Re: Rate Stratfor's Incident Response
From: Benjamin Kreuter <ben.kreuter () gmail com>
Date: Fri, 13 Jan 2012 11:57:41 -0500
On Fri, 13 Jan 2012 11:57:27 +0100
Ferenc Kovacs <tyra3l () gmail com> wrote:

> On Thu, Jan 12, 2012 at 10:46 PM, Benjamin Kreuter
> <ben.kreuter () gmail com> wrote:
>
>> On Thu, 12 Jan 2012 16:06:53 -0500
>> Valdis.Kletnieks () vt edu wrote:
>>
>>> On Thu, 12 Jan 2012 15:16:19 EST, Benjamin Kreuter said:
>>>
>>>> Really, calling it "breaking in" is a stretch. You connected a
>>>> computer to a publicly accessible computer network, where
>>>> anyone can send anything to your computer. If hacking such a
>>>> system is "breaking in," you might as well claim that shouting
>>>> across your neighbor's yard is "breaking in."
>>>
>>> Bad analogy. Closer would be if you have a house that's got a
>>> driveway on a public street, and you claim it's not breaking and
>>> entering if you walk up the driveway, try the doorknob, find it
>>> unlocked, and let yourself in without the permission of the
>>> residents. Saying that "anybody could walk up and let themselves
>>> in the door" doesn't make it legal.
>>
>> Would you say that we should arrest the person who walks into the
>> house, takes a picture of themselves standing next to an expensive
>> television and leaves the picture next to a note that says "your
>> door was unlocked?"
>
> yeah, it would still be an offence in most countries.

Except that we do not arrest people for every violation of the law; if
we did, almost the entire population would have to be arrested. We do
not even convict every guilty person, e.g. abolitionists who were
acquitted despite having clearly broken fugitive slave laws prior to the
civil war. Intent is an important part of criminal cases, and courts
do at least try to do what is in the best interests of society.

Are society's interests really served by arresting people who point out
security problems? I suppose that it is a matter of debate and that we
could discuss ad infinitum what the appropriate way to bring attention
to a vulnerability or exploit might be.

>> Really though, it is still a terrible analogy. You can disconnect a
>> computer from the Internet; you cannot disconnect a building from a
>> street. A hacker in a foreign country might be attacking your
>> computer system from that country, and could be outside the
>> jurisdiction of any relevant law enforcement agency; a person who
>> breaks into a building is committing a crime in whatever
>> jurisdiction the building is in.
>
> the crime would still be a crime in the country where the
> building/computer is located, you just can't get the offender
> prosecuted, just like if he would flee the country after trespassing
> into your house.

Except that in this case, the offender was never physically present in
the country where the computer is located. Suppose I criticize the
Thai monarchy from my desk here in Virginia; I have violated the laws of
Thailand, but I am not in Thailand, and the situation would be no
different if I were to email the offending statement to someone who is
located in Thailand. What analogy would you draw there? That I spat
on the faces of people in the Thai royal family, then fled the country
and hid in Virginia?

>> Analogies are nice and they help non-technical folks understand what
>> is going on, but let's not get carried away with them. Someone who
>> attacks a computer system over the Internet (or any other network)
>> is sending unwanted/malicious messages. This is not the same as
>> physically breaking into a building, locker, or computer. It may be
>> illegal, but it is still very different from other crimes.
>
> why is it different? the only difference imo is that the whole
> IT/networking stuff is relatively new, and the law was lagging
> behind, and some people still think that it is, when it isn't really
> anymore. you can get the same amount of fine/years in prison whether
> you stole the money/confidential info through physical or

Suppose I download a database of customer records, complete with bank
account information. Have I stolen something? No, I have not, aside
from a tiny amount of bandwidth and electrical power. If this were not
a different sort of crime, there would be no need to pass laws to
criminalize it; yet that is exactly what we did. Having a confidential
document in your possession is not theft, nor is downloading the
document from a computer system. What you do with the confidential
document is what matters.

Given a database of credit card numbers, someone can do a variety of
things. You could make unauthorized, fraudulent payments with the
credit accounts. You could print it out and make some wallpaper. You
could just let it sit on your hard drive. Some of these things are
clearly criminal without any special computer crimes laws, while others
one would be hard-pressed to call immoral (is it really immoral to
simply have credit card numbers on your hard drive?).

>> If anything, the closest
>> type of criminal would be a con man, which seems fitting given how
>> many of today's attacks have an element of social engineering.
>
> of course social engineering can be compared to Confidence trick,
> because it is a Confidence trick.
> but social engineering is only one vulnerability from the many, and
> usually it is used together with other methods (you get the
> credentials using that, then you proceed and access the system using
> those credentials, which is the gaining unauthorized access to the

I did not say that it was the same as a confidence trick, I said it was
similar. Con men do not use force (usually), they just dress
themselves up a certain way and say the right things to convince people
to lower their defenses. Cracking computer security systems (without
social engineering -- with social engineering, you basically are a con
man) is similar in that you are simply sending the right combination of
messages to a computer system to get it to do something it would not
normally do. Perhaps you spoof an address, or send a message that would
normally be sent by a user that was authorized, or send messages too
quickly, or send messages that are too big, or send messages from many
different sources, or send a message with an unknown format, or
politely ask some other computer or user to send messages for you --
all things that are common in confidence tricks (with a little
adjustment in terminology).
Benjamin R Kreuter
UVA Computer Science
brk7bx () virginia edu
"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/