internet worm

0 views
Skip to first unread message

Rob J. Nauta

unread,
May 20, 1993, 4:39:08 PM5/20/93
to
cow...@csuslip4.csuohio.edu (Syscrusher) writes:

->This, of course, led very rapidly to rampant infestations of most
->hosts on the internet circla late 1988, bringing down most infested hosts
->and costing over $100,000 in damages.

>I am curious about this part. If the damage was only software, requiring
>time to fix, where did the damage figure come from, just labor to correct?

I wonder about this too. In Holland two young persons were arrested
after breaking in to a few desktop SUNs in Amsterdam in january 1992.
The management of the university in question claimed $50.000 worth
of labor had to be spent to secure them again !!

What can be done about such outrageous claims that are unfortunately
impossible to check or verify, and give the general public the
impression that hackers/crackers really cause the damage, without realising
it's just a fictional amount of money.

Rob
--
/-----------------------------------------------\ Never ,==.
| Rob J. Nauta, UNIX computer security expert. | Apologize, /@ |
| r...@wzv.win.tue.nl, Phone: +31-40-837549 | Never /_ <
| r...@hacktic.nl -- Email me for UNIX advice | Explain. =" `g'

Andy Bolton

unread,
May 21, 1993, 4:44:11 AM5/21/93
to
r...@wzv.win.tue.nl (Rob J. Nauta) writes:

>I wonder about this too. In Holland two young persons were arrested
>after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>The management of the university in question claimed $50.000 worth
>of labor had to be spent to secure them again !!

>What can be done about such outrageous claims that are unfortunately
>impossible to check or verify, and give the general public the
>impression that hackers/crackers really cause the damage, without realising
>it's just a fictional amount of money.

It may be an exaggerated figure, but not fictional. Somebody has to pay to
correct systems damaged by crackers. Whether it is only the OS needs reinstall
-ing, or valuable research data is lost, it still has to be paid for.

In the Cuckoos Egg, Cliff Stoll tells of Physics experiments data lost during
intrusions. How much do you think it costs to run a CAT scanner, or particle
accelerator ?

Maybe the answer to this is "They should have had backups and better security",
but because you leave your back door open one day, does that give anyone the
RIGHT to burgle you ?

That some crackers may have the best intentions in the world I do not doubt,
but they still cause damage to the security and trust of the net.

Cheers,

Andy.

---

#include <std/disclaimer> 'Opinions are mine, not my Employers'
________________________________________________________________________________
|
Andy_...@sbd-e.rx.xerox.com | Rank Xerox Technical Centre
abo...@cix.compulink.co.uk | Welwyn Garden City, Herts.
| ENGLAND
________________________________________L_______________________________________

Democracy: The worship of Jackals by Jackasses. H.L. Mencken.

Goldman of Chaos

unread,
May 21, 1993, 9:27:43 AM5/21/93
to
In article <1tgq9c$j...@wzv.win.tue.nl> r...@wzv.win.tue.nl (Rob J. Nauta) writes:
>What can be done about such outrageous claims that are unfortunately
>impossible to check or verify, and give the general public the
>impression that hackers/crackers really cause the damage, without realising
>it's just a fictional amount of money.

Get your sled back into reality Santa. Fictional amount of money? I
think not.
1) Time to backup the current state of the system
2) Backup media
3) Cost to move backup media to offsite storage
4) Cost to move previous backups from offsite storage
5) System administrator time to reload the operating system
6) System administrator time to reload user files
7) System administrator time to close security problems
8) Time to backup the current state of the system
9) Backup media
10) Cost to move backup media to offsite storage
11) Cost of offsite storage
12) Costs of time explaining to management what went wrong

Matt

--
Matthew Goldman E-mail: gol...@orac.cray.com Work: (612) 683-3061

Buddy: "Why do I always have to go first?"
Sally: "Because you're expendable."

M Darrin Chaney

unread,
May 21, 1993, 10:58:26 AM5/21/93
to
In article <1tgq9c$j...@wzv.win.tue.nl> r...@wzv.win.tue.nl (Rob J. Nauta) writes:
>I wonder about this too. In Holland two young persons were arrested
>after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>The management of the university in question claimed $50.000 worth
>of labor had to be spent to secure them again !!
>
>What can be done about such outrageous claims that are unfortunately
>impossible to check or verify, and give the general public the
>impression that hackers/crackers really cause the damage, without realising
>it's just a fictional amount of money.

While $50,000 is way high, the money isn't fictional. If I have to
spend 5 hours cleaning up after a hacker, my organization has lost $75.
That's not fictional. If we have to hire a consultant, the price goes
up.

Darrin
--
M Darrin Chaney, Senior Database Programmer, University Computing Services, IU
mdch...@indiana.edu 1000 E 17th St. Work: (812)855-5492
mdch...@iubacs.bitnet Bloomington, IN 47408 Home: (812)333-6311
"I want- I need- to live, to see it all..."

Rafe Colburn

unread,
May 21, 1993, 11:03:10 AM5/21/93
to
In article <1tgq9c$j...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta)
wrote:

>
> I wonder about this too. In Holland two young persons were arrested
> after breaking in to a few desktop SUNs in Amsterdam in january 1992.
> The management of the university in question claimed $50.000 worth
> of labor had to be spent to secure them again !!
>
> What can be done about such outrageous claims that are unfortunately
> impossible to check or verify, and give the general public the
> impression that hackers/crackers really cause the damage, without realising
> it's just a fictional amount of money.

It seems that all too often these kinds of outrageous claims are made. I
remember when BellSouth claimed an outrageous value (several thousand
dollars) for the ESS document that was taken by the so-called Atlanta boys,
when in fact the document could be had by any member of the public for less
than $20, just by calling an 800 number and ordering it.

I have also found that the people whose sites have been compromised expect
the crackers to pay the bill for securing the system in addition to paying
for any "damages" that have occurred. If someone robs your house, you
can't sue them to make them pay for a new lock and an alarm system to
prevent future break ins. It seems that this would hold true for cracked
systems as well. It was the admin's mistake to not have proper security in
the first place, and the cracker should not have to pay for it.

==============================================================================
Rafe Colburn : All opinions expressed are exclusively
Office of Development : mine, I don't think anyone else wants
them
University of Houston : anyway.
:
hdev...@admin.uh.edu :
==============================================================================

Davin K Hong

unread,
May 21, 1993, 11:23:54 AM5/21/93
to
Matthew Goldman says:
Get your sled back into reality Santa. Fictional amount of money? I
think not.
1) Time to backup the current state of the system
2) Backup media
3) Cost to move backup media to offsite storage
4) Cost to move previous backups from offsite storage
5) System administrator time to reload the operating system
6) System administrator time to reload user files
7) System administrator time to close security problems
8) Time to backup the current state of the system
9) Backup media
10) Cost to move backup media to offsite storage
11) Cost of offsite storage
12) Costs of time explaining to management what went wrong

-------

I agree that money is lost as system administrator must restore files
and the operating system, but a lot of the costs he lists are not really
"caused" by the crackers per se. Anything involving creating the backups
(i.e. 1, 2, 3, 8, 9, 10, 11) are included in the cost of normally managing
a system) - you should be doing, and paying for, that anyway. Furthermore,
the cost of closing up the security problem is not a cost caused by the
crackers - the problem was (apparently) there before anyone broke in.

