[26667] in North American Network Operators' Group
Re: Netgate.net.nz/ORBS spam colusion
daemon@ATHENA.MIT.EDU (Derek J. Balling)
Tue Jan 11 18:59:28 2000
Message-Id: <4.2.2.20000111143407.00b856d0@mail.megacity.org>
Date: Tue, 11 Jan 2000 14:54:46 -0800
To: Dean Anderson <dean@av8.com>, Randy Bush <randy@psg.com>,
David Lesher <wb8foz@nrk.com>
From: "Derek J. Balling" <dredd@megacity.org>
Cc: nanog@merit.edu (nanog list)
In-Reply-To: <3.0.32.20000111164933.00e6bbcc@odie.av8.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 04:49 PM 1/11/00 -0500, Dean Anderson wrote:
>I see the guy in Russia took his model from ORBS, and did exactly the same
>thing: He apparently used a security exploit to get data, and published
>that data. So far, it doesn't sound like he made any credit card charges.
>Sounds like he didn't actually damage the compromised system. According to
>Derek Balling and a few others, he should be free and clear.
Whoa whoa whoa... back up there. Don't even think that you get to put words
in my mouth.
What *I* have said is that a person is subject to the laws and regulations
of the country they live in (plus those they are a citizen of, if those are
not the same country), and not subject to the whims of other countries, so
that's how I see it "from a legal standpoint". If the laws of his nation
say that what he did, specifically, is a crime, then he can (and should) be
held accountable to them. That's what sovereignty is all about.
Philosophically, I disagree with "anti-cracking" laws, by and large,
because (short of password theft or confidential information and NDA
violation-style cracks) any information a cracker can access, ANYONE can
access, if they know enough about the system. What, specifically, makes the
cracker "bad"? YOU (the proverbial you, although your mail servers are a
decent example) are making (the data|your servers) available, not the
cracker. If you are stupid enough to do so, I see no moral obligation on
any user who discovers this to feel it needs to stay quiet. If you bring it
out into the light, it tends to get fixed and people realize how poor the
security at that site is. If you cover it up and go quietly about it or
(worst) tell NOBODY, then nobody knows how poor the security is, or how
little that site should be trusted with data/money/services.
>According to those few people, the cracker hasn't done anything wrong.
Never made that claim. Could you show me where I said that? I'll say it
now, that I don't think he's done much of anything wrong, because
(personally) I believe that crackers, by and large, are a good thing. They
find the holes the rest of the world overlooks and misses. They bring them
to our attention -- often in a flamboyant manner or one that some people
might consider "reckless" -- because most of the time, reporting the
problem to the people who lack security falls on deaf ears.
>According to those same people, CD Universe accepted the consequences of
>having an insecure server. Anybody could have accessed the data.
So long as the Russian Cracker was not using a password or such that he
stole from someone (and using a default password is not stealing a
password, since the password is public knowledge), I would concur with
that. (I haven't read the details on how exactly the Russian cracked CD
Universe, so I can't say that for certain, but I think this fairly well
defines where I personally would draw the line).
>So it must be
>publicly available information then. He just published some publicly
>available data. US law doesn't apply to Russians. The fault here is with
>CD Universe for operating an insecure server.
Yes, in fact, the ultimate fault does lie with CD Universe. CD Universe
compromised their users' data, not a Russian hacker. The Russian Hacker
merely publicized that compromise.
>There is no fault with the
>guy who published the credit cards. He is not responsible if other people
>misuse that data.
Correct. In the same way that ancient Chinese scientists are not
responsible if you buy an Uzi and kill someone just because they invented
gunpowder. You are responsible for your own actions, just as the
perpetrators of credit-card-fraud are responsible for THEIR own actions.
>Wrong. If it wasn't already clear to reasonable people, it certainly is
>now. Those people who made those stupid assertions are clearly full of crap.
I guess I'm full of crap then. It wouldn't be the first time I've been told
that before, but coming from you, I feel much better now, since it now
very-effectively lowers the credibility of all the rest of the people who
have said that by the very nature of being lumped together with the likes
of you. :)
>Now what happens to the Russian ISP that refuses to shut down the site?
>Yep. You guessed it.
OK, I'll bite... what do you think happens? Do you think the FBI is going
to go over there and ask the successors to the KGB (same uniform, different
TLA) "pretty please can we arrest these people"? Are you really that ignorant?
I suspect the answer is that "nothing" will happen to the ISP, though they
might volunteer to take it down for PR reasons, not because anyone has
any authority or moral responsibility to make them shut it down.
My $0.02 worth, I speak for nobody but myself.
D