Immunizing the Internet
jonny4001 writes "The Harvard Law Review has published a student-written article that argues that hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"
Totally telling the FBI Slashdot said it was 'ok'.
Darwin operates perfectly online! Now all we need is to set up the digital version of the Darwin Awards. Now, granted, idiot users aren't permanently removed from the gene pools, but if they ram enough computers into the dirt, they'll be dirt-poor and thus unsuitable as mates, hence they won't reproduce. Right?
More than a quarter of a century ago I inadvertently found a hole in a UNIX-based bulletin board system, went in and fixed the code, called the operator to tell him what I'd done and how to fix the rest of the problems, and ended up with a series of contracts.
A few years later I wouldn't have considered it. People who'd not done much more had spent time in court and been threatened with jail. Not much later, you had people actually doing jail time for simply "knocking on doors".
What happened?
The whole "ethical intruder" meme had spread, and people had started cracking into systems and then claiming they were just "rattling doorknobs" to "help security". Of course you couldn't tell an "ethical hacker" from a crook, and the crooks could claim they were just trying to help.
It's the "ethical hackers" themselves that have made it impossible for this kind of activity to be condoned.
The link is directly to a .pdf file. This should link to the Google html cache.
I reserve the write to mangle english.
I'm sure plenty won't click the link, so you are missing out on the great title that was left out of the summary:
IMMUNIZING THE INTERNET, OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE WORM
So bank robbery is good for their security and should be encouraged? Everyone who moves to a new city should be immediately mugged so they can learn valuable lessons about personal security? Perhaps there should be an official quota of licensed murders so people don't get too lax about their own safety?
What is the special magic about technology that makes people give opposite answers to "Is X sensible?" and "Is X sensible using a computer?" for just about all values of X?
Ame
It's a bit of a vicious circle, this idea, though...
The reason Virii and Worms etc. are good for the security of a network is that they prompt us to tighten security against future attacks based on historic ones.
"Necessity is the mother of invention." But the irony is... if the Virii/Worms didn't exist in the first place, then we wouldn't NEED to improve security against such attacks.
Oh the confusion.
>>>Scanning for I.D.I.O.T.S. >>>
>>>I.D.I.O.T.S. FOUND! >>>
I, for one, welcome our friendly inmunicers hax05ss :D
Wait, I am hacker soo.. I am now overlord! niiiiice..
My first command will be... all women of Slashdot, serve me and come here at once!
Looks like I found a new Tequila drinking buddy.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
I'm sorry if I don't buy the whole "we're writing viruses and trying to break in to teach you people to do better" excuse. If someone's trespassing I'm going to shoot them anyway, regardless of whether they think they're teaching me a lesson.
Used to be the world was a friendlier place, and there are parts of the U.S. where you still can leave your door unlocked at night. Doesn't mean that robbers are to be rewarded though...they're still bad guys.
.... too late. It doesn't even have to be a real security issue. It can be something as simple as good security practices. Here are ideas I would recommend e-mail providers, for example, to implement.
Dual passwords. A master password which can change anything in the account, and a secondary password which can change anything but the master password. The idea is that if your secondary password is stolen, you clean your machine (just in case you were infected), log in with your master password, change your secondary password, and everything is fine.
Freezing expired accounts for 10-year periods to prevent someone from grabbing one up and gaining mail-forgotten-password privileges from other sites. Got a bank account? Got online banking? Got an account which can easily send your password to your e-mail address? Oh wait! Your e-mail address expired! Someone else registered it, went to a bunch of bank websites and such, just to see if your former e-mail address has an account there.
Keep someone in a clean room all their life and then one day let them out. With an immune system that has never had the chance to "practice", the guy wouldn't last a week. On the other hand, it's been proven that eating your own boogers will boost your immune system. Just extend the same logic to a network.
Does anyone know where you can get open source hacking tools to use against your own system? I would like to know if my password could stand up to a traditional brute force crack, or if it would be possible to use remote ssh login to get control of my computer...
"I can't believe it's not a hyperlink."
What's with people being lazy? Or is it just an attempt at some karma whorage?
Your hair looks like poop, Bob! - Wanker.
Hackers, worms, and viruses are good for network security ("security software" firms such as Symantec) and the law and public policy should encourage 'beneficial' hacking (legislation must ensure we keep such firms running). From the article: 'Exploitation of security holes prompts users and vendors to close those holes (makes people believe that such defects are inevitable, and can only be solved by continuous updates), vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security (reliance on vendors for updates) reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security (any negative impact on suspect business practices OR bottom lines).'