It just irritates me when people overly inflate costs of anything, not
just cracker attacks.

Davin Hong
dav...@jhunix.hac.jhu.edu

Leonard Hermens

unread,
May 21, 1993, 12:26:55 PM5/21/93
to
In article <1tgq9c$j...@wzv.win.tue.nl> Rob J. Nauta, r...@wzv.win.tue.nl

writes:
> ->This, of course, led very rapidly to rampant infestations of most
> ->hosts on the internet circla late 1988, bringing down most infested
hosts
> ->and costing over $100,000 in damages.
>
> >I am curious about this part. If the damage was only software,
requiring
> >time to fix, where did the damage figure come from, just labor to
correct?
>
> I wonder about this too. In Holland two young persons were arrested
> after breaking in to a few desktop SUNs in Amsterdam in january 1992.
> The management of the university in question claimed $50.000 worth
> of labor had to be spent to secure them again !!
>
> What can be done about such outrageous claims that are unfortunately
> impossible to check or verify, and give the general public the
> impression that hackers/crackers really cause the damage, without
realising
> it's just a fictional amount of money.

It could be fictional, but at least these costs come to mind
immediately:
1. Time to find the problem (labor)
2. Time to correct the problem
3. Time to restore lost/damaged/infected files
4. Money lost due to unavailable resources
(for example, timesharing charges to outside parties)

The fees sound high, however, because included in them is
probably the time spent to discover the security hole...and
that can be expensive. It is not a direct cost attributable to
the break-in, though.

Just because a person is paid to adminster a system, that doesn!t
mean that they have the *extra* time to fix problems that
may have been caused maliciously, either.
-----
Leonard

Bear Giles

unread,
May 21, 1993, 2:23:28 PM5/21/93
to
In article <HDEVAREC-2...@kfps-2.ec-building.uh.edu> HDEV...@Admin.UH.edu (Rafe Colburn) writes:
>In article <1tgq9c$j...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta)
>wrote:
>>
>> I wonder about this too. In Holland two young persons were arrested
>> after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>> The management of the university in question claimed $50.000 worth
>> of labor had to be spent to secure them again !!
>
>I have also found that the people whose sites have been compromised expect
>the crackers to pay the bill for securing the system in addition to paying
>for any "damages" that have occurred. If someone robs your house, you
>can't sue them to make them pay for a new lock and an alarm system to
>prevent future break ins. It seems that this would hold true for cracked
>systems as well. It was the admin's mistake to not have proper security in
>the first place, and the cracker should not have to pay for it.

What about what happened here a year ago?

We were upgrading a 386 Unix system, and had to boot DOS to run a
configuration program for the new hardware.

Microsoft does not sell DOS boot disks. We _should_ have used a
clean copy of DOS on a new machine to make boot disks, but the person
doing the installation was lazy and built a DOS boot disk from a
"public" DOS system across the hall.

Too bad that system was infected, and when it booted on our Unix
system it trashed the Unix file system. Between the time required to
rebuild the Unix system, reinstall all options and our software, and
lost productivity this little virus probably cost over $5,000.
(Several people idle or rebuilding a system for several days is
expensive).

But that was a modest cost. This is a professional software lab and
none of us would _intentionally_ infect systems, but because some clown
decided he was God's Gift to Computers and didn't realize his "safe"
DOS virus would kill Unix systems our lab had a demonstrated risk and
had to disinfect _all_ of the computers in the lab. There's only
a few hundred people here, so it probably only took a couple person-months.
That's probably around $20,000 or more. Toss in the fact that many of
use had to purchase anti-virus software for our own systems, and the
cost is probably in excess of $50,000.

Your analogy to a burglar entering a house is FALSE. We _do_ have
locks on the doors; electronic locks on doors to "public" systems.

Virus writers are closer to a jerk who goes onto _private_ land to
dig holes despite knowing that the owner of this land rides his horse
across the field. When the horse breaks a leg in a hole WHICH SHOULD
NOT BE THERE and has to be destroyed, the owner has every right to
1) demand compensation for the lost horse, 2) demand the vandal
fill the holes he dug, and 3) demand compensation from the vandal
to erect sturdier fences and post yet more signs saying NO TRESPASSING.

If virus writers were competent, this would not be such a problem.
But there are a lot of "safe" viruses out there that cause extensive
damage because the writer's ego surpassed his ability to write clean
code. Therefore ANY virus must be considered destructive and removed,
even at high cost.

--
Bear Giles
be...@cs.colorado.edu/fsl.noaa.gov

Ken Arromdee

unread,
May 21, 1993, 2:33:51 PM5/21/93
to
In article <1993May21.0...@spectrum.xerox.com> bol...@rx.xerox.com writes:
>>I wonder about this too. In Holland two young persons were arrested
>>after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>>The management of the university in question claimed $50.000 worth
>>of labor had to be spent to secure them again !!
>>What can be done about such outrageous claims that are unfortunately
>>impossible to check or verify, and give the general public the
>>impression that hackers/crackers really cause the damage, without realising
>>it's just a fictional amount of money.
>Maybe the answer to this is "They should have had backups and better security",
>but because you leave your back door open one day, does that give anyone the
>RIGHT to burgle you ?

You are confusing claims that the damage is exaggerated with attempts to
justify cracking. Neither implies the other.
--
"On the first day after Christmas my truelove served to me... Leftover Turkey!
On the second day after Christmas my truelove served to me... Turkey Casserole
that she made from Leftover Turkey.
[days 3-4 deleted] ... Flaming Turkey Wings! ...
-- Pizza Hut commercial (and M*tlu/A*gic bait)

Ken Arromdee (arro...@jyusenkyou.cs.jhu.edu)

Chris Higgins - System Administrator

unread,
May 21, 1993, 4:01:40 PM5/21/93
to
In article <HDEVAREC-2...@kfps-2.ec-building.uh.edu>, HDEV...@Admin.UH.edu (Rafe Colburn) writes:
>In article <1tgq9c$j...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta)
>wrote:
>>
>> I wonder about this too. In Holland two young persons were arrested
>>
>I have also found that the people whose sites have been compromised expect
>the crackers to pay the bill for securing the system in addition to paying
>for any "damages" that have occurred. If someone robs your house, you
>can't sue them to make them pay for a new lock and an alarm system to
>prevent future break ins. It seems that this would hold true for cracked
If you buy an alarm system, and it doesn't work... Then surely it is the
company that sold it to you.... It isn't your fault that something you bought
didn't work as advertised !

>systems as well. It was the admin's mistake to not have proper security in
>the first place, and the cracker should not have to pay for it.
>

BULLSHIT !!!! (pardon my french !)
If every administrator had to spend every waking minute (and those sleeping)
patching the holes in Un*x systems. Then the users will be complaining about
the lack of time spent on *their* important pressing problems.

The Admin can never win. If you enter a shop and break something on the shelf,
then shouldn't you pay for it ? Why should the shop lose out because of your
stupidity / malicious intent ?

