RE: How hackers cause damage...

["Craig Wright" <cwright () bdosyd com au>]

> For one last time: why do you believe it would be helpful to prosecute
the person that *exploited* a vulnerability rather than the person that
*created* the vulnerability?

I believe that there are two parts to this.

1       The person who "created" the vulnerability may or may not be
responsible based on the particular case. They may be liable to
prosecution and in SOME cases they at least should be and in some they
are charged. This comes to an issue of due care.
        You have to separate the responsible party. Was it the company
who designed the software? Was it the company who installed it. Was it
the computer administrator? Etc. This is a far more complex answer than
point 2 and comes down to the individual case/incident.
        The creator of a virus IS responsible.
        "Security Companies" that do not lock down systems or give
"half-assed" vulnerability assessments and/or audits SHOULD be liable.
SHOULD be criminally liable. I have no argument here.

2       The person who "exploited" the vulnerability has consciously and
deliberately with full intention gone out of the way to do something
that is considered wrong by the majority of society. This is again
intent. If it was an accident (truly) than there is no Mens Rea and none
of the "hacking" offences are strict liability (I do not know German
law, but I would assume not as they come under the EC conventions). Thus
"accidentally" doing something does not make you liable contrary to what
you may think.

As for "not that there aren't enough clueful people" have a think about
the time to secure a system v the number of systems v the number of
people trained in IT in total (i.e. not just IT Security).

How long does it take to complete a full (not just a quickie pen test)
audit of a system? By this I mean a complete file level analysis of all
binaries as well. Don't get me wrong, it would be good for profitability
:) but it is not realistic.

Next experienced IT Security people cost money. Every hospital has a
large number of systems. Having enough people to completely secure all
the systems to the idea is not economically feasible. Take this up with
government if you like- I have nothing to do with medical funding. Every
IT Security person is 2-3 nurses that could be employed by the hospital.


Regards
Craig


-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: 3 March 2006 11:08
To: Craig Wright
Subject: Re: How hackers cause damage...

On 2006-03-03 Craig Wright wrote:
> > That's pretty obvious, because if life was more important, measures
> > would have been taken *before* an incident could have happened
>
> Assuming all people know and understand IT let alone IT security. This

> is not the case. Even where there are clear lines of criminal
> responsibility for negligence - systems are not always secured.

I didn't say they were. I said they should be.

> HIPPA in the US, NPP4 in Australia etc etc give provision for criminal

> responsibility for systems administrators who have failed to
> adequately secure systems, but this is of little comfort to the
> families of somebody who gets to sue them. Most of these people do not

> know what they have to do.

Fire them and get someone who does. Again, contrary to your belief there
are enough people who know (or can be trained to know) what to do. I
don't believe things are so much worse in Australia than they are here
in Germany.

> For all your belief Ansgar there are not enough *trained* and
> *experienced* security people to do everything. The opinion "It's just

> that there are too many clueless people." is true I am sorry to say.
> This is one of the flaws in your argument/thesis. There can not be
> both too many people who do not understand and also enough people to
> secure everything.

Why, of course there can. Having too many clueless people just means
that you have a harder time finding a clueful one, not that there aren't
enough clueful people.

> PS Try not to get upset. You lose weight of argument to emotion.

I'm getting annoyed, not upset, because you seem to continually ignore
most anything I'm saying. For one last time: why do you believe it would
be helpful to prosecute the person that *exploited* a vulnerability
rather than the person that *created* the vulnerability?

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------