When is hacking a crime?

Thread: When is hacking a crime?

  1. #1
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658

    Question When is hacking a crime?

    I found this to be a very interesting read. It seems that the DMCA has produced quite a conundrum that seems to only grow larger with each passing day. On one hand, you have software companies who churn out products that are the equivalent of Swiss cheese from a security standpoint. These companies are becoming more inclined to cry 'foul' when someone discovers a vulnerability in one of their products and use the DMCA as a prosecution vehicle. Then there are the white hats, who act in a responsible manner and report these flaws to the software companies, only to have their findings ignored a large part of the time. Now throw the grey hats into the mix, who are prone to expose these flaws in a manner that forces the developers to acknowledge and patch the flaws. Then of course you have the black hats....the ones who give 'hackers' a bad name in general, who just go ahead and exploit the flaws for personal or financial gain, thus evoking the 'shoot first, ask questions later' mentality that the software companies are beginning to develop towards those who discover flaws in their products. Over here on the sidelines, completely out of the game, are the consumers of these products. I, for one, am standing here in amazement as I watch the very people who are striving for improvement being threatened with litigation for their efforts. What, pray tell, do the rest of you think about this situation?
    Al
    It isn't paranoia when you KNOW they're out to get you...

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    I think the DMCA, like most consumers, does not know the difference between white, grey, and black hat hackers. Furthermore, they do not have a good understanding of what a hacker is or does based on their category. Now the media has a role in this, taking the definition of 'hacker' and making it synonymous with 'cracker' or just black hat activities in general. I think the first step towards acceptance of white (maybe even grey) hat hackers is to work on the reputation of hackers as a whole. Get more media attention to those who are trying to help technology. Remember, hackers started the computer world, now we are being prosecuted for doing the very thing that started it all. This is called irony. You create a world only to be banned from it. Personally, I will never stop playing with new technology, tweaking it to do this or that. It is great to do something that everyone says is impossible!

    Enough rambling, I guess the point is that the DMCA sucks.

    Cross
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  3. #3
    Senior Member SodaMoca5's Avatar
    Join Date
    Mar 2002
    Posts
    236

    Crime

    I read the article with great interest.

    My personal thoughts are that companies that ignore input and then have a knee-jerk reaction when information is posted are cutting off their own noses to spite their face. In the listed incident HP says its developers were nearing completion of the patches; did they relay this at all? If so then I think Finisterre acted badly, if not then HP did. Even if they were actively working on them, if they don't communicate that fact then what do they expect?

    It has been a fairly accepted tradition that even white hats inform the company and then if nothing is done they force the issue. A better example of this is the recent discovery of the hole in the encryption verification used by many browsers. Most of the browsers affected admitted the problem after it was demonstrated and quickly fixed it. M$ initially denied the problem until they investigated it, castigated the person who reported it for not contacting them privately (even though it affected many people possibly), and then took an inordinate amount of time to patch the problem. I defend the term inordinate since other browsers were fixed in days not weeks.

    However, the guidelines listed at the end of the article do give some hope. I think the second proposal of 7 days to show good faith effort and 30 days to fix before the vulnerability is released seems fair. Then the finder should be able to publish the vulnerability which the company should have already fixed. The finder gets recognition but the company gets time and the users get better protection. If this is accepted then I think a violation of that agreement would be considered straying into illegality. How far would be determined by motivation and results just like it is in every other area of crime.
    SodaMoca5
    "We are pressing through the sphincter of assholiness"

  4. #4
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Originally posted here by cross
    I think the DMCA, like most consumers, does not know the difference between white, grey, and black hat hackers. Furthermore, they do not have a good understanding of what a hacker is or does based on their category.

    Uhmmmm....the DMCA stands for the Digital Millennium Copyright Act....which is a piece of legislation, not a group or 'body' that can have an opinion one way or another.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    I was referring to the people behind it, not 'dmca' itself. It was written by people who have an incorrect perception of what a hacker is and does. Sorry if I was unclear, but I was typing fast and trying to get a point out. I assumed some things were already known.
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  6. #6
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    n/p...the DMCA is very poorly written and its vagueness allows for some VERY loose interpretations to be sure. I just wanted to point it out not so much as a correction aimed at you, but to make sure that those who are unfamiliar with the DMCA are clear on exactly what it truly is.

    Click here to view a DMCA synopsis in pdf format.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  7. #7
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    Again we are faced with a damned if you do, damned if you don't scenario. The only thing I can think of to remedy this situation is to push a bill through Congress for security specialists, aka hackers.

    What this bill would do is to set guidelines on how a "security specialist" is to present the flaws to the company. If the bill's requirements are met, then the bill will completely protect the "security specialist" from any backlashes from the software company. This guideline will also bring software companies to be forced to look at these security flaws and acknowledge them after a timely investigation of the claim. Failure to do so would bring about a separate investigation into the claim by a government funded "Cyber Security Task force" (internet security cops). Depending on the outcome of their investigation, proper requirements will be forced upon the software company.

    Computer Security is not something that is just going to go away. It is becoming more and more of a factor in business and will only continue to grow until cyber warfare is a true threat to society. I think if a bill is passed thru Congress here or thru a worldwide type audience, we can ensure the safety and security of the internet in the future. I think I may even write up the bill myself and begin to investigate the proper channels to get it into consideration.

    If you would be interested in doing this, private message me and I will start a conference room to discuss this idea.

    Something has to be done now to ensure the future of the security for the internet. Who better to do it than the people who deal with these issues on a daily basis?

  8. #8
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    I'm in, xmaddness, as you have probably already seen. I just want to caution everyone who might be interested that this is going to be a serious discussion and we need you to bring your 'brilliance' with you!!
    Al
    It isn't paranoia when you KNOW they're out to get you...

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I'm also in. I'm interested in this discussion for sure even though I'm in Canada. Rules created in other countries are sometimes used as precedents elsewhere. It may also help fuel the Security IT need here (it's vastly understaffed overall in Canada).

    In looking at the article, Finisterre might have made a glaring mistake. When working as a security consultant often you sign a confidentiality agreement on whatever is found. I wonder if he did the same for the employee that released the vulnerability with the exploit. If not, then unfortunately Finisterre is responsible. It's unfortunate that the article doesn't ask a question like that. Contract law is pretty much a stickler on that kind of thing.

    A little further to that is ethics. I personally would be questioning the ethics (and intelligence) of the employee who released that info. Why would they do that? To what gain? If HP releases updates or fixes the vulnerabilities before they are an issue, then what's the point?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    Well everyone, it has begun. PM me and I will send you a key to the room. Again this is a serious discussion on the future of the security for the US and other nations. We welcome all that are interested in helping this idea come to a reality. Look for further updates on this thread as we continue towards our goals.
