-
When is hacking a crime?
I found this to be a very interesting read. It seems that the DMCA has produced quite a conundrum that seems to only grow larger with each passing day. On one hand, you have software companies who churn out products that are the equivalent of Swiss cheese from a security standpoint. These companies are becoming more inclined to cry 'foul' when someone discovers a vulnerability in one of their products and use the DMCA as a prosecution vehicle. Then there are the white hats, who act in a responsible manner and report these flaws to the software companies, only to have their findings ignored a large part of the time. Now throw the grey hats into the mix, who are prone to expose these flaws in a manner that forces the developers to acknowledge and patch the flaws. Then of course you have the black hats... the ones who give 'hackers' a bad name in general, who just go ahead and exploit the flaws for personal or financial gain, thus evoking the 'shoot first, ask questions later' mentality that the software companies are beginning to develop towards those who discover flaws in their products. Over here on the sidelines, completely out of the game, are the consumers of these products. I, for one, am standing here in amazement as I watch the very people who are striving for improvement being threatened with litigation for their efforts. What, pray tell, do the rest of you think about this situation?
-
I think the DMCA, like most consumers, does not know the difference between white, grey, and black hat hackers. Furthermore, they do not have a good understanding of what a hacker is or does based on their category. Now the media has a role in this, taking the definition of 'hacker' and making it synonymous with 'cracker' or just black hat activities in general. I think the first step towards acceptance of white (maybe even grey) hat hackers is to work on the reputation of hackers as a whole. Get more media attention to those who are trying to help technology. Remember, hackers started the computer world, and now we are being prosecuted for doing the very thing that started it all. This is called irony. You create a world only to be banned from it. Personally, I will never stop playing with new technology, tweaking it to do this or that. It is great to do something that everyone says is impossible!
Enough rambling. I guess the point is that the DMCA sucks.
Cross
-
Crime
I read the article with great interest.
My personal thoughts are that companies that ignore input and then have a knee-jerk reaction when information is posted are cutting off their own noses to spite their faces. In the listed incident HP says its developers were nearing completion of the patches; did they relay this at all? If so, then I think Finisterre acted badly; if not, then HP did. Even if they were actively working on them, if they don't communicate that fact then what do they expect?
It has been a fairly accepted tradition that even white hats inform the company and then, if nothing is done, they force the issue. A better example of this is the recent discovery of the hole in the encryption verification used by many browsers. Most of the browsers affected admitted the problem after it was demonstrated and quickly fixed it. M$ initially denied the problem until they investigated it, castigated the person who reported it for not contacting them privately (even though it affected many people, possibly), and then took an inordinate amount of time to patch the problem. I defend the term "inordinate" since other browsers were fixed in days, not weeks.
However, the guidelines listed at the end of the article do give some hope. I think the second proposal of 7 days to show a good faith effort and 30 days to fix before the vulnerability is released seems fair. Then the finder should be able to publish the vulnerability, which the company should have already fixed. The finder gets recognition, the company gets time, and the users get better protection. If this is accepted, then I think a violation of that agreement would be considered straying into illegality. How far would be determined by motivation and results, just like it is in every other area of crime.
-
Quote:
Originally posted here by cross
I think the DMCA, like most consumers, does not know the difference between white, grey, and black hat hackers. Furthermore, they do not have a good understanding of what a hacker is or does based on their category.
Uhmmmm... the DMCA stands for the Digital Millennium Copyright Act... which is a piece of legislation, not a group or 'body' that can have an opinion one way or another.
-
I was referring to the people behind it, not the 'DMCA' itself. It was written by people who have an incorrect perception of what a hacker is and does. Sorry if I was unclear, but I was typing fast and trying to get a point out. I assumed some things were already known.
-
n/p... the DMCA is very poorly written and its vagueness allows for some VERY loose interpretations, to be sure. I just wanted to point it out, not so much as a correction aimed at you, but to make sure that those who are unfamiliar with the DMCA are clear on exactly what it truly is.
Click here to view a DMCA synopsis in PDF format.
-
Again we are faced with a damned-if-you-do, damned-if-you-don't scenario. The only thing I can think of to remedy this situation is to push a bill through Congress for security specialists, aka hackers.
What this bill would do is set guidelines on how a "security specialist" is to present the flaws to the company. If the bill's requirements are met, then the bill will completely protect the "security specialist" from any backlash from the software company. This guideline will also force software companies to look at these security flaws and acknowledge them after a timely investigation of the claim. Failure to do so would bring about a separate investigation into the claim by a government-funded "Cyber Security Task Force" (internet security cops). Depending on the outcome of their investigation, proper requirements will be forced upon the software company.
Computer security is not something that is just going to go away. It is becoming more and more of a factor in business and will only continue to grow until cyber warfare is a true threat to society. I think if a bill is passed through Congress here, or through a worldwide type of audience, we can ensure the safety and security of the internet in the future. I think I may even write up the bill myself and begin to investigate the proper channels to get it into consideration.
