On Fri, 13 Jan 2012 11:57:27 +0100 Ferenc Kovacs <tyra3l@xxxxxxxxx> wrote:

> On Thu, Jan 12, 2012 at 10:46 PM, Benjamin Kreuter <ben.kreuter@xxxxxxxxx> wrote:
>
> > On Thu, 12 Jan 2012 16:06:53 -0500
> > Valdis.Kletnieks@xxxxxx wrote:
> >
> > > On Thu, 12 Jan 2012 15:16:19 EST, Benjamin Kreuter said:
> > >
> > > > Really, calling it "breaking in" is a stretch. You connected a
> > > > computer to a publicly accessible computer network, where
> > > > anyone can send anything to your computer. If hacking such a
> > > > system is "breaking in," you might as well claim that shouting
> > > > across your neighbor's yard is "breaking in."
> > >
> > > Bad analogy. Closer would be if you have a house that's got a
> > > driveway on a public street, and you claim it's not breaking and
> > > entering if you walk up the driveway, try the doorknob, find it
> > > unlocked, and let yourself in without the permission of the
> > > residents. Saying that "anybody could walk up and let themselves
> > > in the door" doesn't make it legal.
> >
> > Would you say that we should arrest the person who walks into the
> > house, takes a picture of themselves standing next to an expensive
> > television and leaves the picture next to a note that says "your
> > door was unlocked?"
>
> yeah, it would still be an offence in most countries.

Except that we do not arrest people for every violation of the law; if we did, almost the entire population would have to be arrested. We do not even convict every guilty person, e.g. abolitionists who were acquitted despite having clearly broken fugitive slave laws prior to the civil war. Intent is an important part of criminal cases, and courts do at least try to do what is in the best interests of society. Are society's interests really served by arresting people who point out security problems? I suppose that it is a matter of debate and that we could discuss ad infinitum what the appropriate way to bring attention to a vulnerability or exploit might be.
> > Really though, it is still a terrible analogy. You can disconnect a
> > computer from the Internet; you cannot disconnect a building from a
> > street. A hacker in a foreign country might be attacking your
> > computer system from that country, and could be outside the
> > jurisdiction of any relevant law enforcement agency; a person who
> > breaks into a building is committing a crime in whatever
> > jurisdiction the building is in.
>
> the crime would still be a crime in the country where the
> building/computer is located, you just can't get the offender
> prosecuted, just like if he would flee the country after trespassing
> into your house.

Except that in this case, the offender was never physically present in the country where the computer is located. Suppose I criticize the Thai monarchy from my desk here in Virginia; I have violated the laws of Thailand, but I am not in Thailand, and the situation would be no different if I were to email the offending statement to someone who is located in Thailand. What analogy would you draw there? That I spat on the faces of people in the Thai royal family, then fled the country and hid in Virginia?

> > Analogies are nice and they help non-technical folks understand what
> > is going on, but let's not get carried away with them. Someone who
> > attacks a computer system over the Internet (or any other network)
> > is sending unwanted/malicious messages. This is not the same as
> > physically breaking into a building, locker, or computer. It may be
> > illegal, but it is still very different from other crimes.
>
> why is it different? the only difference imo is that the whole
> IT/networking stuff is relatively new, and the law was lagging
> behind, and some people still think that it is, when it isn't really
> anymore. you can get the same amount of fine/years in prison whether
> you stole the money/confidential info through physical or
> electronic means.
Suppose I download a database of customer records, complete with bank account information. Have I stolen something? No, I have not, aside from a tiny amount of bandwidth and electrical power. If this were not a different sort of crime, there would be no need to pass laws to criminalize it; yet that is exactly what we did. Having a confidential document in your possession is not theft, nor is downloading the document from a computer system. What you do with the confidential document is what matters. Given a database of credit card numbers, someone can do a variety of things. You could make unauthorized, fraudulent payments with the credit accounts. You could print it out and make some wallpaper. You could just let it sit on your hard drive. Some of these things are clearly criminal without any special computer crimes laws, while others one would be hard-pressed to call immoral (is it really immoral to simply have credit card numbers on your hard drive?).

> > If anything, the closest
> > type of criminal would be a con man, which seems fitting given how
> > many of today's attacks have an element of social engineering.
>
> nope.
> of course social engineering can be compared to Confidence trick,
> because it is a Confidence trick.
> but social engineering is only one vulnerability from the many, and
> usually it is used together with other methods (you get the
> credentials using that, then you proceed and access the system using
> those credentials, which is the gaining unauthorized access to the
> system.

I did not say that it was the same as a confidence trick, I said it was similar. Con men do not use force (usually), they just dress themselves up a certain way and say the right things to convince people to lower their defenses.
Cracking computer security systems (without social engineering -- with social engineering, you basically are a con man) is similar in that you are simply sending the right combination of messages to a computer system to get it to do something it would not normally do. Perhaps you spoof an address, or send a message that would normally be sent by a user who was authorized, or send messages too quickly, or send messages that are too big, or send messages from many different sources, or send a message with an unknown format, or politely ask some other computer or user to send messages for you -- all things that are common in confidence tricks (with a little adjustment in terminology).

-- Ben

--
Benjamin R Kreuter
UVA Computer Science
brk7bx@xxxxxxxxxxxx

--
"If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them." - George Orwell
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/