Immunizing the Internet 181
jonny4001 writes "The Harvard Law Review has published a student-written article that argues that hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"
Does this work for offline crime? (Score:5, Insightful)
What is the special magic about technology that makes people give opposite answers to "Is X sensible?" and "Is X sensible using a computer?" for just about all values of X?
Ame
Viscious Circle (Score:1, Insightful)
The reason Virii and Worms etc are good for the security of a network, is because they prompt us to tighten security for future attacks based on historic ones.
"Nessesscity is the mother of invention" But the irony is...if the Virii/Worms didn't exist in the first place, then we wouldn't NEED to improve security against such attacks.
Oh the confusion.
Re:Wow! Who knew? (Score:5, Insightful)
In general being exposed to a lot of germs (typically harmless) trains up your immune system. buggers catch a lot of local bacteria and allows for exposure in a safe and weakened form.
-- Just because it's correct. Doesn't make you want to do it.
Yeah... (Score:1, Insightful)
I'm sorry if I don't buy the whole "we're writing viruses and trying to break in to teach you people to do better" excuse. If someone's tresspassing I'm going to shoot them anyway, regardless of whether they think they're teaching me a lesson.
Used to be the world was a friendlier place, and there are parts of the U.S. where you still can leave your door unlocked at night. Doesn't mean that robbers are to be rewarded though...they're still bad guys.
Hey, it works for living creatures (Score:2, Insightful)
Comment removed (Score:3, Insightful)
Re:Wow! Who knew? (Score:2, Insightful)
Don't bet on it.
Re:Why Shouldn't it :-P (Score:3, Insightful)
Yeah, because we all know that insurers are not part of the system at all; unlike the rest of us, they have access to magic money-making machines powered by pixie dust.
oh, there should be penalties (Score:3, Insightful)
As for "hackers", they should be held responsible under existing fraud laws if they commit fraud; the mere act of "breaking into" a computer system should not be a violation of law.
Re:Yeah... (Score:1, Insightful)
Virii, worms and the like, are products of malicious intent from malicious people motivated by a desire for destructive and harmful ends.
The article in question, at least to me, appeals to people that have the technical knowledge to be able to find these vulnerabilities, and implores them to apply those skills in a positive manner. They're not encouraging these people to exploit said vulnerabilities to any detrimental end. The idea is to foster an environment where people that possess the talent to find security holes do so, and report them to developers so that these potentially damaging flaws can be fixed.
There is a very large difference between uncovering and exploiting new vulnerabilities for personal gain, as opposed to uncovering them for the sake of improving the general state of security. Your analogy is entirely flawed, as it assumes anyone that has the knowledge to uncover these security holes only does so for the sake of personal gain and cannot operate in an ethical fashion.
I did my fair share of 'hacking' when I was younger, and when I found critical security flaws in my school's network, I demonstrated them to the system administrator and worked with him to try and get the problems fixed. Those security issues affected me just as much as anyone else, and with a sizable student body such as the one that school housed, I wanted to see to it that my data, along with everyone elses' was going to be safe. It's simply a matter of encouraging the right people with the right motivations to identify problems and assist in solving them before the wrong people can discover and leverage those vulnerabilities to do any serious damage.
A little knowledge is a dangerous thing... (Score:5, Insightful)
The paper (or article, or whatever) is actually quite well-nuanced and fairly even-handed. However, it suffers from a fatal flaw of many legal articles: a fundamental ignorance of the subject matter itself.
It's a paper written by (wannabe) lawyers, who, while they site large rafts of supposedly corroberating papers and "experts", don't understand what they (the exports and sited papers) are talking about.
This kind of approach is eminently practical (and effective) when attempting to try a case, or negotiate a settlement. However, it is absolutely the wrong way to do things when attempting to write a Public Policy piece. If one is attempting to educate the populance (or some subsection of it) about an issue, you have to actually understand the subject, not just quote others' ideas.
They are correct in the supposition that cybercrime has a different nature than that of "real world" crime. But they completely misunderstand how this difference affects people.
