Panel Debates Hacker Amnesty
Kevin Poulsen, SecurityFocus 2002-03-25

Should hack-and-tell intruders who warn companies about security holes do time with hardened criminals? Security experts probe the ethics of hacking.

Panel Debates Hacker Amnesty 2002-03-26
hobo
The very fact that this debate is taking place serves to illustrate the unique relationship between security professionals and hackers. No other profession or industry has a parallel that can be drawn. Most computer professionals do not condone your run of the mill web defacers, virii writers, or DD...

Panel Debates Hacker Amnesty 2002-03-26
Anonymous (2 replies)
The argument that beneficial hackers should not be prosecuted because they improve security seems a bit silly to me. If there was a 'good' criminal who broke into your home and rearranged your belongings, but left a note suggesting you purchase a better lock before he left, would that be OK? Not in...

Panel Debates Hacker Amnesty 2002-03-26
Anonymous (1 replies)
Yes, and I rather like this analogy. If someone came up to my home in broad daylight with a ski mask and crowbar, then proceeded to check every door and window on my home, I would be more than a little upset. And it doesn't make any difference if they tell me that my back 2nd floor window is unlocked...

Panel Debates Hacker Amnesty 2002-03-26
Mel
Problem is (from my understanding) this isn't what Lamo does. He doesn't do buffer overflows or any of those sort of exploits. He simply types in a URL in his web browser and accesses supposedly private web pages that are wide open to the public.

The breaking and entering analogy is kinda weak th...

Panel Debates Hacker Amnesty 2002-03-26
hobo
This post serves to illustrate yet ANOTHER idiosyncrasy of the technological age. We had better get down to brass tacks pretty quickly and start defining what level of criminality these criminals are at. A few attempts at illustration:

Major metropolitan areas like New York and Chicago spend mil...

Panel Debates Hacker Amnesty 2002-03-26
Anonymous
There is no question that this activity should be illegal, and people who defend it can't call themselves security professionals. If Lamo is serious about making a positive contribution, he should have contracted with companies for penetration testing before hacking them. He might have even found th...

Panel Debates Hacker Amnesty 2002-03-26
Surreal (1 replies)
Gawd, it never changes. Hobo, I agree with what you wrote. Anonymous.A and Anonymous.B, replace your blindfolds or bury your heads in the sand and revel in your superior level of security once it becomes a felony to disclose vulnerabilities....

Panel Debates Hacker Amnesty 2002-03-26
Anonymous
This gets to the heart of it, though. There is nothing wrong with testing a lock you have a legal right to use. If you find its quality lacking, you have the FREEDOM OF SPEECH to inform others (see www.consumerreports.org). However, others have PROPERTY RIGHTS which prohibit you from testing the loc...

Panel Debates Hacker Amnesty 2002-03-26
Robert P (1 replies)
Are they seriously trying to put Adrian Lamo in prison? Has anyone looked at his resume lately? He has helped so many companies fix their networks and secure their data that there should be no doubt to where his loyalties are. Someone earlier pointed out that he wouldn't like it if a robber broke in...

Panel Debates Hacker Amnesty 2002-03-26
Anonymous
If you knock, and the door swings open, you are still legally prohibited from entering. If you come across such an obvious gaping security hole, a legitimate professional would contact the owner, report the problem, and offer their further services. It is not your right to exploit the problem.

Th...

Panel Debates Hacker Amnesty 2002-03-26
Matt
I think we need to be VERY careful with how we define 'hacking' especially if there are going to be dire consequences attached. I, personally, went thru a circus wherein I disclosed a security problem with a closely related organization's server that was simply (and inexcusably) misconfigured. All I...

Panel Debates Hacker Amnesty 2002-03-27
FlorX
Say a system is vulnerable.

A "bad" hacker stumbles upon it, hacks it and damages/abuses/sells important information of the server.

Then the company will have to pay a large amount of money to recover what was lost without tracing back the hacker (if he was a good one).

else

A "good" hacker...

Panel Debates Hacker Amnesty 2002-03-27
Martin
So..you've just started walking away from your car and a stranger taps you on the shoulder and says "Hi, I see you've just left your car unlocked and the keys are in the ignition."

Do you turn around, slap them in the face and get your keys?

I think the normal response would be "thanks" and to...

Panel Debates Hacker Amnesty 2002-03-27
Anonymous
While the jury may be out in the case of Mr. Lamo, Mr. Ranum can only be described as a bloody effin moron. The point that he chose to present in the article is that if something is against the law it should be punished swiftly and surely, and that society isn't comfortable with anything that is a...

