Re: Recent Attacks

[David LeBlanc <dleblanc () mindspring com>]

At 03:43 PM 2/22/00 -0500, Matthew_S_Cramer () armstrong com wrote:

> David LeBlanc <dleblanc () mindspring com> wrote:

> > I have a lot of problem with this
> > approach.  So what you're saying is that if I don't install a Lowjack
> > system, and someone puts my car on a tow truck and steals it, that it was
> > my fault for not protecting myself?

> Well, like with automobiles, there is "best practice".  A best practice of
> automobiles is to not leave them running and unattended in a high crime area.

Actually, best practice is to lock the door, and take the key with you.  A
decent car thief can overcome that very, very quickly.  The analogy is very
close - most systems on the internet don't have extremely dumb stuff -
blank root or admin passwords, etc (though there are plenty of these) -
what they do have are flaws that a skilled person can exploit.

> So that is a better analogy: you leave your car running and unattended for 7
> days in a high crime area and then want sympathy when you find out is stolen?
> You'll get none from me......

We still throw people in jail for stealing cars that have the keys in them.
 I don't think you understand how easily and quickly an ordinary vehicle
can be stolen, even without a key and the doors locked. 

> > Next, we can start blaming the people who wrote the software because
> > they're human and make mistakes, too.

> Actually, I find the "Disclaimer: we make no promise that this software will
> actually work and make no claim that it will not totally destroy your system"
> nauseating.

So you're saying that all programmers ought to start buying malpractice
insurance, like doctors.  Fun, fun, fun.  The cure may be worse than the
disease.

>  I'd like to see some liability for crap software.  Give the M$
> lawyers something to do......

They seem rather busy at the moment.  I see a lot of software that has
flaws, from a lot of different people.  Show me an app with no bugs, and
I'll show you "hello world"**. Marcus had a bug in NFR a while back - would
you turn the lawyers loose on him, bankrupt him with legal fees, and cause
the company to disappear?  Is this going to really make anything better? I
understand the problem, but I don't have a good solution.  Keeping anyone's
lawyers busy is usually not a good solution.

> > The vast majority of them had no idea that there
> > was a problem.  It is obviously prudent to check your systems, and stay up
> > to date on patches,

> Yep, that's my point.  It is "common sense".  The fact that certain people
are
> ignorant of common sense is never an excuse.

Yeah, but most people don't have much, and even those that do are sometimes
running on not enough coffee, so...

> See, the .gov and many .com's would like to see this problem solved with
> legislation: "throw the script kiddies in jail".  Yeah, make them serve more
> time than convicted hitmen or mafiosos.  NOT.

I wouldn't go overboard, but at the moment computer crime goes almost
completely unprosecuted.  I think if more script kiddies ended up in jail,
maybe some otherwise good kids might make fewer mistakes.  I'm a big fan of
making people responsible for their actions - you break into my house,
steal my stuff, and you go to jail, and pay restitution.  No restitution?
Go to jail, do not pass go.  Same thing with my computers.  Maybe I did
leave a patch off - whups.  Send me mail or something, I'll say thanks.
Break in?

Real-world issue - we found a wallet in the parking lot the other day.  The
guy dropped it getting out of his car.  He screwed up.  Taking the money
out of it, and going on a credit-card fraud spree is still illegal.  Just
because no one mugged the man to get his wallet doesn't mean he deserves to
be stolen from.

> This is a technical problem, there are technical solutions.  

It is a technical, ethical, and behavioral problem.  The social norms for
activity on the internet are different than in the rest of the world, and
we have a problem.

> People are ignoring
> the technical solutions (the info is OUT THERE ALREADY) 

Maybe the technical solutions don't work very well.  Right now, if you want
to really know what's going on, you have to subscribe to about 3-4 highly
technical, very geeky security lists, and wade through HUGE amounts of
noise.  This isn't a viable solution for the masses.

If it isn't working, we must be doing it wrong.

> and proposing
> legislation and criminal solutions.  If people need motivations to use the
> technical solutions, I say throw some liability their way, that's all.

I think there are adequate laws in place - the real problem is that law
enforcement is way behind the curve.  How many people do you know who call
the cops when they get hacked?  There are good reasons why they don't, and
that needs to be fixed.

> > but assigning blame to the owners of the system is
> > wrong in most cases.

> All I say is apply the same rigours as we do in other industries.  If you go
> against the best practices of an industry, you have to expect some liability.

Honestly, I think we've all got a lot of work to do - ISPs need to make a
lot of changes, both to try and help good customers do the right thing, and
to prevent the script kiddies from using their facility to do the wrong
thing.  Law enforcement needs to get more effective.  Programmers need to
pay more attention to security.  People who write software and OS's need to
make security user-friendly.  There's no silver bullet.

> Throwing some script kiddies in jail, even with harsh penalties, won't fix
> things.  

No, but not ever throwing them in jail will indeed make it worse.  I think
if you're being realistic, you have to acknowledge that law enforcement is
part of the solution, but can't be the whole solution.  It's like just
about anything - too much is bad, too little is bad, and we usually
oscillate between too little and too much trying to find just right.

> Look at the example of the drug war.....

Well - considering that I graduated high school in 1977, and that at the
time, it was pretty common to see people walking around on FSU campus
smoking a joint in broad daylight.  Far too many people were using far too
many drugs.  There was a reaction, law enforcement got a bit more vigorous,
and fewer people walk around stoned.  Personally, I think it is mostly a
medical problem, and shouldn't be a legal problem, but let's not go off on
that tangent.  I did want to point out that increased law enforcement did
have an overall positive effect, but didn't eliminate the problem - and
that a lack of law enforcement led to the problem becoming worse.


David LeBlanc
dleblanc () mindspring com