Excuse the tone, but I cannot abide people who believe that crackers shouldn't
be held responsible for their actions. If that responsibility extends to paying
reparations for damage, then so be it...

(Lets not have "War reparations" because the countries at war are "cracking" at
each others borders... Lets not have people sueing others, because when a brain
surgeon messes your head up, he was only "cracking" at your head.. Obviously
not his responsibility....)

>==============================================================================
>Rafe Colburn : All opinions expressed are exclusively
>Office of Development : mine, I don't think anyone else wants
>them
>University of Houston : anyway.
> :
>hdev...@admin.uh.edu :
>==============================================================================

Chris.

+ J.C. Higgins, + + If you love something, set it +
+ VMS Sys. Admin, + Ch...@csvax1.ucc.ie + free. If it doesn't come back +
+ Comp.Sc.Dept. + Ch...@odyssey.ucc.ie + to you, hunt it down and +
+ UCC, Ireland + C.Hi...@bureau.ucc.ie + KILL it. -- Me. +

Timothy Newsham

unread,
May 21, 1993, 6:45:54 PM5/21/93
to
>r...@wzv.win.tue.nl (Rob J. Nauta) writes:
>
>>I wonder about this too. In Holland two young persons were arrested
>>after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>>The management of the university in question claimed $50.000 worth
>>of labor had to be spent to secure them again !!
>
>>What can be done about such outrageous claims that are unfortunately
>>impossible to check or verify, and give the general public the
>>impression that hackers/crackers really cause the damage, without realising
>>it's just a fictional amount of money.
>
>It may be an exaggerated figure, but not fictional. Somebody has to pay to
>correct systems damaged by crackers. Whether it is only the OS needs reinstall
>-ing, or valuable research data is lost, it still has to be paid for.

Often included in the damages are the cost of making the system secure.
The hacker didnt impose this on the system administrators, and if they
had spent this money before hand then more likely than not the
hacker wouldnt have gotten in. It is unfair to include these
sort of costs in the damages.

Steven Bellovin

unread,
May 21, 1993, 1:05:36 PM5/21/93
to
In article <1tgq9c$j...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta) writes:
> cow...@csuslip4.csuohio.edu (Syscrusher) writes:
>
> ->This, of course, led very rapidly to rampant infestations of most
> ->hosts on the internet circla late 1988, bringing down most infested hosts
> ->and costing over $100,000 in damages.
>
> >I am curious about this part. If the damage was only software, requiring
> >time to fix, where did the damage figure come from, just labor to correct?
>
> I wonder about this too. In Holland two young persons were arrested
> after breaking in to a few desktop SUNs in Amsterdam in january 1992.
> The management of the university in question claimed $50.000 worth
> of labor had to be spent to secure them again !!

I can't speak to that example, but $100K in *total* damages seems
reasonable for the Internet worm. How many sites do you think it it?
300? That means only about $333 per site, which is not many staff
hours. And that doesn't even include lost productivity, time that
people couldn't work because their machines were either unusable or
unable to speak to the outside world.

$100K in direct costs? Probably not. And one shouldn't count time to
install security fixes that needed to be in anyway. But I don't think
that $100K is out of line for the total damage, worldwide, for that
particular incident. It may be high, but not grossly so.

Steven J Tucker

unread,
May 22, 1993, 1:53:41 AM5/22/93
to

In a previous article, r...@wzv.win.tue.nl (Rob J. Nauta) says:

>cow...@csuslip4.csuohio.edu (Syscrusher) writes:
>
>->This, of course, led very rapidly to rampant infestations of most
>->hosts on the internet circla late 1988, bringing down most infested hosts
>->and costing over $100,000 in damages.
>
>>I am curious about this part. If the damage was only software, requiring
>>time to fix, where did the damage figure come from, just labor to correct?
>
>I wonder about this too. In Holland two young persons were arrested
>after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>The management of the university in question claimed $50.000 worth
>of labor had to be spent to secure them again !!

Claiming damages to "secure them again" does not seem viable, since just
"securing them again" might involve changing a password where the $50,000
comes in is IMPROVING the security that was never there to begin with.

Does this seem right?
--
Steven J Tucker | \|/ \|/ \|/ \|/ \|/ \|/ | dh...@cleveland.Freenet.edu
P.o.Box 33475 | Visit the Atari 8Bit Sig |-------------------------------
North Royalton | Cleveland Free-Net | " There is no right or wrong
Ohio 44133-0475 | /|\ /|\ /|\ /|\ /|\ /|\ | only thinking makes is so "

Angel at large

unread,
May 22, 1993, 2:20:12 AM5/22/93
to
In article <C7E7M...@curia.ucc.ie> ch...@csvax1.ucc.ie writes:
>Excuse the tone, but I cannot abide people who believe that crackers shouldn't
>be held responsible for their actions. If that responsibility extends to paying
>reparations for damage, then so be it...
>
>(Lets not have "War reparations" because the countries at war are "cracking" at
>each others borders... Lets not have people sueing others, because when a brain
>surgeon messes your head up, he was only "cracking" at your head.. Obviously
>not his responsibility....)
>
I think it all depends on what kind of cracking we're talking about here. For
example, if I break into your system and send you a message that your system
has been compromized, and log off, I shouldn't pay for the time it takes to up
the security. In fact, I don't think the person who breaks into systems like
that even increases paranoia on the net. On the other hand if I login and
delete data, or mangle the system in some other manner, it's entirely different
matter.
Thats my cent and a half.
--
* Angel@foghorn_leghorn.coe.northeastern.edu
* * * * BTW: These are my opinions, and not that of any other entity
- * * * * * * ------------------------------------------------------------*
* * * My god, its full of stars! - Dave
* I don't know about you, but we've got company! - Epidemic

R.v.Kampen

unread,
May 21, 1993, 11:06:21 PM5/21/93
to
In article <C7DtL...@usenet.ucs.indiana.edu> mdch...@fractal.ucs.indiana.edu (M Darrin Chaney) writes:
>In article <1tgq9c$j...@wzv.win.tue.nl> r...@wzv.win.tue.nl (Rob J. Nauta) writes:
>>I wonder about this too. In Holland two young persons were arrested
>>after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>>The management of the university in question claimed $50.000 worth
>>of labor had to be spent to secure them again !!
>>
>>What can be done about such outrageous claims that are unfortunately
>>impossible to check or verify, and give the general public the
>>impression that hackers/crackers really cause the damage, without realising
>>it's just a fictional amount of money.
>
>While $50,000 is way high, the money isn't fictional. If I have to
>spend 5 hours cleaning up after a hacker, my organization has lost $75.
>That's not fictional. If we have to hire a consultant, the price goes
>up.
>
Maybe you should see it as the kind of maintenance done on equipment
that wears out due to friction, old age etc...
computer systems when left alone don't wear out due to software
getting old (maybe when te century turns) So hackers cause the
friction which causes computer systems wear out, so that way they will
continuously be updated and improved.

