i think this is worth posting...i hope it is
http://msn.com.com/2100-1107-852767.html
Should hackers be jailed: I really feel that this depends on the crime. If damage is done that harms someone, then yes some kind of punishment should occur. Should it be jail? I guess that depends on the person's criminal history and how damaging the crime was. As this article has mentioned, I think in a lot of cases hackers are younger kids looking for a quick thrill, and think they won't get caught. I think that in most cases if this youngin gets caught, then gets some fines along with some community service he will then realize he isn't invincible and won't be doing his malicious hacking anytime soon again. If the person has a criminal history, and continues to do harm by hacking then yes it should lead to jail eventually... Not because he is hacking, but because he is causing harm to someone or something.
Should ISPs be held responsible for users' actions? No they should not! You don't hold the phone company responsible for crime that is organized through telephone conversations. The ISPs are not doing anything wrong, and SHOULD NOT be held responsible. period. If the ISP is working with the person knowingly causing some kind of damage, that is another story. But if someone is causing trouble using the ISP's services, and the ISP is unaware of the illegal activity, then NO they should NOT be held responsible.
Those are my thoughts. What does everyone else think?
if it's malicious, yes, if no damage was done, and the people that are hacked are told how to fix things, then no.
I agree if you hack a system and tell the people in charge how you did it and how to fix it then they should thank you. If you screw something up that’s a different story.
If hacking is defined as breaking into a computer system to which you do not have access I definitely think hacking should be punishable. Whether to send people to jail or not should depend on the circumstances.
Often access is restricted due to the nature of the data. If the data is sensitive I think the hacker should do some time. If information is edited or stolen the hacker should *always* go to jail.
So in general, hackers should always be punished for their trespassing and sent to jail if they fiddle around while trespassing.
I think it is naive to say that you should thank hackers that let you know of their weaknesses.
It's like saying that you should thank people that wake you up in the middle of the night, in your own bedroom, for pointing out that your locks can easily be picked.
But that is just my two cents
I'm starting to get tired of hearing the famous "breaking into a house is the same as breaking into a computer system" analogy.
Consider this, someone is walking up the street. They notice a key on the ground next to someone's parked car. The person picks up the key, puts it in the key hole of the car and sees that the key is clearly the owner of that car's. He doesn't steal the car, he doesn't open the car door, he just checks to make sure that the key fits the key hole. He then takes the key, knocks on the person's door and says "Hey, here's your key". Sure he tried the key on the car. So does this person deserve to be charged for touching that person's property? In my opinion, he did the right thing.
When a computer is vulnerable 99% of the time, the only way to confirm this is to see if you can access the system. It is the same as testing the key.
Notifying someone that you found their car key is one thing, stealing the car radio is another. So what if you checked to make sure the key fit the hole. You didn't hurt anyone, you didn't steal anything, and you helped the person by telling them they dropped their key. If anything you just saved them from the headaches of getting their car stolen.
If your intentions are good, and nothing was hurt then you should be getting praised for responsibly notifying the system admin.
I have found major flaws in web sites. I came across a web site that had a directory listing of all their databases in the /database/ directory of their web site. Now did I break the law by simply going to the /database/ directory of their web site using IE? Did I notify the company about this flaw? Hell No... I bet they would love to know, but because of all this "you go to jail stuff" I'm not risking my ass to tell them. I didn't hurt anything, but yes I did access that directory listing. No hacking was involved, only pointing your browser to a directory.
Where do we draw the line at what should be punished and what shouldn't? Again, to me it seems if your intentions are good, and you did not hurt anything, then you should be praised for notifying the web master responsibly of the flaw in their system.
Does that make me a terrorist?
You have to consider the time and expense of fixing the damage caused by so called "hackers"....that kinda cost can sky-rocket quickly. Even if all you do is look around, it can cost the company quite a tidy sum...
