RE: OK, I've been hacked, now what?

[Chris Tobkin <tobkin () tobkin com>]

Here's my two cents..

> Posts have stated that it is the victim's fault that they didn't protect
> their assets better. Whether the victim (through ignorance, lack of
> resources, or lack of care) protected its assets or not is irrelevant.
> Even if I leave my car in my driveway with the keys in the ignition and
> the engine running, this does not give you the right to steal it. The
> police will say I was stupid but they will investigate. The District
> Attorney will say I was stupid but they will prosecute. The insurance
> company (if any) say I was stupid but they will still pay the claim and
> they will still attempt to recover their loss if the criminal is
> apprehended.

No, I'm sorry, but the insurance company will not pay your claim if they find
the keys in the recovered car.. This is because Insurance companies do not
want to pay out if you were dumb enough to do something like leave your keys
in your car.  Actually I was told by a patrolman that this is a felony, but
I don't trust him any farther than I can kick him.

> 2) Our friendly hacker walks in through your unlocked door one evening and
> confronts your significant other whom he rapes and then he leaves. Since
> he did not break in and did not take anything tangible or damage any
> property, has he committed no crime?

He won't be charged with breaking and entering, but with rape, yes, he will 
be prosecuted.  

How about this
3) You buy a car with a remote keyless entry system.  A few months, maybe a
year later you get a recall notice from the manufacturer saying that a fault
in the keyless entry system will allow a person to open your car doors and 
take stuff out of your car.  You don't go in for the recall because you just
didn't have the time to spare.  A few months later your laptop is stolen out
of your car and you somehow find the cause to be faulty remote keyless entry
system.  I think this would be your fault since you were a) made aware of 
the problem; b) given time to correct it; and c) since you disregarded the
notice you assumed the liability. 

Yes, if the police find the person that took your laptop they would be likely
to prosecute the person, but they would be very unhelpful un finding the person
due to a large cause of the problem being your carelessness.

> Posts have said that since the victim failed to take what the hacker
> defines as appropriate measures to prevent loss, that it is the victim's
> fault and they got what they deserved. This is ignorant and displays a
> basic character flaw in the speaker - they don't know right from wrong.
> Trespassing is wrong. Invasion of privacy is wrong. We, as in most
> civilized communities, believe in a basic right to life, liberty and the
> pursuit of happiness. That includes nobody messing with your stuff without
> your permission.

But we also have little sympathy for those that do stupid things such as leave
their keys in their cars and then complain when it gets stolen.  This is common
sense.  If you don't have that common sense then this was a learning 
experience, and potentially a costly one.

> > In fact is breaking in to a system as bad as murder? To what extent is
> > computer crime on par with?
>
> I think I prefer the rape analogy. Nothing tangible was broken or stolen,
> but everyone knows a crime has been committed.

I agree with this with the exception that it has to be malicious hacking.  If
someone uses a well-known exploit breaks in and looks around but doesn't do
anything malicious, then there has really been no harm done that didn't exist
in the first place.  If the person breaking in sends mail to the sysadmin and
says 'you have a problem, look at this', then the person should not be 
prosecuted, but thanked.

> > It makes perfect sense to me that the cost of identifying and
> > eliminating a security hole is not the fault of the hacker. I'm
> > curious why you think it is the hacker's fault that you have a
> > vulnerability?
>
> I don't think it is the hacker's fault that the victim had that particular
> security hole. The fact that he exploited it and caused financial harm to
> the victim makes him guilty of a crime and liable for the victim's
> expenses. He didn't pick up the phone or drop an email, he chose to feed
> his ego at the victim's expense.

Again, you assume that this is a mailicious hacking.  I don't find any new
financial expense being made after someone breaks into a system and just
changes the homepage and leaves a link to the old default page.

> In physical terms, if my home is broken into and my stereo is nicked, the
> criminal is liable for the cost of the stereo, the cost of identifying the
> point of entry and the cost of repairing or replacing (to its original
> state) the point of entry. He is not liable for the cost differential when
> I choose to replace the no-name hollow-core door with a "Stanley" steel
> door and a self contained cesium based time lock.

I tend to think that if he nicks your stereo then he may be liable for the
cost of the stereo but that's not only someone breaking in, that could be
your best friend that's over having a few beers too.

> > OK, were these CGI's from a vendor or not?  If they are, why not
> > prosecute the vendor too?
>
> I like this idea. However, I'm willing to bet lunch that if I haven't
> already given up this "right," some lawyer is busy working on it right
> now.

I do too... This may ultimately be their fault.  Unless they have some obscure
place where they can say "he should have read the installation manual" or
"the fix was on our web site months ago."

> > You are adding development costs of increasing security in to the cost
> > of the break in.
>
> I think your original estimate of the scope of recovery:
>
>       "cp original.html index.html"
>
> approximates my actual scope for "increasing security:"
>
>       "rm cgi-bin/handler"
>
> The cost is not the cost of pushing the button, its figuring out which
> button to push :)

I see this as being part of the ongoing cost of security.  Either you pay up
front or you pay more in the end.  If you don't keep your systems secure, 
then you end up spending the money on finding the problem after the fact.  
Just as if you don't fix a conceptual problem in one of your programs early
on and then try to fix it much much later, it becomes much much harder to 
fix.

> > Assumption: One's site is insecure always. It's like a team developing
> > software, if bugs are found it's to be expected, if you place a site
> > on the internet, I would happily expect some attempt at the sight, and
> > would advocate that to the project team.
>
> An interesting approach to security I doubt is shared by your employer. We
> took every step we had the resources to implement -- we were tripped up by
> an admin propagating a script from an SGI staging host to a Sun production
> host. Now that the value of security has been demonstrated, I have more
> resources. (Please don't suggest that in some twisted way the hacker did
> me a favor.)

So the problem here was that your company was careless.  I see these types 
of things as live-and-learn.  Yes, hackers are a pain-in-the-ass, but so was
college and they both make us more knowledgable in the end.  Hackers give us
a reason to secure our systems the same way burglars make us lock our doors
at home.  If we don't lock our doors to our house and it's burglarized, the
insurance company will not pay us for our losses and I'd believe that right
or wrong, the court will find in the insurance company's favor and have 
little sympathy for us.

> > Just think of a hacker who did target you machine, entered it, and
> > left, everything remain the same, would you have ground to prosecute?  
> > Would you?  Or would you be more likey to discuss the break in with
> > the hacker who may wish to share with you your weaknesses?
>
> Yes, yes, and yes.

Doubtful.  No actual harm was done, no party is worse off than what they were
to begin with.  You'd have a hard time justifying a cost here.

> > > So who is responsible for the cost of these actions?
> > Insurance company ;-)
>
> Bzzt -- wrong, but thank you for playing. The correct answer is: the
> criminal is liable. If there weren't criminals breaking into systems, we
> wouldn't need to waste money on insurance.

In the end, yes, if they are caught.  If not, then it goes back to 'If the 
blame can be assigned to the victim beyond a reasonable doubt, the insurance
company will probably not pay.'

// chris
tobkin () tobkin com