Slashdot Mirror
Immunizing the Internet
jonny4001 writes "The Harvard Law Review has published a student-written article that argues that hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"
Totally telling the FBI slashdot said it was 'ok'.
Darwin operates perfectly online! Now all we need is to set up the digital version of the Darwin Awards. Now, granted, idiot users aren't permanently removed from the gene pools, but if they ram enough computers into the dirt, they'll be dirt-poor and thus unsuitable as mates, hence they won't reproduce. Right?
More than a quarter of a century ago I inadvertently found a hole in a UNIX based bulletin board system, went in and fixed the code, called the operator to tell him what I'd done and how to fix the rest of the problems, and ended up with a series of contracts.
A few years later I wouldn't have considered it. People who'd not done much more had spent time in court and been threatened with jail. Not much later, you had people actually doing jail time for simply "knocking on doors".
What happened?
The whole "ethical intruder" meme had spread, and people had started cracking into systems and then claiming they were just "rattling doorknobs" to "help security". Of course you couldn't tell an "ethical hacker" from a crook, and the crooks could claim they were just trying to help.
It's the "ethical hackers" themselves that have made it impossible for this kind of activity to be condoned.
The link is directly to a .pdf file. This should link to the Google html cache.
I reserve the write to mangle english.
I'm sure plenty won't click the link, so you are missing out on the great title that was left out of the summary:
IMMUNIZING THE INTERNET, OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE WORM
So bank robbery is good for their security and should be encouraged? Everyone who moves to a new city should be immediately mugged so they can learn valuable lessons about personal security? Perhaps there should be an official quota of licensed murders so people don't get too lax about their own safety?
What is the special magic about technology that makes people give opposite answers to "Is X sensible?" and "Is X sensible using a computer?" for just about all values of X?
Ame
Looks like I found a new Taquila drinking buddy.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
.... too late. It doesn't even have to be a real security issue. It can be something as simple as good security practices. Here are ideas I would recommend e-mail providers, for example, to implement.
Dual passwords. A master password which can change anything in the account, and a secondary password which can change anything but the master password. The idea is that if your secondary password is stolen, you clean your machine (just incase you were infected), log in with your master password, change your secondary password, and everything is fine.
Freezing expired accounts for 10 year periods to prevent someone from grabbing it up and gaining mail-forgotten-password privledges from other sites. Got a bank account? Got online banking? Got an account which you can easily send your password to your e-mail address? Oh wait! Your e-mail address expired! Someone else registered it, went to a bunch of bank websites and such, just to see if your former e-mail address has an account there.
Keep someone in a clean room all their life and then one day let them out. With an immune system that has never had the chance to "practice" they guy wouldn't last a week. On the other hand its been proven that eating your own boogers will boost your immune system. Just extend the same logic to a network.
Uh, before you start stocking up on ammunition, you might want to look at case law for people who have shot trespassers. Except for when the trespasser was threatening physical harm, those who shot them usually got indicted for murder. You can't shoot someone just because they are on your property, especially if they are hundreds or thousands of feet from any houses. The whole "Trespassers will be shot" sign meme doesn't really mean anything in court.
does anyone know where you can get open source hacking tools to use against your own system? I would like to know if my password could stand up to a traditional brute force crack, or if it would be possible to use remote ssh login to get contol of my computer...
*''I can't believe it's not a hyperlink.''
What's with people being lazy? Or is it just an attempt at some karma whorage?
Your hair look like poop, Bob! - Wanker.
Hackers, worms, and viruses are good for network security ("Security Software firms such as Symantec) and that the law and public policy should encourage 'beneficial' hacking (Legislation must ensure we keep such firms running). From the article: 'Exploitation of security holes prompts users and vendors to close those holes (Makes people believe that such defects are inevitable, and can only be solved by continuous updates) , vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security (reliance on vendors for updates) reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security (any negative impact on suspect business practices OR bottom-lines)
Makes sense now, don't you think?
If you keep throwing chairs, one day you'll break windows....
Harry Harrison makes exacly this argument in his Stainless Steel Rat series. As long as no-one gets physically hurt, the banks pass on the loss to their insurers, the police have what to do, the media what to report, the general public is entertained and the money is put back into circulation. So in theory, "everybody benefits".
Of course, real-life doesn't work like that. Just look how every little imaginery threat is currently used by the PTBs to further clamp down on the innocent general public.
