Moronic anti-hacker law in place (probably a repost)

Skyclad1uhm1

Lifer
Aug 10, 2001
AT is so slow at the moment that searching for previous posts would probably take at least half an hour, which I don't feel like at the moment.

Anyway, now no one will bother to tell companies of security holes/bugs anymore, instead they will just be abused.

WTF?

I used to hack into systems too, then mail the admin with proof and how to fix it. Now that would mean they could lock me up, and therefore I'll just keep stuff like that to myself and let a cracker figure it out and ruin their system. I'd rather see a cracker cause millions of damage by trashing Microsoft's websites, than me reporting a bug to them and them throwing me in jail for the next few years.
 

Kev

Lifer
Dec 17, 2001
Let's say you broke into someone's house and got caught. Do you really think the owner of the house cares why you broke in, whether it was to steal things or to just show the owner that it could be done? How are they supposed to know what your intentions are? Not everyone out there has decent morals.

If they don't hire you, don't do it. Security is their problem to worry about, not yours.
 

Descartes

Lifer
Oct 10, 1999
I used to hack into systems too, then mail the admin with proof and how to fix it.

I'll tell you what: I'll kick through the front door of your home and follow up with a recommendation of purchasing a heavier door.

What you've done, and what white-hats of the community do are entirely different. You took prefab exploits and ran them against vulnerable hosts. Those in the community who inform vendors of vulnerabilities do so *without* hacking into any production systems. Notifications are sent on several mailing lists, the vendor is notified, and a patch is created.

Your means of finding vulnerabilities is indeed intrusion, and anyone saying this is not illegal is obtuse. Indeed, when doing pen-tests or even vulnerability scans on client networks, I have a legal waiver they have to sign.
 
Jun 18, 2000
You illegally hacked into a company's network, and then expect them to happily pat you on the back and say good job? Ok, we have white, gray, and black hat "hackers." As a sysadmin, would you be pleased to know that a gray hat hacker just invaded your network? Sure, they told you where the security hole was, but who knows what proprietary data or information they got from the system first?

Say you catch a hacker trying to get into your systems. If he tries to play the "gray hat" card, what do you do? You don't know his true intent. He could be telling the truth, or he may be lying.

Bottom line: You don't have any business hacking into networks that don't belong to you. You love hacking? Start a company and become a security consultant. That way you can legally hack into your clients' networks.
 

Descartes

Lifer
Oct 10, 1999
You love hacking? Start a company and become a security consultant.

I have a better idea: learn to create your own exploits, serve the community like every other ethical hacker and post any vulnerabilities you find. Taking prefab exploits and scanning for vulnerable hosts is child's play; does not a quality hacker make.

[edit]I can't speel; ethnical now == ethical[/edit]
 

klah

Diamond Member
Aug 13, 2002
Don't forget, the other 6,000,000,000 people in the world do not care what laws we pass in the U.S.
 

Skyclad1uhm1

Lifer
Aug 10, 2001
I wasn't a scriptkiddie, I'd think of possible bugs if I encountered a certain behavior in a site. (Novell was running their own FTP software back then, so I tried out whether using their drive mapping tricks worked on that too, and they did. All I did was change to another drive on their system, do an ls, and close the session. They could find it all in the logs if they were interested. It was fixed in the next release.)

I didn't do port scans to find open stuff, I tried out stuff as I went along. I once tried to log on to a MUD on a host and accidentally forgot the port nr. I saw they ran a BSD version, and tried out the second root account, which by default had no password. They had forgotten to set it. I waited for someone to log on, and did a 'wall' telling them to get an admin there to fix it asap. Which was done.

There was a known, severe vulnerability in the web server SGI used on all their systems, and as a joke I checked the website of SGI in the Netherlands. It was wide open for attacks. I mailed the admin, and got a nice thank you mail back, explaining they had been so busy warning all their customers they had forgotten their own system :p

I know it is not allowed, but if you see the door of your neighbour isn't closed in the evening, do you warn them or do you ignore it?

I have had people telling me about an open relay which should have been closed again after a short test. Do I freak out? No, I thank them and fix it. Better that than someone abusing it without telling me.
 

Descartes

Lifer
Oct 10, 1999
I know it is not allowed, but if you see the door of your neighbour isn't closed in the evening, do you warn them or do you ignore it?

If you live in the city, you probably ignore it for fear that they may have been burglarized. This of course depends on the city and your neighbors, and how social you are with them.

Point is: context matters. You don't drive down a foreign street and start running in every open door saying, "hey, close your door". However, if you are actively monitoring said neighbor, or you have enlisted in a neighborhood watch program, you most likely would. Apply the same idea to hacking, and the neighborhood watch program becomes their purchase of your security services; i.e. you were explicitly told to do so.

The examples you gave seemed pretty harmless, so I'm sure they were grateful. What I'm referring to, however, is the actual exploitation of vulnerable code, and the subsequent release of proof-of-concept code. On one hand, you have those in the security community who isolate exploitable bugs in software, then contact the vendor. Using the neighborhood analogy, this would be like finding a vulnerability in a locking mechanism using your own lock, notifying the manufacturer of said lock, and letting said manufacturer release fixes for all their clients. A black-hat would take this vulnerability, disseminate it to all those interested in exploiting said vulnerability, and carry out action to do so.

There's a clear level of authoritative indirection between the hacker who finds an exploit, and the consumer of products containing said.

[edit]I don't know how much sense I made in the above, so read at your own risk. I had several thoughts going at one time, so you might see a coalescence of such...[/edit]
 

Skyclad1uhm1

Lifer
Aug 10, 2001
Originally posted by: Descartes
I know it is not allowed, but if you see the door of your neighbour isn't closed in the evening, do you warn them or do you ignore it?

If you live in the city, you probably ignore it for fear that they may have been burglarized. This of course depends on the city and your neighbors, and how social you are with them.

Point is: context matters. You don't drive down a foreign street and start running in every open door saying, "hey, close your door". However, if you are actively monitoring said neighbor, or you have enlisted in a neighborhood watch program, you most likely would. Apply the same idea to hacking, and the neighborhood watch program becomes their purchase of your security services; i.e. you were explicitly told to do so.

The examples you gave seemed pretty harmless, so I'm sure they were grateful. What I'm referring to, however, is the actual exploitation of vulnerable code, and the subsequent release of proof-of-concept code. On one hand, you have those in the security community who isolate exploitable bugs in software, then contact the vendor. Using the neighborhood analogy, this would be like finding a vulnerability in a locking mechanism using your own lock, notifying the manufacturer of said lock, and letting said manufacturer release fixes for all their clients. A black-hat would take this vulnerability, disseminate it to all those interested in exploiting said vulnerability, and carry out action to do so.

There's a clear level of authoritative indirection between the hacker who finds an exploit, and the consumer of products containing said.

[edit]I don't know how much sense I made in the above, so read at your own risk. I had several thoughts going at one time, so you might see a coalescence of such...[/edit]

I see a hacker as someone who doesn't go out to cause damage. Spreading the exploit before, at the same time or without telling the vendor is in my opinion not the sign of a hacker but a cracker. If you find a loaded gun on the street and bring it to the police I'd say you aren't doing anything bad. If you, however, give it to a few kids to play with and then, just maybe, notify the cops, you should be locked up.

Spreading the exploit (even in such a form it cannot be abused without further research) is not something I'd do (unless it was a Microsoft product of course ;) ), unless the vendor did not take action after being warned repeatedly, and then I'd do it in such a way they'd be able to fix it before it was abused, but that customers would be warned and could put pressure on them.