Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Vulnerabilites in new laws on computer hacking

from [Paul Schmehl] Network Security [Permanent Link]
Subject: Re: Vulnerabilites in new laws on computer hacking
Date: Wed, 15 Feb 2006 12:22:07 -0600
--On Saturday, February 11, 2006 16:35:20 +0000 self-destruction@itsbest.com wrote:

It'd be interesting to see if this post gets approved by the moderators
of bugtraq.

As all of you know, this forum (bugtraq) is constantly monitored not only
by crackers and infosec professionals, but also by government and
law-enforcement agencies.

The reason why I'm posting this message is because I'd like to bring
attention to the new laws on hacking.

As everyone knows, laws on computer hacking are going tougher. There are
however, some negative consequences.

"Advanced societies" are updating computer crime laws faster than the
rest of the world. This means that new generations of these more
"advanced societies" will have no clue about how remote computer attacks
are carried out. Future generations of security "experts" will be among
the most ignorant in the history of computer security.

That's silly. Researchers know full well how to do this without ever breaking any laws. In fact, most of the best researchers who are finding the bugs and weaknesses in systems never breakin to any system not owned by them.

New generations of teenagers will be scared of doing online exploration.
I'm not talking about damaging other companies' computer systems. I'm
talking about accessing them illegally *without* revealing private
information to the public or harming any data that has been accessed. To
me, there is a big difference between these two types of attacks but I
don't think that judges feel the same way. Furthermore, I don't even
think that judges understand the difference.

To me there is not.  They're my systems.  Stay out, thank you very much.

If you want to learn how to hack, set up your own network, install some OSes, with various patch levels, and hack away. You can learn everything you need to know without ever touching a system you do not own. Get your buddies involved. Hack each other's boxes. But do not hack into systems that do not belong to you. That *should* be illegal and you *should* be prosecuted.

Now, I'm not saying that I support accessing computer systems illegally.

Yes, you are. You're talking about breaking in to systems that you do not have permission to enter.

All I'm saying is that by implementing very strict laws on "hacking", we
will create a generation of ignorant security professionals. I think to
myself, how the hell will these "more advanced societies" protect
themselves against cyber attacks in the future?

And you're wrong. I don't have to hack into someone else's equipment to know how to hack into things.

These new tougher computer laws will, in my opinion, have a tremendous
negative impact in the defense of these "advanced societies". It almost
feels to me like we're destroying ourselves.

That's because you have tunnel vision. You think the only way to learn to hack is to attempt to break in to someone else's equipment.

Do locksmiths break in to random houses to learn their craft?

I know what you're thinking. You can learn about security attacks by
setting up you're own controlled environment and attacking it yourself.
Well, what I say is that this approach *does* certainly make you a better
attacker, but nothing can be compared to attacking systems in real world
scenarios.

Now, I personally know many pentesters and I can say that most of them
*do* cross the line sometimes when doing online exploration in their own
free time. However, these guys would *never* harm anything or leak any
sensitive information to the public. That's because they love what they
do, and have very strong ethical values when it comes to privacy.

Oh, well that gives me great comfort. Never mind that I can be prosecuted for the breakin because I've violated a law such as GLB, HIPAA, etc. by "allowing" a breakin. I'm glad your friends are so "ethical". If you only think about what's in it for you, you'll always be slanted toward violating the law. Try thinking about the poor victim whose systems you're breaking in to. Put yourself in their shoes and ask yourself, how would I feel if I discovered that someone had entered my systems without my knowledge? Or bettter yet, how about if I reach in your pocket and take the keys to your car, take it out for a spin, then return it? Are you OK with that? No hard feelings?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Windows Media Player BMP Heap Overflow (MS06-005), atmaca
Next by Date:  [Full-disclosure] Critical SQL Injection PHPNuke <= 7.8 - Your_Account module, SecurityReason - sp3x
Previous by Thread:  Vulnerabilites in new laws on computer hacking, self-destruction
Next by Thread:  Re: Vulnerabilites in new laws on computer hacking, Ansgar -59cobalt- Wiechers
Indexes:  [Date] [Thread] [Top] [All Lists]