The idea that finding a hole and reporting it leads to more security works in a "perfect" setup. Perfect in a sense that the one finding it reports it instead of abuses it, and the one informed about it fixes it instead of ignoring it.
The reality looks different.
In reality, people don't want to be bothered with this pesky thing called security. They want their machines to do the magic by themselves and not worry about it. So they created laws where it becomes illegal to even look for a security hole. Because, what you can't see isn't there.
Take you average user. Just enough smarts to turn on the PC, updating with an automatically generated and even transfered script is beyond their capabilities. When (not if, when) their computer is turned into a spamslugger, who will they blame? Themselves for not being able to keep their machines secure?
Keep on dreaming.
The laws are a reflection of the general unconsciousness. People don't want to be hacked, so it must not be done. Yes, the machines are insecure, yes, there are billions of trojans and viruses out there trying to break in (and succeeding, most of the time), but as long as we don't see them, they're not there.
La la la, I can't hear you...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I think this raises a fundamental issue - most of our lawmakers and enforcers are people who have not grown up with these new technologies and have little understanding of them, both from a technology point of view, but also their social context.
Most judges, seeing a bank had implented very poor physical security - so poor that a lone teenager could fairly easily get into the bank without help - would be lenient on the teenager for breaking into that bank and bank would be in lots of legal trouble for having lax security. But when the internet is involved the teenager becomes an evil hacker in the eyes of both our lawmakers and much of society, and it's off to jail for the teen and no punishment for the bank.
I really worry about the next generation. All kids do stupid stuff and talk about stupid things as they are growing up. Only now, much of that stupid talk is done via electronic communications, and much of the stupid stuff is easier to trace.
I can see in the near future (maybe it's happening already?) that when a misdemeanour with a youth occurs one of the first steps a law enforcer will take will be to get access to the youths electronic communications. Then they'll uncover all kinds of stuff that will look terrible in the eyes of a law enforcer and the parents - and be extremely embarrassing or worrying for the youth. But in reality will just be the stupid things people do and say when they are growing up. We'll have youngers going to jail and being ostracized by their parents and society just for doing and saying the stupid things that we all did when we were young.
Imagine if this was the so-manieth discussion about music or video copyright infringement. Now ask again: "What is the special magic about technology". I think you'll find your answer.
I don't agree with it, for what it's worth, in either case.
They should be against companies running buggy or insecure servers and end up exposing customer data or causing hassles to their customers.
As for "hackers", they should be held responsible under existing fraud laws if they commit fraud; the mere act of "breaking into" a computer system should not be a violation of law.
The paper (or article, or whatever) is actually quite well-nuanced and fairly even-handed. However, it suffers from a fatal flaw of many legal articles: a fundamental ignorance of the subject matter itself.
It's a paper written by (wannabe) lawyers, who, while they site large rafts of supposedly corroberating papers and "experts", don't understand what they (the exports and sited papers) are talking about.
This kind of approach is eminently practical (and effective) when attempting to try a case, or negotiate a settlement. However, it is absolutely the wrong way to do things when attempting to write a Public Policy piece. If one is attempting to educate the populance (or some subsection of it) about an issue, you have to actually understand the subject, not just quote others' ideas.
They are correct in the supposition that cybercrime has a different nature than that of "real world" crime. But they completely misunderstand how this difference affects people.
A classic example of not really understanding the subject matter occurs when they claim that a compromised system actually causes very little economic damage, as the system itself is not physically damaged, and the effort to repair it is theoretically comparable to a periodic security audit/update of the machine. What they perceive is a JoyRide in a "stolen" car - someone took my car out for a whirl, and if they've returned it in good shape, all I (the owner) have to do is sweep out a few of the crumbs (and maybe fix the door lock) before it is ready to go again. This isn't the true case. Rather, it is closer to the case that I, the owner, would have to completely dissassemble the entire car, and put it back together again from its component parts, just to make sure that the kids didn't screw something up (or wire a bomb to the ignition). There is a HUGE economic cost to cleaning up after even a minor intrusion. Because, frankly, there is no way to determine if something was a minor or a major intrusion, until a complete postmortem is done. And the risk associated with keeping a compromised system working is far too great to NOT do the full rebuild. In many ways, the risk analysis looks a lot like empidemiology: when a herd of cows is found to contain one case of Mad Cow, we kill the entire herd and check them all, rather than just kill the sick cow, and say "oh, we found the problem, and it is fixed now".
