Re: How hackers cause damage... was Vulnerabilites in new laws on computer hacking

[dave <fla.linux () gmail com>]

David Gillett wrote:

> 1)  If it's your friend's machine, you should be able to get 
> authorization from him/her.  
whats the fun in that! If it's a friend and you arent going to do 
anything serious you shouldnt need permission. Once again: choose your 
targets wisely. My grandfather owns a business...nothing much but pretty 
successfull. I craked their companies servers without permission, I 
didnt do anything but place a note on the managers desktop saying I was 
there...so what! I know at least 15 folks that would let me bang away at 
their systems (without permission)....if you want to practice breaking 
into computers and you MUST have permission then get together with a few 
buddies with the same interest and see what you can all put together. We 
found a number of computers in trash after christmas. Yea...they were a 
bit old but 2 of them were good P4 systems that just needed some virus / 
spyware removed. We used these FREE machines to set up a small wargames 
network with various servers IIS, apache, ssh etc... If you have a 
server ask your friends to hack your server and ask them to share their 
results. This not only makes you a more skilled cracker it makes you 
more skilled at reacting to attacks and gives you first hand experience 
on how to set up IDS and other ways to secure various systems from attacks.

> Do you really know what 153.18.19.33 
> is?  
Does 1.2.3.4 matter...my friends server is at www.?.com. I'll let the 
dns find the ip...besides all my friends use static IP for their servers 
and internet gateways. Yea..if your blindly scanning 1.2.3.4-1.2.3.255 
then you are looking to get into something you prob. shouldnt.

> Does knowing what it was yesterday tell you what it is today?
> Do you know that it's not monitoring oxygen levels and anaesthetic
> flow during surgery?  
I know for a fact that it is not...if the machine is that easily 
available over the internet I am pretty certain that it isnt keeping 
someones heart pumping. Most hospitals still use DOS based systems for 
these tasks sometimes. I am most certain that NONE of these machines 
have direct internet connection with an internet IP address. You would 
have to be poking around deep inside their internal network...no script 
kiddie can do this (if they can, or if admin connected life support (or 
any critical) system to internet, once again, he should be fired. The 
admin(even the company that hired him) that put such a critical system 
in such an insecure area should also be sued for liability if someones 
life was lost due to a security breach). This is not soley the crackers 
error. Stupid admins are responsible for their stupidity too.

> Answers:  No.
>
> 2)  Same answer as above.
>
> As far as "ability to bring down" -- there are legacy boxes out 
> there which may crash when subjected to fairly simple probe code.
> (No, I will not volunteer details.)  How do I know that you're not
> hunting for them?  Answer:  I *have to* assume that you are.
>  
I hunt for no one...I couldnt care less what is out there. Yes...please 
keep quiet about how to crash an old DOS box. I'm sure it is real tricky.

> If you have permission, this whole thread doesn't apply to you.  If
> you don't have permission -- THEN you don't have permission. 
Yes..this thread was about kids trying to learn computers cracking.

> A weasel "but I only meant to ..." *might* get you a lighter sentence,
> but it won't change that you broke the law.  Nor should it.
>  
A weasel..hahaha. Some reading comprehension there! I never said one 
should be excused for breaking a law. I said the extent of the 
punishment dealt out by the law is to extreme for minor cases. Once 
again..if you kill someone you should face appropriate charges...if you 
bring down a production server then you should pay for your crime 
accordingly. If you do no harm you should do know time, no 'weaseling' 
necessary. Class B and C misdomeanors should recieve fine maybe 
probation. I have said this 10 times already and still you think I am 
saying that by not damaging anything it is not breaking a law...listen, 
spitting on the sidewalk is breaking the law...you shouldnt do time for 
it! As far as saying.."how do I know if they did harm"...well if you 
work at that companies IT/security department its your job to know. If 
you cant fullfil your job responsibilities then you should not have one. 
If I owned a company and we got hacked and the admin tells me he doesnt 
know what happened or what the guy did then what use is he to me? If the 
admin is worrying about losing his job then he needs to learn how to do 
his job. Anyone can just reinstall from original media at the first sign 
of an incedent.

Years ago me and my little brother cracked a network for a flower shop 
down the street. We knew a girl that worked there and wanted to goof on 
her. We cracked the companies web server and worked our way in etc... We 
had no permission. We did no damage to the machine(s). business was not 
interupted and no customers data was at risk at anytime (at least from 
us). Should we do prison time? Has anyone here ever actually been to a 
state prison? Get real!

