Re: Vulnerabilites in new laws on computer hacking

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2006-02-21 Crispin Cowan wrote:
> Ansgar -59cobalt- Wiechers wrote:
> > while I agree with you that for learning and practicing it would
> > suffice to build your own systems to tamper with, I have to disagree
> > on the part that hacking into other people's systems *without* doing
> > any damage should be illegal.
>
> But an intrusion that causes no other privacy or integrity violations
> DOES do damage. The sys admin has no way of knowing that you did no
> damage, and so they have to commit large resources to either auditing
> the box, or wiping it and starting over. Both are hugely expensive.

But if there really *was* a hole that allowed an actual break-in they
would have to do that anyway, because they wouldn't know if anyone had
broken in before and just wiped his tracks, would they?

> I agree with Paul; people who want to learn to hack can quite easily
> do so with their own computers,

Crispin, please, I expressly said that I do agree with Paul on that
part.

> and people who break into machines that they are not authorized to use
> should be prosecuted to the full extent of the law.

I do not (fully) agree on this part, though. I already gave some reasons
why, e.g. when is one authorized to use a machine? Plus, I do not
believe that companies which won't secure their servers properly (thus
putting themselves and/or their customers at risk) should be protected
by the law in this way. This kind of jurisdiction would encourage people
to care less about security than they already do, because if someone
breaks in, they will be able to sue him.

[...]
> > In addition to that some vulnerabilities can be discovered only ITW,
> > simply because you cannot rebuild that environment in your lab. Two
> > years ago we had a case like that over here in Germany [2] (the
> > article is in german, but maybe an online translator will help). The
> > OBSOC (Online Business Solution Operation Center) system of the
> > Deutsche Telekom AG did not do proper authentication, so by
> > manipulating the URL you could access other customers' data. How
> > would you detect such a vulnerability without actually hacking the
> > system? Is one supposed to not notice these things? Will that really
> > make them go away?
>   
> This is an example of the hole. The proper thing for the defender to
> do would be to put up a test system with fake accounts and invite
> attack against the test system. If the site operator chooses not to do
> so, then it is at the expense of their customer's risk. But under no
> circumstances is it proper for researchers to deliberately hack
> production servers that they do not own.

The OBSOC system is AFAIK closed source and the Deutsche Telekom would
not go to the trouble of putting up a test system for public testing.
The person who broke in was an actual customer. I repeat my question: Do
you really believe that this person should be prosecuted? Should he have
ignored the problem instead, leaving the other customers at risk?

Regards
Ansgar Wiechers
-- 
"Der Computer ist da, um zu rechnen, nicht um Ausreden wie 'Kann nicht
durch Null teilen' auf den Bildschirm zu schreiben."
--Marco Haschka in de.org.ccc