In a couple of years there will be oldtimers clubs where all ancient
computers are still being used. And the rest of the world will be
computing on more improved, less power consuming, more powerful
cars/computers. And hackers will still be the dust particles in
engines that cause wearing out.

willem

(I might not sound very coherently, but that's because I am not.)
( ^ neither does it 'sound' unless you have your
newsreader interfaced with some voice unit)

Chris Higgins - System Administrator

unread,
May 22, 1993, 6:28:54 AM5/22/93
to
In article <1993May22....@lynx.dac.northeastern.edu>, angel@Foghorn_Leghorn.coe.northeastern.edu (Angel at large) writes:
>In article <C7E7M...@curia.ucc.ie> ch...@csvax1.ucc.ie writes:
>>Excuse the tone, but I cannot abide people who believe that crackers shouldn't
>>be held responsible for their actions. If that responsibility extends to paying
>>reparations for damage, then so be it...
>>
>>(Lets not have "War reparations" because the countries at war are "cracking" at
>>each others borders... Lets not have people sueing others, because when a brain
>>surgeon messes your head up, he was only "cracking" at your head.. Obviously
>>not his responsibility....)
>>
>I think it all depends on what kind of cracking we're talking about here. For
Herein lies the problem...
>example, if I break into your system and send you a message that your system
>has been compromized, and log off, I shouldn't pay for the time it takes to up
>the security. In fact, I don't think the person who breaks into systems like

Ok, so you break in, and mail me a message. I'm going to have to try track down
EXACTLY what you did. I've then got a system, which is (potentially) very
insecure, so I've got to put effort into restoring the security confidence
level to where it was. That may not involve me doing anything except checking
that you didn't change anything. On the other hand it may require that I
re-install the entire OS from scratch. So while the actual damage done by the
cracker may be minimal, I would have to put in a lot of person-hours, to ensure
that no real damage has been done, and I'll have to patch the hole used so that
I can turn to my users and say that we are back where we were...
Then my users can continue knowning that it is unlikely that the same will
happen again.

>that even increases paranoia on the net. On the other hand if I login and
>delete data, or mangle the system in some other manner, it's entirely different
>matter.

As I said above, not really...

>Thats my cent and a half.
>--
> * Angel@foghorn_leghorn.coe.northeastern.edu
> * * * * BTW: These are my opinions, and not that of any other entity
>- * * * * * * ------------------------------------------------------------*
> * * * My god, its full of stars! - Dave
> * I don't know about you, but we've got company! - Epidemic
>

Danny Smith

unread,
May 22, 1993, 10:15:35 AM5/22/93
to
>Just because a person is paid to adminster a system, that doesn!t
>mean that they have the *extra* time to fix problems that
>may have been caused maliciously, either.

I recall more than one admin-type telling me that the BIG cost factor
was the time spent explaining the situation to upper management and
local news teams.

--
Danny Smith | 408/992-2365 | da...@juts.ccc.amdahl.com
Amdahl Corp. | Sunnyvale, CA | da...@uts.amdahl.com
[ Disclaimer - the above opinions are mine, and do not ]
[ reflect Amdahl policy. (They made me say that.) ]

Robert Gasch

unread,
May 22, 1993, 9:47:57 AM5/22/93
to
Leonard Hermens (lher...@eecs.wsu.edu) wrote:
: In article <1tgq9c$j...@wzv.win.tue.nl> Rob J. Nauta, r...@wzv.win.tue.nl

: writes:
: > ->This, of course, led very rapidly to rampant infestations of most
: > ->hosts on the internet circla late 1988, bringing down most infested
: hosts
: > ->and costing over $100,000 in damages.
: >
: > >I am curious about this part. If the damage was only software,
: requiring
: > >time to fix, where did the damage figure come from, just labor to
: correct?
: >
: > I wonder about this too. In Holland two young persons were arrested
: > after breaking in to a few desktop SUNs in Amsterdam in january 1992.
: > The management of the university in question claimed $50.000 worth
: > of labor had to be spent to secure them again !!
: >
: > What can be done about such outrageous claims that are unfortunately
: > impossible to check or verify, and give the general public the
: > impression that hackers/crackers really cause the damage, without
: realising
: > it's just a fictional amount of money.

: It could be fictional, but at least these costs come to mind
: immediately:
: 1. Time to find the problem (labor)
: 2. Time to correct the problem

Should hackers/crackers be charged for item 1&2 ? They didn't cause the
problem, they simply (ab)used problems left/caused by the OS vendor.

--> Robert

Angel at large

unread,
May 22, 1993, 3:20:26 PM5/22/93
to
In article <C7FBs...@curia.ucc.ie> ch...@csvax1.ucc.ie writes:
>Ok, so you break in, and mail me a message. I'm going to have to try track down
>EXACTLY what you did. I've then got a system, which is (potentially) very
>insecure, so I've got to put effort into restoring the security confidence
>level to where it was. That may not involve me doing anything except checking

But it was insecure to begin with! The person who breaks in did NOT change
the level of security!

>that you didn't change anything. On the other hand it may require that I
>re-install the entire OS from scratch. So while the actual damage done by the
>cracker may be minimal, I would have to put in a lot of person-hours, to ensure
>that no real damage has been done, and I'll have to patch the hole used so that
>I can turn to my users and say that we are back where we were...

What you do is your own perogative depending on YOUR level of paranoia. You
can patch the hole, or you can junk the disk, and reinstall everything, or
anything in between. You don't _have_ to re-install all the software.

BTW, I'm still using "you" as a generic sysadmin and "me" as a hypothetical
cracker.

Paul Ducklin

unread,
May 23, 1993, 4:31:41 AM5/23/93
to
Thus spake be...@tigger.cs.Colorado.EDU (Bear Giles):

>But that was a modest cost. This is a professional software lab and
>none of us would _intentionally_ infect systems, but because some clown
>decided he was God's Gift to Computers and didn't realize his "safe"
>DOS virus would kill Unix systems our lab had a demonstrated risk and
>had to disinfect _all_ of the computers in the lab. There's only
>a few hundred people here, so it probably only took a couple person-months.
>That's probably around $20,000 or more.

Sounds like you got hit by a boot sector virus. Now, when viruses like
Stoned hit *some* PC-Unix systems, there may be problems due to the act
of infection [Stoned writes to T0, H0, S7 -- for some older Unixes, this
is actually within the first active partition and thus trashes the boot-
strap loader]; with viruses like Michelangelo, then there will be direct
file system damage at specific times [March 6th, for the Big M]. For the
rest, disinfection of BSVs is usually fairly simple and readily automated.

Since you talk of "disinfection", rather than "repair", I assume that you
were able to clean up easily using suitable a-v software. And I infer from
"there's only a few hundred people here" that you have only a few hundred
machines in your lab. If, as is usual, the machines in your lab are laid
out in rows -- not scattered all over in hundreds of offices -- then I'd
suggest that a single person could clean every machine in a day or two.
$20,000 sounds rather a lot...

>Toss in the fact that many of
>use had to purchase anti-virus software for our own systems, and the
>cost is probably in excess of $50,000.

$30,000 dollars *more* for "many of us to purchase a-v software for our
own systems"? How many of you, exactly? F-PROT, for example, would cost
you $30,000 for a licence for 30,000 users! And the a-v service I'm
involved with would cost you $30k for a licence of, say, 7,500 users
*with total service included*. For that kind of money, you could keep
the other $20,000 in your pocket -- we'd do the clean-up for you
[we'd ask you to pay the airfare so we could Cross the Ocean] :-)

And you're not-for-profit, aren't you? Then the cost of the systems
mentioned above are even lower -- academic discount, and all that...

