Posted on 09/17/2008 11:15:26 AM PDT by Domandred
How about if you had been told time and time again that the brand of locks you use were of poor quality and could be opened by a good thump?
What percentage of blame would you have then for ignoring the problem?
Thanks for the education... So why the “wiki”pedia? Is it because of the software they use?
Yep short for Wiki Encyclopedia. Wikipedia.
I Love to learn! Thanks :)
I did not say “no need”. I said “less need”. Or are you going to argue that laws and penalties do not reduce crime / have no deterrent effect?
It seems to me that if someone “takes apart something to see how it works”, and that something does not belong to them personally, or they do not have explicit permission to do so, from the owner, then that someone is in the wrong.
Not necessarily.
For instance, I have several machines in my server rack that run Apache web server. If I find an security problem on one of those and report it, every Apache web server of that same version on the Internet will have the same problem, just now everyone is aware of it.
Also, if a web server is publicly available, sending it commands and looking at the responses is exactly what your web browser does. Your web browser simply formats the responses into what you are used to seeing. What your web browser receives is very different to what you are used to seeing. A hacker will typically examine those raw responses directly rather than letting the web browser format them.
It is not a direct relationship. Are you going to argue that laws and penalties banning alcohol didn't increase violent crime?
Laws and penalties simply provide a method of punishment. If people are willing to risk the penalties or are already criminals they have very little effect especially in areas that are difficult to police effectively.
And U.S. laws and penalties have zero deterrent effect on people in other countries the effect of strong laws against something on the Internet is not especially effective. As a web site on the public Internet is just as reachable from China as it is from Wichita, all you've done is criminalize U.S. activity. This is not necessarily a good thing. For instance:
When the U.S. enacted the ITAR regulations, they categorized strong encryption as a munition and banned its export. The result was that U.S. programmers stopped working on strong encryption. If someone from overseas downloaded your encryption software you could go to jail for 20 years.
For a long time if you wanted strong encryption you had to download it from an overseas system and apply it to your systems here manually.
The result? American's stopped developing encryption technology. The current U.S. encryption standard, AES, was developed outside the U.S.
If you are looking into a problem on hardware or software you own, then I have no problem with that. That is exactly what you describe. Ditto if the equipment / software belongs to someone you work for, or a customer, and they have asked you to check it out. Heck, I do THAT sort of thing (though in a much different area of electronics) all the time. If you inform the hardware / software provider that there is a problem, and then they do not respond after several such attempts, then ok: If you feel that you should alert others so that they can take appropriate safeguards, that’s fine too. What I have a problem with is people who try to “break in”, so to speak, where they have not been invited, where they have no ownership, etc.
Now, if you send commands to a web server in order to view what’s on someone’s website, such as in response to an implied invitation, of course that’s ok. Ie., “Come check out our cool products” is essentially the message if someone puts up a web site with their products listed therein. If that website generates so much legitimate traffic that it crashes, well, that’s a good problem to have! (And a better one to solve.) But if someone starts sending that website strings of data that can throw a monkey wrench into the works, INTENDING that result or possible result, uninvited, then that someone is in the wrong. So far as I know, my web browser sends out a lot of “inquiries”, but does not intentionally try to break into other’s accounts uninvited, throw that proverbial monkey wrench into the works just to see sparks fly, etc.
Put another way, it is one thing for someone to come to my door and knock, to request to come in. It’s quite another for them to pick the lock and come in without my permission.
As an aside, I would mention that not so many years ago, in probably the majority of the land area of the U.S., most people found it unnecessary to lock their house or car during the day. Robert Heinlein postulated much the same thing in a future society he described in “The Moon Is A Harsh Mistress.” I think it has to do both with self respect / honor, and with respect for others.
Hmmm... That’s an interesting point. Are you postulating that the desire to do harmful hacking (to be specific and not indict all hackers) is comparable to alcohol or drug addiction?
