Slashdot Mirror


Immunizing the Internet

jonny4001 writes "The Harvard Law Review has published a student-written article that argues that hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"

19 of 181 comments

  1. Finally! by Anonymous Coward · · Score: 5, Funny

    Totally telling the FBI slashdot said it was 'ok'.

  2. Wow! Who knew? by Heavyporker · · Score: 5, Funny

    Darwin operates perfectly online! Now all we need is to set up the digital version of the Darwin Awards. Now, granted, idiot users aren't permanently removed from the gene pools, but if they ram enough computers into the dirt, they'll be dirt-poor and thus unsuitable as mates, hence they won't reproduce. Right?

    1. Re:Wow! Who knew? by Tatarize · · Score: 4, Insightful

      It turns out while you're a child, you will turn out better if you touch everything and pick your nose and eat your boogers.

      In general, being exposed to a lot of germs (typically harmless) trains up your immune system. Boogers catch a lot of local bacteria and allow for exposure in a safe and weakened form.

      -- Just because it's correct doesn't make you want to do it.

      --

      It is no longer uncommon to be uncommon.
  3. The well is poisoned. by argent · · Score: 5, Interesting

    More than a quarter of a century ago I inadvertently found a hole in a UNIX based bulletin board system, went in and fixed the code, called the operator to tell him what I'd done and how to fix the rest of the problems, and ended up with a series of contracts.

    A few years later I wouldn't have considered it. People who'd not done much more had spent time in court and been threatened with jail. Not much later, you had people actually doing jail time for simply "knocking on doors".

    What happened?

    The whole "ethical intruder" meme had spread, and people had started cracking into systems and then claiming they were just "rattling doorknobs" to "help security". Of course you couldn't tell an "ethical hacker" from a crook, and the crooks could claim they were just trying to help.

    It's the "ethical hackers" themselves that have made it impossible for this kind of activity to be condoned.

    1. Re:The well is poisoned. by Xugumad · · Score: 4, Interesting

      I think also, as systems stop being maintained by one person, and are covered by a group, it has become a lot less easy to simply go "Ah, they meant well, I'll just ignore it". Instead, the entire group has to come to a decision, and no-one wants to be seen as lazy at maintaining security.

      I've seen a student here report a security hole (the muppet that originally developed the web app they were using tracked the currently logged-in user by putting their username in the CGI parameters. Change the name, and you can be whoever you want), and some members of staff still wanted to see them kicked out (we did manage to talk some sense into them, though). Point is, if it had just gone to the person maintaining the system at the time (me), I'd have patched up the code, thanked them, and forgotten about it.

    2. Re:The well is poisoned. by vistic · · Score: 4, Funny

      I'll have you know that Dr. Bunsen Honeydew is a very good coder!

    3. Re:The well is poisoned. by jaclu · · Score: 4, Insightful

      One problem is accountability.

      While I do agree with you that a kid reporting an error, and perhaps even a suggested solution, would be regarded as helpful and something of a "white-hat" from a private perspective.

      However, one thing that has changed since the early eighties is that now there is usually quite a bit more money involved.

      Now accountability is a big concern.

      If that kid was in a system I admin, I must realize that even if he probably is just being helpful, I still can't be sure; after all, he was in there, where he shouldn't have been, and who knows what he did and discovered but didn't tell me about.

      And that's what it's all about: on one side I have a complete stranger who claims that he has been in one of my systems, found a few bugs, and has a few suggestions; on the other side, the only way to be sure of system integrity is to assume that the system is completely penetrated, and do a very expensive security checkup to see how much damage _could_ have occurred.

      If I trust the kid, and he happens to be a black-hat - poof - there goes my job.

      If he turns out to be a white-hat, well, in that case he was nice and not much is won for either me or my clients (since we have to do an expensive audit anyhow).

      So I would assume he was a black-hat, 'cause if he wasn't, I haven't lost much... Maybe cynical, but that's how it works. /Jacob Lundqvist

  4. PDF WARNING! by Maelwryth · · Score: 5, Informative

    The link is directly to a .pdf file. This should link to the Google html cache.

    --
    I reserve the write to mangle english.
  5. For those who won't RTFA by Anonymous Coward · · Score: 5, Funny

    I'm sure plenty won't click the link, so you are missing out on the great title that was left out of the summary:
    IMMUNIZING THE INTERNET, OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE WORM

    1. Re:For those who won't RTFA by arivanov · · Score: 5, Interesting

      Well...

      Realistically this is the history repeating itself. Many times.

      Prior to Edward Jenner discovering vaccination, people tried to instill immunity to smallpox in their children by a process known as variolation. The difference from vaccination was that people were deliberately infecting children with the real virus, hoping that they would have it in a milder form. Well... and if not, that was just a child, one more, one less, who cares. In some more awkward and less developed parts of the world this is still done with varicella, and less frequently rubella, measles and mumps.