Now did you mean to cost them money? No.... Should they have had better security up there? Maybe.... But you still stuck your nose where it wasn't welcome, so if they had to spend money, you need to pay it... IMHO
jcmcb, yes, of course... If you cost them money or cause them damage then you get what you have coming to you.
But if no damage is done, and you didn't cost them anything, and something so simple as having directory browsing enabled is found... Should you get in trouble for notifying the company? Having directory browsing enabled for a database directory is chaos waiting to happen.
I would be extremely happy if someone notified me of this before someone downloads the databases and uses my customer's credit cards. That's why I say "where is the line drawn".
In a society where people are getting sued for giving someone the Heimlich (sp?) maneuver to save their life, but in the process accidentally hurting them... I choose to keep my mouth shut about what I find.
completely agreed. Keep my mouth shut.
how does it cost the company money if you didn't do anything. all it makes them do is fix what they should have in the first place.
no, they shouldn't, hackers are of two types 1. for their enjoyment, 2. for others' enjoyment
1 -> they do just for fun
2 -> they do for revenge
2nd grade hackers must be punished
actually a hacker's worth is priceless, think once how much he must have known to hack others, first hats off for his knowledge, then others come into consideration...
IMNHO -
Just because someone is stupid and leaves a gaping hole in their site doesn't mean you are allowed to explore it. If you do, that forces them to examine and then fix it, and that costs money. That is cost, and that is why you can go to jail or get sued. Why? Cause you took an affirmative action by intruding into that system...hence you are culpable for those damages!
Here's the problem, just because you didn't mean to cost the company money doesn't mean you didn't. That kinda cost can cripple a small or starting biz (which may be why they have crappy security). Should those people and their investors be penalized because you want to check out their security uninvited?
Just playing devil's advocate to the normal "If I didn't make money then what's the harm" view that we normally find on AO...
jcmcb, so what you are trying to say is if you notify a company about a security flaw with their site, and since it costs the company money to pay whoever to fix the flaw, YOU are then costing the company money? I guess theoretically, that is true.
In that case, I think it is a sad, no scratch that, GREEDY world where some company would take you to court for that.
jcmcb, i think you're missing the bigger picture...if you find a hole and without doing any destruction notify them, you SAVE them money. think about what would happen if somebody found it and exploited the hole for their own gain. then the company not only has to fix the hole, but they have to fix whatever damage was caused by the malicious guy who got in. then, they might have to deal with a loss of business because other people don't want to deal with them because they got hacked...all of which could have been stopped by you simply finding a hole and telling them...
if you see a hole, i say it is your duty to check it out and inform the owners of the box. if you don't, that is when i say you are responsible, because you could have stopped all that extra damage from occurring by just sending a little email.
jared_c - I am with you about the greedy bit, but (with all respect to James Brown) this is a Capitalist world, and thanks to the US (and Prez Reagan, curse him) Greed is now a virtue...
8*B@LL - I think you are missing the bigger picture. It doesn't matter why a person finds a flaw, it still costs that company real money to fix it, and they are going to blame you for the cost of repair, especially if you are going to announce the flaw. Now I think that finding flaws and reporting them is a good thing, but not if you're not invited/asked. I think if you (not you specifically 8, but you the general hacking community) were to offer their services for free to small companies, I think you would find a receptive audience, who might even pay you to fix it. But I object (and as a small biz owner I think I can speak for some of us) to unwelcome persons telling me about my vulnerabilities. Why? Because I don't know who you are! For all I know you're some guy who is going to blackmail me for the security of my data. Paranoid? Maybe, but these small biz are the life's work/dream/goal for people, and they take them seriously.
I don't want anyone to think I am saying that altruistic hacking is a bad thing, just that it can and will be perceived as a bad thing, and possibly get you in trouble...
jcmcb, I too am a small business owner. If someone found a security vulnerability on one of my web servers, whether I asked them to or not, I would be very happy if they notified me about it. If intentions were good, and no damage was done, I would definitely thank them for letting me know about the problem.
