ACK! -- CONTINUED
Carl Sappenfield
CSAPPENFIELD at kc.rr.com
Sun Apr 20 20:58:49 CDT 2003
Thanks.
Sanity is under-appreciated when it comes to computer security.
----- Original Message -----
From: "Jonathan Hutchins" <hutchins at tarcanfel.org>
To: "Bradley Miller" <bradmiller at dslonramp.com>
Cc: <kclug at kclug.org>
Sent: Sunday, April 20, 2003 3:17 PM
Subject: Re: ACK! -- CONTINUED
> Quoting Bradley Miller <bradmiller at dslonramp.com>:
>
> > That's not exactly accurate. They came in, changed how the entire
> > operating system works ...
>
> I think that's a bit of exaggeration. It's still Linux. Sure, it's got a
> toolkit on it, but is there any function it used to perform that it doesn't do
> just as well (if less securely) now? If so, you'd have found it quicker,
> though it didn't take much for you to find in the end.
>
> > If I yanked out the
> > ATM from the local bank and put in my own ATM, that functioned the same but
> > instead put everyone's ATM passcode into my own account . . . wouldn't that
> > be stealing also?
>
> Only if you kept the ATM you yanked. Recording information isn't stealing,
> rantings of the RIAA and BSA to the contrary. Should you go to jail if you
> happen to observe someone's password over their shoulder? If they USED this
> information to some nefarious end (other than "stealing clock cycles"), that
> could be a crime. If they just poked around, read and maybe copied a few
> files? Nah.
>
> Besides which, you're not a bank. I doubt that the purpose of the machine in
> question involved much in the way of financial transactions (or it would have
> been better secured, no?). People get real excited about strangers having
> access to information, but ask yourself "what can they REALLY do with the
> information?". For instance, some people are all aghast about their phone
> numbers being revealed on-line, but never give a thought to the fact that their
> phone number and address are listed in the phone book. If all they can do is
> log in to your server under a false name, that's not much crime potential. Can
> they deface someone's web site? Ok, that's a crime equivalent to painting
> graffiti on a billboard. Misdemeanor at most, and not committed in this case.
>
> > As to a monetary value, between the cost of the box itself which no longer
> > operates in the manner it was intended to, at probably $2500 initial cost
> > or so, plus my time, plus the time of anyone else involved, plus down time
> > to my customers . . .
>
> You can't count the hardware. It's still there. It wasn't configured
> properly, or it would have been defended against the hack, so you can only
> count a portion of the time to reconfigure it as an actual loss. If you leave
> your sunroof open, you can't blame the rain for wet seats.
>
> > yes it could be a case that the FBI or someone should
> > be investigating with whole hearted interest. Otherwise morons like this
> > keep doing it and progressing on to other bigger and better things.
>
> (This sounds like the "gateway drug" theory, related to the domino theory...)
>
> What about persons who are responsible for the security of publicly accessible
> systems who do not configure them properly and leave security holes? How shall
> we punish them, lest they run Microsoft and spawn DOS attacks against us?
>
> Look, I know people get all excited and angry and want to form a lynch mob when
> they get hacked, but the truth is you didn't lose anything except some time.
> You can count the time spent as a valuable lesson in disaster recovery, and a
> penalty for failing to keep the system adequately secured. But calling the
> cops? "Hey, officer, I left my kitchen door open and someone came in and drank
> a glass of water! Call the FBI!"
>
> ---------------------------------------------------
> This mail sent through tarcanfel's horde/imp system
>
>