      Society's attitudes have changed since. The majority no longer considers it normal to infect children with the real viruses. Still, even now, there are idiots who insist that "having child diseases is good for the children as it improves their character" (or other such bollocks).

      Similarly, infecting networks with real worms is not dissimilar to variolation. There are plenty of security tools out there nowadays which can detect the vulnerabilities that can be used by the worm and force the user to fix them. There is no real need to weed out the "weak" (yeah, I know, I am tempted myself to weed out the idiotz sometimes).

      And as far as Joe Average user goes, it will take some time for them to grow up, but it will end up the same as with vaccination. People were reluctant to do it initially. That is not the case now.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  6. Does this work for offline crime? by amelith · · Score: 5, Insightful

    So bank robbery is good for their security and should be encouraged? Everyone who moves to a new city should be immediately mugged so they can learn valuable lessons about personal security? Perhaps there should be an official quota of licensed murders so people don't get too lax about their own safety?

    What is the special magic about technology that makes people give opposite answers to "Is X sensible?" and "Is X sensible using a computer?" for just about all values of X?

    Ame

    1. Re:Does this work for offline crime? by evilviper · · Score: 4, Insightful
      So bank robbery is good for their security and should be encouraged?

      This isn't the equivalent of bank robbery (nobody gets potentially harmed, and no real damage done). Rather, a far better example would be the instances of journalists repeatedly and successfully smuggling weapons through TSA security, onto commercial flights. Absolutely no real harm is done by it, and success leads to very important good things (increasing security where it is lacking).

      The more they find security holes, the safer the system becomes against the real threat, the truly malicious professionals. Of course, the analogy isn't perfect, but it's far closer than bank robbery and murder.

      What is the special magic about technology that makes people give opposite answers to "Is X sensible?" and "Is X sensible using a computer?" for just about all values of X?

      Probably because of people like you... People who can't relate the computer world to the proper real-world equivalents, and therefore have a really warped and twisted misunderstanding of the computer world.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    2. Re:Does this work for offline crime? by Archtech · · Score: 4, Insightful

      Every time computer security is discussed, someone immediately trots out the "burglar" analogy. I have nothing against analogies - they are very useful for getting insight into unfamiliar situations - but every analogy has its limits. In this case, a burglar is someone whose only purpose is to steal property for his own gain. Some people who hack into computers have this motivation, but many do not.

      This is where the analogy breaks down catastrophically. There is no simple, familiar motivation for anyone to try getting into a house as an intellectual exercise, or even as a challenge. Either the house is wide open - in which case it would be legal to enter in some jurisdictions, while in others the householder could legitimately shoot an intruder anyway - or it is secured, in which case any attempt to gain entry is almost certainly of a criminal nature.

      Computers are different, in that trying to understand and improve on software mechanisms is a universal impulse among (good) programmers. Bill Gates, and many other people who came to be famous, hacked in their youth. The sainted Richard Feynman confessed openly to having made a hobby of getting into as many locked areas and safes as he could, while working on the Manhattan Project. He had absolutely no ill intentions, although he was well aware that the military bosses would be hard to convince of that. Incidentally, he told of a valuable spin-off, when a senior official left the project and his immense safe was found to be secured. No one had the combination, and they were thinking of explosives and thermic lances until Feynman came along and casually opened it.

      Please don't accuse me of trying to excuse genuine criminals - I am the last person to do that. But do realize that many people who experiment with software do so from motives of genuine curiosity and intellectual challenge, which can be very useful if properly harnessed. And let's get over the crude physical analogy of "breaking into" a computer. A computer is a machine that executes instructions. When some sets of instructions are executed, the computer can display words, numbers, and pictures meaningful to humans, and accept human input through keyboards and other devices. A computer does not have a mind of any sort, and thus cannot be deceived, pleased, annoyed, or educated. Moreover, the idea of the computer as a structure or territory that could be broken into is simply an analogy that helps us to think about it; it does not correspond to anything real.

      --
      I am sure that there are many other solipsists out there.
  7. Too often companies ignore problems until it's.... by Anonymous Coward · · Score: 4, Interesting

    .... too late. It doesn't even have to be a real security issue. It can be something as simple as good security practices. Here are ideas I would recommend e-mail providers, for example, to implement.

    Dual passwords. A master password which can change anything in the account, and a secondary password which can change anything but the master password. The idea is that if your secondary password is stolen, you clean your machine (just in case you were infected), log in with your master password, change your secondary password, and everything is fine.

    Freezing expired accounts for 10-year periods to prevent someone from grabbing it up and gaining mail-forgotten-password privileges from other sites. Got a bank account? Got online banking? Got an account which you can easily send your password to your e-mail address? Oh wait! Your e-mail address expired! Someone else registered it, went to a bunch of bank websites and such, just to see if your former e-mail address has an account there.

