Firewall Wizards mailing list archives

Re: Recent Attacks


From: David LeBlanc <dleblanc () mindspring com>
Date: Fri, 18 Feb 2000 23:05:45 -0800

At 08:35 PM 2/18/00 -0800, Ryan Russell wrote:

> Then you think Mixter doesn't deserve punishment, or he does and ISS
> doesn't because IS is a "good" tool?

That's a very difficult legal and ethical question that I personally could
argue more than one way.  A security auditing tool does have some
legitimate uses.  I don't think what Mixter wrote has very many (if any)
legitimate uses, nor does it appear the author's intent is to do anything
other than be destructive.

If I were called to judge him, then I'd say that what he's doing isn't
something that I consider right, but I do think it is legal.

> A few other folks say Mixter deserves ...well, something.. they're not
> specific.

_I_ did not say that, so don't treat me as if I did.  I do think the people
who ran the tool and cost people $$ should be held responsible for their
actions.

> We don't even know for sure his stuff was used.

Even if it was, I don't think he's legally liable, unless he gave it to
someone, and said 'run this', in which case he's an accomplice, and could
probably be charged with conspiracy.

> We also don't know the attacker didn't use
> IS to break into the zombie systems.  I've used IS to break into other
> people's systems.  It works real well.

It doesn't do all that well at actually breaking into UNIX systems, though
it is effective at showing you which systems are vulnerable to which
exploit.  There are exceptions, such as default logins.  It is also a great
way to get yourself caught - the thing is horrendously noisy - leaves BIG
tracks.  I doubt it was used - no one has been arrested yet.

This really has nothing to do that I can see with the current discussion.

> If you advocate harsh penalties for malicious "hackers", and then you
> happen to get classified as one due to some idiotic legal wording, where
> does that leave you?  My example is an attempt to personalize the
> situation for the readers of this list.

It is worth thinking about.  The day I break into a system that I don't
have a legal right to attack is the day I'll be really worried.  I haven't
done that yet, and see no reason to start now.

The law enforcement community is getting a bit hyperactive, talking about
invoking the racketeering laws, which is probably the biggest breach of our
constitutional rights I'm aware of - the thing strips you of all your
assets unless you can prove you obtained them legally.  What would bother
me is if they tried to make writing penetration testing tools illegal, but
the precedent in the 'real' world doesn't make me think this is likely -
locksmith tools aren't illegal, and 'slim jim' kits for cars are normally
sold on most mechanic's tool trucks.  OTOH, some tools that have no real
legal use (e.g., phreaking tools) are illegal to even possess.

OTOH, law enforcement does tend to get hyperactive in the face of a
community that wants to blame the victim.  "They deserved to be hacked."
"It is their fault for not applying patches."  Somehow that seems to be
tolerated in this arena, whereas "She had a short skirt - she was asking to
be raped" doesn't fly virtually anywhere.

The old days of people cruising around networks not hurting anything are
long gone.  We're in a different era now - the script kiddies have spoiled
the fun.  ANY intruder is likely to be viewed as malicious.

> It should be obvious that I wouldn't seriously advocate an action against
> people who release tools of any sort, buggy or otherwise.

> However, say it was discovered that the attackers were using ISS's
> Internet Scanner.  Let's say the feds get away with nailing him with 1.2B
> or more in damages.  Wouldn't that leave a nice path open for suits
> against Mixter and ISS?

No, I don't think so.  I think ISS could probably add software piracy to
the list of charges - yet another felony.  If the miscreant legally had a
scanner key, then the license covers ISS against misuse pretty thoroughly.

> Wouldn't 10% of the damages (or a little less) be
> a reasonable amount to nail them with?  Especially ISS who actually has
> the money?

I'm not a lawyer, but I'm not worried about ISS.

> Be careful about advocating huge amounts of damages, especially if you
> work in the security industry.  There are a lot of scary laws up for vote
> right now, and not a lot of sympathy for anyone who wants to use the title
> "hacker" for anything.

Considering that all the machines I hack belong to Microsoft, and it is my
job to go hack them, I'm not overly concerned.  I do think the potential
for legislative over-reaction is huge, but that's why we have courts -
checks and balances.


David LeBlanc
dleblanc () mindspring com


