Slashdot Mirror


Immunizing the Internet

jonny4001 writes "The Harvard Law Review has published a student-written article that argues that hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"

23 of 181 comments

  1. Does this work for offline crime? by amelith · · Score: 5, Insightful

    So bank robbery is good for their security and should be encouraged? Everyone who moves to a new city should be immediately mugged so they can learn valuable lessons about personal security? Perhaps there should be an official quota of licensed murders so people don't get too lax about their own safety?

    What is the special magic about technology that makes people give opposite answers to "Is X sensible?" and "Is X sensible using a computer?" for just about all values of X?

    Ame

    1. Re:Does this work for offline crime? by evilviper · · Score: 4, Insightful
      So bank robbery is good for their security and should be encouraged?

      This isn't the equivalent of bank robbery (nobody gets potentially harmed, and no real damage done). Rather, a far better example would be the instances of journalists repeatedly and successfully smuggling weapons through TSA security, onto commercial flights. Absolutely no real harm is done by it, and success leads to very important good things (increasing security where it is lacking).

      The more they will find security holes, and make the system safer against the real threat, the truly malicious professionals. Of course, the analogy isn't perfect, but it's far closer than bank robbery and murder.

      What is the special magic about technology that makes people give opposite answers to "Is X sensible?" and "Is X sensible using a computer?" for just about all values of X?

      Probably because of people like you... People who can't relate the computer world to the proper real-world equivalents, and therefore have a really warped and twisted misunderstanding of the computer world.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    2. Re:Does this work for offline crime? by Archtech · · Score: 4, Insightful

      Every time computer security is discussed, someone immediately trots out the "burglar" analogy. I have nothing against analogies - they are very useful for getting insight into unfamiliar situations - but every analogy has its limits. In this case, a burglar is someone whose only purpose is to steal property for his own gain. Some people who hack into computers have this motivation, but many do not.

      This is where the analogy breaks down catastrophically. There is no simple, familiar motivation for anyone to try getting into a house as an intellectual exercise, or even as a challenge. Either the house is wide open - in which case it would be legal to enter in some jurisdictions, while in others the householder could legitimately shoot an intruder anyway - or it is secured, in which case any attempt to gain entry is almost certainly of a criminal nature.

      Computers are different, in that trying to understand and improve on software mechanisms is a universal impulse among (good) programmers. Bill Gates, and many other people who came to be famous, hacked in their youth. The sainted Richard Feynman confessed openly to having made a hobby of getting into as many locked areas and safes as he could, while working on the Manhattan Project. He had absolutely no ill intentions, although he was well aware that the military bosses would be hard to convince of that. Incidentally, he told of a valuable spin-off, when a senior official left the project and his immense safe was found to be secured. No one had the combination, and they were thinking of explosives and thermic lances until Feynman came along and casually opened it.

      Please don't accuse me of trying to excuse genuine criminals - I am the last person to do that. But do realize that many people who experiment with software do so from motives of genuine curiosity and intellectual challenge, which can be very useful if properly harnessed. And let's get over the crude physical analogy of "breaking into" a computer. A computer is a machine that executes instructions. When some sets of instructions are executed, the computer can display words, numbers, and pictures meaningful to humans, and accept human input through keyboards and other devices. A computer does not have a mind of any sort, and thus cannot be deceived, pleased, annoyed, or educated. Moreover, the idea of the computer as a structure or territory that could be broken into is simply an analogy that helps us to think about it; it does not correspond to anything real.

      --
      I am sure that there are many other solipsists out there.
    3. Re:Does this work for offline crime? by egarland · · Score: 3, Insightful

      We already have laws that make stealing illegal, there's no reason for making doing it "with a computer" special. If you break into a computer and steal money, you stole money, go to jail.

      If I break into a computer and play a prank that hurts no one, why should I be facing hard jail time where if I had just broken into a building and played a prank the police would probably not even bother tracking down who did it?

      Somehow people in the technology world have gotten it in their heads that people being curious and testing boundaries deserves ass pounding federal prison time. This is incredibly destructive to some of the most important qualities in people: curiosity, cleverness, inventiveness all get squashed by this concept of "if we didn't intend for you to be able to do something and you do, you're a criminal".

      This is highly destructive to real network security, the kind of security where even if people want to do something you didn't intend them to do, they can't. We need to go back to making tinkering with interfaces provided to you legal. The rule should be, if you don't want me to be able to tinker with the interface, don't provide it to me.

      If hacking is a crime only criminals will hack.

      --
      set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  2. Vicious Circle by mcai8rw2 · · Score: 1, Insightful

    It's a bit of a vicious circle, this idea, though...

    The reason Virii and Worms etc are good for the security of a network, is because they prompt us to tighten security for future attacks based on historic ones.

    "Necessity is the mother of invention." But the irony is...if the Virii/Worms didn't exist in the first place, then we wouldn't NEED to improve security against such attacks.

    Oh the confusion.

    --
    >>>Scanning for I.D.I.O.T.S. >>>
    >>>I.D.I.O.T.S. FOUND! >>>
  3. Re:Wow! Who knew? by Tatarize · · Score: 4, Insightful

    It turns out while you're a child, you will turn out better if you touch everything and pick your nose and eat your boogers.

    In general being exposed to a lot of germs (typically harmless) trains up your immune system. Boogers catch a lot of local bacteria and allow for exposure in a safe and weakened form.

    -- Just because it's correct. Doesn't make you want to do it.

    --

    It is no longer uncommon to be uncommon.
  4. Yeah... by Dieppe · · Score: 1, Insightful
    ...and current law that arrests trespassing and burglary doesn't reward people for learning to lock their doors for fear of a break-in.

    I'm sorry if I don't buy the whole "we're writing viruses and trying to break in to teach you people to do better" excuse. If someone's trespassing I'm going to shoot them anyway, regardless of whether they think they're teaching me a lesson.

    Used to be the world was a friendlier place, and there are parts of the U.S. where you still can leave your door unlocked at night. Doesn't mean that robbers are to be rewarded though...they're still bad guys.

    1. Re:Yeah... by CRCulver · · Score: 2, Insightful

      If someone's trespassing I'm going to shoot them anyway, regardless of whether they think they're teaching me a lesson.

      Uh, before you start stocking up on ammunition, you might want to look at case law for people who have shot trespassers. Except for when the trespasser was threatening physical harm, those who shot them usually got indicted for murder. You can't shoot someone just because they are on your property, especially if they are hundreds or thousands of feet from any houses. The whole "Trespassers will be shot" sign meme doesn't really mean anything in court.

    2. Re:Yeah... by Anonymous Coward · · Score: 1, Insightful

      I think you fail to see the distinction here.

      Virii, worms and the like, are products of malicious intent from malicious people motivated by a desire for destructive and harmful ends.

      The article in question, at least to me, appeals to people that have the technical knowledge to be able to find these vulnerabilities, and implores them to apply those skills in a positive manner. They're not encouraging these people to exploit said vulnerabilities to any detrimental end. The idea is to foster an environment where people that possess the talent to find security holes do so, and report them to developers so that these potentially damaging flaws can be fixed.

      There is a very large difference between uncovering and exploiting new vulnerabilities for personal gain, as opposed to uncovering them for the sake of improving the general state of security. Your analogy is entirely flawed, as it assumes anyone that has the knowledge to uncover these security holes only does so for the sake of personal gain and cannot operate in an ethical fashion.

      I did my fair share of 'hacking' when I was younger, and when I found critical security flaws in my school's network, I demonstrated them to the system administrator and worked with him to try and get the problems fixed. Those security issues affected me just as much as anyone else, and with a sizable student body such as the one that school housed, I wanted to see to it that my data, along with everyone else's, was going to be safe. It's simply a matter of encouraging the right people with the right motivations to identify problems and assist in solving them before the wrong people can discover and leverage those vulnerabilities to do any serious damage.

  5. Hey, it works for living creatures by hapoo · · Score: 2, Insightful

    Keep someone in a clean room all their life and then one day let them out. With an immune system that has never had the chance to "practice" the guy wouldn't last a week. On the other hand it's been proven that eating your own boogers will boost your immune system. Just extend the same logic to a network.

  6. Re:Wow! Who knew? by Joebert · · Score: 2, Insightful
    hence they won't reproduce

    Don't bet on it.
    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  7. Re:Why Shouldn't it :-P by Anonymous Coward · · Score: 3, Insightful

    "the banks pass on the loss to their insurers"

    Yeah, because we all know that insurers are not part of the system at all; unlike the rest of us, they have access to magic money-making machines powered by pixie dust.

  8. oh, there should be penalties by m874t232 · · Score: 2, Insightful

    They should be against companies running buggy or insecure servers and end up exposing customer data or causing hassles to their customers.

    As for "hackers", they should be held responsible under existing fraud laws if they commit fraud; the mere act of "breaking into" a computer system should not be a violation of law.

  9. A little knowledge is a dangerous thing... by trims · · Score: 5, Insightful

    The paper (or article, or whatever) is actually quite well-nuanced and fairly even-handed. However, it suffers from a fatal flaw of many legal articles: a fundamental ignorance of the subject matter itself.

    It's a paper written by (wannabe) lawyers, who, while they cite large rafts of supposedly corroborating papers and "experts", don't understand what they (the experts and cited papers) are talking about.

    This kind of approach is eminently practical (and effective) when attempting to try a case, or negotiate a settlement. However, it is absolutely the wrong way to do things when attempting to write a Public Policy piece. If one is attempting to educate the populace (or some subsection of it) about an issue, you have to actually understand the subject, not just quote others' ideas.

    They are correct in the supposition that cybercrime has a different nature than that of "real world" crime. But they completely misunderstand how this difference affects people.

    A classic example of not really understanding the subject matter occurs when they claim that a compromised system actually causes very little economic damage, as the system itself is not physically damaged, and the effort to repair it is theoretically comparable to a periodic security audit/update of the machine. What they perceive is a JoyRide in a "stolen" car - someone took my car out for a whirl, and if they've returned it in good shape, all I (the owner) have to do is sweep out a few of the crumbs (and maybe fix the door lock) before it is ready to go again. This isn't the true case. Rather, it is closer to the case that I, the owner, would have to completely disassemble the entire car, and put it back together again from its component parts, just to make sure that the kids didn't screw something up (or wire a bomb to the ignition). There is a HUGE economic cost to cleaning up after even a minor intrusion. Because, frankly, there is no way to determine if something was a minor or a major intrusion, until a complete postmortem is done. And the risk associated with keeping a compromised system working is far too great to NOT do the full rebuild. In many ways, the risk analysis looks a lot like epidemiology: when a herd of cows is found to contain one case of Mad Cow, we kill the entire herd and check them all, rather than just kill the sick cow, and say "oh, we found the problem, and it is fixed now".

    The real solution is not to allow "ethical hackers", but rather to provide economic incentives for companies to protect their data. If this were the case, then companies would take security seriously, and there would be a whole thriving sector of legal security probing companies (which exists in a very tiny manner today). If companies were held to multimillion dollar fines every time private data was compromised, you could be damned well sure that security would rank somewhere above "oh, and empty the trash before you leave tonight", which is where it currently resides. And security checks would be done by true professionals, complete with after-incident reports and improvement suggestions.

    -Erik

    --
    There are always four sides to every story: your side, their side, the truth, and what really happened.
  10. Honest, officer, I was just checking the doors by davmoo · · Score: 3, Insightful

    So to use this same idea, y'all have no problem if I discover your back door to your house is unlocked and I come in just to look around and make sure there are no other 'security issues', right? I promise I won't steal or damage anything, I just want to look around...

    Sorry, it don't work that way, and just because computers are computers doesn't make it any different. If you want to come in to my computer and inspect, I expect you to ask, just like I would for my house.

    When Microsoft is caught sniffing around anyone's computer without permission, even if they don't damage or alter anything, everyone here wants Bill Gates' head on a pike for public display and criminal charges against Microsoft. But if it's a white-hat hacker, that's okay, and we should have the law allow them in. Funny how that works.

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
  11. Re:Full disclosure is a necessary evil by Anonymous Coward · · Score: 3, Insightful

    ... but going to jail may be a worse option.

    It is true that bad hackers will pretend to be ethical hackers, but by putting everyone in jail you end up creating a less secure world. Only the bad hackers will find the security hole and they won't tell anyone.

    Full disclosure is the only solution and it is not popular: companies get bad press for having security holes, they might lose some business and thus try to shoot the messenger ... with success so far.

    However, full disclosure is a necessary evil if we want to have a safer online life.

  12. Re:PDF WARNING! by tomhudson · · Score: 2, Insightful

    Like a pdf isn't a royal PITA under linux + firefox? No wonder you posted AC (/me currently running SuSE + Firefox, and avoiding pdf files whenever possible because they're still bloated).

    Now back on topic, this is just SO fucked up logically:

    hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"
    ... try it under this scenario ...
    bank robbers, home invaders, and carjackers are good for your personal security and that the law and public policy should encourage 'beneficial' thieving. From the article: 'Exploitation of security holes prompts users and vendors to arm themselves to the max, vendors to emphasize rapid deployment of total coverage fields of fire in system development, and users to adopt a "shoot first, ask later" mentality. This constant arms race reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"

    If it isn't your system, don't be f*cking around with it, same as if its not your car, your home, or your other sh*t. Just because it's computers doesn't make it special all of a sudden, with a suspension of all the rules.

    Yes, I know, servers are just responding to queries ... but there's a difference between entering through the front door where the welcome mat is, and the door is wide open, and the host is expecting you, and trying to break in through a rear window on the second floor.

  13. Re:For those who won't RTFA by Haertchen · · Score: 2, Insightful

    ***Well... and if not, that was just a child, one more, one less who cares.***

    Can you provide any sources for this statement? Every description I've ever seen of losing a child, even in the bad old days, was usually pretty painful. You probably have to exempt the usual psychopaths.

  14. Re:The well is poisoned. by jaclu · · Score: 4, Insightful

    One problem is accountability.

    While I do agree with you that a kid reporting an error, and perhaps even a suggested solution, would be regarded as helpful and something of a "white-hat" from a private perspective,

    However one thing that has changed since the early eighties is that now there is usually quite a bit more money involved.

    Now accountability is a big concern.

    If that kid was into a system I admin, I must realize that even if he probably just is helpful, I still can't be sure; after all he was in there, where he shouldn't have been, and who knows what he did and discovered but didn't tell me about.

    And that's what it's all about: on one side I have a complete stranger who claims that he has been in one of my systems, found a few bugs, and has a few suggestions; on the other side, the only way to be sure of system integrity is to assume that the system is completely penetrated, and do a very expensive security checkup, to see how much damage _could_ have occurred.

    If I trust the kid, and he happens to be a black-hat - poof - there goes my job

    If he turns out to be a white-hat, well in that case he was nice and not much won for either me or my clients (since we have to do an expensive audit anyhow)

    So I would assume he was a black-hat, cause if he wasn't, I haven't lost much... Maybe cynical, but that's how it works. /Jacob Lundqvist

  15. Re:The well is poisoned. by Dagmar+d'Surreal · · Score: 1, Insightful

    What? Are you trolling or just high? Your premises don't just fail to support your conclusion-- they would appear to support the exact opposite conclusion. You've distinguished "ethical hackers" as being separate from crooks, and then blamed the "ethical hackers" for the problem.

    It's crooks who are the problem, but more commonly it just appears to be lawyers who are the major part of it, since they so often find themselves "forced" to do due-diligence and attempt to prosecute every little thing that comes along, catching the ethical hackers (who obviously aren't trying very hard to avoid being noticed, since they're not up to much, and who usually step forward and give them the information needed to send them to court thinking some sanity will prevail) and going full-tilt on them to make up for staff being utterly unable to cope with the actual criminals.

  16. Re:The well is poisoned. by humungusfungus · · Score: 2, Insightful

    way to be sure of system integrity is to assume that the system is completely penetrated, and do a very expensive security checkup, to see how much damage _could_ have occurred.

    Which, arguably, you should have done in the first place.

    --
    No sig.
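The "security checkup" that jaclu (comment 14) describes, and that trims (comment 9) calls a complete postmortem, only works if a trustworthy baseline of the system existed before the incident, which is humungusfungus's point above. The following is an added example, not code from the page or from any of the posters, of the simplest form of that baseline: a manifest of every regular file's SHA-256 digest, mode and size, captured on a clean system and later compared against the live one. The directory layout, file contents and the "intrusion" it simulates are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to (sha256, mode, size).

    Symlinks are skipped deliberately: following them would let an attacker
    point the scan at a file that still hashes clean.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            key = p.relative_to(root).as_posix()
            manifest[key] = (sha256_file(p), st.st_mode & 0o7777, st.st_size)
    return manifest


def compare_manifests(baseline, current):
    """Report what changed between a known-good manifest and a live scan."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed sample: a tiny fake system, a baseline, then a simulated intrusion."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b'#!/bin/sh\nexec real_login "$@"\n')
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        # Baseline captured while the system is believed clean.
        baseline = build_manifest(root)

        # Simulated intrusion (hypothetical): trojaned login, extra uid-0 account,
        # and a dropped binary in a hidden file.
        (root / "bin" / "login").write_bytes(
            b'#!/bin/sh\nlog_creds "$@"; exec real_login "$@"\n'
        )
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n"
        )
        (root / "tmp").mkdir()
        (root / "tmp" / ".x").write_bytes(b"\x7fELF")

        current = build_manifest(root)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would attach. The manifest must be stored off the host (or at least signed with a key the host does not hold), because a baseline the intruder can rewrite proves nothing. And a clean comparison rules out only changes visible to userspace file reads; a kernel-level compromise can answer those reads with the original bytes, which is exactly why trims argues that the full rebuild, not the checkup, is the only safe endpoint once a system is known to have been entered.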
  17. Amazing... Student written huh? by sarlos · · Score: 2, Insightful

    Does no one else here see the glaring hole in this person's argument? There is no such thing as a beneficial virus, worm, or trojan, period, end of story, thank you, have a nice day. Information Security is commonly accepted as a three-part problem: Confidentiality, Integrity, Availability. Even seemingly innocuous viruses carry huge costs, mostly in the form of hindering Availability. Further, as a System Administrator, how can you ever be completely sure a virus that compromised a system was 'benign?' Answer: You can't. The only safe bet is to restore the system from the last safe backup.

    The problem is akin to the broken window problem in economics. Sure, exploiting security holes leads to more fixes, but you have to take into account the costs. Further, this does not mean Information Security itself is improving, it simply means virus, trojan, and worm writers have to become more creative.

    In short -- if this is what Harvard is producing these days, maybe it's time we re-assess the "Ivy League."

    --
    Government's view of the economy: If it moves, tax it. If it keeps moving,regulate it. If it stops moving, subsidize it.
  18. Re:Finally! by Crayon+Kid · · Score: 2, Insightful

    Except it's not ok. Glorifying "hacking" (used loosely) makes it look cool and omnipresent and makes it accepted at some level. Stupid young kids see it as a desirable activity.

    And claiming that a certain amount of malware going around helps security measures stay alert is silly. The analogy with living organisms and biological malware is way off. Computer malware doesn't thrive in the wild, mutating randomly. It is powered by misguided humans and by misguided blacklisting approaches to security.

    Perpetuating the status quo only perpetuates those misconceptions. It doesn't prevent anything in particular. The reason nothing really big has hit .gov sites is not because they were "immunized" by constant exposure to a certain amount of malware. That's just stupid. They aren't usually hit because (a) they usually employ good security, in all its forms, and (b) because there hasn't been a REALLY bad piece of malware to hit the fan just yet.

    Some day somebody will write a worm that will finally do something really destructive, like spread for a year undetected and then format 75% of the world's HDD's on the same day. Then we'll actually see if real security and chastising wannabe hackers would've perhaps been better than stupid theories, except it will be too late.

    --
    i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer