On Thu, 17 Jan 2002 [EMAIL PROTECTED] wrote:

> Sorry, but Government facts and science research journals would dispute what
> you say. Most hackers are not experienced in the intricacies of software
> engineering nor do they have backgrounds in computer science. Most of them

Citations please?  While most "script kiddies" fall into the clueless
category, there are certainly a large number of people writing malicious
software, and a larger number capable of doing so.  Most of those have
backgrounds in computer science of some sort or other.  In some cases, the
fact that everyone isn't writing their own versions is an advantage to the
defenders, especially in detection technologies.

> buy their tools: sniffers, port scanners, war dialers, root kits, from
> underground websites I would not dare visit for fear of who might be lurking

"Buy" is completely wrong.  Most malicious tools are available for free-
in fact I don't think I've seen anything purely malicious available for
anything other than the cost of downloading it.

> there. They do not write their own code for these tasks and they do not have
> to, and THAT is the problem, so I am afraid I am indeed  "with it."

While "lurking" and Web sites sounds dramatic- the two concepts are
orthogonal- perhaps you could articulate this better?  Since I've never
been afraid of a Web site, I'm curious as to what would prompt such a
fear.

> No one would seriously contemplate making it illegal for firemen training
> novice firemen to set fires at some Fire Academy to see if the apprentice
> firemen can effectively put it out. Neither do I suggest that security
> specialists, if you indeed are one, and Network Administrators should be
> barred from using hacking tools to check the security of some network. The
> malicious hackers are the people who should not have this software.

Would that lines were so clearly drawn, but indeed many "hacking" tools
have legitimate uses, and many lines are blurry;  since I can deface
poorly secured Web sites with my browser, does that make it a "hacking
tool"?  Telnet clients?  Traffic shapers?  PC Anywhere?  WindowsXP?
Debuggers?  Compilers?

How do you account for the (unfortunately) numerous IT professionals who
engage in malicious activity?

How do you account for job changes?  Consultants?

How do you account for education?

"I'm between jobs, can you hold my copy of nmap for me?" seems to be a
little silly.

Want to start thinking about what happens when trojans of "illegal"
software get installed on someone's PC?  Suddenly your grandmother is a
criminal without much recourse.  Surely she's not going to be able to
prove that someone else put that copy of crack on her ME machine, let
alone the new PVR.

> So what does this paragraph above mean? Neither the hacker nor the vendor
> has the PC user's interests at heart. One's motive is to violate a computer
> user's privacy, the other's motive is profit. And do you think it is only
> the Department of Defense or the FBI that can be victims of hackers? A
> cancer patient in a hospital ward whose vital signs must be checked every
> hour via computer can be a victim of a hacker,  many of whom are not such
> "benign white hatters" as you were in your scenario above.

That doesn't mean that the issue should remain unaddressed.  While I'm
strongly behind more appropriate disclosure methods than "send an exploit
to the world," if it's made illegal, then obviously there needs to be some
sort of culpability or redress assigned to vendors and authors.

> Any invasion of privacy is an obscenity, whether it is Big Brother, or a
> malicious hacker probing someone's network or PC for personal information.

So you're saying that court approved subpoenas and warrants are obscene?
Searching the computers of missing people for evidence of their
disappearance is obscene?  Checking a criminal's computer for evidence of
other victims a brash and vulgar act?

> It is the height of arrogance and an abuse of power; actually it is
> "cyberrape",  and should not be tolerated.

Nor should naivety and pseudo-solutions.

(snipping the irrelevant portions of the digest would be helpful.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
