Firewall Wizards mailing list archives

Re: Recent Attacks


From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 18 Feb 2000 20:35:02 -0800 (PST)



On Fri, 18 Feb 2000, David LeBlanc wrote:
It is all a matter of usage.  If I use a hammer to build a building, I get
paid.  If I use it to smash windshields, I get thrown in jail.  There isn't
any law against checking security of your own systems.  There is a law
against breaking into other people's systems.  At least ISS made a good
faith effort to keep the Scanner's licensing such that it at least slowed
the crackers down for a while before they could use it.  That's more than I
can say for several other auditing tool vendors.

Then you think Mixter doesn't deserve punishment, or he does and ISS
doesn't because IS is a "good" tool?  A few other folks say Mixter
deserves ...well, something.. they're not specific.  We don't even know
for sure his stuff was used.  We also don't know the attacker didn't use
IS to break into the zombie systems.  I've used IS to break into other
people's systems.  It works real well.


This really has nothing to do that I can see with the current discussion.

If you advocate harsh penalties for malicious "hackers", and then you
happen to get classified as one due to some idiotic legal wording, where
does that leave you?  My example is an attempt to personalize the
situation for the readers of this list.


How about releasing the "firewall" toolkit full of holes?  

I have no idea what you're talking about.  fwtk?  ISS' 'firewall scanner'
stuff?

That's a poke at Marcus.


$100M each?

I hope you're joking.  If so, you should have put <g> liberally.


It should be obvious that I wouldn't seriously advocate an action against
people who release tools of any sort, buggy or otherwise.  

However, say it was discovered that the attackers were using ISS's
Internet Scanner.  Let's say the feds get away with nailing him with 1.2B
or more in damages.  Wouldn't that leave a nice path open for suits
against Mixter and ISS?  Wouldn't 10% of the damages (or a little less) be
a reasonable amount to nail them with?  Especially ISS who actually has
the money?

Be careful about advocating huge amounts of damages, especially if you
work in the security industry.  There are a lot of scary laws up for vote
right now, and not a lot of sympathy for anyone who wants to use the title
"hacker" for anything.

                                        Ryan


