
| Subject: | Re: Vulnerabilities in new laws on computer hacking |
|---|---|
| Date: | Wed, 22 Feb 2006 12:16:24 +0100 |
On 2006-02-21 Crispin Cowan wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> While I agree with you that for learning and practicing it would suffice to build your own systems to tamper with, I have to disagree on the part that hacking into other people's systems *without* doing any damage should be illegal.
>
> But an intrusion that causes no other privacy or integrity violations DOES do damage. The sysadmin has no way of knowing that you did no damage, and so they have to commit large resources to either auditing the box or wiping it and starting over. Both are hugely expensive.

But if there really *was* a hole that allowed an actual break-in, they would have to do that anyway, because they wouldn't know if anyone had broken in before and just wiped his tracks, would they?

> I agree with Paul; people who want to learn to hack can quite easily do so with their own computers,

Crispin, please, I expressly said that I do agree with Paul on that part.

> and people who break into machines that they are not authorized to use should be prosecuted to the full extent of the law.

I do not (fully) agree on this part, though. I already gave some reasons why, e.g. when is one authorized to use a machine? Plus, I do not believe that companies which won't secure their servers properly (thus putting themselves and/or their customers at risk) should be protected by the law in this way. This kind of jurisdiction would encourage people to care less about security than they already do, because if someone breaks in, they will be able to sue him.

[...]

>> In addition to that, some vulnerabilities can be discovered only ITW, simply because you cannot rebuild that environment in your lab. Two years ago we had a case like that over here in Germany [2] (the article is in German, but maybe an online translator will help). The OBSOC (Online Business Solution Operation Center) system of the Deutsche Telekom AG did not do proper authentication, so by manipulating the URL you could access other customers' data. How would you detect such a vulnerability without actually hacking the system? Is one supposed to not notice these things? Will that really make them go away?
>
> This is an example of the hole. The proper thing for the defender to do would be to put up a test system with fake accounts and invite attack against the test system. If the site operator chooses not to do so, then it is at the expense of their customers' risk. But under no circumstances is it proper for researchers to deliberately hack production servers that they do not own.

The OBSOC system is AFAIK closed source, and Deutsche Telekom would not go to the trouble of putting up a test system for public testing. The person who broke in was an actual customer. I repeat my question: Do you really believe that this person should be prosecuted? Should he have ignored the problem instead, leaving the other customers at risk?

Regards
Ansgar Wiechers
-- 
"The computer is there to compute, not to write excuses like 'Cannot divide by zero' on the screen." --Marco Haschka in de.org.ccc