I think the problem is that a lot of companies would be embarrassed if put in that position. I remember a client sent me a virus. It was one of those viruses that forward to everyone in your address book. I called up the client and told them that they were infected and that they sent it out to everyone in their address book. The person was quite rude about it and didn't even say thank you. My guess is it was because he was embarrassed that he was foolish enough to get the virus.
Now my question is: Since I called this person and notified them that they had a virus, am I now responsible for the time it takes for them to fix their system? According to your theory I would be.
The fact is if the vulnerability is there, it is there whether I tell him about it or not. If I notify the person about it, it is their decision whether or not to fix it. Not my decision. I shouldn't be held responsible for the cost of their decision to secure their server.
jcmcb, just so you know this post isn't meant in any way to offend you. I'm just saying how I would handle the situation, and what I think.
Well if you're hacking and causing problems, then yes, there needs to be punishment. And as was previously said, depending on how much damage or how many problems you cause should depend on whether or not you get jail time. As for finding security holes...if you come across them on accident that's one thing. If you are trying to hack and finally get in, I can see how companies would get mad. If people didn't try then they wouldn't need to worry. Once a hole is found it can be exploited and then a new security system needs to go into place, which does indeed cost a lot of money. If you want to hack legally, get a job working for securing a company's network. If you find a hole, you might get a promotion instead of a fine. Just my two cents.
exactly as i said. if you don't do anything wrong, and do something good by telling them, why be punished?
i don't know how putting a hacker in jail helps stop hacking. if the government thinks that arresting a hacker for 1s and 0s will make fear in the hacker community they are so *****ing wrong. although i think if the hacker was a script kid then he should be banned from using a computer for a reasonable amount of time. (reasonable being less than a month)
as far as deleting files goes, i know if a real hacker hacked into micros0ft.com he will tend to crash the system. while on the other hand if any of you hacked into linux.com you probably won't because you know that *nixes have helped hackers spread, and you will most likely report the flaw, unless you have a beef against Linus T.
erm...that is so wrong...a "real" hacker wouldn't crash ANY system they got into, just explore it. ever heard of ethics?
I must agree with jared_c on this conversation. If it was my system I would be happy that someone pointed out the problem to me before any real damage was done.
ccKid
That's very true 8*B@LL, a true hacker never damages a system only explores.
I have 2 points:
1. What would the difference be between hacking a system and "looking around" and breaking into a company and "looking around"? Both involve an unauthorized entry, regardless of intentions or amount of damage caused.
2. This isn't necessarily true. ISPs also must share information pursuant to a subpoena. They also may share users' information if simply asked to do so, so long as they have outlined this in their TOS with a disclaimer like "we will always fully cooperate with law enforcement officials...privacy is not guaranteed..." Just thought I'd let you know.
Quote:
Smith further proposes that Internet Service Providers (ISPs) freely share information obtained from their customers' e-mails with authorities. Currently ISPs cannot share such information without a warrant.
I can say this... NO - because here is what's going to eventually happen, if it hasn't already.
Throwing hackers in jail is going to expose them to other criminals who you don't want to have the information they have. Jails are Universities of Crime. Hackers are just going to teach other criminals their skills. This kind of information is going to be available to the very people you DON'T want.
Think about it.... Some young kid, thrown to the wolves, is going to be forced to "tell all" or they might wind up as some bruiser's "sex slave". Certainly enough incentive to "tell all".
Sure, most people in jail are dumb, and few have computer skills, but there ARE people in there that could pick up on this technology and make for some damaging prospects.
I can see it now... Al Quada rag heads get first hand exposure to some hacker, learns the techniques or how to download DDOS attack tools, and when his visitor visits him, he gives them the URL link on where to download the latest DDOS tools, and they spread it around and around...
Sure - it is possible they may find it without the hacker's help, but perhaps the hacker may have led them to a more sinister program.