The real solution is not to allow "ethical hackers", but rather to provide economic incentives for companies to protect their data. If this were the case, then companies would take security seriously, and there would be a whole thriving sector of legal security probing companies (which exists in a very tiny manner today). If companies were held to multimillion dollar fines every time private data was compromised, you could be damned well sure that security would rank somewhere above "oh, and empty the trash before you leave tonight", which is where it currently resides. And security checks would be done by true professionals, complete with after-incident reports and improvement suggestions.
-Erik
There are always four sides to every story: your side, their side, the truth, and what really happened.
So to use this same idea, y'all have no problem if I discover your back door to your house is unlocked and I come in just to look around and make sure there are no other 'security issues', right? I promise I won't steal or damage anything, I just want to look around...
Sorry, it don't work that way, and just because computers are computers doesn't make it any different. If you want to come in to my computer and inspect, I expect you to ask, just like I would for my house.
When Microsoft is caught sniffing around anyone's computer without permission, even if they don't damage or alter anything, everyone here wants Bill Gates' head on a pike for public display and criminal charges against Microsoft. But if its a white-hat hacker, that's okay, and we should have the law allow them in. Funny how that works.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
From another perspective, the author's ideas have some merit. In biological systems, it is only after one has been infected and their immune system fights off a disease that they are impervious to repeat infections. In this way entire societies build up resistances to deadly diseases. For example, Jared Diamond believes 95% of Native Americans were killed off by diseases carried by European settlers who were largely immune to said diseases. (link)
In a way, as different portions of the computer systems and software are attacked, the flaws that allow for such attacks are, in general, corrected. Problems identified in one attack can be applied to other areas, and as such, can affect system-wide changes toward a better system (think buffer overruns), as well as more security-minded design (think security developments in IE7 and Vista).
I'm not advocating that the world governments should let virus writers and crackers have free reign of the Internet. A balanced response would allow for leniency for those who have no malice in their intentions. Of course, this is difficult to prove, and from personal experience, I have yet to meet a virus writer with purely altruistic intentions. Also there are corporate interests to deal with as well. How embarrassing must it have been for Symantic to have their flagship product meant to help secure a computer be the source of insecurity? While Symantic handled the situation extremely well, many other companies do not have a large security minded staff on hand to deal with security problems. For them it is easier to accuse the attacker than acknowledge a problem they cannot deal with.
I haven't lost my mind!
It is backed up on disk...somewhere...
... but going in jail is may be a worse option.
... with success so far.
It is true that bad hackers will pretend to be ethical hackers but by putting everone in jail you end up creating a less secure world. Only the bad hackers will find the security hole and they won't tell anyone.
Full discolure is the only solution and it is not popular: companies get bad press for having security holes, they might loose some business and thus try to shoot the messenger
However, full discolure is a necessary evil it we want to have a safer online life.
I don't think the world can ever be truely secure.
The world is always in a sort of "Ok on the count of three, we all drop our guns" state.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Exactly, but there is a time and a place for full disclosure, and the situation is easily complicated. Even just the act of disclosure is uncertain. Publish to widely and be accused of helping hackers. Publish too narrowly, and be accused of not informing the public. Its a messy job.
Even old-fashioned e-mail worms, which rely primarily on user ignorance, can spread to hundreds of thousands of computers.
Now, I always thought a worm is "self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers."
Geez people - if you can't cromulize your terminology, I have little faith in your article..
Introduce a properly run certification scheme for "Certified ethical hacker". Base it on a course taking in relevant law, security techniques etc., and make damn sure it is vendor-agnostic. Only make the course available to persons who have no criminal convictions, are on the voter's list, member of a professional body, and pass FBI checks or your national alternative. It will be free to qualified applicants.
Now issue those people with a set of official paper forms, with proper security marking and tied to the individual. When they encounter a security issue, they issue a paper based advisory (because it is still traceable, and because you do not then leave a trail on the net that might enable the black hats to find and target you.) copy to some official body who every year will report the statistics, and list the companies that failed to respond to security advisories.
So now you have it on your resume when you write in for the bank job: Certified Ethical Hacker, 42 confirmed alerts (or whatever).
