Firewall Wizards mailing list archives
RE: OK, I've been hacked, now what?
From: sedwards () sedwards com
Date: Thu, 6 May 1999 14:01:31 -0700 (PDT)
Quoted bits below are from replies already posted. Attribution has been discarded to help keep this from becoming personal -- let's put this flame-fest to bed soon :)

First off, hackers are not white knights saving damsels in distress. They are thugs who use keyboards instead of clubs. Hackers do not perform a public service -- they exploit people and property to feed their own egos and wallets. Yes, I know the difference between a "cracker" and a "hacker." Let me clue you in -- that linguistic war has already been lost. You have as much chance restoring "honor" to the title "hacker" as you would trying to restore "gay" to mean "happy." The individuals who earned "the title formerly known as hacker" follow a more ethical road -- beat on systems they own or have permission to access, discover flaws and notify vendors. Oh, and publicly embarrass the vendor if they are unresponsive :) They don't break into other people's systems or publish scripts to allow other ethically challenged individuals to do so.
> Now I am not aware of the hacking incident; more information may be more helpful here.
I'll silently note that a lack of facts hasn't impeded your rush to the soap box and use this incident to spread the word on Kevin Mitnick :)
> what injustices are happening. In fact go take a look now... http://www.kevinmitnick.com/home.html
Been there, done that, didn't get the T-shirt. Kevin is a criminal. He may be getting more than he bargained for, he may be getting more than he should, but he chose his "career path."

Posts have stated that the hacker has done no real damage to his victim because the insurance company will pick up the tab. Whether the victim is insured for the loss or not is not relevant -- it's still a crime. If the victim is insured, the loss is transferred to the insurance company who will then attempt to recover. It's clear in their mind who is liable. Many of the justifications of hackers ignore the fact that they cause real economic damage to real people. Even when their victim is a faceless corporation it affects people. Ask the newly unemployed security officer. Ask yourself the next time you write a check for your insurance premiums. If I was the victim of the attack that started this discourse, the $7,500 in hard, cold, un-inflated, out of pocket costs would definitely impact my ability to pay my mortgage!

Posts have stated that it is the victim's fault that they didn't protect their assets better. Whether the victim (through ignorance, lack of resources, or lack of care) protected its assets or not is irrelevant. Even if I leave my car in my driveway with the keys in the ignition and the engine running, this does not give you the right to steal it. The police will say I was stupid but they will investigate. The District Attorney will say I was stupid but they will prosecute. The insurance company (if any) will say I was stupid but they will still pay the claim and they will still attempt to recover their loss if the criminal is apprehended.

Analogies are frequently used to help us understand this new cyber community that we are building. I'll try these two to help illustrate my views.

1) Let's turn back the clock a couple of hundred years. Instead of making our living tapping on keyboards we raise chickens. Our friendly hacker has discovered that if you open the unlocked gate to your coop and put a freshly slaughtered lamb in the doorway, the coyotes will eat all your chickens. Imagine the look of surprise on the hacker's face when he is publicly executed for demonstrating (without permission) this to all of his neighbors.

2) Our friendly hacker walks in through your unlocked door one evening and confronts your significant other whom he rapes and then he leaves. Since he did not break in and did not take anything tangible or damage any property, has he committed no crime?

Posts have said that since the victim failed to take what the hacker defines as appropriate measures to prevent loss, that it is the victim's fault and they got what they deserved. This is ignorant and displays a basic character flaw in the speaker - they don't know right from wrong. Trespassing is wrong. Invasion of privacy is wrong. We, as in most civilized communities, believe in a basic right to life, liberty and the pursuit of happiness. That includes nobody messing with your stuff without your permission.
> In fact is breaking into a system as bad as murder? To what extent is computer crime on par with?
I think I prefer the rape analogy. Nothing tangible was broken or stolen, but everyone knows a crime has been committed.
> It makes perfect sense to me that the cost of identifying and eliminating a security hole is not the fault of the hacker. I'm curious why you think it is the hacker's fault that you have a vulnerability?
I don't think it is the hacker's fault that the victim had that particular security hole. The fact that he exploited it and caused financial harm to the victim makes him guilty of a crime and liable for the victim's expenses. He didn't pick up the phone or drop an email, he chose to feed his ego at the victim's expense. In physical terms, if my home is broken into and my stereo is nicked, the criminal is liable for the cost of the stereo, the cost of identifying the point of entry and the cost of repairing or replacing (to its original state) the point of entry. He is not liable for the cost differential when I choose to replace the no-name hollow-core door with a "Stanley" steel door and a self contained cesium based time lock. My original guestimate of the cost of the intrusion did not include any costs for anything unrelated to restoring the site to its previous state: restoring the site from tape, determining the extent of the intrusion, identifying the point of entry, and deleting the offending CGI. If you read any insurance policy you will see that one of the conditions of compensation is that the insured take reasonable steps to prevent further loss -- my actions were reasonable. The only component of my guestimate that I would have expected anyone to question is the replacement cost of the disk drives -- they have been set aside to be retained as evidence so they are as good as dead to me :)
> OK, were these CGI's from a vendor or not? If they are, why not prosecute the vendor too?
I like this idea. However, I'm willing to bet lunch that if I haven't already given up this "right," some lawyer is busy working on it right now.
> You are adding development costs of increasing security into the cost of the break in.
I think your original estimate of the scope of recovery: "cp original.html index.html" approximates my actual scope for "increasing security:" "rm cgi-bin/handler" The cost is not the cost of pushing the button, it's figuring out which button to push :)
> Assumption: One's site is insecure always. It's like a team developing software, if bugs are found it's to be expected, if you place a site on the internet, I would happily expect some attempt at the site, and would advocate that to the project team.
An interesting approach to security I doubt is shared by your employer. We took every step we had the resources to implement -- we were tripped up by an admin propagating a script from an SGI staging host to a Sun production host. Now that the value of security has been demonstrated, I have more resources. (Please don't suggest that in some twisted way the hacker did me a favor.)
> Just think of a hacker who did target your machine, entered it, and left, everything remains the same, would you have grounds to prosecute? Would you? Or would you be more likely to discuss the break in with the hacker who may wish to share with you your weaknesses?
Yes, yes, and yes.
> So who is responsible for the cost of these actions? Insurance company ;-)
Bzzt -- wrong, but thank you for playing. The correct answer is: the criminal is liable. If there weren't criminals breaking into systems, we wouldn't need to waste money on insurance.
> I wouldn't feel sorry if Microsoft kept NT5 on a machine on the Internet, without it being protected and it was stolen. That's stupidity.
Again, stupidity does not justify crime.
> Why not just leave your doors open to your car?
If I choose to do so, it is not an engraved invitation for you to steal it. Hey, I've got a great idea, let's go down to the local biker bar. I'm sure we'll find an appreciative audience there. We can show them how easy it was to hot-wire their hogs. Wait a second -- I hear the phone ringing. You go ahead, I'll just be a few minutes :)

Has this horse taken its last breath?

Thanks in advance,
------------------------------------------------------------------------
Steve Edwards sedwards () sedwards com
Voice: +1-760-723-2727 PST
Newline Pager: +1-760-740-1220
Fax: +1-760-731-3000