From: "fiji":

> So you are saying that it should be illegal to sell password cracking software? Have you thought of the implications of this at all? Does this mean that ISS and Cybercop should be illegal too? They attack networks and they try to brute force passwords. Do you really think that "hackers/crackers" go out and buy password cracking software? Come on, get with it. They write their own code to do these tasks. The software that is for sale is for administrators and auditors to use some of these tools to get a glimpse of their own security. Why do you believe it would be in the best interest of security to limit these administrators? You are implying that nobody should be able to audit their password security. What if all of these tools were free? Then are they ok?

Sorry, but Government facts and science research journals would dispute what you say. Most hackers are not experienced in the intricacies of software engineering nor do they have backgrounds in computer science. Most of them buy their tools: sniffers, port scanners, war dialers, root kits, from underground websites I would not dare visit for fear of who might be lurking there. They do not write their own code for these tasks and they do not have to, and THAT is the problem, so I am afraid I am indeed "with it." No one would seriously contemplate making it illegal for firemen training novice firemen to set fires at some Fire Academy to see if the apprentice firemen can effectively put it out. Neither do I suggest that security specialists, if you indeed are one, and Network Administrators should be barred from using hacking tools to check the security of some network. The malicious hackers are the people who should not have this software.

"fiji":

> So let's assume that I break an encryption scheme and notify the vendor. The vendor doesn't do anything about it. Should I release this information in the form of code? My guess is that you would say no. Well let me give you a scenario. I have broken an encryption scheme that is used in a major product. The vendor has known about it for almost a year and they haven't notified anybody nor do they plan to. This came directly from the CEO. This company's largest customer is the Department of Defense. In the meantime, I recently learned of a large bank that is migrating a lot of functionality to this product. So if I release my findings, you would probably believe that I am the criminal and the vendor is a poor wretch who is just another victim.

So what does this paragraph above mean? Neither the hacker nor the vendor has the PC user's interests at heart. One's motive is to violate a computer user's privacy, the other's motive is profit.

And do you think it is only the Department of Defense or the FBI that can be victims of hackers? A cancer patient in a hospital ward whose vital signs must be checked every hour via computer can be a victim of a hacker, many of whom are not such "benign white hatters" as you were in your scenario above. Any invasion of privacy is an obscenity, whether it is Big Brother, or a malicious hacker probing someone's network or PC for personal information. It is the height of arrogance and an abuse of power; actually it is "cyberrape", and should not be tolerated.

Robert Betts

----- Original Message -----
From: "fiji" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 17, 2002 11:52 PM
Subject: Re: From the Morris worm to Nimda