Panel Debates Hacker Amnesty 2002-03-27
Xest
The irony of this whole situation in the US whereby they want to bring long term prison sentences to friendly hackers is that by doing so they'll leave hundreds of companies blind to the fact they have security holes so that black hats can exploit them and not own up to it and thus not get caught.

...

Panel Debates Hacker Amnesty 2002-03-27
Ichinin (Ichinin (at) suespammers (dot) org [email concealed], TEXT messages only NO HTML)
Ferengi Rules of Acquisition 285: "No good deed ever goes unpunished" - Why give away security audits to corporations for free when they can darn well pay for it?

...

Panel Debates Hacker Amnesty 2002-03-27
Brian
It's about time there's some serious discussion into 'ethical hacking', thank you Adrian! When it's all analyzed in retrospect, the question is how much damage was done, and who left the servers unsecured? A simple crime of trespass does not necessarily deem a sentence murders receive, or that the...

Panel Debates Hacker Amnesty 2002-03-27
To the armchair sec analysts
First off I believe Ranum is in no position to offer up any opinion while his poor company practices poor habits on their own website. Go ahead and take a swing @ his site....there is no acceptable use policy. Who's to say what is allowed or not.

His company is selling products for security p...

Panel Debates Hacker Amnesty 2002-03-27
Anonymous
I think waiting a few weeks to tell is a little extreme. I think 3 days max is sufficient to truly know if a problem exists in the system. If someone intruded a network just for finding bugs, I don't think they should be prosecuted if they caused no harm, but if it's for good, the company should be ...

Panel Debates Hacker Amnesty 2002-03-27
Andy Richmond
I don't think putting someone away for life is equal punishment for hacking a computer if there is NO damage. That would mean no financial loss, intellectual theft, identity theft, or invasion of privacy.

I do think that if there is damage done, charges should be filed, and the persons who commi...

If the lady (or guys) pants are unzipped - should we notify? 2002-03-27
How do we handle with care? (1 replies)
Chew on this one folks...

If some network admin forgets to button up...

then, we should notify asap (of course) and we should not think that it is ok to reach in and play around with what is inside (no matter how tempting the thought)!

We just can't have all our private stuff left just hangin...

If the lady (or guys) pants are unzipped - should we notify? 2002-04-01
Andy Richmond
The concept is nice (button up) but it doesn't translate: You don't just pass in the night and see that someone has a vulnerability. In most cases, and with most vulnerabilities, it happens because people are looking in the first place. If they weren't looking, they wouldn't know it was there eit...

Panel Debates Hacker Amnesty 2002-03-27
Patrick
The following of Adrian's footsteps has already reached the east coast...as in, Philadelphia. "One bad apple ruins the bunch."...

Panel Debates Hacker Amnesty 2002-03-28
RST
Imagine that you are an admin who detects someone snooping in your network servers. You call in the suits who track the intruder, trace him, then actually make an arrest. Only the guy claims that he is a 'friendly' hacker. Well maybe he is and maybe he isn't, but you know if there is a hole in th...

Panel Debates Hacker Amnesty 2002-03-28
Dimitri Sinchovich
I am going to play devil's advocate here because personally I believe Mr. Lamo should be put in prison. I must say I find all your posts amusing within the context of this discussion. I was especially amused by the anonymous poster who noted that Mr. Lamo exhibited a lack of ethics. I personally believ...

Panel Debates Hacker Amnesty 2002-03-28
Anonymous
I don't understand why this is even open for discussion! If you left your front door to your house unlocked, then I were to go in and dig around in it for 4 to 5 weeks, then casually point out to you what you could do to prevent me from coming back, would you really be rushing over to thank me for n...

Panel Debates Hacker Amnesty 2002-03-28
Anonymous
Wow, Marcus Ranum calls someone a sociopath. Well, usually in my experience the only people who call other people sociopaths are either psychiatric professionals or other sociopaths. To limit this, we can say that the only people who call other people sociopaths are sociopaths. To limit this fur...

Times IT Department got its EGO bruised!!! 2002-03-29
John
Sounds like the head of the IT department at Times got their EGO bruised. The biggest thing I see in this industry at a lot of large corporations is a lot of IT department heads who refuse to even think about their networks being insecure. Even when you point out flagrant known issues, they argue wit...

