Firewall Wizards mailing list archives
RE: OK, I've been hacked, now what?
From: Chris Tobkin <tobkin () tobkin com>
Date: Mon, 10 May 1999 11:05:28 -0500 (CDT)
Here's my two cents..
> Posts have stated that it is the victim's fault that they didn't protect their assets better. Whether the victim (through ignorance, lack of resources, or lack of care) protected its assets or not is irrelevant. Even if I leave my car in my driveway with the keys in the ignition and the engine running, this does not give you the right to steal it. The police will say I was stupid but they will investigate. The District Attorney will say I was stupid but they will prosecute. The insurance company (if any) will say I was stupid but they will still pay the claim and they will still attempt to recover their loss if the criminal is apprehended.

No, I'm sorry, but the insurance company will not pay your claim if they find the keys in the recovered car. This is because insurance companies do not want to pay out if you were dumb enough to do something like leave your keys in your car. Actually I was told by a patrolman that this is a felony, but I don't trust him any farther than I can kick him.
> 2) Our friendly hacker walks in through your unlocked door one evening and confronts your significant other, whom he rapes, and then he leaves. Since he did not break in and did not take anything tangible or damage any property, has he committed no crime?

He won't be charged with breaking and entering, but with rape, yes, he will be prosecuted.

How about this: 3) You buy a car with a remote keyless entry system. A few months, maybe a year later, you get a recall notice from the manufacturer saying that a fault in the keyless entry system will allow a person to open your car doors and take stuff out of your car. You don't go in for the recall because you just didn't have the time to spare. A few months later your laptop is stolen out of your car and you somehow find the cause to be the faulty remote keyless entry system. I think this would be your fault since you were a) made aware of the problem; b) given time to correct it; and c) since you disregarded the notice, you assumed the liability. Yes, if the police find the person that took your laptop they would be likely to prosecute the person, but they would be very unhelpful in finding the person due to a large cause of the problem being your carelessness.
> Posts have said that since the victim failed to take what the hacker defines as appropriate measures to prevent loss, that it is the victim's fault and they got what they deserved. This is ignorant and displays a basic character flaw in the speaker - they don't know right from wrong. Trespassing is wrong. Invasion of privacy is wrong. We, as in most civilized communities, believe in a basic right to life, liberty and the pursuit of happiness. That includes nobody messing with your stuff without your permission.

But we also have little sympathy for those that do stupid things such as leave their keys in their cars and then complain when they get stolen. This is common sense. If you don't have that common sense then this was a learning experience, and potentially a costly one.
>> In fact, is breaking in to a system as bad as murder? To what extent is computer crime on par with it?

> I think I prefer the rape analogy. Nothing tangible was broken or stolen, but everyone knows a crime has been committed.

I agree with this, with the exception that it has to be malicious hacking. If someone uses a well-known exploit, breaks in and looks around but doesn't do anything malicious, then there has really been no harm done that didn't exist in the first place. If the person breaking in sends mail to the sysadmin and says 'you have a problem, look at this', then the person should not be prosecuted, but thanked.
>> It makes perfect sense to me that the cost of identifying and eliminating a security hole is not the fault of the hacker. I'm curious why you think it is the hacker's fault that you have a vulnerability?

> I don't think it is the hacker's fault that the victim had that particular security hole. The fact that he exploited it and caused financial harm to the victim makes him guilty of a crime and liable for the victim's expenses. He didn't pick up the phone or drop an email; he chose to feed his ego at the victim's expense.

Again, you assume that this is malicious hacking. I don't find any new financial expense being made after someone breaks into a system and just changes the homepage and leaves a link to the old default page.
> In physical terms, if my home is broken into and my stereo is nicked, the criminal is liable for the cost of the stereo, the cost of identifying the point of entry and the cost of repairing or replacing (to its original state) the point of entry. He is not liable for the cost differential when I choose to replace the no-name hollow-core door with a "Stanley" steel door and a self-contained cesium-based time lock.

I tend to think that if he nicks your stereo then he may be liable for the cost of the stereo, but that's not only someone breaking in; that could be your best friend that's over having a few beers too.
>> OK, were these CGIs from a vendor or not? If they are, why not prosecute the vendor too?

> I like this idea. However, I'm willing to bet lunch that if I haven't already given up this "right," some lawyer is busy working on it right now.

I do too... This may ultimately be their fault. Unless they have some obscure place where they can say "he should have read the installation manual" or "the fix was on our web site months ago."
>> You are adding development costs of increasing security into the cost of the break-in.

> I think your original estimate of the scope of recovery: "cp original.html index.html" approximates my actual scope for "increasing security:" "rm cgi-bin/handler". The cost is not the cost of pushing the button, it's figuring out which button to push :)

I see this as being part of the ongoing cost of security. Either you pay up front or you pay more in the end. If you don't keep your systems secure, then you end up spending the money on finding the problem after the fact. Just as if you don't fix a conceptual problem in one of your programs early on and then try to fix it much, much later, it becomes much, much harder to fix.
>> Assumption: One's site is insecure always. It's like a team developing software: if bugs are found it's to be expected. If you place a site on the internet, I would happily expect some attempt at the site, and would advocate that to the project team.

> An interesting approach to security I doubt is shared by your employer. We took every step we had the resources to implement -- we were tripped up by an admin propagating a script from an SGI staging host to a Sun production host. Now that the value of security has been demonstrated, I have more resources. (Please don't suggest that in some twisted way the hacker did me a favor.)

So the problem here was that your company was careless. I see these types of things as live-and-learn. Yes, hackers are a pain-in-the-ass, but so was college, and they both make us more knowledgeable in the end. Hackers give us a reason to secure our systems the same way burglars make us lock our doors at home. If we don't lock the doors to our house and it's burglarized, the insurance company will not pay us for our losses, and I'd believe that, right or wrong, the court will find in the insurance company's favor and have little sympathy for us.
>> Just think of a hacker who did target your machine, entered it, and left, everything remaining the same. Would you have grounds to prosecute? Would you? Or would you be more likely to discuss the break-in with the hacker, who may wish to share with you your weaknesses?

> Yes, yes, and yes.

Doubtful. No actual harm was done; no party is worse off than they were to begin with. You'd have a hard time justifying a cost here.
>>> So who is responsible for the cost of these actions?

>> Insurance company ;-)

> Bzzt -- wrong, but thank you for playing. The correct answer is: the criminal is liable. If there weren't criminals breaking into systems, we wouldn't need to waste money on insurance.

In the end, yes, if they are caught. If not, then it goes back to 'If the blame can be assigned to the victim beyond a reasonable doubt, the insurance company will probably not pay.'

// chris tobkin () tobkin com