Makes sense now, don't you think?
If you keep throwing chairs, one day you'll break windows....
Harry Harrison makes exactly this argument in his Stainless Steel Rat series. As long as no one gets physically hurt, the banks pass on the loss to their insurers, the police have something to do, the media have something to report, the general public is entertained and the money is put back into circulation. So in theory, "everybody benefits".
Of course, real life doesn't work like that. Just look at how every little imaginary threat is currently used by the PTBs to further clamp down on the innocent general public.
The idea that finding a hole and reporting it leads to more security works in a "perfect" setup. Perfect in a sense that the one finding it reports it instead of abuses it, and the one informed about it fixes it instead of ignoring it.
The reality looks different.
In reality, people don't want to be bothered with this pesky thing called security. They want their machines to do the magic by themselves and not worry about it. So they created laws where it becomes illegal to even look for a security hole. Because, what you can't see isn't there.
Take your average user. Just enough smarts to turn on the PC; updating with an automatically generated and even transferred script is beyond their capabilities. When (not if, when) their computer is turned into a spamslugger, who will they blame? Themselves for not being able to keep their machines secure?
Keep on dreaming.
The laws are a reflection of the general unconsciousness. People don't want to be hacked, so it must not be done. Yes, the machines are insecure, yes, there are billions of trojans and viruses out there trying to break in (and succeeding, most of the time), but as long as we don't see them, they're not there.
La la la, I can't hear you...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I forgot to mention IP flags. When someone logs into their account, list the last 3 IP addresses.
I think this raises a fundamental issue - most of our lawmakers and enforcers are people who have not grown up with these new technologies and have little understanding of them, both from a technology point of view, but also their social context.
Most judges, seeing a bank had implemented very poor physical security - so poor that a lone teenager could fairly easily get into the bank without help - would be lenient on the teenager for breaking into that bank, and the bank would be in lots of legal trouble for having lax security. But when the internet is involved the teenager becomes an evil hacker in the eyes of both our lawmakers and much of society, and it's off to jail for the teen and no punishment for the bank.
I really worry about the next generation. All kids do stupid stuff and talk about stupid things as they are growing up. Only now, much of that stupid talk is done via electronic communications, and much of the stupid stuff is easier to trace.
I can see in the near future (maybe it's happening already?) that when a misdemeanour involving a youth occurs, one of the first steps a law enforcer will take will be to get access to the youth's electronic communications. Then they'll uncover all kinds of stuff that will look terrible in the eyes of a law enforcer and the parents - and be extremely embarrassing or worrying for the youth - but in reality will just be the stupid things people do and say when they are growing up. We'll have youngsters going to jail and being ostracized by their parents and society just for doing and saying the stupid things that we all did when we were young.
Hey pal, I had quite a few funnies over the last week, I can be lazy for a day. :)
Imagine if this was the umpteenth discussion about music or video copyright infringement. Now ask again: "What is the special magic about technology?" I think you'll find your answer.
I don't agree with it, for what it's worth, in either case.
Perhaps paying attention to actual people and not their stereotypes for a while might do you some good.
They should be against companies running buggy or insecure servers and end up exposing customer data or causing hassles to their customers.
As for "hackers", they should be held responsible under existing fraud laws if they commit fraud; the mere act of "breaking into" a computer system should not be a violation of law.
Buggers? I thought the term was boogers (USA) or bogies (UK). Buggers has a somewhat different meaning (http://dictionary.reference.com/browse/buggers) where I come from. Apologies in advance if I'm just not familiar with your local dialect.
Some of your post may still be true.
The paper (or article, or whatever) is actually quite well-nuanced and fairly even-handed. However, it suffers from a fatal flaw of many legal articles: a fundamental ignorance of the subject matter itself.
It's a paper written by (wannabe) lawyers who, while they cite large rafts of supposedly corroborating papers and "experts", don't understand what they (the experts and cited papers) are talking about.
This kind of approach is eminently practical (and effective) when attempting to try a case or negotiate a settlement. However, it is absolutely the wrong way to do things when attempting to write a public policy piece. If one is attempting to educate the populace (or some subsection of it) about an issue, you have to actually understand the subject, not just quote others' ideas.
