john@bovine.ati.com (John Higdon) (02/22/90)
In TELECOM Digest Volume 10 : Issue 118 you write: > People just can't seem to grasp the fact that a group of 20 year old > kids just might know a little more than they do, and rather than make > good use of us, they would rather just lock us away and keep on > letting things pass by them. I've said this before, you cant stop > burglars from robbing you when you leave the doors unlocked and merely > bash them in the head with baseball bats when they walk in. You need > to lock the door. But when you leave the doors open, but lock up the > people who can close them for you another burglar will just walk right > in. I heartily agree. The standard mode is to develop new technology, or new uses for existing technology and give little or no thought how you keep it secure for the users. In the early days of any new procedure, the security rests in the reality that few people even know that such a thing exists. But this form of "security" is fleeting, since it takes little time for the curious to discover it and to find its weaknesses. Then phase two of the standard mode kicks in, and the developers and users manage to convince law enforcement authorities that criminal minds are at work when their technology is breached. Can you imagine the indignation and anger of someone who has discovered that his small business is being answered after hours by an outgoing announcement on the machine that is full of obscenities? The business owner would certainly be thinking to himself, "There ought to be a law...". But what he should be reflecting upon is the silliness of relying on two-digit "security" code to protect him from such pranking. This applies to computers, telephone systems, in fact everything. Those who leave their systems "open" to the public should expect the curious to enter and look around. Banks don't keep their negotiable instruments in a closet secured with a hasp and padlock, then expect the police to go after everyone that makes off with the goods. They use concrete and steel vaults secured with sophisticated time locks. Sure, even these can be broken into, but it requires the resources beyond the casual criminal. Likewise, there are computer systems that are, indeed, relatively secure, and entry to these systems is beyond the means of the average hacker. I don't for one minute think that any hacker would be interested in any of my stuff, but I take reasonable precautions to prevent casual entry. My client's DISA is protected with a seven-digit code that allows one attempt and then hangs up if unsuccessful. Likewise my Watson is protected with a long code. I review the logins on my computers daily and change the root passwords regularly. For any commercial or government entity to do less is in itself criminal. To then go after "hackers" for simply walking in the relatively open door and prosecute them is an offense. A little story: A few years ago, I was dialing around in the "test number" area looking for interesting test numbers and happen to stumble on one that returned this message: "Your number has been recorded and you will be billed for this call. Also, your parents will be notified." I didn't stop laughing for a week. John Higdon | P. O. Box 7648 | +1 408 723 1395 john@bovine.ati.com | San Jose, CA 95150 | M o o !
klg@dukeac.UUCP (Kim Greer) (02/28/90)
In article <4262@accuvax.nwu.edu> John Higdon <john@bovine.ati.com> writes: X-Telecom-Digest: Volume 10, Issue 123, Message 2 of 5 >In TELECOM Digest Volume 10 : Issue 118 you write: >> People just can't seem to grasp the fact that a group of 20 year old >> kids just might know a little more than they do, and rather than make >For any commercial or government entity to do less is in itself >criminal. To then go after "hackers" for simply walking in the >relatively open door and prosecute them is an offense. Dumb - maybe. Negligent - yeah, ok. Criminal ? I don't think so. Obligatory net analogy: If I sit a briefcase down on the sidewalk while I fumble with keys to unlock a car door, and some jerk heists the brief- case, then you are telling me _I'm_ the criminal? Get real. I'm fed up with lame excuses and garbaged reasoning from these idiots (crackers or whatever name they want to call themselves - I'm not referring to you, John) to somehow justify their illegal deeds. They have no right or privilege bestowed upon them to legitiately do their childish, though dangerous (in several categories - property, lives, copyrights, and yes, maybe even national security) "pranks". Its an offense to prosecute someone because the victim had a "relatively open door"?? Tell me that same thing should one ever bust into one of your systems. I won't hold my breath. K. Greer klg@orion.mc.duke.edu [Moderator's Note: Like yourself, I am tired of hearing the notion that *I* must be restricted and/or inconvenienced because *they* never learned to respect the private property of others. Its all too common these days, isn't it: the victim is made into the guilty party, and the guilty party becomes a folk hero persecuted by a government out to get him. The best thing in the world that could have been done for some of the crackers would have been for their parents to slap the fire out of them a little more often. PT]
john@bovine.ati.com (John Higdon) (03/02/90)
