Firewall Wizards mailing list archives

RE: OK, I've been hacked, now what?


From: sedwards () sedwards com
Date: Thu, 6 May 1999 14:01:31 -0700 (PDT)

Quoted bits below are from replies already posted. Attribution has been
discarded to help keep this from becoming personal -- let's put this
flame-fest to bed soon :)

First off, hackers are not white knights saving damsels in distress. They
are thugs who use keyboards instead of clubs.

Hackers do not perform a public service -- they exploit people and
property to feed their own egos and wallets.

Yes, I know the difference between a "cracker" and a "hacker." Let me clue
you in -- that linguistic war has already been lost. You have as much
chance restoring "honor" to the title "hacker" as you would trying to
restore "gay" to mean "happy."

The individuals who earned "the title formerly known as hacker" follow a
more ethical road -- beat on systems they own or have permission to
access, discover flaws and notify vendors. Oh, and publicly embarrass the
vendor if they are unresponsive :)

They don't break into other people's systems or publish scripts to allow
other ethically challenged individuals to do so.

> Now I am not aware of the hacking incident, more information may be
> more helpful here.

I'll silently note that a lack of facts hasn't impeded your rush to the
soap box and use this incident to spread the word on Kevin Mitnick :)

> what injustices are happening. In fact go take a look now...
> http://www.kevinmitnick.com/home.html

Been there, done that, didn't get the T-shirt. Kevin is a criminal. He may
be getting more than he bargained for, he may be getting more than he
should, but he chose his "career path."

Posts have stated that the hacker has done no real damage to his victim
because the insurance company will pick up the tab. Whether the victim is
insured for the loss or not is not relevant -- it's still a crime. If the
victim is insured, the loss is transferred to the insurance company who
will then attempt to recover. It's clear in their mind who is liable.

Many of the justifications of hackers ignore the fact that they cause real
economic damage to real people. Even when their victim is a faceless
corporation it affects people. Ask the newly unemployed security officer.
Ask yourself the next time you write a check for your insurance premiums.
If I were the victim of the attack that started this discourse, the $7,500
in hard, cold, un-inflated, out of pocket costs would definitely impact my
ability to pay my mortgage!

Posts have stated that it is the victim's fault that they didn't protect
their assets better. Whether the victim (through ignorance, lack of
resources, or lack of care) protected its assets or not is irrelevant.
Even if I leave my car in my driveway with the keys in the ignition and
the engine running, this does not give you the right to steal it. The
police will say I was stupid but they will investigate. The District
Attorney will say I was stupid but they will prosecute. The insurance
company (if any) will say I was stupid but they will still pay the claim
and they will still attempt to recover their loss if the criminal is
apprehended.

Analogies are frequently used to help us understand this new cyber
community that we are building. I'll try these two to help illustrate my
views.

1) Let's turn back the clock a couple of hundred years. Instead of making
our living tapping on keyboards we raise chickens. Our friendly hacker has
discovered that if you open the unlocked gate to your coop and put a
freshly slaughtered lamb in the doorway, the coyotes will eat all your
chickens. Imagine the look of surprise on the hacker's face when he is
publicly executed for demonstrating (without permission) this to all of
his neighbors.

2) Our friendly hacker walks in through your unlocked door one evening and
confronts your significant other whom he rapes and then he leaves. Since
he did not break in and did not take anything tangible or damage any
property, has he committed no crime?

Posts have said that since the victim failed to take what the hacker
defines as appropriate measures to prevent loss, that it is the victim's
fault and they got what they deserved. This is ignorant and displays a
basic character flaw in the speaker -- they don't know right from wrong.
Trespassing is wrong. Invasion of privacy is wrong. We, as in most
civilized communities, believe in a basic right to life, liberty and the
pursuit of happiness. That includes nobody messing with your stuff without
your permission.

> In fact is breaking into a system as bad as murder? To what extent is
> computer crime on par with?

I think I prefer the rape analogy. Nothing tangible was broken or stolen,
but everyone knows a crime has been committed.

> It makes perfect sense to me that the cost of identifying and
> eliminating a security hole is not the fault of the hacker. I'm
> curious why you think it is the hacker's fault that you have a
> vulnerability?

I don't think it is the hacker's fault that the victim had that particular
security hole. The fact that he exploited it and caused financial harm to
the victim makes him guilty of a crime and liable for the victim's
expenses. He didn't pick up the phone or drop an email, he chose to feed
his ego at the victim's expense.

In physical terms, if my home is broken into and my stereo is nicked, the
criminal is liable for the cost of the stereo, the cost of identifying the
point of entry and the cost of repairing or replacing (to its original
state) the point of entry. He is not liable for the cost differential when
I choose to replace the no-name hollow-core door with a "Stanley" steel
door and a self-contained cesium-based time lock.

My original guestimate of the cost of the intrusion did not include any
costs for anything unrelated to restoring the site to its previous state:
restoring the site from tape, determining the extent of the intrusion,
identifying the point of entry, and deleting the offending CGI. If you
read any insurance policy you will see that one of the conditions of
compensation is that the insured take reasonable steps to prevent further
loss -- my actions were reasonable. The only component of my guestimate
that I would have expected anyone to question is the replacement cost of
the disk drives -- they have been set aside to be retained as evidence so
they are as good as dead to me :)

> OK, were these CGI's from a vendor or not?  If they are, why not
> prosecute the vendor too?

I like this idea. However, I'm willing to bet lunch that if I haven't
already given up this "right," some lawyer is busy working on it right
now.

> You are adding development costs of increasing security in to the cost
> of the break in.

I think your original estimate of the scope of recovery:

        "cp original.html index.html"

approximates my actual scope for "increasing security:"

        "rm cgi-bin/handler"

The cost is not the cost of pushing the button, it's figuring out which
button to push :)

> Assumption: One's site is insecure always. It's like a team developing
> software, if bugs are found it's to be expected, if you place a site
> on the internet, I would happily expect some attempt at the site, and
> would advocate that to the project team.

An interesting approach to security I doubt is shared by your employer. We
took every step we had the resources to implement -- we were tripped up by
an admin propagating a script from an SGI staging host to a Sun production
host. Now that the value of security has been demonstrated, I have more
resources. (Please don't suggest that in some twisted way the hacker did
me a favor.)

> Just think of a hacker who did target your machine, entered it, and
> left, everything remained the same, would you have grounds to prosecute?
> Would you?  Or would you be more likely to discuss the break in with
> the hacker who may wish to share with you your weaknesses?

Yes, yes, and yes.

> So who is responsible for the cost of these actions?
> Insurance company ;-)

Bzzt -- wrong, but thank you for playing. The correct answer is: the
criminal is liable. If there weren't criminals breaking into systems, we
wouldn't need to waste money on insurance.

> I wouldn't feel sorry if Microsoft kept NT5 on a machine on the
> Internet, without it being protected and it was stolen. That's
> stupidity.

Again, stupidity does not justify crime.

> Why not just leave your doors open to your car?

If I choose to do so, it is not an engraved invitation for you to steal
it.

Hey, I've got a great idea, let's go down to the local biker bar. I'm sure
we'll find an appreciative audience there. We can show them how easy it
was to hot-wire their hogs. Wait a second -- I hear the phone ringing. You
go ahead, I'll just be a few minutes :)

Has this horse taken its last breath?

Thanks in advance,
------------------------------------------------------------------------
Steve Edwards      sedwards () sedwards com      Voice: +1-760-723-2727 PST
Newline            Pager: +1-760-740-1220           Fax: +1-760-731-3000