, less complicated approach to law would be to require all lawyers and people who wanted to use the law to learn and speak a limited subset of language that has absolute precision (for example, there would have to not be any words that mean "very" "much" or "too").
The law has gotten so complicated that having another language that everyone had to learn would actually simplify it. George Orwell got it right with newspeak - not that we should have it, but that limiting language limits how you think - and certianly law requires a particular pattern of thinking of it's own, which, if enforced in this manner, would naturally limit the complexity of laws.
The law would certainly be against the DMCA then, since all programmers would readily be able to become lawyers.
Mod me down and I will become more powerful than you can possibly imagine!
Let's say a group of men are shipwrecked on an island and one runs out and picks all the fruit from the few life-sustaining trees on the island while the others tend to the wounded. He now insists he owns the fruit, and demands payment of all the tools and materials which washed up from the wreck, plus a year's labor from anyone who doesn't wish to starve. Consider also the case in which he doesn't pick the fruit, but runs out and finds all the fruit trees, blazes the trails to them, and carves his initials in them, then claims perpetual total ownership over the trees.
Now, let's say each person carries a Law Giver weapon, which is perfectly effective, but only when defending natural property. In these situations who will the weapon side with?
Territory - claimed, defended, and expanded by violence and threat of violence - is natural. Claiming territory can be an act of aggression against the common welfare. Property is territory formalized with artificial rules. Rules for transactions of existing property might be considered natural and simple, but rules for the origin of property are entirely arbitrary. No matter how far down the chain of "natural" voluntary transactions, it is anchored in and tainted by an artificial and arbitrary government decision about the allocation of natural capital.
This is how, "securing your property rights screws over somebody for the benefit of somebody else" is true. It's not all of the picture, but it's a significant part of it. Defending the fruitbaskets of the man who runs out and picks all the fruit before anyone else can get to it screws over those who would have picked it themselves. There isn't one man in ten who'd agree that a just government would give this opportunistic weasel exclusive rights to nature's bounty in this situation.
Government's core function is not to secure "natural property rights." It is to minimize violence by easing the pressures that promote it. A large part of this is encouraging stability and voluntary interactions, but it's not the only part. Government is a balancing act, a series of compromises, and couldn't work according to simple, inflexible rules.
Ok, so let me see if I got this right. Current (intensely clumsy) law enforcement deterrents are not working. So we should instead decriminalize hacking, and place the burden upon the victims to mitigate their vulnerability? How much more are you going to burden them than already is the case?
To me this is like responding to a rise in shootings by decriminalizing assault with intent to kill, and instead demanding that doctors and paramedics do a better job.
For your security, this post has been encrypted with ROT-13, twice.
I can see it now . . .
Please . . . I don't want to be a bother, but can you help a brother out? I'm hurting, man . . . I just need five more dollars to buy some safer software . . .
I'm not tense. I'm just terribly, terribly, alert.
On the other, people need to do a much better job of security. The number of people I know who just load up a "cool" piece of software they've been sent by a mate is shocking. Often, it's a .exe showing an animation, when it could have been put into one of a number of 'sandboxed' formats like Shockwave or Flash.
No-one out there seems to think - they just install something that could wreck their hard drive or open up ports.
Personally, I don't download anything sent as a .EXE. I want to know the address of the website I can get it from to ensure it's reasonably reputable, and then check it's been up there for long enough to be safe.
we should "give up on the notion that computer security can be improved by putting more people in prison."
The big thing to me is whose definition of computer security are we going to use? I think there's a big difference between hacking into somebody else's system and destroying things, and reverse engineering something to work better or downloading a software crack. However, in the eyes of the governement, and their new tough on computer crimes approach, this can be treated as practically the same thing!
Most people would die sooner than think; in fact, they do.