I have read reports (on security focus.com) of people who have done time 
for others actions. Example: Lets say I wrote a trojan horse program and 
published it. If someone else were to use that program for ill means 
then I could face charges for writing and publishing the program. This 
HAS happened before. A man wrote a trojan and posted it on Astalavista. 
Another person used this program to commit a crime (tried to hack 
government computer if I remember correctly). The actual author was 
charged. This is another crazy computer based law....but in some places 
it is the *law*.

This topic is old and quickly getting stale...move on. It appears as if 
the reading comprehension here is pretty low...over half of the reponses 
showed that the reader didnt understand what I said.

The law has differnet degrees of crimes and punishment. Simply cracking 
a computer should not be that serious...I will not say it again. I will 
not read any more responses from people telling me that it IS breaking 
the law..I know, I have said this 10 times myself...I think everyone is 
in agreement there. The question is, how much punishment a kid should 
receive for looking around some computer (without permission). According 
to this group we should burn him at the stake for his evil deed. You 
know, burning people alive for speaking against the church was *law* too 
at one point in time, even then you had those who walked around and 
praised the law and tried to sound important. Good thing man as a whole 
doesnt put up with over extreme and nonesense laws forever. Once we get 
over our fear of technology (and we get over the bullshit fear of 
"hackers" that the media has created...same as JAWS and going to the 
beach...its nonsense!) the laws will need to be rewritten to incude some 
sanity / reasoning.