By the way, I'm speaking from experience...
Capn Crunch
That is a valid point John, I don't believe that first time offenders should be jailed for any malicious hacking/virus activity. However they should be heavily fined to, hopefully, deter them from doing this again. The laws that I have heard about hackers being treated as terrorists however I am completely against! Why sentence a young person to life in prison for hacking, I feel that is ridiculous.
ccKid
I totally agree with you. That Cybercrime initiative is way too broad and harsh and draconian. Technical solutions are always better than political ones.
After I read that initiative I wrote all my government reps just to let them know that I disagreed with it. If the parents of these "script kiddies" actually taught their children some ethics and basic morals we wouldn't have to worry about having laws threatening jail time for what the common people call hacking and most real hackers call exploring.
ccKid
erm...hacking in IS breaking in.
Quote:
Originally posted here by 11001001
I have 2 points:
1. What would the difference be between hacking a system and "looking around" and breaking into a company and "looking around"? Both involve an unauthorized entry, regardless of intentions or amount of damage caused.
the difference is what you do once in. the rush a lot of people get from hacking is from exploration. let me give you an example:
my college has all the dorms wired on a LAN, and a lot of people have network shares. while most of the boxes are win9x/me, there are a few 2k. one such box has the network name "playboy". well, it's a 2k box, so, as most people here know, there is a c$ share available, but only to admins on that box. 3 guesses what that pc's administrator password is. yep, his administrator pass is "playboy".
now, having that knowledge i have full access to his c drive, as well as his registry (network reg in regedit) and some other things through the computer management util. i could trojan him, i could do anything i like to him, but i don't, that doesn't do anything for me. what do i do? i look around his box. i delete nothing. hell, i haven't even copied anything, just looked around. have i caused any harm? i don't think so. i should really contact him and get him to change that admin password, but i'm not really sure how to do that without scaring the crap outta him. i still consider what i have done at least mostly ethical, with the exception of the fact that i haven't notified him to change the pass.
now, the difference i was trying to point out is this:
i did no damage to his system. if i went in and deleted files/trojaned him/whatever, that would clearly be wrong, and i would be liable for such damages, but since i have caused no damages i don't see how i could be liable.
Captain Crunch wrote:
"I totally agree with you. That Cybercrime initiative is way too broad and harsh and draconian."
IMO, the draconian penalties found in CSEA are contrary to logic, reason, and the prior law of this land.
Puts in my little bit on this. This is just my personal opinion. Which is close to several of the opinions stated earlier.
Someone used the analogy of martial arts in a post once, I love this analogy and will use it here I’m sorry I can’t remember whom but if you read this, was a good one.
Firstly the term hacker needs to be defined there is a lot of chat and posts upon this so will not go into it all here. I will use hacking as a skill, as martial arts are a skill. Skills can be applied in a multitude of different ways. Teaching someone how to kill with a single strike does not mean that that person will go out see someone he/she doesn’t like and get into a stupid bar fight and kill someone with it, but does mean that if a situation arises where deadly force is required and the person applies their skill to defend themselves that is not considered illegal. Now taking this to hacking, there will always be computers, there will always be IT, and in so there will always be hacking. Learning of the skill of hacking and practising them should NEVER be illegal, much as the practice of martial arts should NEVER be illegal even though you are equipping people with these skills that can be used to cause harm/damage. If the practice of hacking became illegal it would just be pushed more underground would not ever stop it. The act of causing harm with the skills should be however. What I mean to say is if someone learns the skills and uses them inappropriately then they should be legislated against. Back to the martial arts, if a student goes out and becomes a bully applying his/her skills to harm others that is their choice, the teacher (sensei) should not be made responsible for his students’ actions. This applied to ISP, because a person uses an ISP to commit act of harm against other computers the ISP should not be responsible for their act. However they should be responsible in trying to implement procedures to deal with persons that commit these acts, perhaps a VERY VERY limited liability, where if it can be proved that their ISP knew of this use and did nothing to prevent it or prevent the acts from continuing then they should be liable.
