At 08:35 PM 2/18/00 -0800, Ryan Russell wrote:

>Then you think Mixter doesn't deserve punishment, or he does and ISS
>doesn't because IS is a "good" tool?

That's a very difficult legal and ethical question that I personally could argue more than one way. A security auditing tool does have some legitimate uses. I don't think what Mixter wrote has very many (if any) legitimate uses, nor does it appear the author's intent is to do anything other than be destructive. If I were called to judge him, then I'd say that what he's doing isn't something that I consider right, but I do think it is legal.

>A few other folks say Mixter deserves ...well, something.. they're not
>specific.

_I_ did not say that, so don't treat me as if I did. I do think the people who ran the tool and cost people $$ should be held responsible for their actions.

>We don't even know for sure his stuff was used.

Even if it was, I don't think he's legally liable, unless he gave it to someone, and said 'run this', in which case he's an accomplice, and could probably be charged with conspiracy.

>We also don't know the attacker didn't use
>IS to break into the zombie systems. I've used IS to break into other
>people's systems. It works real well.

It doesn't do all that well at actually breaking into UNIX systems, though it is effective at showing you which systems are vulnerable to which exploit. There are exceptions, such as default logins. It is also a great way to get yourself caught - the thing is horrendously noisy - leaves BIG tracks. I doubt it was used - no one has been arrested yet.

>> This really has nothing to do that I can see with the current discussion.

>If you advocate harsh penalties for malicious "hackers", and then you
>happen to get classified as one due to some idiotic legal wording, where
>does that leave you? My example is an attempt to personalize the
>situation for the readers of this list. It is worth thinking about.

The day I break into a system that I don't have a legal right to attack is the day I'll be really worried. I haven't done that yet, and see no reason to start now.

The law enforcement community is getting a bit hyperactive, talking about invoking the racketeering laws, which is probably the biggest breach of our constitutional rights I'm aware of - the thing strips you of all your assets unless you can prove you obtained them legally. What would bother me is if they tried to make writing penetration testing tools illegal, but the precedent in the 'real' world doesn't make me think this is likely - locksmith tools aren't illegal, and 'slim jim' kits for cars are normally sold on most mechanic's tool trucks. OTOH, some tools that have no real legal use (e.g., phreaking tools) are illegal to even possess.

OTOH, law enforcement does tend to get hyperactive in the face of a community that wants to blame the victim. "They deserved to be hacked." "It is their fault for not applying patches." Somehow that seems to be tolerated in this arena, whereas "She had a short skirt - she was asking to be raped" doesn't fly virtually anywhere. The old days of people cruising around networks not hurting anything are long gone. We're in a different era now - the script kiddies have spoiled the fun. ANY intruder is likely to be viewed as malicious.

>It should be obvious that I wouldn't seriously advocate an action against
>people who release tools of any sort, buggy or otherwise.
>However, say it was discovered that the attackers were using ISS's
>Internet Scanner. Let's say the feds get away with nailing him with 1.2B
>or more in damages. Wouldn't that leave a nice path open for suits
>against Mixter and ISS?

No, I don't think so. I think ISS could probably add software piracy to the list of charges - yet another felony. If the miscreant legally had a scanner key, then the license covers ISS against misuse pretty thoroughly.

>Wouldn't 10% of the damages (or a little less) be
>a reasonable amount to nail them with? Especially ISS who actually has
>the money?

I'm not a lawyer, but I'm not worried about ISS.

>Be careful about advocating huge amounts of damages, especially if you
>work in the security industry. There are a lot of scary laws up for vote
>right now, and not a lot of sympathy for anyone who wants to use the title
>"hacker" for anything.

Considering that all the machines I hack belong to Microsoft, and it is my job to go hack them, I'm not overly concerned. I do think the potential for legislative over-reaction is huge, but that's why we have courts - checks and balances.

David LeBlanc
dleblancat_private

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:05:16 PDT