At any rate, IF the vast majority of the populace had been willing to support whatever penalties were necessary to make Prohibition effective, it would have been successful. Certainly there are countries in which this has been done, with general success. Prohibition failed in the U.S. because the vast majority of the U.S. populace was not so inclined.
That’s not to say no one would ever get their hands on an alcoholic beverage, given my “IF”. There are always some cracks. (Oh, BTW, I am not a tee-totaler. I am just commenting on your example. )
Now, in the case of the Internet, you are correct: You’d probably have to get some sort of essentially world-wide treaty going (with real penalties for countries unwilling to go along with it) to crack down on harmful hacking. But, I think this problem will eventually become so big, and cost everyone so much money, that it will come to pass. Once it does, you don’t have to find every offender. You find a few, and administer Saudi Arabian style justice. Even that would not end the problem. But it would lessen it.
Then again... Back in my college days, when I was studying Electrical Engineering, I was too doggone busy to get into such trouble. (The story of my life!) Maybe there is an answer there... ?
Well, that's the problem. Internet protocols are designed for flexibility. What today might be a string of data that horks up a system, tomorrow might be accepted as a new, useful feature.
As such, servers on the Internet are supposed to accept all data sent to them, discard the stuff they don't know what to do with and properly process the rest.
It a web server takes a string of data and does something harmful, that's a bug. There are people that intentionally search for such things. And there are times when such things are found by accident.
Put another way, it is one thing for someone to come to my door and knock, to request to come in. It’s quite another for them to pick the lock and come in without my permission.
Quite true. If someone disables the locks on your house, that person is a criminal. That person should be prosecuted.
However, if you've been told time and time again that there is a bug in your brand of locks, and a good thump will disable them, then you are at fault for not doing something about it. It's not something you should be prosecuted for, and it doesn't negate the fact that the person doing the bumping is a criminal, but expect to be chastised for not taking the vulnerability seriously.
Not at all. The analogy was about the effectiveness of laws to control behavior, not about the behavior itself.
Then again... Back in my college days, when I was studying Electrical Engineering, I was too doggone busy to get into such trouble.
Not really. The people that do the hacking are often professional programmers. Because so much Internet software is made up of layers of software from different sources, testing will often indicate a bug when testing how one layer of software interacts with another.
As an example:
Let's say I have a store on the Internet. I use a piece of software that the web server interacts with. A user connects to the web server and enters data. The web server passes that data to the application that processes the order.
When a new version of the web server software comes out, the manufacturer of the store software tests his application to make sure that it works properly with the new web server.
He finds a bug. Normally, the field where you type your credit card number in expects only numbers. You find that if you put in a string of hex code, it causes the application to crash.
In the previous version of the web server software, the web server properly read in the HTML instructions and filtered out anything that wasn't a number. The new version doesn't.
He found the bug by deliberately sending out-of-scope data to the web server, but the bug could be triggered accidentally by having, say, your cat jump on your keyboard while you were ordering from my site.
One person, a professional, found the bug. So can someone else, sometimes by accident.
And a third party may be looking for a way to crash my server.
All three of these people can find the same bug. You can't assume that just because someone finds an exploit that they intend harm.
For years, conservatives have resisted the idea of the UN being our police. And Internet police force would have much the same mandate. And it would suck.
Rather than that, how about we leave the Internet alone. People that have broken software should fix it, assume there are still more bugs that haven't been found yet and take action accordingly.
Because you are never, even with an Internet Police force, going to be able to stop systems from being exploited. It's too easy to hide, it's too easy to have a plausible answer for doing what you did and it's too much of a burden on regular, everyday Internet users to subject them to layers of UN-style corruption just to catch a few system exploiters. The cure would be worse than the disease.
But here’s the thing, the thug who broke into her account got off. I’ve seen lives ruined by less egregious computer crimes.
My guess is he found some really incriminating stuff but the Cops, & McCain cut him a deal - he keeps his mouth shut - he stays out of prison.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.