ACK! -- CONTINUED
Jonathan Hutchins
hutchins at tarcanfel.org
Sun Apr 20 19:05:06 CDT 2003
Quoting Bradley Miller <bradmiller at dslonramp.com>:
> That's not exactly accurate. They came in, changed how the entire
> operating system works ...
I think that's a bit of exaggeration. It's still Linux. Sure, it's got a
toolkit on it, but is there any function it used to perform that it doesn't do
just as well (if less securely) now? If so, you'd have found it quicker,
though it didn't take much for you to find in the end.
> If I yanked out the
> ATM from the local bank and put in my own ATM, that functioned the same but
> instead put everyone's ATM passcode into my own account . . . wouldn't that
> be stealing also?
Only if you kept the ATM you yanked. Recording information isn't stealing,
rantings of the RIAA and BSA to the contrary. Should you go to jail if you
happen to observe someone's password over their shoulder? If they USED this
information to some nefarious end (other than "stealing clock cycles"), that
could be a crime. If they just poked around, read and maybe copied a few
files? Nah.
Besides which, you're not a bank. I doubt that the purpose of the machine in
question involved much in the way of financial transactions (or it would have
been better secured, no?). People get real excited about strangers having
access to information, but ask yourself "what can they REALLY do with the
information?" For instance, some people are all aghast about their phone
numbers being revealed on-line, but never give a thought to the fact that their
phone number and address are listed in the phone book. If all they can do is
log in to your server under a false name, that's not much crime potential. Can
they deface someone's web site? Ok, that's a crime equivalent to painting
graffiti on a billboard. Misdemeanor at most, and not committed in this case.
> As to a monetary value, between the cost of the box itself which no longer
> operates in the manner it was intended to, at probably $2500 initial cost
> or so, plus my time, plus the time of anyone else involved, plus down time
> to my customers . . .
You can't count the hardware. It's still there. It wasn't configured
properly, or it would have been defended against the hack, so you can only
count a portion of the time to reconfigure it as an actual loss. If you leave
your sunroof open, you can't blame the rain for wet seats.
> yes it could be a case that the FBI or someone should
> be investigating with whole hearted interest. Otherwise morons like this
> keep doing it and progressing on to other bigger and better things.
(This sounds like the "gateway drug" theory, related to the domino theory...)
What about persons who are responsible for the security of publicly accessible
systems who do not configure them properly and leave security holes? How shall
we punish them, lest they run Microsoft and spawn DOS attacks against us?
Look, I know people get all excited and angry and want to form a lynch mob when
they get hacked, but the truth is you didn't lose anything except some time.
You can count the time spent as a valuable lesson in disaster recovery, and a
penalty for failing to keep the system adequately secured. But calling the
cops? "Hey, officer, I left my kitchen door open and someone came in and drank
a glass of water! Call the FBI!"