> David Gillett
>
>
>  
>
> > -----Original Message-----
> > From: dave [mailto:fla.linux () gmail com] 
> > Sent: Saturday, February 25, 2006 8:20 AM
> > To: security-basics () securityfocus com
> > Cc: ROB DIXON
> > Subject: Re: How hackers cause damage... was Vulnerabilites 
> > in new laws on computer hacking
> >
> > Good points???
> >
> >    
> >
> > > 1   Loss of human life (though systems damage)
> > >      
> > How can a kid trying to crack his friends server cost someone 
> > their life?
> >
> >    
> >
> > > 2   Insolvancy and the resultant human costs (lost jobs, etc)
> > >      
> > Pretty much same answer as above
> >
> > I think a point was missed...We were initially talking about 
> > some kid who is trying to learn about computers by cracking 
> > various machines. Not some *super hacker* with the ability to 
> > bring down serious systems. I think the point I made was also 
> > overlooked...
> >
> > If you are hell bent for leather and you simply must learn 
> > how to break into computers then at the very least be wise 
> > about what systems you try to crack into! Dont mess with 
> > production systems...dont mess with bank, hospitals, any big 
> > corporate company. Dont ever mess with any real businesses 
> > period. Dont think about government or law enforcment systems 
> > etc... Dont run "untested" exploits on otherwise important 
> > servers where crashing would be serious problem. As far as 
> > someone losing their life...please give a (realistic) example 
> > or two of how a human life was lost cause a kid tried to 
> > crack his friends web server or exploit some unpatched SSH 
> > deamon on some machine at his dinky little job. As far as 
> > someone losing his job...in an extreme scenario this could 
> > happen but not if the newbie cracker is wise in his choice of 
> > targets (if you can not be wise regarding your targets then 
> > you shouldnt be cracking computers). And as harsh as this may 
> > sound I will say it anyway...If some otherwise unskilled 
> > script kiddie, can break into your *important* system and do 
> > something bad enough to cause someone to possibly lose their 
> > life then you as the admin should be fired! 
> >
> > I also mentioned the financial burden 'Non malicous' attacks 
> > imposes on companies in resonding to the break-in. Once 
> > again...be wise about your targets...think small and 
> > realistic. You are NOT Aleph one or Mitnick or who ever...You 
> > are a script kiddie just trying to learn how it works. If you 
> > are at the point where your are bored with basic servers and 
> > want to venture into mainframe or otherwise corporate hacking 
> > then you are really no longer just some kid trying to learn 
> > and therefore you no longer are the point of this topic.
> >
> > #### Kids trying to learn about computers who break into 
> > small scale targets and do no harm should do NO time!
> > #### skilled crackers/hackers who cause harm (be it intential 
> > or not) on important/critical systems should know better and 
> > should be prosicuted/punished accordingly. If someone lost 
> > their life due to a careless cracker then manslaughter 
> > charges should follow etc...
> >
> >
> >
> > ROB DIXON wrote:
> >
> >    
> >
> > > Well put Craig.
> > > You made some good points regarding the so called 
> > >      
> > "NON-Malicous attacks".
> >    
> >
> > > Robert L. Dixon,  CSO
> > > CHFI A+
> > > State of West Virginia's
> > > West Virginia Office of Techonology
> > > Infrastructure Applications
> > > Netware/GroupWise Administrator
> > > Telephone: (304)-558-5472 ex.4225
> > > Email:rdixon () workforcewv org
> > >
> > >
> > >      
> > >
> > > > > > "Craig Wright" <cwright () bdosyd com au>  >>>
> > > > > >       
> > > > > >
> > > > > >            
> > > Hello,
> > > There have been a large number of ill-informed posts 
> > >      
> > regarding damage caused by cyber-trespass. This is for the 
> > purpose of this post described as breaking into a system with 
> > no clear intent to cause damage i.e. no Mens Rea or guilty 
> > mind. I will exclude all references to intention to damage or 
> > wilful damage and limit this to reckless damage alone.
> >    
> >
> > > Next, I will exclude Mens Rea as it may pertain to the fact 
> > >      
> > that the act of committing a computer crime is by definition 
> > illegal. We all seem to understand that breaking into a 
> > computer without permission is a breach of the law so I shall 
> > not explore this avenue of argument.
> >    
> >
> > > The term in law refers to "actus non facit reum nisi mens 
> > >      
> > sit rea", which means that "the act will not make a person 
> > guilty unless the mind is also guilty. This is a common 
> > defence in criminal cases though it will not help you in a 
> > civil tort case (i.e. civil damages).
> >    
> >
> > > With the seeming ignorant state that exists (not to all 
> > >      
> > reading) to the levels of damage caused by breaking into 
> > systems and committing cyber-trespass I will endeavour to 
> > detail the resultant state of affairs.
> >    
> >
> > > I will aim solely at corporate systems for the critique 
> > >      
> > following. This is not to state that Government, privately 
> > run or organisational systems have any lesser effects 
> > resultant from attack, but that this is a post and not a 
> > dissertation (though it is moving in that direction).
> >    
> >
> > > First we have the argument that has been fielded that at 
> > >      
> > worst a system would just need to be rebuilt. A prior poster 
> > stated that he would analyse his system and track the 
> > incident. For the majority of the world this is not so 
> > simple. Most people are not skilled in either incident 
> > response techniques or digital forensic science (please note 
> > computer forensics is a misnomer and grammatically 
> > incorrect). Nor are most companies able to afford to rebuild 
> > systems on a regular basis for the fun of it.
> >    
> >
> > > Cyber-trespass leaves one in a state of doubt. It is 
> > >      
> > commonly stated that the only manner of recovery from a 
> > system compromise is to rebuild the host. I will resist 
> > quoting a voluminous amount of material at this point (unless 
> > somebody wishes to dispute this :). It is needless to say 
> > that documents, working papers and processes on this topic 
> > are widely available. SANS, CERT and the CIS all recommend 
> > that a compromised system be rebuilt, not from backup, but 
> > from scratch.
> >    
> >
> > > Further one must "Resist the temptation of restoring from 
> > >      
> > backups" *1 and complete an "entire system install be 
> > performed from read-only distribution media".
> >    
> >
> > > So here, we have to look to the cost of both rebuilding the 
> > >      
> > system and recreating the data. In the modern corporation, 
> > the primary assets are often vested in the intellectual 
> > capital of the firm.
> >    
> >