I think ideally that the learning and practicing of hacking skills should be totally legal in fact encouraged within IT professions. This is because there will always be people out there trying to do harm with the skills, it's a fact of life. I think the ethos of this site states it perfectly, how can you defend yourself against hackers that wish to cause harm if you yourself don’t know their skills. Again in the martial art analogy, person A is a martial artist who practices martial arts for the art itself and perhaps self defence, Person B is also a martial artist but uses his skills to cause harm, person C is someone whose experience of fighting is negligible. If person B and Person C were in a confrontation person C would not know how to defend against person B’s skills and end up harmed, take this same situation but person B starting a fight with person A, person A would know how to defend against more of person B's attacks and may even prevent major harm to himself because he knows of the skills being used. Another shorter way of putting this is, building security, the best people to secure a building are the ones who have the skill to break in hence why military buildings are secure, they train people to break in to secure buildings, in so they know their techniques and can defend against them
However the use of this skill to cause harm/damage, corporate espionage or to gain inside information for personal gain should be dealt with. These offenders should not go to jail because as stated in an earlier post placing a person of considerable knowledge of anything within the jail community would lead to this information being passed on to others whose ethics may not be as strict as the hacker's, even though the hacker has a lack of ethics because that is why they are there. They may have boundaries that they personally will not pass. Again taking this back to the martial artist, if you have a martial art master one whose skill and understanding are great, they go out to bully and cause harm but never apply skills that cause permanent damage/death but only apply skills that cause great pain because of his/her own personal boundaries. Place this person within jail and he is put in a situation in which he has to teach others his skills, one of the students may not have the same personal boundary and use the skills that cause permanent damage/death even though the original teacher and offender would never use them. Perhaps applying sanctions of fines and restricted computer access at varying levels for the crime committed would be a better option, as this would prevent the knowledge of hacking reaching other people with a criminal past/mindset that might apply the skills to cause greater damage and harm. I must point out here I am speaking specifically of the computer crime in itself, if the computer crime was part of a larger crime then of course the appropriate sanctions for that crime should be enforced as well as those for the computer crime. Unfortunately I feel that the people legislating cyber crime have no REAL understanding of it, and in so are going to cause more problems because they are going to try and do what they think is best without having all the facts, information and opinions of those better informed under consideration.
Thanks for reading hope it made some sense,
Kindred69
I feel you should get permission from the owner before you do any exploring of someone's system. If they want a security analysis of their system, they should be the one to initiate it. It should be a voluntary process. What would happen if you went through the parking lot at Wal-Mart trying to open people's car doors? When the police drive up and say "What are you doing? Come down to the station with us," what would you say? "I'm just checking people's security; I wasn't going to take anything!" Would the police accept that argument? On occasions when I have had trojan placement attempts on my computer I have port scanned the attackers and found what I thought were trojans on their system. I have called or e-mailed this person's ISP or network to let them know one of their clients or machines might be compromised as a zombie. To me that's ok. On the other hand, if I found running trojans on their box and used them to go inside to explore, I would be in the wrong. There's a fine line, but once you cross it, you're in the wrong, IMO. :)
Right on Preacherman!
Just because you can do something is no reason that you should do it!
You have a valid point, Preacherman, but what concerns me is when you come across something on a website that is misconfigured and allows access to DB files or whatnot. Upon contacting the company to let them know of the problem there is a possibility of you, just trying to be a nice person, being prosecuted for trying to help. If it was my system I would be very appreciative of being told of the problem but some corps and individuals are just nasty and may try to target you as a Hacker/Cracker. I think that is just insane!
ccKid ::coffee::
I totally agree with you, Preacherman.
8*B@LL - That's the exact point I was making. There is no difference. Intent is not even a factor.
