Apart from guiding the bus, the system will also stop your change from rolling too far..
Which "damage" are you talking about?
In the majority of countries where I've been it IS a crime to break into a system (i.e. access it without due authorization). There are a few grey zones there (unsecured web directories - you screw up and you can't prosecute) but in general, if it has a password and you don't have it, gaining access regardless is deemed unauthorized. In some countries adding a logon notice greatly enhances your standing in court.
The outcry is about the severity of the proposed sentence.
Yes, he needs a very serious rap on the knuckles, probably with a cluebat so he won't be able to type for a couple of months (and other things). What I don't agree with is a criminal record, that is OTT.
What are you going to do with a black hat hacker when you find him? Death row?
I don't think anyone condones what he did (at least not the depth of it) but a sense of proportion is lacking here. Hence the discussion..
Just blending in there :-)
Most of the people convicted of hacking (or at least those I have heard of) actually did not do those things. They just broke in to prove that they could, looked around in the systems and used them as a base for hacking into more systems.
That they proved something was already on the edge (IMHO it's already slightly over if they got in). Then proceeding to (AB)USE those systems (and the possible trust they have inherited if the setup isn't well done) is firmly in the black camp.
Let me make it simple. You hack my systems and tell me, I'm going to be pissed off (mainly with myself, but you'll probably catch the edges of it) but also glad you took the trouble to tell me, and it'll even things out for me. If I get a call from another sysadmin asking me why I've hacked into their systems and I find it's you, you'll discover just how creative I can get. And when I'm annoyed I don't rank very high on the list of nice people unless you hold that list upside down.
I will not care if you're a teenage member of a cultural minority who was orphaned when 6 years old and now supports a family of 10 and a charity, have a gangrenous leg and hand coded 60% of the Linux kernel before helping DVD Jon. You used my resources to do something illegal, and I won't be nice.
I get the feeling the guy in Canada never exposed a vulnerability before so he did it wrong - what's more, IMHO he went too far (keyloggers and swipe readers are not "standard" tools). I have, however, yet to see evidence of actual damage and I don't read what he did as malicious, he could have kept his mouth shut and sold access to a porn or spam gang. As a matter of fact, I wouldn't be surprised if someone did that now as a reaction.
IMHO, the smart thing for the Uni would be to say "We've cooled down now. We're still not impressed, but we checked that no damage has been done so we won't press charges, and IT staff has been tasked with reviewing the way we run things. We do, however, consider the process by which we were told less than impressive so we will hand out academic punishment, details of which are under discussion."
That acknowledges that they overreacted a bit (we're all human), still maintains there are better ways to report issues and doesn't let the guy get away with going beyond the white edge into black hat territory. I don't think you'll hear much of him after this.
Just my $0,03 (inflation corrected).
For those who didn't RTFA, he has a possibly Arabic name
I think that may be irrelevant. It would be a bit unfair to throw racism at them, it's a stupid enough case without it and I don't see that suggestion justified. But that's just me ..
AFAIK he first indeed contacted those responsible, and it appears he then later did this distribution of information, which may or may not have contained more than the logon details of each recipient - this suggests he didn't get much of a response.
I think the guy has been a mild idiot, but I would reserve the jail terms for people who deserve it. The smart thing for the Uni to do would be to can the charges in exchange for student service work like cleaning the toilets for a month. That won't give him glory points, and I'm pretty sure he'll remember having been on the edge of a conviction.
I don't think he's dumb, just not very socially aware..
If I recall correctly, someone else who was jealously guarding router passwords is now facing jail..
And I would not hire him until he's had his fingers slapped first. Without permission it may be a nice initiative but it IS illegal, and I'd just want to make sure he remembers that. However, to ruin his life for then not using his insights for personal gain is stupid, unproductive and likely to keep the problems in place.
It's not like they didn't have a warning before..
Mr Smith forgot to tell the authorities that he had a history of forgetting to lock his door, because otherwise he would have a slightly harder time getting the insurance to pay out for his losses. Mr Smith was thus incredibly pissed off with Mr Johnson for showing him up to his insurance, especially since he had a similar heads up a few months back and didn't do anything about it then either.