Before anybody tells me this is simply fantasy, consider that there are already volunteer public security forces. In the UK we have Special Constables and the Territorial Army, and there are equivalents in many other countries. We have a Health and Safety Executive who can walk into any company at any time it is operating and demand immediately to observe what is going on. So why not a properly trained volunteer Internet security force?
Pining for the fjords
Imagine a white hat h4xo that found a dangerous hole, send info about that to admins, and that hole is fixed.
Its that good?
I think yes. but need:
1) The white hat attitude. Complete morons are discarded.
2) Its a hole, and not a feature. Maybe the users want the system this way, and know enough about the tradeoff.
3) The hole being fixed. If is imposible to fix holes, maybe because lack or resources, this help nothing. Of course, the problem here is the lack of resources.
On real world, some people want to live with his doors unlocked, mostly on rural areas. Its that a "hole"?. Its not. What safety expert AND ha4xors fail to realice, its that the world is not about of safety for everyone. Some people like his doors unlocked, thanks. Other people dont know about that, and will love to know about a hole, and fix it.
-Woof woof woof!
Microsoft has 'educated' an entire generation of users that you have to run with full root privileges to get anything useful done at all. This is completely independent from how they respond to security issues raised by third parties. The damage is so pervasive that it can't be undone. MS stands as the village idiot of software companies for such a stupid design paradigm, and the single biggest problem on the Internet, as well as the single biggest problem in the IT industry for so completely dumbing down so many people. I wouldn't look to vista to cure the ill either. The more MS talks about security, the more evident it is that they can't pull their head out of their ass, and they'll keep dumbing down their 'customers'.
"We are all geniuses when we dream"
- E.M. Cioran
Does no one else here see the glaring hole in this person's argument? There is no such thing as a beneficial virus, worm, or trojan, period, end of story, thank you, have a nice day. Information Security is commonly accepted as a three-part problem: Confidentiality, Integrity, Avalability. Even seemingly innocuous viruses carry huge costs, mostly in the form of hindering Availability. Further, as a System Administrator, how can you ever be completely sure a virus that compromised a system was 'benign?' Answer: You can't. The only safe bet is to restore the system from the last safe backup.
The problem is akin to the broken window problem in economics. Sure, exploiting security holes leads to more fixes, but you have to take into account the costs. Further, this does not mean Information Security itself is improving, it simply means virus, trojan, and worm writers have to become more creative.
In short -- if this is what Harvard is producing these days, maybe it's time we re-asses the "Ivy League."
Government's view of the economy: If it moves, tax it. If it keeps moving,regulate it. If it stops moving, subsidize it.
... just kick all the homeless people off of it.
This whole debate about black hats, grey hats, etc. is ridiculous. I don't give a crap about itension for the intrusion. If I didn't invite you to break into my system, then you're trespassing and should be punished. I don't care if you've told me about it or not. Now, if you stumble and only stumble (As in not go any farther than to point out a potential weakness and not go snooping), that's different. You haven't actually hacked. When you cross that line, you've screwed yourself and should be punished.
One day the toilets of the world will rise up... And I'm going to nuke them.
Your original premise has a few flaws:
No, its not. Its neither single, nor uninterrupted, nor deterministic.
Its not a single state machine, because its not a single machine. By definition, the Internet is a collection of machines.
If you tried to push that analogy in any other field, the BS quotient would set alarms off immediately. For example, if you tried to say that people are a single person because all their interactions are connected, people would go, "yeah, whatever ..."
Its not an uninterrupted state machine, nor a deterministic state machine
As an aggregate of hosts, it literally ceases to exist in its current form as individual hosts drop off or connect. The fashion in which this happens is far from deterministic, since its under the control of all sorts of people - from the bubble-gum-chewing pop-tart-wannabe on myspace to the parv stalking same. Since the individual components actions are non-deterministic, the Internet is non-deterministic. Noboday can determine, even with a snapshot of the WHOLE Internet at point T in time, what will be happening at T+5 seconds.
Your argument, on the other hand, is a good example of GIGO - start with a flawed premise, produce a flawed result.
You even make my point when you state this:
Your last argument also makes the point that people are the true owners of the net - when you say "OUR" machine - and people have the right to say how they want their property to be used, even in public spaces. If you don't believe that, please give everyone your address - I'm sure someone will be happy to rob you when you're in public, then present your own arguments as justification that you gave implicit permission by your very presence in public.