They are correct in the supposition that cybercrime has a different nature than that of "real world" crime. But they completely misunderstand how this difference affects people.
A classic example of not really understanding the subject matter occurs when they claim that a compromised system actually causes very little economic damage, as the system itself is not physically damaged, and the effort to repair it is theoretically comparable to a periodic security audit/update of the machine. What they perceive is a joyride in a "stolen" car - someone took my car out for a whirl, and if they've returned it in good shape, all I (the owner) have to do is sweep out a few of the crumbs (and maybe fix the door lock) before it is ready to go again. This isn't the true case. Rather, it is closer to the case that I, the owner, would have to completely disassemble the entire car, and put it back together again from its component parts, just to make sure that the kids didn't screw something up (or wire a bomb to the ignition). There is a HUGE economic cost to cleaning up after even a minor intrusion. Because, frankly, there is no way to determine if something was a minor or a major intrusion until a complete postmortem is done. And the risk associated with keeping a compromised system working is far too great to NOT do the full rebuild. In many ways, the risk analysis looks a lot like epidemiology: when a herd of cows is found to contain one case of Mad Cow, we kill the entire herd and check them all, rather than just kill the sick cow and say "oh, we found the problem, and it is fixed now".
The real solution is not to allow "ethical hackers", but rather to provide economic incentives for companies to protect their data. If this were the case, then companies would take security seriously, and there would be a whole thriving sector of legal security probing companies (which exists in a very tiny manner today). If companies were held to multimillion dollar fines every time private data was compromised, you could be damned well sure that security would rank somewhere above "oh, and empty the trash before you leave tonight", which is where it currently resides. And security checks would be done by true professionals, complete with after-incident reports and improvement suggestions.
-Erik
There are always four sides to every story: your side, their side, the truth, and what really happened.
So to use this same idea, y'all have no problem if I discover your back door to your house is unlocked and I come in just to look around and make sure there are no other 'security issues', right? I promise I won't steal or damage anything, I just want to look around...
Sorry, it don't work that way, and just because computers are computers doesn't make it any different. If you want to come in to my computer and inspect, I expect you to ask, just like I would for my house.
When Microsoft is caught sniffing around anyone's computer without permission, even if they don't damage or alter anything, everyone here wants Bill Gates' head on a pike for public display and criminal charges against Microsoft. But if it's a white-hat hacker, that's okay, and we should have the law allow them in. Funny how that works.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
From another perspective, the author's ideas have some merit. In biological systems, it is only after one has been infected and their immune system fights off a disease that they are impervious to repeat infections. In this way entire societies build up resistances to deadly diseases. For example, Jared Diamond believes 95% of Native Americans were killed off by diseases carried by European settlers who were largely immune to said diseases.
In a way, as different portions of the computer systems and software are attacked, the flaws that allow for such attacks are, in general, corrected. Problems identified in one attack can be applied to other areas, and as such can effect system-wide changes toward a better system (think buffer overruns), as well as more security-minded design (think security developments in IE7 and Vista).
I'm not advocating that the world governments should let virus writers and crackers have free rein of the Internet. A balanced response would allow for leniency for those who have no malice in their intentions. Of course, this is difficult to prove, and from personal experience, I have yet to meet a virus writer with purely altruistic intentions. Also there are corporate interests to deal with as well. How embarrassing must it have been for Symantec to have their flagship product, meant to help secure a computer, be the source of insecurity? While Symantec handled the situation extremely well, many other companies do not have a large security-minded staff on hand to deal with security problems. For them it is easier to accuse the attacker than acknowledge a problem they cannot deal with.
I haven't lost my mind!
It is backed up on disk...somewhere...
... but going to jail may be a worse option.
... with success so far.
It is true that bad hackers will pretend to be ethical hackers, but by putting everyone in jail you end up creating a less secure world. Only the bad hackers will find the security hole, and they won't tell anyone.
Full disclosure is the only solution and it is not popular: companies get bad press for having security holes, they might lose some business and thus try to shoot the messenger.
However, full disclosure is a necessary evil if we want to have a safer online life.
I don't think the world can ever be truly secure.
The world is always in a sort of "Ok on the count of three, we all drop our guns" state.
While we're at it let's make bank robbing legal because of its role in beefing up safe security.
So many people depend on 'the Internet', and assume it will 'just work'. But it's rapidly coming to the point where you can't use it, without someone getting upset about what you're doing and sending the police round to lock you up.