> > > First, the system needs to be rebuilt as was listed above. 
> > >      
> > There is no argument here (though I am willing to engage in 
> > one) over the need to rebuild the system. The people at the 
> > company that was attacked do not and cannot know your 
> > motives. They cannot assume you are benign, but have to 
> > assume that you are malignant being that you are willing to 
> > break the law, that you are willing to face gaol.
> >    
> >
> > > If they assume otherwise they will suffer again. How do they 
> > >      
> > know that you have not installed a rootkit? How is it known 
> > that there is no timebomb on the server. You as the attacker 
> > have already demonstrated that you are not bound my 
> > conventional morality and ethics. You have violated property 
> > rights, entered and penetrated a system, breached the 
> > defences and raped the security of the site you choose as 
> > just "practice".
> >    
> >
> > > Every attacker that does this makes it easier for the truly 
> > >      
> > malicious attacker to succeed.
> >    
> >
> > > On top of this, add the loss due the unavailability, 
> > >      
> > reputation and compliance costs. Let us for the moment forget 
> > the costs of tort against the company. The costs of action 
> > for a violation of privacy rights. The costs from a violation 
> > of PCI-DSS. HIPPA Violations or the effects to the companies 
> > share price.
> >    
> >
> > > Costs. They seem to be all over the place when you actually 
> > >      
> > think about it. Each of these costs is damage. This damage 
> > needs to be recovered. We all pay. 
> >    
> >
> > > Now most organisations do not have, not can afford to retain 
> > >      
> > skilled incident response professionals. They need to employ 
> > external parties at a cost. Even when they do have internal 
> > staff there is a cost, but the accounting process is not so simple.
> >    
> >
> > > At rates (and this is based in Sydney, Australia) hiring 
> > >      
> > personal from a respected firm (and it is not likely to be 
> > less in the case of fear from an attack driving firms to a 
> > position of trust) will have a charge out rate in the order 
> > of $ 250-450 per hour. The investigation will take 10 -100 
> > hours (and in some cases longer though rare).
> >    
> >
> > > Is the cost of damages when placed against the risk worth 
> > >      
> > it. I hope not, but this is a personal risk decision for the 
> > individual to decide. I can do little to stop you committing 
> > cyber-trespass just as I can do little to stop you robbing a 
> > 7-11. Mind you however, I am a bit of an a*8hole. If I get 
> > involved I will (in my personal time if needs be) map out 
> > every piece of information that you have done and ensure that 
> > every lie you tell to try to worm out (aimed at those who 
> > still try to do this act) of the consequences is proved 
> > beyond a reasonable doubt in court.
> >    
> >
> > > Animus nocendi or a mind to harm reference the precise 
> > >      
> > familiarity of illegal content of behaviour, and of its 
> > possible consequences. Now that you have read this post, it 
> > may be argued that you have come to understand that there are 
> > consequences for your actions if you choose to still attack a 
> > system (aimed at those who do). Please feel free to flame me 
> > as reading this post effectively provides the essential 
> > condition to give a penal condemnation if you still choose to 
> > violate the law by breaking into systems and causing damage.
> >    
> >
> > > Regards,
> > >
> > > Craig
> > >
> > >
> > >
> > > PS
> > >
> > > So called.. NON-Malicous attacks have caused the following 
> > >      
> > events to occur
> >    
> >
> > > 1   Loss of human life (though systems damage)
> > >
> > > 2   Insolvancy and the resultant human costs (lost jobs, etc)
> > >
> > > so much for no damage... PPS even longer rant as to each of 
> > >      
> > these with statistical data available ;)
> >    
> >
> > > Liability limited by a scheme approved under Professional 
> > >      
> > Standards Legislation in respect of matters arising within 
> > those States and Territories of Australia where such 
> > legislation exists.
> >    
> >
> > > DISCLAIMER
> > > The information contained in this email and any attachments 
> > >      
> > is confidential. If you are not the intended recipient, you 
> > must not use or disclose the information. If you have 
> > received this email in error, please inform us promptly by 
> > reply email or by telephoning +61 2 9286 5555. Please delete 
> > the email and destroy any printed copy.  
> >    
> >
> > > Any views expressed in this message are those of the 
> > >      
> > individual sender. You may not rely on this message as advice 
> > unless it has been electronically signed by a Partner of BDO 
> > or it is subsequently confirmed by letter or fax signed by a 
> > Partner of BDO.
> >    
> >
> > > BDO accepts no liability for any damage caused by this email 
> > >      
> > or its attachments due to viruses, interference, 
> > interception, corruption or unauthorised access.
> >    
> >
> > > -------------------------------------------------------------
> > >      
> > --------------
> >    
> >
> > > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > > The Norwich University program offers unparalleled Infosec 
> > >      
> > management 
> >    
> >
> > > education and the case study affords you unmatched 
> > >      
> > consulting experience. 
> >    
> >
> > > Tailor your education to your own professional goals with degree 
> > > customizations including Emergency Management, Business 
> > >      
> > Continuity Planning, 
> >    
> >
> > > Computer Emergency Response Teams, and Digital Investigations. 
> > >
> > > http://www.msia.norwich.edu/secfocus
> > > -------------------------------------------------------------
> > >      
> > --------------
> >    
> >
> > >      
> >
> > --------------------------------------------------------------
> > -------------
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The Norwich University program offers unparalleled Infosec management 
> > education and the case study affords you unmatched consulting 
> > experience. 
> > Tailor your education to your own professional goals with degree 
> > customizations including Emergency Management, Business 
> > Continuity Planning, 
> > Computer Emergency Response Teams, and Digital Investigations. 
> >
> > http://www.msia.norwich.edu/secfocus
> > --------------------------------------------------------------
> > -------------
> >
> >    
>
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Tailor your education to your own professional goals with degree 
> customizations including Emergency Management, Business Continuity Planning, 
> Computer Emergency Response Teams, and Digital Investigations. 
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>
>
>  


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------