  8. Article summary - rewritten... by jkrise · · Score: 4, Interesting

    Hackers, worms, and viruses are good for network security (Security software firms such as Symantec) and the law and public policy should encourage 'beneficial' hacking (Legislation must ensure we keep such firms running). From the article: 'Exploitation of security holes prompts users and vendors to close those holes (Makes people believe that such defects are inevitable, and can only be solved by continuous updates), vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security (reliance on vendors for updates) reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security (any negative impact on suspect business practices OR bottom-lines).'

    Makes sense now, don't you think?

    --
    If you keep throwing chairs, one day you'll break windows....
  9. Lawmakers out of touch by pubjames · · Score: 4, Interesting

    I think this raises a fundamental issue - most of our lawmakers and enforcers are people who have not grown up with these new technologies and have little understanding of them, both from a technology point of view and in terms of their social context.

    Most judges, seeing a bank had implemented very poor physical security - so poor that a lone teenager could fairly easily get into the bank without help - would be lenient on the teenager for breaking into that bank, and the bank would be in lots of legal trouble for having lax security. But when the internet is involved the teenager becomes an evil hacker in the eyes of both our lawmakers and much of society, and it's off to jail for the teen and no punishment for the bank.

    I really worry about the next generation. All kids do stupid stuff and talk about stupid things as they are growing up. Only now, much of that stupid talk is done via electronic communications, and much of the stupid stuff is easier to trace.

    I can see in the near future (maybe it's happening already?) that when a misdemeanour with a youth occurs, one of the first steps a law enforcer will take will be to get access to the youth's electronic communications. Then they'll uncover all kinds of stuff that will look terrible in the eyes of a law enforcer and the parents - and be extremely embarrassing or worrying for the youth. But in reality it will just be the stupid things people do and say when they are growing up. We'll have youngsters going to jail and being ostracized by their parents and society just for doing and saying the stupid things that we all did when we were young.

  10. Re:Why Shouldn't it :-P by badfish99 · · Score: 5, Funny
    No, it's trickle-down economics in action. The banks recover the cost from their customers, who are mostly rich businessmen. So some of the wealth of those rich people ends up having trickled down to the poor robbers. Isn't that how things are supposed to work?

    The rich people were probably just going to donate their spare wealth to charity to help the poor: robbery saves them the trouble of having to do that, too. It's a win-win situation!

  11. Re:Taquila Sunrise by Joebert · · Score: 4, Funny

    I'm drinking a bottle of rotted juice, with a worm in it, & you expect me to know how to spell it ?!

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  12. A little knowledge is a dangerous thing... by trims · · Score: 5, Insightful

    The paper (or article, or whatever) is actually quite well-nuanced and fairly even-handed. However, it suffers from a fatal flaw of many legal articles: a fundamental ignorance of the subject matter itself.

    It's a paper written by (wannabe) lawyers, who, while they cite large rafts of supposedly corroborating papers and "experts", don't understand what they (the experts and cited papers) are talking about.

    This kind of approach is eminently practical (and effective) when attempting to try a case, or negotiate a settlement. However, it is absolutely the wrong way to do things when attempting to write a Public Policy piece. If one is attempting to educate the populace (or some subsection of it) about an issue, you have to actually understand the subject, not just quote others' ideas.

    They are correct in the supposition that cybercrime has a different nature than that of "real world" crime. But they completely misunderstand how this difference affects people.

    A classic example of not really understanding the subject matter occurs when they claim that a compromised system actually causes very little economic damage, as the system itself is not physically damaged, and the effort to repair it is theoretically comparable to a periodic security audit/update of the machine. What they perceive is a JoyRide in a "stolen" car - someone took my car out for a whirl, and if they've returned it in good shape, all I (the owner) have to do is sweep out a few of the crumbs (and maybe fix the door lock) before it is ready to go again. This isn't the true case. Rather, it is closer to the case that I, the owner, would have to completely disassemble the entire car, and put it back together again from its component parts, just to make sure that the kids didn't screw something up (or wire a bomb to the ignition). There is a HUGE economic cost to cleaning up after even a minor intrusion. Because, frankly, there is no way to determine if something was a minor or a major intrusion, until a complete postmortem is done. And the risk associated with keeping a compromised system working is far too great to NOT do the full rebuild. In many ways, the risk analysis looks a lot like epidemiology: when a herd of cows is found to contain one case of Mad Cow, we kill the entire herd and check them all, rather than just kill the sick cow, and say "oh, we found the problem, and it is fixed now".

    The real solution is not to allow "ethical hackers", but rather to provide economic incentives for companies to protect their data. If this were the case, then companies would take security seriously, and there would be a whole thriving sector of legal security probing companies (which exists in a very tiny manner today). If companies were held to multimillion dollar fines every time private data was compromised, you could be damned well sure that security would rank somewhere above "oh, and empty the trash before you leave tonight", which is where it currently resides. And security checks would be done by true professionals, complete with after-incident reports and improvement suggestions.

    -Erik

    --
    There are always four sides to every story: your side, their side, the truth, and what really happened.