And of course it doesn't 'just work'. It's a 'best-effort' network for carrying sequences of 0's and 1's around, which neither knows nor cares what the 0's and 1's mean.
Just because *you* think it's a virus, doesn't mean *I* think so. It might be 500 DVDs per second of 'star noise' from the radiotelescope, just doing its job in the normal way.
Breaking in to something is a physical act as far as I am concerned. So it would cover the act of opening the computer or something like it.
This whole metaphor has gone too far. People don't break in to computers, they communicate with them.
If I ask someone (or a computer) for a copy of X and the other side sends it to me, is this then a crime? Was the sender authorized to allow me access?
If I send something to someone and they accept it, is this a crime? Maybe, if the thing I was sending was a bomb or something else equally nasty.
What I cannot create, I do not understand
Exactly, but there is a time and a place for full disclosure, and the situation is easily complicated. Even just the act of disclosure is uncertain. Publish too widely and be accused of helping hackers. Publish too narrowly, and be accused of not informing the public. It's a messy job.
Right right..just like having someone try to break into your house makes you safer. I swear, do liberals just get up in the morning and leave brain cells on the pillow?
Even old-fashioned e-mail worms, which rely primarily on user ignorance, can spread to hundreds of thousands of computers.
Now, I always thought a worm is "self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers."
Geez people - if you can't cromulize your terminology, I have little faith in your article..
Introduce a properly run certification scheme for "Certified Ethical Hacker". Base it on a course taking in relevant law, security techniques etc., and make damn sure it is vendor-agnostic. Only make the course available to persons who have no criminal convictions, are on the voters' list, are members of a professional body, and pass FBI checks or your national alternative. It will be free to qualified applicants.
Now issue those people with a set of official paper forms, with proper security marking and tied to the individual. When they encounter a security issue, they issue a paper based advisory (because it is still traceable, and because you do not then leave a trail on the net that might enable the black hats to find and target you.) copy to some official body who every year will report the statistics, and list the companies that failed to respond to security advisories.
So now you have it on your resume when you write in for the bank job: Certified Ethical Hacker, 42 confirmed alerts (or whatever).
Before anybody tells me this is simply fantasy, consider that there are already volunteer public security forces. In the UK we have Special Constables and the Territorial Army, and there are equivalents in many other countries. We have a Health and Safety Executive who can walk into any company at any time it is operating and demand immediately to observe what is going on. So why not a properly trained volunteer Internet security force?
Pining for the fjords
If you want to hack into systems to make the world a better place, hack into your own systems and report your findings or get a job with an organization that hacks into systems for pay.
The predictable liberal-nonsense point that has been wrenched from the article is that people in general are too stupid to figure things out on their own, and in order to protect them from themselves we must strip them of their rights (temporarily, mind you) so we, the brilliant ones, can shine the true light on things. Unfortunately, this is a viewpoint many Slashdotters embrace.
I used to fear clowns...but I'm discovering that chimps are far, far, worse.
Imagine a white hat h4xo that found a dangerous hole, sent info about that to admins, and that hole is fixed.
Is that good?
I think yes, but you need:
1) The white hat attitude. Complete morons are discarded.
2) It's a hole, and not a feature. Maybe the users want the system this way, and know enough about the tradeoff.
3) The hole being fixed. If it is impossible to fix holes, maybe because of lack of resources, this helps nothing. Of course, the problem here is the lack of resources.
In the real world, some people want to live with their doors unlocked, mostly in rural areas. Is that a "hole"? It's not. What safety experts AND ha4xors fail to realize is that the world is not about safety for everyone. Some people like their doors unlocked, thanks. Other people don't know about that, and would love to know about a hole and fix it.
-Woof woof woof!
Actually, most major corporations nowadays, especially banks, hire ethical hackers to try to break into their systems to prove how safe they are, and if they can get in, make recommendations on how to fix it, or have them fix it themselves.
Microsoft has 'educated' an entire generation of users that you have to run with full root privileges to get anything useful done at all. This is completely independent from how they respond to security issues raised by third parties. The damage is so pervasive that it can't be undone. MS stands as the village idiot of software companies for such a stupid design paradigm, and the single biggest problem on the Internet, as well as the single biggest problem in the IT industry for so completely dumbing down so many people. I wouldn't look to vista to cure the ill either. The more MS talks about security, the more evident it is that they can't pull their head out of their ass, and they'll keep dumbing down their 'customers'.