Viruses are a *big* problem in the PC world. A very big problem, which
I don't wish to downplay. But $50,000 sounds like a figure that's way,
way too big.

Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin du...@nuustak.csir.co.za /
/ CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Kevin D. Quitt

unread,
May 23, 1993, 3:48:56 PM5/23/93
to
> What you do is your own perogative depending on YOUR level of paranoia. You
> can patch the hole, or you can junk the disk, and reinstall everything, or
> anything in between. You don't _have_ to re-install all the software.

And when you (as the sysadmin) are facing your boss, and he says "How can you
guarantee me that none of our software has been compromised?", what do you
say?


_
Kevin D. Quitt 96.37% of all statistics are made up. usc!srhqla!quest!kdq

Angel at large

unread,
May 23, 1993, 6:59:30 PM5/23/93
to
In article <08P14B...@quest.UUCP> {ames,jato,usc,pacbell}!srhqla!quest!kdq writes:
>angel@Foghorn_Leghorn.coe.northeastern.edu (Angel at large) writes:
>> What you do is your own perogative depending on YOUR level of paranoia. You
>> can patch the hole, or you can junk the disk, and reinstall everything, or
>> anything in between. You don't _have_ to re-install all the software.
>
>And when you (as the sysadmin) are facing your boss, and he says "How can you
>guarantee me that none of our software has been compromised?", what do you
>say?

There are two things that come into play here:
1. If I was THAT worried about security then I would either
a. Patch all the holes known to (wo)man
b. Runa truly secure operating system with audits alarms, and such
2. I could say that if the hacker DID compromise the whole system, then he
probably wouln't have send e-mail to sysadmin (me) telling me about this.

Bernie Cosell

unread,
May 23, 1993, 10:01:33 PM5/23/93
to
In article <08P14B...@quest.UUCP>, Kevin D. Quitt writes:

} > What you do is your own perogative depending on YOUR level of paranoia. You
} > can patch the hole, or you can junk the disk, and reinstall everything, or
} > anything in between. You don't _have_ to re-install all the software.
}

} And when you (as the sysadmin) are facing your boss, and he says "How can you
} guarantee me that none of our software has been compromised?", what do you
} say?

Well, I was in that position and I'll tell you what we did: we
isolated the system [to prevent further infestation on the way, and
to prevent us from propagating anything until we knew what was
happening]. Then we brought the [unix] system up in single-user
mode and did an incremental backup of the ENTIRE disk system [no
NFS so this wasn't hopelessly difficult]. Then we examined *EVERY*
disk block that the incremental claimed that was changed from the
last-dump-before-infestation. fortunately, we backed up at 11PM,
got infected at something like 2AM, and were working at it by
sunup, so there wasn't all that much to check. But when it was done
and I had to report to the higher-ups, I could say:
1) we had disabled the virus, so it would no longer be a problem, and
2) we *KNEW* that the virus had caused no damage or otherwise impeached
our file systems.

What did you do to keep your bosses from worrying about subsequent trojan
horses, files corrupted in subtle ways, libraries with traps snuck into
them, etc?

/Bernie\
--
Bernie Cosell cos...@world.std.com
Fantasy Farm Fibers, Pearisburg, VA (703) 921-2358

Oleg Kibirev

unread,
May 23, 1993, 3:18:20 PM5/23/93
to
In article <40...@nlsun1.oracle.nl> rga...@nl.oracle.com (Robert Gasch) writes:

Leonard Hermens (lher...@eecs.wsu.edu) wrote:
: >
: > What can be done about such outrageous claims that are unfortunately
: > impossible to check or verify, and give the general public the
: > impression that hackers/crackers really cause the damage, without
: realising
: > it's just a fictional amount of money.

: It could be fictional, but at least these costs come to mind
: immediately:
: 1. Time to find the problem (labor)
: 2. Time to correct the problem

Should hackers/crackers be charged for item 1&2 ? They didn't cause the
problem, they simply (ab)used problems left/caused by the OS vendor.

Yes, but OS vendor wrote a disclaimer that they are not responsible
for their programs ;(

Oleg

Andrew McVeigh

unread,
May 24, 1993, 12:42:37 PM5/24/93
to
In article <OLEG.93Ma...@gd.cs.CSUFresno.EDU> ol...@gd.cs.CSUFresno.EDU (Oleg Kibirev) writes:

> [ text deleted ]


> Should hackers/crackers be charged for item 1&2 ? They didn't cause the
> problem, they simply (ab)used problems left/caused by the OS vendor.
>
> Yes, but OS vendor wrote a disclaimer that they are not responsible
> for their programs ;(

Perhaps all future WORMS will contain such disclaimers also ;-)

>
> Oleg

Cheers,

Andrew McVeigh
--
*****


Andrew McVeigh

Johan Wevers

unread,
May 24, 1993, 5:57:20 AM5/24/93
to
Rob Nauta wrote:
>>What can be done about such outrageous claims that are unfortunately
>>impossible to check or verify, and give the general public the
>>impression that hackers/crackers really cause the damage, without realising
>>it's just a fictional amount of money.

gol...@orac.cray.com (Goldman of Chaos) writes:
>Get your sled back into reality Santa. Fictional amount of money? I
>think not.
> 1) Time to backup the current state of the system
> 2) Backup media
> 3) Cost to move backup media to offsite storage
> 4) Cost to move previous backups from offsite storage
> 5) System administrator time to reload the operating system
> 6) System administrator time to reload user files
> 7) System administrator time to close security problems
> 8) Time to backup the current state of the system
> 9) Backup media
> 10) Cost to move backup media to offsite storage
> 11) Cost of offsite storage

All these things should be done anyway. What about power failure, or
a fire, or a fool who knocks the computer to pieces?

> 12) Costs of time explaining to management what went wrong

In most cases, and _certainly_ in the Amsterdam case Rob cited, this is easy:

"I'm very sorry boss, the hacker was much smarter than I was. Please don't
fire me because my knowledge wasn't what it should be..."

No copyright fees asked for desperate system managers if they use this string...
--
J.C.A. Wevers The only nature of reality is physics.
jo...@blade.stack.urc.tue.nl

Johan Wevers

unread,
May 24, 1993, 6:02:36 AM5/24/93
to
mdch...@fractal.ucs.indiana.edu (M Darrin Chaney) writes:

>>I wonder about this too. In Holland two young persons were arrested
>>after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>>The management of the university in question claimed $50.000 worth
>>of labor had to be spent to secure them again !!

>>What can be done about such outrageous claims that are unfortunately
>>impossible to check or verify, and give the general public the
>>impression that hackers/crackers really cause the damage, without realising
>>it's just a fictional amount of money.

>While $50,000 is way high, the money isn't fictional. If I have to
>spend 5 hours cleaning up after a hacker, my organization has lost $75.
>That's not fictional. If we have to hire a consultant, the price goes
>up.