Panel Debates Hacker Amnesty 2002-03-29
Snagnbytz
I say the more you struggle the tighter the grip we will have with your networks. Keep trying to hold us back from the very thing which brought you a job in the first place. We will be waiting..........................

NYT Should Prosecute... 2002-03-29
Brian Powell (1 replies)
This is binary...

Unauthorised Access is unauthorised access, playing with other people's computer systems is against the law, people who break the law should be punished.

People who come forward and say 'I broke the law, look how clever I am' should be made an example of.

I'm amazed that res...

NYT Should Prosecute... 2002-04-01
Anonymous
With that kind of attitude you must be a heck of a saint or hypocrite: Ever "borrowed" things from your siblings/mom/dad/friends without asking? Ever get a traffic ticket? No fights growing up? Never EVER? Such a godly person, go ahead throw the first stone....

Panel Debates Hacker Amnesty 2002-03-31
Anonymous
Discussing this stuff is so stupid. EVERYONE knows, that breaking into someone's property is illegal. There are passwords set for a reason, aren't they? If you exploit something, and make your way around it - it's a crime. It doesn't matter if you notify about the holes. It's simple as it is, and say...

Panel Debates Hacker Amnesty 2002-03-31
Anonymous
It depends on the perspective.

If some guy hacked my box and told me about it, and helped me patch it up, sure; I wouldn't mind, and I'll even thank the guy. And it should apply to companies which have secure information that would be worth millions maybe.

Putting good hackers into jail would be st...

Damn the man! 2002-04-01
RK2K
Well isn't this a bitch. LAMO gets to hack into companies gather all the information that he wants (for whatever reason!!!) and then gets to walk away with the confidence that he is not going to jail for his actions. I bet that Kevin Mitnick wishes this were the way the law was written. Hell, one better...

What else did he get in to? 2002-04-01
CrazyNetworkGuy
I wonder if he told his "clients" everything that he found. I'll bet he discovered some other holes in their network that he didn't address. Who knows if he and his buddies have a file of all of the vulns on all of the networks that they have been screwin' round on. Bribery anyone? Just plain T...

Panel Debates Hacker Amnesty 2002-04-02
Hamster1
Someone should set up a web site, and a 1(800) phone line,

so real-time reporting of discovered security flaws could be logged, and sent out ASAP, so the parties who host the flawed site, and or network can get the info, and the people who find the flaws can do so "incognito".:)

...

Panel Debates Hacker Amnesty 2002-04-02
Scorp
Let's face it, Security Analysts and Hackers share the same culture. Many Security Analysts themselves started out as hackers so of course they are going to feel sympathy for hackers. But that aside. Besides it being against the law, what is wrong with non-malicious hacks. People will say it is simil...

Panel Debates Hacker Amnesty 2002-04-02
John in Virginia
Plain and simple, Hackers and Crackers are breaking and entering. Let's say that I break into your house and get caught, it is NOT defensible to say, "I was just showing you your flaws in home security. I jimmied your window with ease, looked around your house, and as a favor, wrote on your wall th...

After reading these posts... 2002-04-02
Robert Perriero (1 replies)
After reading a lot of these posts, I've got to say: It's no wonder that Adrian Lamo found all of those security holes in companies' networks. If the networks are run by people like you, who are not open to the free (and judging from a lot of the posts that I've seen) more experienced help, then we ...

I agree completely 2002-04-02
Scorp
Is Adrian Lamo really doing something wrong by helping other people? It's really that simple, he hasn't hurt anyone and has helped companies fix security holes...

Panel Debates Hacker Amnesty 2002-04-02
John P.
If Lamo had broken into the physical NYT building there would be very little debate about whether to prosecute or not. However, because his break in was virtual and "caused no harm" there is a desire to treat this as a badge of honor. However, harm was done to the reputation of the NYT in the gene...

Panel Debates Hacker Amnesty 2002-04-02
Anonymous Lady
A little history here: Mitnick was a criminal who used his computer knowledge to defraud the phone company of $$$, and he did his "best work" using social engineering. A con game is still a con game, even if the pigeon deserved the loss.

We don't really know how Lamo got in, do we? Someone men...

Panel Debates Hacker Amnesty 2002-04-03
Anonymous
I've read about Lamo's activities before. As I understand it all he is doing is using a web browser in a nonstandard way to explore the extent of what he can see. The NYT placed a computer on a public access point and invited the public in via http port 80 access, ie a standard web browser. If a...








 
