Information Security News mailing list archives

Re: Computer crime: Changing the public's perception (fwd)


From: security curmudgeon <jericho () ATTRITION ORG>
Date: Wed, 25 Oct 2000 00:27:28 -0600

[My comments are in brackets. - Brian]

Forwarded By: kelley <kwalker2 () gte net>

http://www.herald.com/content/mon/business/tech/digdocs/076302.htm

You remember Jonathan James? He made national news a couple of weeks
ago. You know, he's that nice 16-year-old young man convicted of
hacking into computers at the Pentagon, NASA, BellSouth, the
Miami-Dade school system and many other places. That's pretty funny.
Right?

Can you imagine that some nasty judge put him in jail? Young Jonathan
put it so well when he said, ``I don't think they should be putting a
kid in jail because he proved they don't have very good security.''

Fortunately, poor misunderstood Jonathan didn't delete files or infect
any computers with viruses while he was engaged in his youthful
mischief. As his father put it, ``All he did was go look at top secret
government information.''

Hey, you know what they say -- values come from the home. I can see
where Jonathan learned his.

[wrong or not, the point is valid. what morons running these systems are
allowing even *sensitive*, let alone *secret*, let alone *TOP SECRET* to
remain on public connected machines? why aren't the admins and managers
who are violating US Law and military regulations being put in jail too?
why do they continue to draw taxpayer-funded income when they are
violating US Law, just like this hacker did? yes, the hacker broke the
law. yes, he may deserve to be in jail. yes, the people that put the
sensitive information there in the first place should be sharing the cell
with young Jonathan.]

His father described his son as contrite. I guess that the obscene
gesture he made at the courthouse to a photographer was yet another
minor aberration.

Jonathan was lucky I wasn't the judge.

Computer crime isn't a joke. This attitude that he did them a favor by
showing them that their security was bad is warped -- absolutely and
completely warped.

I suppose that Daddy James would be the first one thanking the burglar
for breaking into his poorly secured home if the burglar only looked
at his most private and personal possessions, but didn't take
anything.

We're at a point where computers are an essential part of our
society's infrastructure. Any crime that touches the infrastructure of
our society is by definition a significant crime.

[Ok, so apply this same standard to ALL the people involved that made this
crime possible. Apply the same standards to Jonathan, the admin of the
system that did not secure it, the managers and the powers that be who
determined the information should be online at all. It is a nice luxury
for short-sighted and malicious journalists to use double standards here.]

The ``ILOVEYOU'' virus a few months ago is yet another example of the
types of problems that can come from computer crime. ``ILOVEYOU''
disrupted businesses, governments, and people worldwide. We cannot
permit these sorts of things to happen.

``ILOVEYOU'' demonstrates that every computer has the capability of
being a weapon of mass disruption, even destruction. As we become even
more dependent on computers, hackers will have even more opportunities
to cause mass disruption or destruction.

[Oh, this isn't overly dramatic, no... It is amusing to see that you
don't point out that these 'weapons of mass destruction' were ALL Windows
systems. Why don't you hold the creators of Windows even marginally
responsible? Oh can't do that, gotta blame those evil hacker types. Great
scapegoat and all.]

``Wasn't it cool when I turned off the air traffic control system?''
``Wasn't it great when I turned off all the respirators in the
hospital from home?'' I assure you that it's just a matter of time
before the things hackers do become even more outrageous and
dangerous.

Hey why not? As young Jonathan put it, ``All the girls thought it was
cool.'' If you're a male over about age 14, what more reason do you
need to do something really stupid.

The problem with security, whether it's hi-tech computer security or
physical security is that ``perfect'' is an impossible goal. The goal
is reasonable security.

[Really? Seems to me people have proven computer systems can get pretty
damn close to 'perfect'. The problem is that the end user is naive and
scared of computers. They demand point and drool interfaces that require
an IQ two points above a lemming. Because of this, security is sacrificed
for the masses.]

Everybody can and should implement three basic security concepts. You
should start by controlling physical and logical access to sensitive
information. Your methods could include passwords and encryption.

[Wow. You just condemned the right person and didn't even know it. Where
were the good passwords and encryption on the sensitive files Jonathan
accessed? Oops.]

Next, you should require individual accountability for sensitive
information and identify those with access. Finally, you need to have
audit trails that show who accessed what information. Your audit trail
should be able to answer the basic who, what, where, when, why, and
how questions.

[Wait, you condemned Jonathan for these break-ins, calling him a computer
criminal who deserved jail time. Here you flat out say that the admins of
the machines hacked should be accountable. Why don't you mention this in
your misguided and opinionated rant above?]

All too often, we see computer crime as not that big a deal. While the
Computer Abuse Act of 1984 imposes a $250,000 fine or a five-year
prison sentence, or both, for each offense, it just doesn't often work
that way.

[Much like the people that are convicted of murder or rape only serving
four years in prison? But wait, that's ok, just burn the hackers.]

While I don't have any formal study to cite, experience has taught me
that computer crime is generally not sternly punished.

[No formal study to cite? There is an abundance of computer crime
statistics out there. Statistics on computer intrusion are easy to find
(CERT, Attrition, etc). Information on hacker cases and convictions is
available (DOJ). Why can't you cite a study to back your claims?]

We need to have a basic change in attitude about computer crime. What
we must do is use harsh punishment along with reasonable security as
deterrents. We have to deliver the message that hacking and other
computer crimes are so difficult to prevent and the dangers that come
from them are so great that our society simply won't tolerate them.

[Computer crime is not difficult to prevent as a general rule. There are
thousands of networks out there that have suffered no external intrusion
to date. What, are thousands of competent admins all just lucky?]

What Jonathan did wasn't a childish prank. Saying that there were no
horrible consequences from what he did is like justifying drunk
driving by saying, ``But I got home and I didn't have an accident.''

If I'd been the judge in a world with perfect laws, Jonathan wouldn't get
out of jail until he was 21 and would never, never, never earn a living in
any job involving computers or programming. That's punishment. That's a
message to others.

Mark Grossman is a shareholder and chairs the Computer and E-Commerce
Law Group of Becker & Poliakoff, P.A. His website is
http://www.EcomputerLaw.com and his e-mail address is
techlaw () ecomputerlaw com. Research assistant is Andrew Chulock.

[Ahh, the true motivation. Convict them all.. because I am a lawyer and
get paid to do it. I hear sirens, better run Mark.]

ISN is hosted by SecurityFocus.com