If you would be interested in doing this, private message me and I will start a conference room to discuss this idea.
Something has to be done now to ensure the future of security for the internet. Who better to do it than the people who deal with these issues on a daily basis?
-
I'm in xmaddness, as you have probably already seen. I just want to caution everyone who might be interested that this is going to be a serious discussion and we need you to bring your 'brilliance' with you!!
-
I'm also in. I'm interested in this discussion for sure, even though I'm in Canada. Rules created in other countries are sometimes used as precedents elsewhere. It may also help fuel the IT security need here (it's vastly understaffed overall in Canada).
In looking at the article, Finisterre might have made a glaring mistake. When working as a security consultant you often sign a confidentiality agreement on whatever is found. I wonder if he did the same for the employee who released the vulnerability with the exploit. If not, then unfortunately Finisterre is responsible. It's unfortunate that the article doesn't ask a question like that. Contract law is pretty much a stickler on that kind of thing.
A little further to that is ethics. I personally would be questioning the ethics (and intelligence) of the employee who released that info. Why would they do that? To what gain? If HP releases updates or fixes the vulnerabilities before they are an issue, then what's the point?
-
Well everyone, it has begun. PM me and I will send you a key to the room. Again, this is a serious discussion on the future of security for the US and other nations. We welcome all who are interested in helping this idea become a reality. Look for further updates on this thread as we continue towards our goals.
-
I am in also, xmaddness... I have an uncle in the Legislature of Texas who may be able to help us with the way to write and introduce legislation, etc... I can not promise he will, but I don't see him saying no either... I am well liked by Uncle Leo and Auntie Lou :D
-
The Xmadness Bill
AP Newsflash November 2005:
In a first test of the Security Specialists Protection Act, known as the Xmadness bill, members of the Cybercrime Investigative Services have surrounded Microsoft headquarters after its failure to respond to numerous violations. Microsoft has barricaded its Redmond offices and sworn to hold off the "corrupt officials of an imperialistic conspiracy to restrain their rights to free trade." In a statement released earlier, Microsoft officially denied that there were any security holes in its operating system. The evidence, however, appears overwhelming from the piles of documentation released by various network security specialists around the country.
Xmadness (whose full name and address can be found at Antionline), speaking on assurance of anonymity, said, "We have been trying to warn Microsoft for years. We have sent them information, posted on the boards, and tried to help them. Now that we have the law on our side maybe they will actually patch their software seriously."
Currently though it is a standoff between the CIS and M$. Bill Gates has warned that any attempt to break into the compound will be met with force, he has alluded to having something called a BFG but we have yet to find out what that means.
If you recall, Microsoft fought the SSPA both politically and legally, claiming that it was unnecessary. "At Microsoft security is our primary concern. Our new Operating System has no security flaws," said Bill Gates, CEO of Microsoft, in response to questions as to why Microsoft opposed the SSPA. "This protection of hackers only furthers the danger of our software being broken into." Mr. Gates had no comment when asked how hackers could break into software with no security flaws. In an amazing turn of events, it was found that a kindergarten student playing a game at school was able to download all of the credit card numbers and passwords used at a popular online banking site. Microsoft said it was a fluke and could not happen again. The game the child was playing has become the most popular download for the past five days. This event finally prompted the CIS to act.
More as this story breaks.
PLEASE NOTE: This story is fictitious, meant to be humorous, and......... OMG, there is a M$ rep at my door, wonder what he wants.
-
WE INTERRUPT THIS THREAD FOR SOME BREAKING NEWS....
We have just learned that Linux operating systems (M$'s greatest competition) are being downloaded by the millions in an attempt to secure the entire banking industry.
We have had no comments from any M$ officials as of yet. Redhat officials, however, have released the following statement: "We have been trying to tell the world that this was bound to happen. Perhaps once the banking and e-commerce industry stops their CEOs from taking M$'s perks, the world's online customers can take a sigh of relief."
More to come as we are receiving constant updates on this incredible victory for the public's safety.
We now return you to your regularly scheduled thread....
-
FAUX NEWS SERVICE-REDMOND CA
Faux News Service has learned that negotiations with M$ founder Bill Gates have failed. Gates stands by his statement that his popular operating system "is not a security risk." When authorities first attempted to bring the flaws in his OS to his attention, Mr. Gates was quoted as saying, "What you call a flaw I call job security." When asked what he meant by that comment, he said, "Imagine all the people I would have to let go if I put out a product that actually did all I said it would."
Authorities have given Mr. Gates until 12 o'clock midnight (Pacific time) to surrender peacefully. A security source who spoke on condition of anonymity said, "We are prepared to use force if necessary... As a matter of fact, a lot of my boys want to use force."
Faux News Service will keep you up to date on this breaking story...
We now return you to the regular thread...
(This is fiction... Wishful thinking... Not real... ) :D