RE: How hackers cause damage... was Vulnerabilites in new laws on computer hacking

I know at least 15 folks that would let me bang away at their
systems (without permission)

If you *know* that they will *let* you, that IS "permission"
(in the rest of the English-speaking world). PROVING that you
knew, without something in writing, is left as an exercise for
the defendant.

David Gillett


-----Original Message-----
From: dave [mailto:fla.linux@xxxxxxxxx]
Sent: Wednesday, March 01, 2006 6:50 AM
To: gillettdavid@xxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: How hackers cause damage... was Vulnerabilites
in new laws on computer hacking

David Gillett wrote:

1) If it's your friend's machine, you should be able to get
authorization from him/her.

whats the fun in that! If it's a friend and you arent going
to do anything serious you shouldnt need permission. Once
again: choose your targets wisely. My grandfather owns a
business...nothing much but pretty successfull. I craked
their companies servers without permission, I didnt do
anything but place a note on the managers desktop saying I
was there...so what! I know at least 15 folks that would let
me bang away at their systems (without permission)....if you
want to practice breaking into computers and you MUST have
permission then get together with a few buddies with the same
interest and see what you can all put together. We found a
number of computers in trash after christmas. Yea...they were
a bit old but 2 of them were good P4 systems that just needed
some virus / spyware removed. We used these FREE machines to
set up a small wargames network with various servers IIS,
apache, ssh etc... If you have a server ask your friends to
hack your server and ask them to share their results. This
not only makes you a more skilled cracker it makes you more
skilled at reacting to attacks and gives you first hand
experience on how to set up IDS and other ways to secure
various systems from attacks.

Do you really know what 153.18.19.33
is?

Does 1.2.3.4 matter...my friends server is at www.?.com. I'll
let the dns find the ip...besides all my friends use static
IP for their servers and internet gateways. Yea..if your
blindly scanning 1.2.3.4-1.2.3.255 then you are looking to
get into something you prob. shouldnt.

Does knowing what it was yesterday tell you what it is today?
Do you know that it's not monitoring oxygen levels and
anaesthetic flow
during surgery?

I know for a fact that it is not...if the machine is that
easily available over the internet I am pretty certain that
it isnt keeping someones heart pumping. Most hospitals still
use DOS based systems for these tasks sometimes. I am most
certain that NONE of these machines have direct internet
connection with an internet IP address. You would have to be
poking around deep inside their internal network...no script
kiddie can do this (if they can, or if admin connected life
support (or any critical) system to internet, once again, he
should be fired. The admin(even the company that hired him)
that put such a critical system in such an insecure area
should also be sued for liability if someones life was lost
due to a security breach). This is not soley the crackers
error. Stupid admins are responsible for their stupidity too.

Answers: No.

2) Same answer as above.

As far as "ability to bring down" -- there are legacy boxes
out there
which may crash when subjected to fairly simple probe code.
(No, I will not volunteer details.) How do I know that you're not
hunting for them? Answer: I *have to* assume that you are.


I hunt for no one...I couldnt care less what is out there.
Yes...please keep quiet about how to crash an old DOS box.
I'm sure it is real tricky.

If you have permission, this whole thread doesn't apply to
you. If you
don't have permission -- THEN you don't have permission.

Yes..this thread was about kids trying to learn computers cracking.

A weasel "but I only meant to ..." *might* get you a lighter
sentence,
but it won't change that you broke the law. Nor should it.


A weasel..hahaha. Some reading comprehension there! I never
said one should be excused for breaking a law. I said the
extent of the punishment dealt out by the law is to extreme
for minor cases. Once again..if you kill someone you should
face appropriate charges...if you bring down a production
server then you should pay for your crime accordingly. If you
do no harm you should do know time, no 'weaseling'
necessary. Class B and C misdomeanors should recieve fine
maybe probation. I have said this 10 times already and still
you think I am saying that by not damaging anything it is not
breaking a law...listen, spitting on the sidewalk is breaking
the law...you shouldnt do time for it! As far as saying.."how
do I know if they did harm"...well if you work at that
companies IT/security department its your job to know. If you
cant fullfil your job responsibilities then you should not have one.
If I owned a company and we got hacked and the admin tells me
he doesnt know what happened or what the guy did then what
use is he to me? If the admin is worrying about losing his
job then he needs to learn how to do his job. Anyone can just
reinstall from original media at the first sign of an incedent.

Years ago me and my little brother cracked a network for a
flower shop down the street. We knew a girl that worked there
and wanted to goof on her. We cracked the companies web
server and worked our way in etc... We had no permission. We
did no damage to the machine(s). business was not interupted
and no customers data was at risk at anytime (at least from
us). Should we do prison time? Has anyone here ever actually
been to a state prison? Get real!