Quote:
erm...hacking in IS breaking in.
'I agree if you hack a system and tell the people in charge how you did it
and how to fix it then they should thank you.'
Look at it from another perspective: You break in a house, you broke the
guy's front door down just to prove that his locks really suck,
have a look around then wait for the owner to come home and tell
him how you broke his door step by step and how he could fix it.
Will he thank you and offer you a beer? I think not :(
If someone's door is wide open and no one is home it's still not ok to
walk inside. Like what if there is a burglar or thief in the home and he's
armed with a gun? what if the cops arrive on the scene and you're the one
who is mistaken for the real intruder? you'll still be arrested because you
were illegally in this guy's home even if your intent was not malicious.
a smart person wouldn't have gone inside, they would have picked up a
pay phone and called 911 and let them handle it. It's the same with
Systems, if no one authorized you to enter you don't go in period.
ah. i see, so intent is not a factor. very interesting, but perhaps next time you should take the time to actually READ the argument you are replying to before saying and avoid making an ass of yourself. in fact, i highly suggest that you go back and look over my post on the last page right now before you go on reading.
Quote:
Originally posted here by 11001001
8*B@LL - That's the exact point I was making. There is no difference. Intent is not even a factor.
anyway, i am in absolutely no way arguing "good intentions". good intentions lay the bricks in the path to hell (i love that saying :) ). anyway, i'm arguing actions. straight out actions. to use the (insanely stupid) comparison to a house, here is what i am saying:
you know some guy's locks are absolute crap. you go down and pop the door open using whatever method you wish then twist the handle to confirm it is indeed unlocked (or open the door slightly if you wish). here is where you have a choice. you either re-close the door and walk away, then place a phone call from a pay phone somewhere downtown saying simply "your locks are crap, here is how they can be beaten, here is how to fix them" or you walk in and start looking through stuff and throwing vases at the wall for fun; taking his money, reading his private info like bank statements...you get the idea.
now, would you have the guy who tested to see if your door could be opened then did nothing thrown in jail (btw, it can be assumed for this that you had no knowledge that you had shitty locks beforehand), or are you going to just let it go and get new locks? i mean, it is assumed that you will look around the house and make sure that he DEFINITELY didn't get in. in this case you would probably have a camera on the front door (the equivalent of logs) to see that they just barely opened it, and didn't go in.
are you going to say that's a crime? i don't think so...it surely isn't "breaking and entering" because there was no entering, there was no theft, no damage...nothing that i can think of about this example could be considered criminal...
I completely agree with 8*B@LL, if no damage or theft has been done why press it. I would see it as a helpful thing.
ccKid ::coffee::
8-Ball -
Just because you don't mean any harm or intend to do damage, how does the shop keeper know that? For all he knows you're some malicious mafia type or script kiddy looking to score a quick buck... so now he has to spend money to fix his security. That costs him money, hence you just caused him damage...
Now maybe he should have had better security to begin with, but who gave you (or anyone else) the right to intrude upon him and his system. Because you stuck your virtual nose into his system, you should have to pay his security costs...
Moral of the Story: Leave people their privacy!
the thing is that many times the people will go to them and tell them, saving them from damage that COULD have been done. I know I'd much rather have someone tell me that they broke in than have someone break in and destroy something.
but like i said before, jcmcb, i'm not talking about the hacker's intent, i'm talking about their actions.
anyway, your logic is a bit flawed on the whole "you caused them damage" bit. what you are saying is basically this:
1) Their system has a security hole.
2) A hacker breaks in through the hole.
-----------------------------------------------
3) the hacker caused the security hole.
at least that's what your argument looks like (btw, line 3 = conclusion). now i agree that lines 1 and 2 are correct but the conclusion just isn't there. the hacker didn't cause the hole, it was already there, they just spotted it and told the system's admin about it. if anybody could be considered at fault, it's the software vendor for not fixing it or the admin for not keeping up with his patches.