"We are all geniuses when we dream"
- E.M. Cioran
The intent of Gen. Groves's safe was to protect the data of the Manhattan Project. By breaking in, Feynman improved security.
Think global, act loco
Does no one else here see the glaring hole in this person's argument? There is no such thing as a beneficial virus, worm, or trojan, period, end of story, thank you, have a nice day. Information Security is commonly accepted as a three-part problem: Confidentiality, Integrity, Availability. Even seemingly innocuous viruses carry huge costs, mostly in the form of hindering Availability. Further, as a System Administrator, how can you ever be completely sure a virus that compromised a system was 'benign'? Answer: You can't. The only safe bet is to restore the system from the last safe backup.
The problem is akin to the broken window problem in economics. Sure, exploiting security holes leads to more fixes, but you have to take into account the costs. Further, this does not mean Information Security itself is improving, it simply means virus, trojan, and worm writers have to become more creative.
In short -- if this is what Harvard is producing these days, maybe it's time we re-assess the "Ivy League."
Government's view of the economy: If it moves, tax it. If it keeps moving, regulate it. If it stops moving, subsidize it.
[Puts on tin foil hat to keep war drivers from reading his thoughts.]
Information wants a fueled airplane waiting at the hangar and no one gets hurt.
This is an actual quote from another member of congress: "What gives consumers the right to choice?" This was followed by a rant about people not deserving choices in telecommunications.
... just kick all the homeless people off of it.
So bank robbery is good for their security and should be encouraged? Everyone who moves to a new city should be immediately mugged so they can learn valuable lessons about personal security? Perhaps there should be an official quota of licensed murders so people don't get too lax about their own safety?
Look... I live in a city which had over 300 murders last year, god knows how many rapes, and robberies are commonplace.
Not to excuse the criminal, but these things happen and that is why most banks here have bulletproof glass, houses have bars over them, and you are going to be called a fool for walking around town at 2am with more than $100 of cash on you.
Think of it like this. You can't control the criminals if and when they strike, but you can minimize the damage if they try. It's like installing anti-virus programs before you get the virus, or maybe just using OS X.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
This whole debate about black hats, grey hats, etc. is ridiculous. I don't give a crap about the intention for the intrusion. If I didn't invite you to break into my system, then you're trespassing and should be punished. I don't care if you've told me about it or not. Now, if you stumble and only stumble (as in not go any farther than to point out a potential weakness and not go snooping), that's different. You haven't actually hacked. When you cross that line, you've screwed yourself and should be punished.
One day the toilets of the world will rise up... And I'm going to nuke them.
The problem is that threat analysis judges people by what they can do, not by what they are assumed to want to do. So someone who knows about a hole in your system is a threat! They must be STOPPED!
I can see that it might well be more rational to judge people by the damage they do or can be shown to have been attempting to do, but that requires judgement. And it's always safer to say "It's HIS fault!", then to acknowledge that you may have made a mistake.
So I don't see things getting better or saner. People with power always want to make the scapegoats suffer publicly. And there are MANY who deserve no better. Commercial and espionage groups (including criminals) making use of spyware, viruses, etc. don't deserve ANY sympathy. This doesn't mean that most users fall into this category... but these days if I see an unlocked car with its lights on... I quickly walk past. I no longer try to either turn off the lights or contact the owner. It's (seen as?) too dangerous.
So it's not just an internet phenomenon. This is happening throughout society.
I think we've pushed this "anyone can grow up to be president" thing too far.
When I saw this headline I was thinking: while it is impossible to get every host clean, it is certainly possible for a quickly reacting organization to do the following:
1. Detect malware, viruses, crackers, zombie traffic, etc.
2. Define an identifying pattern and critical data segments to be destroyed.
3. Diffuse this info to major routers and other servers on the net around the world.
4. ISPs and smart individuals can also subscribe to the data feed.
5. Routers and firewalls use this feed to filter out (or rewrite with random info) dangerous packets, effectively defanging all known dangerous files or communications.
6. A common ontology and method for distributed discovery and reporting is implemented to accelerate the whole thing and federate all the antivirus companies and anti-espionage agencies to try and solve the problem transparently.
This way the infrastructure becomes the first line of defense,
the ISPs are the second line,
and individuals' PCs and maybe firewalls in businesses/schools/dwellings are the third line.
