ACK! -- CONTINUED

Jonathan Hutchins hutchins at tarcanfel.org
Sun Apr 20 19:05:06 CDT 2003


Quoting Bradley Miller <bradmiller at dslonramp.com>:

> That's not exactly accurate.  They came in, changed how the entire 
> operating system works ...

I think that's a bit of exaggeration.  It's still Linux. Sure, it's got a 
toolkit on it, but is there any function it used to perform that it doesn't do 
just as well (if less securely) now?  If so, you'd have found it quicker, 
though it didn't take much for you to find in the end.

> If I yanked out the 
> ATM from the local bank and put in my own ATM, that functioned the same but 
> instead put everyone's ATM passcode into my own account . . . wouldn't that 
> be stealing also?

Only if you kept the ATM you yanked.  Recording information isn't stealing, 
rantings of the RIAA and BSA to the contrary.  Should you go to jail if you 
happen to observe someone's password over their shoulder?  If they USED this 
information to some nefarious end (other than "stealing clock cycles"), that 
could be a crime.  If they just poked around, read and maybe copied a few 
files?  Nah.

Besides which, you're not a bank.  I doubt that the purpose of the machine in 
question involved much in the way of financial transactions (or it would have 
been better secured, no?).  People get real excited about strangers having 
access to information, but ask yourself "what can they REALLY do with the 
information?".  For instance, some people are all agahst about their phone 
numbers being revealed on-line, but never give a thought to the fact that their 
phone number and address are listed in the phone book.  If all they can do is 
log in to your server under a false name, that's not much crime potential.  Can 
they deface someone's web site?  Ok, that's a crime equivalent to painting 
graffiti on a billboard.  Misdemeanor at most, and not committed in this case.

> As to a monetary value, between the cost of the box itself which no longer 
> operates in the manner it was intended to, at probably $2500 initial cost 
> or so,  plus my time, plus the time of anyone else involved, plus down time 
> to my customers . . . 

You can't count the hardware.  It's still there.  It wasn't configured 
properly, or it would have been defended against the hack, so you can only 
count a portion of the time to reconfigure it as an actual loss.  If you leave 
your sunroof open, you can't blame the rain for wet seats.

> yes it could be a case that the FBI or someone should 
> be investigating with whole hearted interest.  Otherwise morons like this 
> keep doing it and progressing on to other bigger and better things.  

(This sounds like the "gateway drug" theory, related to the domino theory...)

What about persons who are responsible for the security of publicly accessible 
systems who do not configure them properly and leave security holes?  How shall 
we punish them, lest they run Microsoft and spawn DOS attacks against us?

Look, I know people get all excited and angry and want to form a lynch mob when 
they get hacked, but the truth is you didn't lose anything except some time.  
You can count the time spent as a valuable lesson in disaster recovery, and a 
penalty for failing to keep the system adequately secured.  But calling the 
cops?  "Hey, officer, I left my kitchen door open and someone came in and drank 
a glass of water!  Call the FBI!"

More information about the Kclug mailing list