
Re: [Full-disclosure] Rate Stratfor's Incident Response



On Thu, Jan 12, 2012 at 10:46 PM, Benjamin Kreuter <ben.kreuter@xxxxxxxxx> wrote:

> On Thu, 12 Jan 2012 16:06:53 -0500
> Valdis.Kletnieks@xxxxxx wrote:
>
> > On Thu, 12 Jan 2012 15:16:19 EST, Benjamin Kreuter said:
> >
> > > Really, calling it "breaking in" is a stretch.  You connected a
> > > computer to a publicly accessible computer network, where anyone can
> > > send anything to your computer.  If hacking such a system is
> > > "breaking in," you might as well claim that shouting across your
> > > neighbor's yard is "breaking in."
> >
> > Bad analogy.  Closer would be if you have a house that's got a
> > driveway on a public street, and you claim it's not breaking and
> > entering if you walk up the driveway, try the doorknob, find it
> > unlocked, and let yourself in without the permission of the
> > residents.  Saying that "anybody could walk up and let themselves in
> > the door" doesn't make it legal.
>
> Would you say that we should arrest the person who walks into the
> house, takes a picture of themselves standing next to an expensive
> television and leaves the picture next to a note that says "your door
> was unlocked?"
>
>
yeah, it would still be an offence in most countries.


> Really though, it is still a terrible analogy.  You can disconnect a
> computer from the Internet; you cannot disconnect a building from a
> street.  A hacker in a foreign country might be attacking your computer
> system from that country, and could be outside the jurisdiction of any
> relevant law enforcement agency; a person who breaks into a building is
> committing a crime in whatever jurisdiction the building is in.
>

the crime would still be a crime in the country where the building/computer
is located, you just can't get the offender prosecuted, just like if he
fled the country after trespassing into your house.


>
> Analogies are nice and they help non-technical folks understand what
> is going on, but let's not get carried away with them. Someone who
> attacks a computer system over the Internet (or any other network) is
> sending unwanted/malicious messages.  This is not the same as physically
> breaking into a building, locker, or computer. It may be illegal, but
> it is still very different from other crimes.


why is it different? the only difference imo is that the whole
IT/networking stuff is relatively new, and the law was lagging behind, and
some people still think that it is, when it isn't really anymore.
you can get the same amount of fine/years in prison whether you stole the
money/confidential info through physical or electronic means.


>  If anything, the closest
> type of criminal would be a con man, which seems fitting given how many
> of today's attacks have an element of social engineering.
>

nope.
of course social engineering can be compared to a confidence trick, because
it is a confidence trick.
but social engineering is only one vulnerability among many, and usually
it is used together with other methods (you get the credentials using that,
then you proceed and access the system using those credentials, which is
gaining unauthorized access to the system).

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/