Researchers who have a reason to send dangerous things to each other can encrypt them.
I am eagerly looking forward to one of those forms about why this can't be done. It seems like the obvious answer to these totally disorganized, unfederated Internet storm centers and virus advisory sites.
Whatever zombie communication and malware is left on the net will then likely be focused near where it was injected, so if nothing else a filter on outgoing data could possibly even detect the workstation from which it was injected in the first place! (though this is probably a wifi hotspot anyway.)
Maybe the government is doing a little of this already? Too much to hope for, I expect they are more interested in reading people's email and using malware to engineer entry points for themselves, than to actually defang the wild. But it's a thought.
in order to make his immune system stronger because HIV, and West Nile Virus are good for him in the long run!
As computers in China and other Asian countries are infested with botnet software, DNS servers and ISPs in general still don't block IP-spoofed packets.
This makes the US a perfect target for a massive DDoS attack. And don't get me started on pirated Windows machines in the US, with no patches applied.
On real world, some people want to live with his doors unlocked, mostly on rural areas.
Which may not be a bad thing... in rural areas. If the system is connected to the internet, it's like an apartment in a city with a total population larger than that of the top twenty of the world's largest cities combined, together with the entire population of India. Oh, and with rampant street gangs, a red light district that can be seen from orbit, and residents whose average manners make a Bronx taxi driver look like Emily Post.
//Information does not want to be free; it wants to breed.
But the irony is...if the Virii/Worms didn't exist in the first place, then we wouldn't NEED to improve security against such attacks.
Well... yes, but no.
There seem to be two equally obvious and unlikely counterfactuals that would preclude the existence of Virii/Worms. First, that computer systems security would be improved to the point where they were no longer possible. Second, that humans would no longer be motivated to develop them.
We could get a lot closer to the first state than we are at now; requiring the use of provably correct code in everything, zero defect tolerance in hardware, perhaps other measures. It's unrealistic, and you'd still have to do provable correctness of interaction each time you added a new software component to the system. Yes, hacker attacks can be expensive... but the probable cost-benefit analysis makes proven correct systems economically impractical.
As for the second... well, pigs are more likely to fly out of my butt, and I'm not going to invest in pork futures on that basis.
TFA is trying to distinguish the sort of mischief-makers that create the digital equivalent of the Common Cold (annoying, but seldom serious) from those who work to create the digital equivalent of Ebola. And yes, it might be worth having lower penalties for hackers who are not operating from economic motives, or for those operating from political motives who are more nuisance than harmful.
The largest part of the problem is that a lot of software is crap from a security standpoint (in part, because building good software is hard). Perhaps a set of Federal software whistleblower laws should be created for commercial products. My first pass at the idea: The law should guarantee buyers the right to reverse-engineer software to investigate it for security, regardless of any EULA (IE: you can look); create a federal clearinghouse for the reporting of any discovered security hole, with such reports being inadmissible as evidence in any civil or criminal case (IE: we won't threaten you with prosecution for reporting holes); have the federal clearinghouse report the nature of the holes found to software manufacturers; and require that for any product released within five years, manufacturers must (a) within 90 days of being formally notified, offer consumers without charge either a patch, an upgrade to a current unaffected version, or the option to return the product for refund of the original purchase price, and (b) within 180 days of being notified, provide without charge a patch or a free upgrade to an unaffected version if such exists, or be required to issue a mandatory recall for the product and become legally responsible for consequential damages (IE: fix it or be f---ed, Billy).
Now, let us say you have a machine connected to the Internet. It is impossible, by this computer's very nature, for it to do anything that it was not programmed to do. It takes in the data that it is given, processes it according to deterministic rules, and returns output that it could not possibly have deviated from. This process may be so complex that it appears to be stochastic, but it is nonetheless deterministic and we should not pretend it is anything but. This deterministic sequencing extends far beyond just your computer. If every element in a system is deterministic, then the whole system itself is deterministic. The entire Internet is a single, uninterrupted deterministic state machine.
I present to you the Eleatic school of hacker ethics.
The Internet is public property. No establishment has a right to own it, subvert it, subject it, or rule over it. It extends beyond race, nationality, religion, or geopolitical agreement. Now that we understand that the Internet is a single deterministic machine, we may approach this situation with logic and reason as opposed to knee-jerk reactionary idiocy. When connected to the Internet, your computer becomes a part of this deterministic machine. It is impossible for your computer to execute any code which it has not been programmed to execute. If your computer has been programmed to accept my arbitrary code, then there is no moral or ethical violation committed when I introduce my code to yours.