I have read reports (on security focus.com) of people who
have done time for others actions. Example: Lets say I wrote
a trojan horse program and published it. If someone else were
to use that program for ill means then I could face charges
for writing and publishing the program. This HAS happened
before. A man wrote a trojan and posted it on Astalavista.
Another person used this program to commit a crime (tried to
hack government computer if I remember correctly). The actual
author was charged. This is another crazy computer based
law....but in some places it is the *law*.

This topic is old and quickly getting stale...move on. It
appears as if the reading comprehension here is pretty
low...over half of the reponses showed that the reader didnt
understand what I said.

The law has differnet degrees of crimes and punishment.
Simply cracking a computer should not be that serious...I
will not say it again. I will not read any more responses
from people telling me that it IS breaking the law..I know, I
have said this 10 times myself...I think everyone is in
agreement there. The question is, how much punishment a kid
should receive for looking around some computer (without
permission). According to this group we should burn him at
the stake for his evil deed. You know, burning people alive
for speaking against the church was *law* too at one point in
time, even then you had those who walked around and praised
the law and tried to sound important. Good thing man as a
whole doesnt put up with over extreme and nonesense laws
forever. Once we get over our fear of technology (and we get
over the bull*** fear of "hackers" that the media has
created...same as JAWS and going to the beach...its
nonsense!) the laws will need to be rewritten to incude some
sanity / reasoning.

David Gillett




-----Original Message-----
From: dave [mailto:fla.linux@xxxxxxxxx]
Sent: Saturday, February 25, 2006 8:20 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Cc: ROB DIXON
Subject: Re: How hackers cause damage... was Vulnerabilites in new
laws on computer hacking

Good points???



1 Loss of human life (though systems damage)


How can a kid trying to crack his friends server cost someone their
life?



2 Insolvancy and the resultant human costs (lost jobs, etc)


Pretty much same answer as above

I think a point was missed...We were initially talking
about some kid
who is trying to learn about computers by cracking various
machines.
Not some *super hacker* with the ability to bring down serious
systems. I think the point I made was also overlooked...

If you are hell bent for leather and you simply must learn how to
break into computers then at the very least be wise about
what systems
you try to crack into! Dont mess with production
systems...dont mess
with bank, hospitals, any big corporate company. Dont ever
mess with
any real businesses period. Dont think about government or law
enforcment systems etc... Dont run "untested" exploits on otherwise
important servers where crashing would be serious problem.
As far as
someone losing their life...please give a (realistic)
example or two
of how a human life was lost cause a kid tried to crack his friends
web server or exploit some unpatched SSH deamon on some
machine at his
dinky little job. As far as someone losing his job...in an extreme
scenario this could happen but not if the newbie cracker is wise in
his choice of targets (if you can not be wise regarding
your targets
then you shouldnt be cracking computers). And as harsh as this may
sound I will say it anyway...If some otherwise unskilled script
kiddie, can break into your *important* system and do something bad
enough to cause someone to possibly lose their life then you as the
admin should be fired!

I also mentioned the financial burden 'Non malicous'
attacks imposes
on companies in resonding to the break-in. Once again...be
wise about
your targets...think small and realistic. You are NOT Aleph one or
Mitnick or who ever...You are a script kiddie just trying
to learn how
it works. If you are at the point where your are bored with basic
servers and want to venture into mainframe or otherwise corporate
hacking then you are really no longer just some kid trying to learn
and therefore you no longer are the point of this topic.

#### Kids trying to learn about computers who break into
small scale
targets and do no harm should do NO time!
#### skilled crackers/hackers who cause harm (be it
intential or not)
on important/critical systems should know better and should be
prosicuted/punished accordingly. If someone lost their life
due to a
careless cracker then manslaughter charges should follow etc...



ROB DIXON wrote:



Well put Craig.
You made some good points regarding the so called


"NON-Malicous attacks".



Robert L. Dixon, CSO
CHFI A+
State of West Virginia's
West Virginia Office of Techonology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
Email:rdixon@xxxxxxxxxxxxxxx




"Craig Wright" <cwright@xxxxxxxxxxxxx> >>>




Hello,
There have been a large number of ill-informed posts


regarding damage caused by cyber-trespass. This is for the
purpose of this post described as breaking into a system with
no clear intent to cause damage i.e. no Mens Rea or guilty
mind. I will exclude all references to intention to damage or
wilful damage and limit this to reckless damage alone.


Next, I will exclude Mens Rea as it may pertain to the fact


that the act of committing a computer crime is by definition
illegal. We all seem to understand that breaking into a
computer without permission is a breach of the law so I shall
not explore this avenue of argument.


The term in law refers to "actus non facit reum nisi mens


sit rea", which means that "the act will not make a person
guilty unless the mind is also guilty. This is a common
defence in criminal cases though it will not help you in a
civil tort case (i.e. civil damages).


With the seeming ignorant state that exists (not to all


reading) to the levels of damage caused by breaking into
systems and committing cyber-trespass I will endeavour to
detail the resultant state of affairs.


I will aim solely at corporate systems for the critique


following. This is not to state that Government, privately
run or organisational systems have any lesser effects
resultant from attack, but that this is a post and not a
dissertation (though it is moving in that direction).


First we have the argument that has been fielded that at


worst a system would just need to be rebuilt. A prior poster
stated that he would analyse his system and track the
incident. For the majority of the world this is not so
simple. Most people are not skilled in either incident
response techniques or digital forensic science (please note
computer forensics is a misnomer and grammatically
incorrect). Nor are most companies able to afford to rebuild
systems on a regular basis for the fun of it.


Cyber-trespass leaves one in a state of doubt. It is


commonly stated that the only manner of recovery from a
system compromise is to rebuild the host. I will resist
quoting a voluminous amount of material at this point (unless
somebody wishes to dispute this :). It is needless to say
that documents, working papers and processes on this topic
are widely available. SANS, CERT and the CIS all recommend
that a compromised system be rebuilt, not from backup, but
from scratch.


Further one must "Resist the temptation of restoring from


backups" *1 and complete an "entire system install be
performed from read-only distribution media".


So here, we have to look to the cost of both rebuilding the


system and recreating the data. In the modern corporation,
the primary assets are often vested in the intellectual
capital of the firm.


First, the system needs to be rebuilt as was listed above.


There is no argument here (though I am willing to engage in
one) over the need to rebuild the system. The people at the
company that was attacked do not and cannot know your
motives. They cannot assume you are benign, but have to
assume that you are malignant being that you are willing to
break the law, that you are willing to face gaol.


If they assume otherwise they will suffer again. How do they


know that you have not installed a rootkit? How is it known
that there is no timebomb on the server. You as the attacker
have already demonstrated that you are not bound my
conventional morality and ethics. You have violated property
rights, entered and penetrated a system, breached the
defences and raped the security of the site you choose as
just "practice".


Every attacker that does this makes it easier for the truly


malicious attacker to succeed.


On top of this, add the loss due the unavailability,


reputation and compliance costs. Let us for the moment forget
the costs of tort against the company. The costs of action
for a violation of privacy rights. The costs from a violation
of PCI-DSS. HIPPA Violations or the effects to the companies
share price.


Costs. They seem to be all over the place when you actually


think about it. Each of these costs is damage. This damage
needs to be recovered. We all pay.


Now most organisations do not have, not can afford to retain


skilled incident response professionals. They need to employ
external parties at a cost. Even when they do have internal
staff there is a cost, but the accounting process is not so simple.


At rates (and this is based in Sydney, Australia) hiring


personal from a respected firm (and it is not likely to be
less in the case of fear from an attack driving firms to a
position of trust) will have a charge out rate in the order
of $ 250-450 per hour. The investigation will take 10 -100
hours (and in some cases longer though rare).


Is the cost of damages when placed against the risk worth


it. I hope not, but this is a personal risk decision for the
individual to decide. I can do little to stop you committing
cyber-trespass just as I can do little to stop you robbing a
7-11. Mind you however, I am a bit of an a*8hole. If I get
involved I will (in my personal time if needs be) map out
every piece of information that you have done and ensure that
every lie you tell to try to worm out (aimed at those who
still try to do this act) of the consequences is proved
beyond a reasonable doubt in court.


Animus nocendi or a mind to harm reference the precise


familiarity of illegal content of behaviour, and of its
possible consequences. Now that you have read this post, it
may be argued that you have come to understand that there are
consequences for your actions if you choose to still attack a
system (aimed at those who do). Please feel free to flame me
as reading this post effectively provides the essential
condition to give a penal condemnation if you still choose to
violate the law by breaking into systems and causing damage.


Regards,

Craig



PS

So called.. NON-Malicous attacks have caused the following


events to occur


1 Loss of human life (though systems damage)

2 Insolvancy and the resultant human costs (lost jobs, etc)

so much for no damage... PPS even longer rant as to each of


these with statistical data available ;)


Liability limited by a scheme approved under Professional


Standards Legislation in respect of matters arising within
those States and Territories of Australia where such
legislation exists.


DISCLAIMER
The information contained in this email and any attachments


is confidential. If you are not the intended recipient, you
must not use or disclose the information. If you have
received this email in error, please inform us promptly by
reply email or by telephoning +61 2 9286 5555. Please delete
the email and destroy any printed copy.


Any views expressed in this message are those of the


individual sender. You may not rely on this message as advice
unless it has been electronically signed by a Partner of BDO
or it is subsequently confirmed by letter or fax signed by a
Partner of BDO.


BDO accepts no liability for any damage caused by this email


or its attachments due to viruses, interference,
interception, corruption or unauthorised access.


-------------------------------------------------------------


--------------


EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec


management


education and the case study affords you unmatched


consulting experience.


Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business


Continuity Planning,


Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
-------------------------------------------------------------


--------------







--------------------------------------------------------------
-------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting
experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business
Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------
-------------





-------------------------------------------------------------
--------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec
management
education and the case study affords you unmatched
consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business
Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
-------------------------------------------------------------
--------------







---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------