A classic example of not really understanding the subject matter occurs when they claim that a compromised system actually causes very little economic damage, as the system itself is not physically damaged, and the effort to repair it is theoretically comparable to a periodic security audit/update of the machine. What they perceive is a JoyRide in a "stolen" car - someone took my car out for a whirl, and if they've returned it in good shape, all I (the owner) have to do is sweep out a few of the crumbs (and maybe fix the door lock) before it is ready to go again. This isn't the true case. Rather, it is closer to the case that I, the owner, would have to completely dissassemble the entire car, and put it back together again from its component parts, just to make sure that the kids didn't screw something up (or wire a bomb to the ignition). There is a HUGE economic cost to cleaning up after even a minor intrusion. Because, frankly, there is no way to determine if something was a minor or a major intrusion, until a complete postmortem is done. And the risk associated with keeping a compromised system working is far too great to NOT do the full rebuild. In many ways, the risk analysis looks a lot like empidemiology: when a herd of cows is found to contain one case of Mad Cow, we kill the entire herd and check them all, rather than just kill the sick cow, and say "oh, we found the problem, and it is fixed now".
The real solution is not to allow "ethical hackers", but rather to provide economic incentives for companies to protect their data. If this were the case, then companies would take security seriously, and there would be a whole thriving sector of legal security probing companies (which exists in a very tiny manner today). If companies were held to multimillion dollar fines every time private data was compromised, you could be damned well sure that security would rank somewhere above "oh, and empty the trash before you leave tonight", which is where it currently resides. And security checks would be done by true professionals, complete with after-incident reports and improvement suggestions.
-Erik
Re:Does this work for offline crime? (Score:5, Insightful)
This isn't the equivalent of bank robbery (nobody gets potentially harmed, and no real damage done). Rather, a far better example would be the instances of journalists repeatedly and successfully smuggling weapons through TSA security, onto commercial flights. Absolutely no real harm is done by it, and success leads to very important good things (increasing security where it is lacking).
The more they will find security holes, and make the system safer against the real threat, the truely malicious professionals. Of course, the analogy isn't perfect, but it's far closer than bank robbery and murder.
Probably because of people like you... People who can't relate the computer world to the proper real-world equivalents, and therefore have a really warped and twisted misunderstanding of the computer world.
Honest, officer, I was just checking the doors (Score:4, Insightful)
Sorry, it don't work that way, and just because computers are computers doesn't make it any different. If you want to come in to my computer and inspect, I expect you to ask, just like I would for my house.
When Microsoft is caught sniffing around anyone's computer without permission, even if they don't damage or alter anything, everyone here wants Bill Gates' head on a pike for public display and criminal charges against Microsoft. But if its a white-hat hacker, that's okay, and we should have the law allow them in. Funny how that works.
Re:Full disclosure is a necessary evil (Score:3, Insightful)
It is true that bad hackers will pretend to be ethical hackers but by putting everone in jail you end up creating a less secure world. Only the bad hackers will find the security hole and they won't tell anyone.
Full discolure is the only solution and it is not popular: companies get bad press for having security holes, they might loose some business and thus try to shoot the messenger
However, full discolure is a necessary evil it we want to have a safer online life.
Re:Does this work for offline crime? (Score:5, Insightful)
This is where the analogy breaks down catastrophically. There is no simple, familiar motivation for anyone to try getting into a house as an intellectual exercise, or even as a challenge. Either the house is wide open - in which case it would be legal to enter in some jurisdictions, while in others the householder could legitimately shoot an intruder anyway - or it is secured, in which case any attempt to gain entry is almost certainly of a criminal nature.
Computers are different, in that trying to understand and improve on software mechanisms is a universal impulse among (good) programmers. Bill Gates, and many other people who came to be famous, hacked in his youth. The sainted Richard Feynman confessed openly to having made a hobby of getting into as many locked areas and safes as he could, while working on the Manhattan Project. He had absolutely no ill intentions, although he was well aware that the military bosses would be hard to convince of that. Incidentally, he told of a valuable spin-off, when a senior official left the project and his immense safe was found to be secured. No one had the combination, and they were thinking of explosives and thermic lances until Feynman came along and casually opened it.
Please don't accuse me of trying to excuse genuine criminals - I am the last person to do that. But do realize that many people who experiment with software do so from motives of genuine curiosity and intellectual challenge, which can be very useful if properly harnessed. And let's get over the crude physical analogy of "breaking into" a computer. A computer is a machine that executes instructions. When some sets of instructions are executed, the computer can display words, numbers, and pictures meaningful to humans, and accept human input through keyboards and other devices. A computer does not have a mind of any sort, and thus cannot be deceived, pleased, annoyed, or educated. Moreover, the idea of the computer as a structure or territory that could be broken into is simply an analogy that helps us to think about it; it does not correspond to anything real.