In Amsterdam, they even didn't know what the real costs were. They claimed
that they had to spend much money on tracing and peeping at the hacker,
not to get them out of the system, but because the police asked them to
do so they could catch them. The police worked after the arrests so stupid
that they almost certainly won't be convicted, so I think the police should
pay the $50.000. Afer all, if you break into a house, and you get caught,
the police won't say "we spent 100 hours on you, that's $10.000."

Carl Brewer

unread,
May 24, 1993, 6:53:20 AM5/24/93
to
In article <1tq660$s...@tuegate.tue.nl> jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:
>
>> 12) Costs of time explaining to management what went wrong
>
>In most cases, and _certainly_ in the Amsterdam case Rob cited, this is easy:
>
>"I'm very sorry boss, the hacker was much smarter than I was. Please don't
>fire me because my knowledge wasn't what it should be..."

In most cases :

Arseholeus Cracker has copied a trick his/her friend showed him/her,
exploiting a "hole" that aids networking and functionality of the
network under attack. Sure we can make the machines almost totally
crackerproof, but I like my machines to be useful ....

And if I ever catch one of the shits red handed ... how well do these
people type with their noses and toes?


--
Annal Natrach, Usthvah Spethed, cbr...@uniwa.uwa.edu.au
Dochoel Dienve IRC: Bleve
ca...@montebello.ecom.unimelb.EDU.AU
Merlin, where are you? Call your dragon, to weave a mist ....

Johan Wevers

unread,
May 24, 1993, 7:44:10 AM5/24/93
to
ca...@montebello.ecom.unimelb.EDU.AU (Carl Brewer) writes:

>Arseholeus Cracker has copied a trick his/her friend showed him/her,
>exploiting a "hole" that aids networking and functionality of the
>network under attack.

I'm sure that a "+" in .rhosts in the particular SUN in that case isn't
a hole that aids networking or functionality, unless the system manager
is totally incapable.

>And if I ever catch one of the shits red handed ... how well do these
>people type with their noses and toes?

Cheap... You should better beat up real scum, of which there seems to be
no shortage in the US, if you dare...

Goldman of Chaos

unread,
May 24, 1993, 9:34:45 AM5/24/93
to
In article <1tis6a...@jhunix.hcf.jhu.edu> dav...@jhunix.hcf.jhu.edu (Davin K Hong) writes:
>Matthew Goldman says:
>Get your sled back into reality Santa. Fictional amount of money? I
>think not.
> 1) Time to backup the current state of the system
> 2) Backup media
> 3) Cost to move backup media to offsite storage
> 4) Cost to move previous backups from offsite storage
> 5) System administrator time to reload the operating system
> 6) System administrator time to reload user files
> 7) System administrator time to close security problems
> 8) Time to backup the current state of the system
> 9) Backup media
> 10) Cost to move backup media to offsite storage
> 11) Cost of offsite storage
> 12) Costs of time explaining to management what went wrong
>
>-------
>
> I agree that money is lost as system administrator must restore files
>and the operating system, but a lot of the costs he lists are not really
>"caused" by the crackers per se. Anything involving creating the backups
>(i.e. 1, 2, 3, 8, 9, 10, 11) are included in the cost of normally managing
>a system) - you should be doing, and paying for, that anyway. Furthermore,
>the cost of closing up the security problem is not a cost caused by the
>crackers - the problem was (apparently) there before anyone broke in.

At the risk of this degenerating into a flame festival, you are wrong.
The cost of backups is a *new* cost, the cost of keeping *all* of the
previous backups in long term offsite storage. The cost of *new*
backup media. The cost of the extra backups is directly caused by the
criminals.

> It just irritates me when people overly inflate costs of anything, not
>just cracker attacks.

Cracker? Lets call them what they are, criminals.

Matt

--
Matthew Goldman E-mail: gol...@orac.cray.com Work: (612) 683-3061

Buddy: "Why do I always have to go first?"
Sally: "Because you're expendable."

Goldman of Chaos

unread,
May 24, 1993, 9:42:34 AM5/24/93
to
In article <08P14B...@quest.UUCP> {ames,jato,usc,pacbell}!srhqla!quest!kdq writes:
>angel@Foghorn_Leghorn.coe.northeastern.edu (Angel at large) writes:
>> What you do is your own perogative depending on YOUR level of paranoia. You
>> can patch the hole, or you can junk the disk, and reinstall everything, or
>> anything in between. You don't _have_ to re-install all the software.
>
>And when you (as the sysadmin) are facing your boss, and he says "How can you
>guarantee me that none of our software has been compromised?", what do you
>say?

We captured the perp and forced him to tell exactly what he did.
Unfortunately he did not survive questioning. We've put out hits on
his friends an family.

:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)

Goldman of Chaos

unread,
May 24, 1993, 9:47:53 AM5/24/93
to
In article <1tq660$s...@tuegate.tue.nl> jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:
cleanup procedures posted by gol...@orac.cray.com skipped.

>All these things should be done anyway. What about power failure, or
>a fire, or a fool who knocks the computer to pieces?

I'm talking about *additional* backups, keeping the backups
from before the attack out of the backup loop. If you are
not doing backups, I really don't pity you going up to
management.

>> 12) Costs of time explaining to management what went wrong
>
>In most cases, and _certainly_ in the Amsterdam case Rob cited, this is easy:
>
>"I'm very sorry boss, the hacker was much smarter than I was. Please don't
>fire me because my knowledge wasn't what it should be..."

No, the important part is to be able to supply info to the corporate
lawyers so that the CRIMINAL can be dealt with.

Matt

Tim Weaver

unread,
May 24, 1993, 12:04:31 PM5/24/93
to
rga...@nl.oracle.com (Robert Gasch) writes:
>>
>> Should hackers/crackers be charged for item 1&2 ? They didn't cause the
>> problem, they simply (ab)used problems left/caused by the OS vendor.

Haakon Styri
>If someone broke into your home by breaking a window, are you going to
>charge the vendor? Not very likely. Some of the ways the worm entered
>a system would be through open doors, but there was enough lockpicking
>and entry by force techniques employed by the worm to classify it into
>a trespassing program.

If I leave my door open, this does not mean you are allowed to walk into
my house and start going through my drawers.
--

|Timothy E. Weaver | Kalamazoo College | (616) 337-7323 |
|Database Programmer/Analyst | 1200 Academy | These are MY opinions! |
|email: twe...@kzoo.edu | Kalamazoo MI 49006 | Mine!! Mine!! Mine!! |

Rogier Wolff

unread,
May 24, 1993, 11:33:34 AM5/24/93
to
Johan Wevers (jo...@blade.stack.urc.tue.nl) wrote:
: ca...@montebello.ecom.unimelb.EDU.AU (Carl Brewer) writes:

: >Arseholeus Cracker has copied a trick his/her friend showed him/her,
: >exploiting a "hole" that aids networking and functionality of the
: >network under attack.

: I'm sure that a "+" in .rhosts in the particular SUN in that case isn't
: a hole that aids networking or functionality, unless the system manager
: is totally incapable.

I am sure you meant /etc/hosts....


: J.C.A. Wevers The only nature of reality is physics.
: jo...@blade.stack.urc.tue.nl

Roger.