If you download and execute my code, you have done so willingly.
If your daemon executes my code after I introduce it in a manner that is innovative and unique, then your daemon has done exactly what it has been programmed to do.
You don't want me to execute my code inside your code? Then keep your machine out of OUR deterministic state machine. Keep it on your own private network, so that someone will have to commit a real honest-to-God crime like breaking and entering to have access to it. The minute you connect it to a public network, it becomes connected to all of us through the 0 and 1.
From the article: “Hackers should be given incentives to reveal the security vulnerabilities they find in a responsible manner.”
Responsible? The security vulnerability is not the fault of the person who discovers it! It is the vendor's fault. Security will not improve if we continue to keep information secret and shield vendors from their mistakes. Security holes are not some kind of naturally occurring phenomena, nor are they something to hide from. They are the fault of vendors who do not invest the necessary effort to develop secure software. Publishing security holes publicly punishes these vendors, and gives them an incentive to improve their practices. Yes, there may be short-term pain as a result. But it's the only way to improve security in the long term.
Except Rob Malda ("Remember the days when 'getting Slashdotted' was every sysadmin's worst nightmare? Referrals from the 'News for Nerds' website would send so much traffic to websites that many crashed. But for those that survived the flood, it was the online equivalent of a papal benediction. Today, the buzz has moved elsewhere. Slashdot's editor-driven story selection model is being supplanted by user-generated systems such as Digg. According to recent Alexa data, Digg already has more daily reach and generates more page views than Slashdot. Malda knows his subject, and he's a good editor, but in the end, he's just no match for the power of the multitudes."). He's on there. But the rest of us I suppose are a bit more important. Ain't it nice to be appreciated?
It's a girl!
It's true that what doesn't kill you may make you stronger. But that's not much consolation if it manages to kill you.
So no, I'm not going to go around stepping on rusty nails in the hope that it won't kill me and will make me stronger, thank you very much.
And claiming that a certain amount of malware going around helps security measures stay alert is silly. The analogy with living organisms and biological malware is way off. Computer malware doesn't thrive in the wild, mutating randomly. It is powered by misguided humans and by misguided blacklisting approaches to security.
The analogy with living organisms is an excellent one. More and more research shows that the immune systems of rats and humans (and probably other organisms) are stronger as they are exposed to infections. Children and rats who grow up in conditions that are too clean are more likely to get allergies and asthma as adults.
Whether the malware is human created or mutated randomly in the wild is inconsequential. It makes our systems stronger.
And I believe that throwing a rock through a window is good for business too since it employs the windowmaker, the policeman, and also creates publicity for the store that has a broken window.
Who is this Jimmy character, and why was he cracking corn in the first place?
How did you make it through life?
Why don't you tell us your addy so we can break in, without telling you, since that would apparently please you as much as someone tipping you off about an open door.
You're the kind of nut we'll read about, who shoots an innocent citizen neighborhood watch group volunteer for trying your door and finding it open, with you having pieces of ham sandwiches and potato chips bouncing off your humongous beer belly, while you quickly draw your penis extension (pistol) and shoot the poor bastard.
BTW, don't answer, I'm not interested.
--
I will gladly loose all of life's battles.. in order to win the war..
Yes, just like giving someone small doses of poisons to build up immunities should be encouraged for their own safety. This guy is an idiot...
Right right..just like having someone try to break into your house makes you safer.
NO it is NOT just like that... at all, child.
-- Sorry for feeding the troll, everyone; someone has to.
The real solution is not to allow "ethical hackers", but rather to provide economic incentives for companies to protect their data. If this were the case, then companies would take security seriously, and there would be a whole thriving sector of legal security probing companies (which exists in a very tiny manner today).
Uhhh, I thought companies, by nature, have an 'incentive' already? Called: Profit?
You are trying to say we need laws, even though there already are laws!
And there IS already a 'whole thriving sector' of security probing people out there, but the Feds are trying to stop them!!
Well imagine that, companies WON'T handle security, the pigs (Feds) CAN'T, but they don't want white hat hackers showing the world this fact!!
Geee, another post that was misspelled when modded, should have been: Score: -5 InCiteful.