Immunizing the Internet

jonny4001 writes "The Harvard Law Review has published a student-written article that argues that hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"
  • by argent ( 18001 ) <peter@slashdot . ... t a r o nga.com> on Monday June 26, 2006 @05:30AM (#15604178) Homepage Journal
    More than a quarter of a century ago I inadvertently found a hole in a UNIX based bulletin board system, went in and fixed the code, called the operator to tell him what I'd done and how to fix the rest of the problems, and ended up with a series of contracts.

    A few years later I wouldn't have considered it. People who'd not done much more had spent time in court and been threatened with jail. Not much later, you had people actually doing jail time for simply "knocking on doors".

    What happened?

    The whole "ethical intruder" meme had spread, and people had started cracking into systems and then claiming they were just "rattling doorknobs" to "help security". Of course you couldn't tell an "ethical hacker" from a crook, and the crooks could claim they were just trying to help.

    It's the "ethical hackers" themselves that have made it impossible for this kind of activity to be condoned.
  • by Anonymous Coward on Monday June 26, 2006 @05:41AM (#15604209)
    .... too late. It doesn't even have to be a real security issue. It can be something as simple as good security practices. Here are ideas I would recommend e-mail providers, for example, to implement.

    Dual passwords. A master password which can change anything in the account, and a secondary password which can change anything but the master password. The idea is that if your secondary password is stolen, you clean your machine (just in case you were infected), log in with your master password, change your secondary password, and everything is fine.

    Freezing expired accounts for 10-year periods to prevent someone from grabbing it up and gaining mail-forgotten-password privileges from other sites. Got a bank account? Got online banking? Got an account which you can easily send your password to your e-mail address? Oh wait! Your e-mail address expired! Someone else registered it, went to a bunch of bank websites and such, just to see if your former e-mail address has an account there.
  • open source hacking (Score:3, Interesting)

    by joe 155 ( 937621 ) on Monday June 26, 2006 @05:48AM (#15604225) Journal
    Does anyone know where you can get open source hacking tools to use against your own system? I would like to know if my password could stand up to a traditional brute force crack, or if it would be possible to use remote ssh login to get control of my computer...
  • by jkrise ( 535370 ) on Monday June 26, 2006 @05:55AM (#15604238) Journal
    Hackers, worms, and viruses are good for network security (security software firms such as Symantec) and that the law and public policy should encourage 'beneficial' hacking (legislation must ensure we keep such firms running). From the article: 'Exploitation of security holes prompts users and vendors to close those holes (makes people believe that such defects are inevitable, and can only be solved by continuous updates), vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security (reliance on vendors for updates) reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security (any negative impact on suspect business practices OR bottom lines).'

    Makes sense now, don't you think?
  • Why Shouldn't it :-P (Score:2, Interesting)

    by sakahna ( 597647 ) on Monday June 26, 2006 @06:00AM (#15604246)
    Harry Harrison makes exactly this argument in his Stainless Steel Rat [wikipedia.org] series. As long as no-one gets physically hurt, the banks pass on the loss to their insurers, the police have something to do, the media something to report, the general public is entertained and the money is put back into circulation. So in theory, "everybody benefits".

    Of course, real life doesn't work like that. Just look how every little imaginary threat is currently used by the PTBs to further clamp down on the innocent general public.
  • by Opportunist ( 166417 ) on Monday June 26, 2006 @06:00AM (#15604248)
    The idea that finding a hole and reporting it leads to more security works in a "perfect" setup. Perfect in the sense that the one finding it reports it instead of abusing it, and the one informed about it fixes it instead of ignoring it.

    The reality looks different.

    In reality, people don't want to be bothered with this pesky thing called security. They want their machines to do the magic by themselves and not worry about it. So they created laws where it becomes illegal to even look for a security hole. Because, what you can't see isn't there.

    Take your average user. Just enough smarts to turn on the PC; updating with an automatically generated and even transferred script is beyond their capabilities. When (not if, when) their computer is turned into a spamslugger, who will they blame? Themselves for not being able to keep their machines secure?

    Keep on dreaming.

    The laws are a reflection of the general unconsciousness. People don't want to be hacked, so it must not be done. Yes, the machines are insecure, yes, there are billions of trojans and viruses out there trying to break in (and succeeding, most of the time), but as long as we don't see them, they're not there.

    La la la, I can't hear you...
  • by pubjames ( 468013 ) on Monday June 26, 2006 @06:04AM (#15604256)
    I think this raises a fundamental issue - most of our lawmakers and enforcers are people who have not grown up with these new technologies and have little understanding of them, both from a technology point of view, but also their social context.

    Most judges, seeing a bank had implemented very poor physical security - so poor that a lone teenager could fairly easily get into the bank without help - would be lenient on the teenager for breaking into that bank, and the bank would be in lots of legal trouble for having lax security. But when the internet is involved the teenager becomes an evil hacker in the eyes of both our lawmakers and much of society, and it's off to jail for the teen and no punishment for the bank.

    I really worry about the next generation. All kids do stupid stuff and talk about stupid things as they are growing up. Only now, much of that stupid talk is done via electronic communications, and much of the stupid stuff is easier to trace.

    I can see in the near future (maybe it's happening already?) that when a misdemeanour with a youth occurs, one of the first steps a law enforcer will take will be to get access to the youth's electronic communications. Then they'll uncover all kinds of stuff that will look terrible in the eyes of a law enforcer and the parents - and be extremely embarrassing or worrying for the youth. But in reality it will just be the stupid things people do and say when they are growing up. We'll have youngsters going to jail and being ostracized by their parents and society just for doing and saying the stupid things that we all did when we were young.
  • by Animaether ( 411575 ) on Monday June 26, 2006 @06:06AM (#15604261) Journal
    Imagine if this was the so-manieth discussion about music or video copyright infringement. Now ask again: "What is the special magic about technology". I think you'll find your answer.

    I don't agree with it, for what it's worth, in either case.
  • by Xugumad ( 39311 ) on Monday June 26, 2006 @06:07AM (#15604263)
    I think also, as systems stop being maintained by one person, and are covered by a group, it has become a lot less easy to simply go "Ah, they meant well, I'll just ignore it". Instead, the entire group has to come to a decision, and no-one wants to be seen as lazy at maintaining security.

    I've seen a student here report a security hole (the muppet that originally developed the web app they were using tracked the currently logged-in user by putting their username in the CGI parameters. Change the name, and you can be whoever you want), and some members of staff still wanted to see them kicked out (we did manage to talk some sense into them, though). Point is, if it had just gone to the person maintaining the system at the time (me), I'd have patched up the code, thanked them, and forgotten about it.
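The flaw described in the comment above (identity taken from a client-supplied CGI parameter) next to the usual fix (identity bound to a server-side HMAC that the client cannot forge). This is an added example, not the web app from the comment; the query strings, cookie layout and SERVER_KEY are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs

# Constructed for this demo. In a real deployment the key comes from
# configuration or a secret store, never from source code.
SERVER_KEY = b"demo-server-secret-do-not-use"


def current_user_insecure(query_string: str) -> Optional[str]:
    """The pattern from the comment: whoever sets ?username=... *is* that user.

    Nothing ties the parameter to an authenticated session, so any client
    can choose any identity simply by editing the URL.
    """
    params = parse_qs(query_string)
    return params.get("username", [None])[0]


def issue_session_cookie(username: str) -> str:
    """Server side, after a successful login: bind the username to an HMAC tag.

    Layout (constructed for the demo): "<username>|<nonce>|<hex tag>".
    The tag is computed with SERVER_KEY, which the client never sees.
    """
    nonce = secrets.token_hex(8)
    payload = f"{username}|{nonce}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def current_user_secure(cookie: Optional[str]) -> Optional[str]:
    """Hardened version: trust the username only if the server's own tag verifies.

    Returns None for a missing, malformed, or tampered cookie, so a request
    that edits the username field falls back to 'not logged in'.
    """
    if not cookie:
        return None
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, nonce, tag = parts
    payload = f"{username}|{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


if __name__ == "__main__":
    print("insecure:", current_user_insecure("page=inbox&username=admin"))
    cookie = issue_session_cookie("alice")
    print("secure, genuine:", current_user_secure(cookie))
    print("secure, edited:", current_user_secure(cookie.replace("alice", "admin", 1)))
```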
  • by arivanov ( 12034 ) on Monday June 26, 2006 @06:24AM (#15604312) Homepage
    Well...

    Realistically this is the history repeating itself. Many times.

    Prior to Edward Jenner discovering vaccination, people tried to instill immunity to Smallpox in their children by a process known as variolation. The difference from vaccination was that people were deliberately infecting children with the real virus, hoping that they would have it in a milder form. Well... and if not, that was just a child, one more, one less, who cares. In some more awkward and less developed parts of the world this is still done with Varicella, and less frequently Rubella, Measles and Mumps.

    Society's attitudes have changed since. The majority no longer considers it normal to infect children with the real viruses. Still, even now, there are idiots who insist that "having child diseases is good for the children as it improves their character" (or other such bollocks).

    Similarly, infecting networks with real worms is not dissimilar to variolation. There are plenty of security tools out there nowadays which can detect the vulnerabilities that can be used by the worm and force the user to fix them. There is no real need to weed out the "weak" (yeah, I know, I am tempted myself to weed out the idiotz sometimes).

    And as far as Joe Average user goes, it will take some time for them to grow up, but it will end up the same as with vaccination. People were reluctant to do it initially. That is not the case now.
  • As Good As It Gets (Score:2, Interesting)

    by Joebert ( 946227 ) on Monday June 26, 2006 @06:55AM (#15604381) Homepage
    I don't think the world can ever be truly secure.
    The world is always in a sort of "Ok on the count of three, we all drop our guns" state.
  • by swarsron ( 612788 ) on Monday June 26, 2006 @07:16AM (#15604427)
    The special thing is stupidity. Consider the things you see and hear about IT security in real life.
    People taping their keys next to their door.
    Banks where you just state a different name and get full access to the corresponding accounts.
    People stating that they don't bother if other people can access everything in their house as long as they don't do anything that actually harms them ("I don't care if someone can read my mail").

    I and probably everyone on Slashdot know people who don't give a shit about IT security, and if the only way to get them to care is a decent kick in the ass then so be it. A bank robbery now and then is good for *my* security because it keeps banks everywhere concerned about their security measures. Three years ago people laughed when I told them about the stuff they now experience, and suddenly they care to take responsibility and secure their PC.
  • by Flying pig ( 925874 ) on Monday June 26, 2006 @07:35AM (#15604459)
    There is a possible way...

    Introduce a properly run certification scheme for "Certified ethical hacker". Base it on a course taking in relevant law, security techniques etc., and make damn sure it is vendor-agnostic. Only make the course available to persons who have no criminal convictions, are on the voter's list, member of a professional body, and pass FBI checks or your national alternative. It will be free to qualified applicants.

    Now issue those people with a set of official paper forms, with proper security marking and tied to the individual. When they encounter a security issue, they issue a paper-based advisory (because it is still traceable, and because you do not then leave a trail on the net that might enable the black hats to find and target you), with a copy to some official body who every year will report the statistics, and list the companies that failed to respond to security advisories.

    So now you have it on your resume when you write in for the bank job: Certified Ethical Hacker, 42 confirmed alerts (or whatever).

    Before anybody tells me this is simply fantasy, consider that there are already volunteer public security forces. In the UK we have Special Constables and the Territorial Army, and there are equivalents in many other countries. We have a Health and Safety Executive who can walk into any company at any time it is operating and demand immediately to observe what is going on. So why not a properly trained volunteer Internet security force?

  • by Tei ( 520358 ) on Monday June 26, 2006 @07:58AM (#15604526) Journal
    Imagine a white hat h4xor that found a dangerous hole, sent info about that to admins, and that hole is fixed.

    Is that good?

    I think yes, but it needs:

    1) The white hat attitude. Complete morons are discarded.
    2) It's a hole, and not a feature. Maybe the users want the system this way, and know enough about the tradeoff.
    3) The hole being fixed. If it is impossible to fix holes, maybe because of lack of resources, this helps nothing. Of course, the problem here is the lack of resources.

    In the real world, some people want to live with their doors unlocked, mostly in rural areas. Is that a "hole"? It's not. What safety experts AND h4xors fail to realize is that the world is not about safety for everyone. Some people like their doors unlocked, thanks. Other people don't know about that, and would love to know about a hole, and fix it.
  • by PyroPenguin ( 827234 ) on Monday June 26, 2006 @08:19AM (#15604612)
    This is where the analogy breaks down catastrophically. There is no simple, familiar motivation for anyone to try getting into a house as an intellectual exercise, or even as a challenge. Either the house is wide open - in which case it would be legal to enter in some jurisdictions, while in others the householder could legitimately shoot an intruder anyway - or it is secured, in which case any attempt to gain entry is almost certainly of a criminal nature.
    Slightly off-topic, but there is a quite funny program on The Discovery Channel called 'It Takes a Thief'. The premise is the same; a non-threatening crime to show the victim where they need to improve their security.

    "So how safe is your house? Enter It Takes a Thief, a unique new Discovery Channel series that offers viewers something they've never seen before: a home burglary performed by convicted former thieves that is taped as it happens, followed by a lesson in what steps to take to prevent such a violation from occurring again."
  • Too late (Score:3, Interesting)

    by MECC ( 8478 ) * on Monday June 26, 2006 @08:42AM (#15604729)
    Microsoft has 'educated' an entire generation of users that you have to run with full root privileges to get anything useful done at all. This is completely independent from how they respond to security issues raised by third parties. The damage is so pervasive that it can't be undone. MS stands as the village idiot of software companies for such a stupid design paradigm, and the single biggest problem on the Internet, as well as the single biggest problem in the IT industry for so completely dumbing down so many people. I wouldn't look to Vista to cure the ill either. The more MS talks about security, the more evident it is that they can't pull their head out of their ass, and they'll keep dumbing down their 'customers'.
  • by floWing ( 762040 ) on Monday June 26, 2006 @09:36AM (#15605070) Homepage
    You seem to be the only one to mention this problem: on most systems, an intrusion means that you need to completely reset (at least) the invaded machine. Quite often, though, possibly compromised passwords, authentication files, etc. must also be reset on a global scale.

    This measure of loss is overinclusive, however, because much of the cost of restoring system integrity is money that one should reasonably expect users to spend anyway. Whenever security flaws are discovered, users spend time and money to patch them, regardless of whether their systems have been attacked. Yet these same costs, when borne by the actual victim of a breach, count as losses under the current Guidelines even when the hacked system suffers no damage. It is as if a mere trespasser who entered a doorway with no lock were held liable for the cost of installing a lock afterwards.

    So this statement indicates that a patch is as expensive as restoring a system? And as others mentioned, this shows how people love to create real-world examples about things that simply do not work that way in the IT world.

    Finally, as discussed above, an attack's benefits generally correlate with its novelty. Exploitation of a known security hole usually offers little benefit beyond raising awareness. A novel attack, however, reveals much more valuable information that could preempt a more damaging surprise attack. Therefore, a redesigned system might punish attacks that are novel more lightly, and punish attacks that are not novel more harshly.

    Great, any real intruders, who will most likely not rely on old exploits, get less punishment. Nice perspective: hack a few systems, do nothing obvious but set up a backdoor allowing another attack to be even more untraceable, and claim you are a "benevolent hacker". Therefore, you are getting less (or no?) punishment (and possibly making the victims prone to leave the system[s] unchanged apart from patching what you do not care about any longer), and finally complete the real crime later. Great concepts in this work, really. But he (they?) should have asked some security guys first, I guess.

  • by x-vere ( 956928 ) on Monday June 26, 2006 @10:18AM (#15605342) Homepage
    This whole debate about black hats, grey hats, etc. is ridiculous. I don't give a crap about the intention for the intrusion. If I didn't invite you to break into my system, then you're trespassing and should be punished. I don't care if you've told me about it or not. Now, if you stumble and only stumble (as in not go any farther than to point out a potential weakness and not go snooping), that's different. You haven't actually hacked. When you cross that line, you've screwed yourself and should be punished.
  • by Anonymous Coward on Monday June 26, 2006 @11:04AM (#15605626)
    That's like a jewel thief or bank robber claiming they were "just trying to help out" when relieving a bank or jewelry store of its goods. Breaking and entering is breaking and entering -- if you do not belong in a place and you enter that place without authorization, you're breaking the law.

    In that case, using your metaphor, what happens to the person who walks by the jewelry store and calls the owner (or the authorities) to inform them that the door has been left open? In a real jewelry store, the owner will probably be very grateful that he was informed of this mistake. And even if he finds out some things were stolen, you wouldn't be a major suspect. Why? Because criminals aren't usually very helpful to those they've stolen from.

    If you do exactly the same thing on the internet, however, everyone immediately assumes the worst. The question a company which uses its website to store sensitive information should ask itself is: if a well-meaning person notices a flaw in passing (not because they are trying to crack it but because it was extremely obvious, like the one in the GP), do they want that person to come forward and inform them of it, or should that person hide and ignore it so that he isn't considered a criminal, and wait until an actual criminal comes along and uses the same vulnerability to steal billions from them?

    (Shucks I've forgotten my password)