--
**** a 486 in V86 mode is like a VW buggy with a 6 liter V12 motor. ****
EMail: wo...@duteca.et.tudelft.nl ** Tel +31-15-783643 or +31-15-142371

Tom O Breton

unread,
May 24, 1993, 1:24:47 PM5/24/93
to
Haakon:

> If someone broke into your home by breaking a window, are you going to
> charge the vendor? Not very likely.

Seems to me that's a bad analogy. The costs Robert is talking about are
analogous to buying and installing a new security system, not replacing
a broken window.(**)

So there is no convincing causal link to the illegal entry. Instead it
looks to me like finding someone to send the bill to(*) for something
that needed doing anyways.


> Some of the ways the worm entered a system would be through open doors,
> but there was enough lockpicking and entry by force techniques employed
> by the worm to classify it into a trespassing program.

Classifying it into one of only two categories may be of interest to
insurance companies and so forth, but I think we on the net understand
that it is not quite so simple.

Tom

(*) Even in the sense of creating a "bad debt" for tax purposes

(**) Obviously I'm not talking about other costs such as loss of
computer time or compromise of sensitive information.


--
The Tom spreads its huge, scaly wings and soars into the sky...
(t...@world.std.com, TomB...@delphi.com)

Magnus Y Alvestad

unread,
May 24, 1993, 1:09:52 PM5/24/93
to
Tim> If I leave my door open, this does not mean you are
Tim> allowed to walk into my house and start going through my
Tim> drawers. --

That's not the issue.

The issue:

If you have a very simple lock on your door, and a burglar easily
opens it (without harming the lock), can you charge the burglar for
the cost of buying a better lock?

-Magnus

Tim Weaver

unread,
May 24, 1993, 2:47:20 PM5/24/93
to

Tim> If I leave my door open, this does not mean you are
Tim> allowed to walk into my house and start going through my
Tim> drawers. --

Magnus> That's not the issue.
Magnus> The issue:
Magnus> If you have a very simple lock on your door, and a burglar easily
Magnus> opens it (without harming the lock), can you charge the burglar for
Magnus> the cost of buying a better lock?

Now there's an interesting form of justice. I like it.
Of course there's no precedent for it.

I do think it's appropriate to charge them for the time
you spent making sure there was no damage done.

Rafe Colburn

unread,
May 24, 1993, 5:32:00 PM5/24/93
to

I wrote:
> >systems as well. It was the admin's mistake to not have proper security in
> >the first place, and the cracker should not have to pay for it.
> >

J. C. Higgins wrote:
> BULLSHIT !!!! (pardon my french !)
> If every administrator had to spend every waking minute (and those sleeping)
> patching the holes in Un*x systems. Then the users will be complaining about
> the lack of time spent on *their* important pressing problems.
>
> The Admin can never win. If you enter a shop and break something on the shelf,
> then shouldn't you pay for it ? Why should the shop lose out because of your
> stupidity / malicious intent ?


>
> Excuse the tone, but I cannot abide people who believe that crackers shouldn't
> be held responsible for their actions. If that responsibility extends to paying
> reparations for damage, then so be it...

Obviously, you misunderstood the point which I was making. The cracker is
responsible for the damage he causes to the systems which he enters.
Anyone
who says otherwise is foolish. However, the costs of SECURING a system
so that other crackers cannot enter it should be the responsibility of
the owners/administrators of the system.

Any data destroyed, the costs of restoring from backups, the cost of
getting data that was not backed up, the opportunity costs of losing the
data, the hours of work lost because the system is fouled up, and the
like are all the responsibility of the cracker who had nothing better
to do than mess with your system. But the costs of actually providing
good security for the system once he has proven that yours sucks should
not be tagged onto the bill, that security should be there in the first
place. Besides, if you report the break in, the writer of the operating
system will write a patch that fixes the hole anyway. Too many admins
are too embarrassed to report when their system is compromised.

===========================================================================
Rafe Colburn : All opinions expressed are exclusively
Office of Development : mine, I don't think anyone else wants
University of Houston : them anyway.
713.743.8866 :
hdev...@admin.uh.edu :
===========================================================================

Gordon Burditt

unread,
May 24, 1993, 2:09:48 AM5/24/93
to
>I wonder about this too. In Holland two young persons were arrested
>after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>The management of the university in question claimed $50.000 worth
>of labor had to be spent to secure them again !!
>
>What can be done about such outrageous claims that are unfortunately
>impossible to check or verify, and give the general public the
>impression that hackers/crackers really cause the damage, without realising
>it's just a fictional amount of money.

Are such claims really fictional? The absolute minimum response to such
a breakin should be to back up the system, and re-install the entire
system from scratch from backup tapes that predate the breakin. This
can be a problem if you don't know the first date of the breakin. Then
you have to go through the backups and find more recent files and restore
the undamaged ones. Considering that this was on a network, you probably
have to do it for the whole network. If the university does not have
in-house expertise to reload the systems itself, it will have to
hire consultants to do it. This is a real, out-of-pocket expense.
Wages are also a real, out-of-pocket expense, especially if overtime
has to be paid to get the systems working again.

Note that these damages occur even if there was actually no breakin
but the "intruders" manage to come up with convincing evidence that
there was, or there was a breakin but all the intruders did was post
one USENET message from the machine gloating about it.

I can't comment on the reasonableness of that $50,000 figure as I have
no details. If the network had 500 machines and they all had to be
restored, even though only "a few" machines were broken into, this figure
is cheap. If a year's worth of research data was lost, a lot more could
be justified. ("should have had backups" doesn't help if the data was
damaged and it went unnoticed for long enough that the backups are damaged,
too.) If that's the cost for restoring 10 machines, the cost seems
rather inflated.

If a burglar breaks into a store and steals stuff, I'm going
to include in the cost of the burglary:

- The value of the stuff stolen, if not recovered.
- Cost of taking inventory after the burglary to determine what was stolen.
- Bookkeeping and legal expenses of filing an insurance claim.
- The cost of repairing the lock broken by a crowbar (but NOT the cost
of upgrading it to a deadbolt) and the door it was attached to.
- The cost of restoring the burglar alarm to workable condition. (Fix cut
wires, etc., and change the security code if it was compromised, but not
the cost of putting one in in the first place or upgrading the system.
- The cost of replacing the safe which was blown open. (but NOT the
cost of upgrading it to a more secure model)
- The cost of replacing/re-keying all the locks that go with keys stolen
(the store's delivery vans, which haven't been stolen, yet).
- The cost of ammunition used to scare off the burglar.
- The cost of cleaning burglar blood, shotgun shells, and safe debris
from the carpet and walls.
- The replacement/repair cost of damaged merchandise.
- The cost of repairing bullet holes, from bullets fired by the burglar,
police, or employees.
- Medical expenses of the guard who shot himself in the foot while
trying to shoot the burglar.
- The wages of employees paid while the store couldn't be open (but don't
double-count this in the cost of inventory, cleanup, etc.).

but don't include:

- The cost of having locks, burglar alarms, and safes in the first place.
- 5 years of wages for the security guard
- The cost of taking routine inventory
- Taxes paid for, among other things, police.


