Putting keyloggers on PCs you have physical access to exposes "vulnerabilities in your system?" That's news to me.
Of course it does. SECURID cards and PKI login cards are designed specifically to avoid capture by keyloggers. Systems which don't use them do have a vulnerability. However it's a vulnerability which may be justifiable to accept since protecting against it has a high cost. Systems which don't have such a vulnerability (or rather limit it much more) have to have dedicated physical terminals which it is impossible for the user to alter. Think dedicated military terminals with a proper secure attention key. Think ATMs.
An interesting question with a weird answer. This of course depends on what information is on the computer and what the unknown unauthorized person does with it. In most cases, they do nothing or very little. Assuming that's true, then they cause no damage and the system will probably eventually be reinstalled leaving no effect at all. In this case, the person who tells you that they had access causes more damage than the person who didn't.
The reason it works like this is a bit weird. The mechanism for the damage is your legal and moral obligation to take account of things you know about. When you don't know about an unauthorized access then you don't need to do anything about it. When you do know about it, you have an obligation to verify that what you are told is true.
Now, some people are arguing "oh, but he showed that the system can be broken into". Well, we already knew that. Systems that "can't" be broken into involve many tonnes of concrete and large amounts of military grade surrounding space with people with guns. Even there, I'm doubtful. To show something useful he needs to show that the security measures used were inappropriate for the threat environment. It sounds to me that if he had to use a key logger and mag-card reader software to break in, he would be able to find lots of other places with bigger problems and more to protect.
Also, that he did this as a student meant that lots of other protection wouldn't trigger. For example, if he tried to break in with his "illegal" magnetic card, probably the security guard would recognise him and hold the door open whilst he did so. That's not a breach. It's just politeness.
He broke in. He caused damage. If you know that a system has been under control of an unauthorised person, any competent system administrator will tell you that the only thing you can do is a) reinstall and b) treat the data on the system as potentially compromised from that point on. That takes work.
Now, he has many potential arguments:
the damage was justified since they weren't taking the care they should do
they had such insecure systems that should treat them as compromised anyway
the damage was less than the damage they did to him by keeping his data on insecure systems
the damage was much less than they claim
but the argument that he didn't do damage isn't one of them.
Reading between the lines, it seems there's an ongoing investigation into the incident and they aren't allowed to communicate. I'll wait until I know much more about this before I make my final decision on how RedHat behaved.