No doubt Mr Smith would have also been the first to yell at the police for not sufficiently fighting crime if he got burgled because Mr Smith is of the type that is never at fault himself, and doesn't consider himself responsible for his own conduct. And hell, those kids are a pest anyway so if someone did something to them while they were in the house that would be a bonus. Maybe put up a sign "Kids here", just in case?
There are two sides to every story.
The "hacker" was stupid by taking it too far, the college is blatantly moronic by not providing a real bit of education out of this experience (thanks, but do this next time, and you're to clean the college kitchen for a month - with a toothbrush). Giving this wannabee a conviction (read: something that will follow him for life) is overkill, and is likely to prompt much worse things to happen soon (action creates reaction, harsh action creates a lot of trouble). I'd be surprised if someone isn't already using resources for hosting malware.
On the upside, yes, that's a real life experience. Do someone a favour, get solidly shafted. The moral of the story: forget about being a citizen, down there it's everyone for himself, and educational values be damned. Standard politics, basically.
I look at motivation. On balance of what I know (and that's just the article, there may be more left untold) I can't see malice.
Here's your every day problem. Law and moral justice are drifting very far apart..
To the morons that are in the process of ruining someone's future, two questions:
- what did YOU do when you were at college?
- what would you do if this was your own kid? Sure, I'd give him hell but I wouldn't even remotely consider getting him a rap sheet.
Yes, I said morons. I meant it, too.
I mean, it's easy to blame MS and .NET for the problem (and include me in the people that wouldn't be surprised if it was something like WGA failing :-), but SEVEN hours?
AFAIK that's plenty of time to reboot (cough) so that must have been pretty catastrophic. I have a feeling it's going to cost them more than just compensation, not being able to trade at one of the most active days must cause a whole lot of people to walk. The timing couldn't have been worse.
Interesting point, actually: is it Windows itself that has problems, or is it thanks to that illusion management has that it's easier and thus doesn't require as many skills?
I call it the "I have a PC at home" effect..
As a matter of fact, in that same building there's another outfit which (AFAIK) still runs all its operational business on Unix (it was AIX when I last looked but that's a few years ago).
You can glorify Windoze for all you want, but I don't think I've ever heard someone say "Yeah, we'll probably bounce the machines in November to clear out possible dead processes etc" when it's still APRIL. Sure, it has gotten better but it still has a loooong way to go before it comes close to what a stock exchange needs.
Failure is NOT an option (it comes as standard with some products).
Oh, and I was involved in building a whole trading environment abroad. It used RedHat, Solaris and HP-UX. It also used Windows - which is where all the problems were..
You can keep Windows for desktop use. Just don't pretend it's capable of standing up to real life use without significantly more expense.
disappeared down the toilet faster than a lead burrito
I don't have much personal experience with lead burritos (none, actually), but I think it won't make it round the bend. So it will just sit there at the bottom, never quite going away.
And THERE you are 100% correct - it's a project that will never quite die. There will always be someone who'll resurrect it for a few weeks, like a zombie, with many (returning to your analogy) flushing for all it's worth.
No THAT is class. I must try that next time, just for the hell of it.
Sadly, most of the people at my ISP appear to have a clue. Maybe I'll try it with my bank instead.
"No, no, I think you need to restart the mainframe. Trust me on this".
Anyone any idea when they invented the concept of a system blue screening? They must have patented that because no other OS crashes quite at such a frequency and with such a profound impact on productivity.. :-)
With all due respect, what iTunes makes of a DRM locked song when it writes to CD is a bit like going from DAB stereo to mono playback of a 78rpm record using a rusty bent nail as needle.
And they got the naming wrong. iTunes should be iTunes minus, and iTunes plus should be iTunes.
I now have a list of about 300 records I would have bought on the fly if they had been available in unlocked format - so the loss for them is mounting up. Hell, I may even go back to CDs, at least it gives me something to throw at the RIAA if they ever mistake me for a file sharer (I sooo wish, they wouldn't know what hit them). I am NOT going to mess around again the next time I upgrade a system, it has started to piss me off so much I'm seriously considering ditching the whole iScam altogether, i.e. iProd Nano, I-collect-more-fingerprints-than-the-UK-government-iPod Touch and I-really-don't-know-what-multitasking-is-iPhone 3G, although getting rid of the latter may be a bit more complex as it's a company phone. Which is a pain because under the glossy interface lies a great void of usability unexplored, my Sony Ericsson P1i beats the crap out of it in terms of functionality and security (for some work we do we need the graphics, but even that we had to fix because its Javascript and Flash support either doesn't exist or is crap, can't remember - and that too was a load of rubbish where our dev guys gave up waiting and coded on some hacked phones until Apple finally deemed the planet worthy to receive its product).