"Lost sales" is a figure that's hard to pin down. Your customers might
come back the next day after you open and buy everything they would have
the day you were closed after the burglary. Or they might go to the
competition. In any case, it's "lost profit from sales", not "lost sales"
that's a loss, but a somewhat imaginary one. In a manufacturing or service
environment, lost production line time or lost billable hours, especially
if the company has a work backlog, are easier to justify. Don't
double-count employee time used for cleanup, inventory, or "idle time"
instead of production or service. It's really easy to claim the same
employee several times in the cost of inventory, idle time, and "lost sales",
and I suspect that's where some of the inflated damage figures come from.

Gordon L. Burditt
sneaky.lonestar.org!gordon

Carl Brewer

unread,
May 24, 1993, 8:21:39 PM5/24/93
to
In article <1tqcea$4...@tuegate.tue.nl> jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:
>ca...@montebello.ecom.unimelb.EDU.AU (Carl Brewer) writes:
>
>>Arseholeus Cracker has copied a trick his/her friend showed him/her,
>>exploiting a "hole" that aids networking and functionality of the
>>network under attack.
>
>I'm sure that a "+" in .rhosts in the particular SUN in that case isn't
>a hole that aids networking or functionality, unless the system manager
>is totally incapable.

Or they want to be able to connect machines easily to it. Without
having to set up a bunch of netgroups etc. Why *should* we have to
put razor wire around our hardware to keep the scumbags out?

"Oh, but you were lazy/incompitatant, so you should be broken into"
*BULLSHIT*


>
>>And if I ever catch one of the shits red handed ... how well do these
>>people type with their noses and toes?
>
>Cheap... You should better beat up real scum, of which there seems to be
>no shortage in the US, if you dare...

This deserves ignoring ...

Rogier Wolff

unread,
May 25, 1993, 4:50:30 AM5/25/93
to
Gordon Burditt (gor...@sneaky.lonestar.org) wrote:

: I can't comment on the reasonableness of that $50,000 figure as I have


: no details. If the network had 500 machines and they all had to be
: restored, even though only "a few" machines were broken into, this figure
: is cheap. If a year's worth of research data was lost, a lot more could
: be justified. ("should have had backups" doesn't help if the data was
: damaged and it went unnoticed for long enough that the backups are damaged,
: too.) If that's the cost for restoring 10 machines, the cost seems
: rather inflated.

Facts are that there were one or two machines involved. No more. Furthermore
most of the costs were incurred for

1) Tracing and tapping of the intruders to be able to get a case against the
intruders.

2) After reloading of the OS, securing all OS-default holes in the system.
(like removing the + in /etc/hosts.equiv, which got them into trouble in
the first place.....)

: - The cost of repairing the lock broken by a crowbar (but NOT the cost


: of upgrading it to a deadbolt) and the door it was attached to.

I agree with you here. This is what was claimed. It seems (I talked to someone
studying law yesterday) that in holland you ask for the sky. The judge will
eventually determine what's reasonable.

Rogier Wolff

unread,
May 25, 1993, 4:55:06 AM5/25/93
to
Rogier Wolff () wrote:

: Johan wrote:
: : I'm sure that a "+" in .rhosts in the particular SUN in that case isn't

: I am sure you meant /etc/hosts....

I fouled up while correcting someone else.... Jee what a shame....

I (and Johan) meant /etc/hosts.equiv ....

Johan Wevers

unread,
May 25, 1993, 8:50:02 AM5/25/93
to
gol...@orac.cray.com (Goldman of Chaos) writes:

>>All these things should be done anyway. What about power failure, or
>>a fire, or a fool who knocks the computer to pieces?

> I'm talking about *additional* backups, keeping the backups
> from before the attack out of the backup loop. If you are
> not doing backups, I really don't pity you going up to
> management.

Usually, hackers don't change _that_ much that a complete backup is needed.
If you keep backups from su, rlogin, /etc/passwd and some other important
files, you're safe enough.


>>In most cases, and _certainly_ in the Amsterdam case Rob cited, this is easy:

>>"I'm very sorry boss, the hacker was much smarter than I was. Please don't
>>fire me because my knowledge wasn't what it should be..."

>No, the important part is to be able to supply info to the corporate
>lawyers so that the CRIMINAL can be dealt with.

That's a waste of money: they will most probably not get convicted because
they didn't really break a Dutch law (they're accused from breaking some
laws but this is very weak), and a civil damage claim will be rejected if
they didn't do anything which was not allowed by law. Calling them criminals,
you don't use the law but you use what you think should be the law. No judge
will accept that (fortunately).

Kyle Jones

unread,
May 25, 1993, 9:26:40 AM5/25/93
to
Johan Wevers writes:
> gol...@orac.cray.com (Goldman of Chaos) writes:
>
> >>All these things should be done anyway. What about power failure, or
> >>a fire, or a fool who knocks the computer to pieces?
>
> > I'm talking about *additional* backups, keeping the backups
> > from before the attack out of the backup loop. If you are
> > not doing backups, I really don't pity you going up to
> > management.
>
> Usually, hackers don't change _that_ much that a complete backup is needed.
> If you keep backups from su, rlogin, /etc/passwd and some other important
> files, you're safe enough.

But unless you're running Tripwire or some other security auditing
software you don't know. And restoring the standard login suite
is not nearly enough.

Keith Mancus

unread,
May 25, 1993, 10:03:15 AM5/25/93
to
In article <1993May24....@nntp.nta.no>, st...@hal.nta.no (Haakon Styri, TFI) writes:
|> rga...@nl.oracle.com (Robert Gasch) writes:
|> > Should hackers/crackers be charged for item 1&2 ? They didn't cause the
|> > problem, they simply (ab)used problems left/caused by the OS vendor.

|> If someone broke into your home by breaking a window, are you going to
|> charge the vendor? Not very likely. Some of the ways the worm entered


|> a system would be through open doors, but there was enough lockpicking
|> and entry by force techniques employed by the worm to classify it into
|> a trespassing program.

A more valid comparison would be "if someone broke into your home,
would you bill them for the burglar alarm and new locks you bought
afterward?" (assuming that you didn't have any before, not that you
had them and the burglar damaged them)

--
| Keith Mancus <man...@pat.mdc.com> |
| N5WVR |
| "Black powder and alcohol, when your states and cities fall, |
| when your back's against the wall...." -Leslie Fish |

Jym Dyer

unread,
May 25, 1993, 6:51:25 PM5/25/93
to
=o= Stop crossposting to alt.sources. Send no more followups
to alt.sources -- alt.sources is for sources, not for discussion
of any kind.
<_Jym_>

Rob J. Nauta

unread,
May 25, 1993, 4:47:32 PM5/25/93
to
k...@quest.UUCP (Kevin D. Quitt) writes:

-> What you do is your own perogative depending on YOUR level of paranoia. You
-> can patch the hole, or you can junk the disk, and reinstall everything, or
-> anything in between. You don't _have_ to re-install all the software.

>And when you (as the sysadmin) are facing your boss, and he says "How can you
>guarantee me that none of our software has been compromised?", what do you
>say?

I'd say 'can you define "compromised" ?' Or "our" software, in case
software is developed, what do you mean ?

Rob
--
/-----------------------------------------------\ Never ,==.
| Rob J. