RE: How hackers cause damage...




For one last time: why do you believe it would be helpful to prosecute
the person that *exploited* a vulnerability rather than the person that
*created* the vulnerability?

I believe that there are two parts to this.

1 The person who "created" the vulnerability may or may not be
responsible based on the particular case. They may be liable to
prosecution and in SOME cases they at least should be and in some they
are charged. This comes to an issue of due care.
You have to separate the responsible party. Was it the company
who designed the software? Was it the company who installed it. Was it
the computer administrator? Etc. This is a far more complex answer than
point 2 and comes down to the individual case/incident.
The creator of a virus IS responsible.
"Security Companies" that do not lock down systems or give
"half-assed" vulnerability assessments and/or audits SHOULD be liable.
SHOULD be criminally liable. I have no argument here.

2 The person who "exploited" the vulnerability has consciously and
deliberately with full intention gone out of the way to do something
that is considered wrong by the majority of society. This is again
intent. If it was an accident (truly) than there is no Mens Rea and none
of the "hacking" offences are strict liability (I do not know German
law, but I would assume not as they come under the EC conventions). Thus
"accidentally" doing something does not make you liable contrary to what
you may think.

As for "not that there aren't enough clueful people" have a think about
the time to secure a system v the number of systems v the number of
people trained in IT in total (i.e. not just IT Security).

How long does it take to complete a full (not just a quickie pen test)
audit of a system? By this I mean a complete file level analysis of all
binaries as well. Don't get me wrong, it would be good for profitability
:) but it is not realistic.

Next experienced IT Security people cost money. Every hospital has a
large number of systems. Having enough people to completely secure all
the systems to the idea is not economically feasible. Take this up with
government if you like- I have nothing to do with medical funding. Every
IT Security person is 2-3 nurses that could be employed by the hospital.


Regards
Craig


-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq@xxxxxxxxxxxxxxxx]
Sent: 3 March 2006 11:08
To: Craig Wright
Subject: Re: How hackers cause damage...

On 2006-03-03 Craig Wright wrote:
That's pretty obvious, because if life was more important, measures
would have been taken *before* an incident could have happened

Assuming all people know and understand IT let alone IT security. This

is not the case. Even where there are clear lines of criminal
responsibility for negligence - systems are not always secured.

I didn't say they were. I said they should be.

HIPPA in the US, NPP4 in Australia etc etc give provision for criminal

responsibility for systems administrators who have failed to
adequately secure systems, but this is of little comfort to the
families of somebody who gets to sue them. Most of these people do not

know what they have to do.

Fire them and get someone who does. Again, contrary to your belief there
are enough people who know (or can be trained to know) what to do. I
don't believe things are so much worse in Australia than they are here
in Germany.

For all your belief Ansgar there are not enough *trained* and
*experienced* security people to do everything. The opinion "It's just

that there are too many clueless people." is true I am sorry to say.
This is one of the flaws in your argument/thesis. There can not be
both too many people who do not understand and also enough people to
secure everything.

Why, of course there can. Having too many clueless people just means
that you have a harder time finding a clueful one, not that there aren't
enough clueful people.

PS Try not to get upset. You lose weight of argument to emotion.

I'm getting annoyed, not upset, because you seem to continually ignore
most anything I'm saying. For one last time: why do you believe it would
be helpful to prosecute the person that *exploited* a vulnerability
rather than the person that *created* the vulnerability?

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



Relevant Pages

  • Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!
    ... it has to do only with ultimate responsibility. ... might not know better when it comes to doing timely security updates, ... Most malware uses some sort of buffer overflow exploit. ... How many patches will it take to make my XP OX as secure as my ...
    (microsoft.public.security.virus)
  • RE: How hackers cause damage...
    ... "Fire them and get someone who does. ... but HOW do we achieve security everywhere? ... secure everything. ... be helpful to prosecute the person that *exploited* a vulnerability ...
    (Security-Basics)
  • Re:[Full-Disclosure] (AUSCERT AA-2004.02) AUSCERT Advisory - Denial of Service Vulnerability in IEEE
    ... > Denial of Service Vulnerability in IEEE 802.11 Wireless Devices ... > Information Security Research Centre for the information contained ... AusCERT would like to thank all vendors that participated ... > described is the responsibility of each user or organisation. ...
    (Full-Disclosure)
  • Re: Anybody use Linux? For old hardware, which distro?
    ... triggered one of my pet hates - the myth that to keep a system secure you need the latest software with the latest patches and updates on everything, along with anti-virus, software firewalls, anti-spyware programs, etc. ... I have spent far more time helping people who have had problems with windows add-on "security" programs than I have spent chasing down or removing malware. ... Security is a process, not an absolute state of the system, and so is vulnerability. ...
    (comp.os.linux.setup)
  • Re: Spyware and Adware affect every internet user
    ... security incidents related to the web browser in years. ... Security is a process not a piece fo software or hardware. ... insecure the next when a new 'critical' vulnerability is discovered. ... It's always a moving target and to say that A is more secure than B may ...
    (comp.security.misc)