On Fri, 18 Feb 2000, David LeBlanc wrote:

> It is all a matter of usage. If I use a hammer to build a building, I get
> paid. If I use it to smash windshields, I get thrown in jail. There isn't
> any law against checking security of your own systems. There is a law
> against breaking into other people's systems. At least ISS made a good
> faith effort to keep the Scanner's licensing such that it at least slowed
> the crackers down for a while before they could use it. That's more than I
> can say for several other auditing tool vendors.

Then you think Mixter doesn't deserve punishment, or he does and ISS doesn't because IS is a "good" tool? A few other folks say Mixter deserves ...well, something.. they're not specific. We don't even know for sure his stuff was used. We also don't know the attacker didn't use IS to break into the zombie systems. I've used IS to break into other people's systems. It works real well.

>
> This really has nothing to do that I can see with the current discussion.

If you advocate harsh penalties for malicious "hackers", and then you happen to get classified as one due to some idiotic legal wording, where does that leave you? My example is an attempt to personalize the situation for the readers of this list.

>
> >How about releasing the "firewall" toolkit full of holes?
>
> I have no idea what you're talking about. fwtk? ISS' 'firewall scanner'
> stuff?

That's a poke at marcus.

>
> >$100M
> >each?
>
> I hope you're joking. If so, you should have put <g> liberally.
>

It should be obvious that I wouldn't seriously advocate an action against people who release tools of any sort, buggy or otherwise. However, say it was discovered that the attackers were using ISS's Internet Scanner. Let's say the feds get away with nailing him with 1.2B or more in damages. Wouldn't that leave a nice path open for suits against Mixter and ISS? Wouldn't 10% of the damages (or a little less) be a reasonable amount to nail them with? Especially ISS who actually has the money?

Be careful about advocating huge amounts of damages, especially if you work in the security industry. There are a lot of scary laws up for vote right now, and not a lot of sympathy for anyone who wants to use the title "hacker" for anything.

Ryan