Bugtraq mailing list archives

Re: Vulnerabilities in new laws on computer hacking


From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 15 Feb 2006 12:22:07 -0600

--On Saturday, February 11, 2006 16:35:20 +0000 self-destruction () itsbest com wrote:

> It'd be interesting to see if this post gets approved by the moderators
> of bugtraq.
>
> As all of you know, this forum (bugtraq) is constantly monitored not only
> by crackers and infosec professionals, but also by government and
> law-enforcement agencies.
>
> The reason why I'm posting this message is because I'd like to bring
> attention to the new laws on hacking.
>
> As everyone knows, laws on computer hacking are getting tougher. There are,
> however, some negative consequences.
>
> "Advanced societies" are updating computer crime laws faster than the
> rest of the world. This means that new generations of these more
> "advanced societies" will have no clue about how remote computer attacks
> are carried out. Future generations of security "experts" will be among
> the most ignorant in the history of computer security.

That's silly. Researchers know full well how to do this without ever breaking any laws. In fact, most of the best researchers who are finding the bugs and weaknesses in systems never break in to any system not owned by them.

> New generations of teenagers will be scared of doing online exploration.
> I'm not talking about damaging other companies' computer systems. I'm
> talking about accessing them illegally *without* revealing private
> information to the public or harming any data that has been accessed. To
> me, there is a big difference between these two types of attacks but I
> don't think that judges feel the same way. Furthermore, I don't even
> think that judges understand the difference.

To me there is not.  They're my systems.  Stay out, thank you very much.

If you want to learn how to hack, set up your own network, install some OSes, with various patch levels, and hack away. You can learn everything you need to know without ever touching a system you do not own. Get your buddies involved. Hack each other's boxes. But do not hack into systems that do not belong to you. That *should* be illegal and you *should* be prosecuted.

> Now, I'm not saying that I support accessing computer systems illegally.

Yes, you are. You're talking about breaking in to systems that you do not have permission to enter.

> All I'm saying is that by implementing very strict laws on "hacking", we
> will create a generation of ignorant security professionals. I think to
> myself, how the hell will these "more advanced societies" protect
> themselves against cyber attacks in the future?

And you're wrong. I don't have to hack into someone else's equipment to know how to hack into things.

> These new tougher computer laws will, in my opinion, have a tremendous
> negative impact on the defense of these "advanced societies". It almost
> feels to me like we're destroying ourselves.

That's because you have tunnel vision. You think the only way to learn to hack is to attempt to break in to someone else's equipment.

Do locksmiths break in to random houses to learn their craft?

> I know what you're thinking. You can learn about security attacks by
> setting up your own controlled environment and attacking it yourself.
> Well, what I say is that this approach *does* certainly make you a better
> attacker, but nothing can be compared to attacking systems in real world
> scenarios.
>
> Now, I personally know many pentesters and I can say that most of them
> *do* cross the line sometimes when doing online exploration in their own
> free time. However, these guys would *never* harm anything or leak any
> sensitive information to the public. That's because they love what they
> do, and have very strong ethical values when it comes to privacy.

Oh, well that gives me great comfort. Never mind that I can be prosecuted for the break-in because I've violated a law such as GLB, HIPAA, etc. by "allowing" a break-in. I'm glad your friends are so "ethical". If you only think about what's in it for you, you'll always be slanted toward violating the law. Try thinking about the poor victim whose systems you're breaking in to. Put yourself in their shoes and ask yourself, how would I feel if I discovered that someone had entered my systems without my knowledge? Or better yet, how about if I reach in your pocket and take the keys to your car, take it out for a spin, then return it? Are you OK with that? No hard feelings?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