> > I do not know all the details, but computer viruses originally began when a Computer Scientist/Programmer inadvertently allowed his self-replicating program to get loose in some university setting. Since then malicious people have been designing the nasty self-replicating bugs for a variety of reasons: personal spite against the victim, political extremism and social causes, and in some cases, just plain mischief, in this latter case the hacker is usually very young, either a high school or college student.
> >
> > Although it is perfectly legal to sell crowbars, it should NOT be legal to sell malware and anything else that can be used for malicious hacking, such as password cracking software, etc. websites that sell malware should be shut down permanently and known hackers should be prevented from having access to ISPs.
>
> So you are saying that it should be illegal to sell password cracking software? Have you thought of the implications of this at all? Does this mean that ISS and Cybercop should be illegal too? They attack networks and they try to brute force passwords. Do you really think that "hackers/crackers" go out and buy password cracking software? Come on, get with it. They write their own code to do these tasks. The software that is for sale is for administrators and auditors to use some of these tools to get a glimpse of their own security. Why do you believe it would be in the best interest of security to limit these administrators? You are implying that nobody should be able to audit their password security. What if all of these tools were free? Then are they ok?
>
> So let's assume that I break an encryption scheme and notify the vendor. The vendor doesn't do anything about it. Should I release this information in the form of code? My guess is that you would say no. Well let me give you a scenario. I have broken an encryption scheme that is used in a major product. The vendor has known about it for almost a year and they haven't notified anybody nor do they plan to. This came directly from the CEO. This company's largest customer is the Department of Defense. In the meantime, I recently learned of a large bank that is migrating a lot of functionality to this product. So if I release my findings, you would probably believe that I am the criminal and the vendor is a poor wretch who is just another victim.
>
> I have been involved in technical security for almost 10 years. I think it is a serious disservice to ignore the tools out there and bury one's head in the sand as you suggest by shutting down these sites. There is a thing called the underground. Right now the underground seems to be on every website and media medium. Let's not actually make it truly underground because then we are all screwed.
>
> -Jeff Fay
>
> > You mentioned that there were computer security specialists who had no credible computer background. Perhaps computer scientists at the university level should study malicious hacking in depth, particularly the methods they use and effective ways to combat them. By that I mean theorems and proofs of theorems. Obviously the best antivirus software and effective firewalls are the best bet, but I think computer viruses can be rendered ineffective at some more fundamental level in the very code written by the OS software people at Microsoft, and by those software engineers familiar with how UNIX and Linux were developed.
> >
> > Robert Betts
> >
> > > Today's Topics:
> > >
> > >   1. Re: The Morris worm to Nimda, how little we've learned or gained (Gene Spafford)
> > >   2. Re: fw-1 config (Volker Tanger)
> > >   3. 1:1 NAT desing question (=?iso-8859-1?Q?Bruno_Negr=E3o?=)
> > >   4. Re: Off-topic or not? Is your son a computer hacker (Herman Van Keer)
> > >   5. RE: Netscreen 5xp 3Des Keys (long, crypto geeky) (Ben Nagy)
> > >   6. Re: Off-topic or not? Is your son a computer hacker (Mike Fetherston)
> > >   7. Re: 1:1 NAT desing question (Magic Phibo)
> > >   8. Article: Security Hole in SmoothWall (Meritt James)
> > >   9. Re: The Morris worm to Nimda, how little we've learned or gained (fwd) (Paul D. Robertson)
> > >
> > > --__--__--
> > >
> > > Message: 1
> > > Date: Tue, 15 Jan 2002 00:00:52 -0500
> > > To: [EMAIL PROTECTED]
> > > From: Gene Spafford <[EMAIL PROTECTED]>
> > > Subject: Re: The Morris worm to Nimda, how little we've learned or gained
> > > Cc: [EMAIL PROTECTED]
> > >
> > > Hi. Someone recently passed along your essay (I don't subscribe to the firewalls list). There were a couple of comments I wanted to make.
> > >
> > > 1) You quoted Ian Goldberg's 1995 article where he stated that buffer overflows were "pretty new" in 1988. This is not true. Buffer overflows were used to compromise security on systems in the 1960s and 70s. An early paper explained how Robert Morris's father broke into an early version of Unix by overflowing the password buffer in the login program many years before 1988 (I'm sure the younger Robert was familiar with that paper, too). Many earlier papers also described buffer overflows.
> > >
> > > Unfortunately, we have a lot of people who are working in security with various levels of claimed expertise who have little or no knowledge of the history or underlying principles of what they are doing. (And no, that is not intended to make any suggestion about Mr. Goldberg -- I do not know him, nor do I know his background. I'm reacting to the quote and my knowledge of other "experts" in the field.)
> > >
> > > 2) The comments I wrote in 1988 applied to the Internet arena of 1988. There were no significant viruses, worms, root kits, or the like. There was no WWW. There was no history of widespread computer abuse. The majority of systems were running a Unix variant. Pretty much every system administrator of the time had a college degree, usually in computing or a related science.
> > >
> > > That was the context of my comments at that time that it was not appropriate to blame the administrators for what happened. I still believe that, in that context. I don't believe it was appropriate to blame the OS authors, either, although there was some responsibility that they bore for their sloppy coding.
> > >
> > > Now, if we fast-forward to today's computing arena. There are about 65,000 viruses and worms (with over 95% of them for Microsoft products). There are literally hundreds of rootkits, DOS kits, and break-in tools available on the net. The WWW reaches hundreds of millions of people. We have a decade+ history of significant, public break-ins. The majority of systems in the world are running a very buggy, bloated OS descended from a standalone PC monitor program. Typical system administrators (and many security administrators) have no training in computing, let alone security.
> > >
> > > If the Morris worm were to occur today -- and, as you noted, variants have been occurring in the guise of CodeRed, et al. -- I would place a large amount of blame with the vendors for doing a shoddy job of producing safer software, and a significant amount of blame on the administrators of the affected sites for not taking better precautions in a known dangerous environment.
> > >
> > > But in both cases, the primary blame goes to the people who produce and employ malware. There is no excuse for doing this, and they are quite obviously the primary cause of the damage.
> > >
> > > However, I agree with you that we need to re-evaluate the culpability of the software authors, the vendors, and the administrators. I have been making exactly this point in presentations and classes for at least the last half-dozen years. It hasn't been well-received in too many venues until very recently.
> > >
> > > 3) Your example of the arson victim isn't quite right. In most cases, an arson victim is not criminally liable unless she did something stupid and criminal to deserve it (e.g., she chained some fire escapes shut). Instead, the victim may not get full payment from an insurance policy, and that is the penalty for not keeping current with the necessary protections. This is similar to what happens when your car is stolen -- you are not charged in criminal court if you left the key in the ignition, but you may not get the full payment for the car from your insurance company, or your future premiums could be doubled.
> > >
> > > Imagine Joe Clueless is running a Windows box with no patches and no firewall, has no training in security, and still hooks his system up to the network. If his system is hacked (and it will be, perhaps in a matter of hours), he is still a victim. Whoever breaks into his system, or whoever authored the virus that corrupts his disk, that is the person who committed the crime and should be prosecuted.
> > >
> > > But is Joe blameless? Under law in most western nations, he is probably not criminally liable. He may be stupid, but that isn't a crime. He may be naive, but that isn't a crime either. If he has insurance, he may not get a full (or any) payout. Or if he has no insurance, he pays another kind of penalty -- he loses his data. So he does pay a price. And if Joe has a good lawyer who is persistent and can convince a jury that the vendor was negligent, then maybe the vendor will pay, too.
> > >
> > > A better scenario would be for "hack" insurance to begin to become a standard business practice. Once the actuarial data comes in, the companies set a standard premium. They may give a discount of 30% if there is a firewall, a 15% discount if the system is based on FreeBSD+Apache, and a 75% discount if the security administrator has a CS degree from Purdue. :-) Meanwhile, the same company may set a 25% penalty (extra premium) if the system is Windows-based, a 200% penalty if it is running IIS, and there is a clause that there is no payout unless there is evidence that all patches were present and timely. Under this kind of scenario, market pressures would tend to lead to better practices by the vendors *and* the users. That would be a better solution than the government regulation you suggest, although I am not hopeful it will happen any time soon.
> > >
> > > You might find this of interest: <http://www.cstb.org/web/pub_cybersecurity>. And here are some comments I have made before Congress about the shortage of security professionals: <http://www.cerias.purdue.edu/homes/spaf/misc/edu.pdf> (1996) and <http://www.cerias.purdue.edu/homes/spaf/house01.pdf> (2001).
> > >
> > > Cheers,
> > > --spaf
> > >
> > > --__--__--
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