Re:PDF WARNING! (Score:3, Insightful)
Like a pdf isn't a royal PITA under linux + firefox? No wonder yu posted AC (/me currently running SuSE + Firefox, and avoiding pdf files whenever possible because they're still bloated).
Now back on topic, this is just SO fucked up logically:
If it isn't your system, don't be f*cking around with it, same as if its not your car, your home, or your other sh*t. Just because it's computers doesn't make it special all of a sudden, with a suspension of all the rules.
Yes, I know, servers are just responding to queries ... but there's a difference between entering through the front door where the welcome mat is, and the door is wide open, and the host is expecting you, and trying to break in through a rear window on the second floor.
Re:For those who won't RTFA (Score:2, Insightful)
Can you provide any sources for this statement? Every description I've ever seen of losing a child, even in the bad old days, was usually pretty painful. You probably have to exempt the usual psychopaths.
Re:The well is poisoned. (Score:5, Insightful)
While I do agree with you, that a kid reporting an error and perhaps even a sugested solution, would be regarded as helpful and something of a "white-hat" on a private perspective
However one thing that has changed since the early eighties is that now there is usually quite a bit more money involved.
Now accountability is a big concern.
If that kid was into a system I admin, I must realize that even if he propably just is helpful, I still cant be sure, after all he was in there, where he shouldnt have been, who knows what he did and discover but not tell me about.
And thats what its all about, ne one side I have a complete stranger who claims that he has been in one of my systems, found a few bugs, and have a few suggestions, one the other side is that the only way to be sure of system integrity is to asume that the system is completely penetraded, and do a very expensive security checkup, to see how much damage that _could_ have occured.
If I trust the kid, and he happens to be a black-hat - poof - there goes my job
If he turns out to be a white-hat, well in that case he was nice and not much won for either me or my clients (since we have to do an expensive audit anyhow)
So I would asume he was a black-hat, cause if he wasnt, I havent lost much... Maybe synical, but thats how it works.
Re:The well is poisoned. (Score:2, Insightful)
It's crooks who are the problem, but more commonly it just appears to be lawyers who are the major part of it, since they so often find themselves "forced" to do due-diligence and attempt to prosecute every little thing that comes along, catching the ethical hackers (who obviously aren't trying very hard to avoid being noticed, since they're not up to much, and who usually step forward and give them the information needed to send them to court thinking some sanity will prevail) and going full-tilt on them to make up for staff being utterly unable to cope with the actual criminals.
Re:The well is poisoned. (Score:2, Insightful)
Which, arguably, you should have done in the first place.
Amazing... Student written huh? (Score:3, Insightful)
The problem is akin to the broken window problem in economics. Sure, exploiting security holes leads to more fixes, but you have to take into account the costs. Further, this does not mean Information Security itself is improving, it simply means virus, trojan, and worm writers have to become more creative.
In short -- if this is what Harvard is producing these days, maybe it's time we re-asses the "Ivy League."
Re:Does this work for offline crime? (Score:4, Insightful)
If I break into a computer and play a prank that hurts no one, why should I be facing hard jail time where if I had just broken into a building and played a prank the police would probably not even bother tracking down who did it?
Somehow people in the technology world have gotten it in their heads that people being curious and testing boundries deserves ass pounding federal prison time. This is incredibly destructive to some of the most important qualities in people: curiosity, cleverness, inventiveness all get squashed by this concept of "if we didn't intend for you to be able to do something and you do, you're a criminal".
This is highly destructive to real network security, the kind of security where even if people want to do something you didn't intend them to do, they can't. We need to go back to making tinkering with interfaces provided to you legal. The rule should be, if you don't want me to be able to tinker with the interface, don't provide it to me.
If hacking is a crime only criminals will hack.
Re:Finally! (Score:3, Insightful)
And claiming that a certain amount of malware going around helps security measures stay alert is silly. The analogy with living organisms and biological malware is way off. Computer malware doesn't thrive in the wild, mutating randomly. It is powered by misguided humans and by misguided blacklisting approaches to security.
Perpetuating the status quo only perpetuates those misconceptions. It doesn't prevent anything in particular. The reason nothing really big has hit
Some day somebody will write a worm that will finally do something really distructive, like spread for a year undetected and then format 75% of the world's HDD's on the same day. Then we'll actually see if real security and chastizing wannabe hackers would've perhaps been better than stupid theories, except it will be too late.