klg@dukeac.UUCP (Kim Greer) writes: > Obligatory net analogy: If I sit a briefcase down on the sidewalk > while I fumble with keys to unlock a car door, and some jerk heists > the brief- case, then you are telling me _I'm_ the criminal? Get > real. I'm fed up with lame excuses and garbaged reasoning from these > idiots (crackers or whatever name they want to call themselves - I'm > not referring to you, John) to somehow justify their illegal deeds. Just so there is no doubt, let me be absolutely clear concerning which side of the aisle I'm on. Not long ago, I blasted a post from some hacker which netted me some "warnings"--nay, threats from inhabitants of the the "darkside", etc. Never in any of my writings have I justified hacking now or in my other life of a distant past. The rational for phreaking and hacking was lame then and it's lame now and given the potential harm should not be tolerated. Are you with me so far? > Its an offense to prosecute someone because the victim had a > "relatively open door"?? Tell me that same thing should one ever bust > into one of your systems. I won't hold my breath. I would be mightily outraged if one broke into one of my systems. However, we are at some disagreement as to prevention techniques. You seem to feel (and I don't want to put words into your mouth) that it is more effective to run around and try to put all the hackers in jail rather than simply making the systems secure. As I said in my post, I have taken some rudimentary precautions to keep the casually curious out of my various computer and telephone systems. If everyone did the same, we might have less of a "hacker" problem to begin with. Don't you feel that it is "criminal" to be easier to hack into a system such as a telco RMAC than say someone's home UNIX computer? This was my point of the post. If security at critical systems is "au casual", then my ire is directed at the administrators of those systems, not the hackers. > [Moderator's Note: Like yourself, I am tired of hearing the notion > that *I* must be restricted and/or inconvenienced because *they* never > learned to respect the private property of others. When I leave my house, I have to lock the door. I also set the alarm. It really is an inconvenience. I really shouldn't have to do that. People should just know that my stuff is mine. And I live in a virtually crimeless neighborhood. > Its all too common > these days, isn't it: the victim is made into the guilty party, and > the guilty party becomes a folk hero persecuted by a government out to > get him. The best thing in the world that could have been done for > some of the crackers would have been for their parents to slap the > fire out of them a little more often. PT] Like you, I am infuriated with the folk hero status of some of these creeps. And I also agree that some of them should have been slapped around a little as kids (figuratively, at least). But the idea here is to prevent the breach of systems and to really accomplish something, isn't it? So rather than rail about how society *should* be and how people *should* act, why not face reality and design systems that are somewhat more resistant to intruders? John Higdon | P. O. Box 7648 | +1 408 723 1395 john@bovine.ati.com | San Jose, CA 95150 | M o o !
klg@dukeac.UUCP (Kim Greer) (03/04/90)
In article <4599@accuvax.nwu.edu> John Higdon <john@bovine.ati.com> writes: X-Telecom-Digest: Volume 10, Issue 135, Message 4 of 7 >Just so there is no doubt, let me be absolutely clear concerning which >side of the aisle I'm on. Not long ago, I blasted a post from some >hacker which netted me some "warnings"--nay, threats from inhabitants >of the the "darkside", etc. Never in any of my writings have I >justified hacking now or in my other life of a distant past. The >rational for phreaking and hacking was lame then and it's lame now and >given the potential harm should not be tolerated. Are you with me so >far? I'm glad we agree on this. My intention never has been to begin a war about this kind of stuff. It's sort of funny how a common "enemy" can sometimes turn like-minded (for the most part) people against each other. >I would be mightily outraged if one broke into one of my systems. >However, we are at some disagreement as to prevention techniques. You >seem to feel (and I don't want to put words into your mouth) that it >is more effective to run around and try to put all the hackers in jail >rather than simply making the systems secure. I think it is more effective to have the laws applied to them than to NOT have the laws applied, when laws are broken and things are stolen. >rather than simply making the systems secure. That sounds ok to me, but what _do_ you do with people who insist on the "challenge" of getting into systems that _are_ secure? There are some who get a bigger charge out of the "tough" systems - after all, "any weenie can get in the insecure computers. What I'm doing is _real_ hacking. See how great I am?" Its an ego thing. The same challenge is what prompts video game makers to build in higher and higher degrees of difficulty. >rather than simply making the systems secure. ^^^^^^ What is simple for one person is far beyond the imagination of others. I think that there is no simple way to make most systems secure. I also think that most administrators, including myself, really have no uniform way of making a system secure. I cite the Robert Morris example. I would wager that most sys-adms had no idea such a loophole existed. Like most other people, I will do whatever I can, but how can anyone protect against every possible method of attack by an unknown number of intruders-to-be? >Don't you feel that it is "criminal" to be easier to hack into a >system such as a telco RMAC than say someone's home UNIX computer? >This was my point of the post. If security at critical systems is "au >casual", then my ire is directed at the administrators of those >systems, not the hackers. I agree to the point of it being dumb and negligent to some degree. I started to say that I might even go so far as to say they got what was coming to them, but ... nah. I think we are both saying sort of the same thing - security should be carried out to best of one's ability (or through the use of someone who may be more knowledgeable of such matters). Kim Greer klg@orion.mc.duke.edu