I've just gotten very comfortably rid of one Redmond based Hitler in my IT, I am unlikely to walk into the shiny halls of Apple with the same control freakery in place, rollneck or no rollneck sweater. I'd rather have rough, ready and working for me than all shiny pretend and at the whim of someone else, in that respect the iPhone has been a ginormous disappointment.
If you need the gloss, fine. I don't, I prefer to spend my money on stuff that works for ME. Call me funny, but I consider the premise of putting down good money for something an indication that I have a certain desire to see something do work for me, and nobody else. I don't need it to work as an advertising panel for someone else (unless they pay me, of course), I don't need it to act as a US industrial espionage node and I don't need it to act like a cop who assumes I will break the law the moment he turns his head.
There. EOR (End Of Rant) :-) Now what was I doing?
MS has already demonstrated that it can't get WGA right. In addition, they are not exactly helping by making it compulsory to stick the license code holo on a system so that an average passerby can take a picture of it so you end up with a pirated serial number.
So, if I run legit copies of Windows and this crap appears, I won't be embarrassed. I'll go after them for defamation and computer intrusion (their license cannot change applicable laws), and get as many people to join as I can manage. I'm sick and tired of having to prove that I'm not using pirated software. I wish they would spend as much energy on getting the code even remotely safe. Vista sucked like no vacuum cleaner will ever manage.
That's also why most of our stuff now runs on Linux. They asked for it.
I can't believe there are that many admins who have that little respect for themselves that they'd be willing to steal passwords.
That's only an issue if you are willing to trust this survey. Which I don't, from practical experience I know most of the guys I have worked with are ethical to a point when it stops their career advancing, so whatever the study says does not correlate with my own experiences - over 15 years.
I think it may be worth examining what the study is trying to sell.
You may want to check what she likes first (traditionally you deploy her friends for that, and if you're close to *the* question you should by now have at least some idea), and see if you can afford that (important fact: rings cost money, and you want something left to buy her other things :-). Oh, and maybe don't mention that you have been checking with the rest of the planet if it's a good idea either - it should be yours.
It's your heart, and hers, start tuning in to that :-)
The first question you should ask is how a rep can change a customer password without his permission and knowledge. All you need is one with criminal connections and he'd be able to start messing with accounts for a while. Do this for a month, hit a couple of big ones at the end and disappear.
If I were the customer I'd go after the bank re. diligence failure. I couldn't care less about the pettiness (as ex Lloyds customer I agree 100% with the sentiment expressed), but I would raise serious questions about the processes involved, from HR to account management.
If I were the customer I would now insist on choosing a new password (as the entire planet knows the old one) and I think something like "You are all complete morons" would be suitable:
"What is yous password, Sir?" :-)
"You are all complete morons"
"That is correct, Sir, thank you"
Legally the bank is in a rotten place (actually, the contractor even more so). If this was original data someone would have missed it by now given the volume, but it is a copy. He bought the system as-is, so he did not establish a provable record of intention.
He has been honest in reporting the find, but the fact is that the hardware is still his. If the bank wants to do ANYTHING with that data they will have to compensate him, and the nature of that compensation is very much a matter of debate.
It's a difficult balance, though. The bank can't be too happy with the disclosure, but to get it out of the media spotlight they can't wait too long either. He shouldn't give it to them for free (IMHO), but he can't be asking too much for it either. If I were the bank I'd give the guy a brand spanking new top-of-the-line system in exchange - the bank buys it cheap and the guy gets a lot of kit for his ebay spend.
However, there is at least one happy party here, they must be thanking the bank on their knees for taking over the headlines..
Are you referring to Repetitive StRain Injury or Repetitive Stain Injury?
Could get rather embarrassing if the hand motors seize up and you end up developing a firmer grip than intended :-)
They now have these cameras that apparently time you going from A to B. That could be fun with cloned licenses - especially if you yourself are somewhere with a good alibi..
The likelihood of this happening already must be high given that plate cloning is rife since they put this congestion charge in London..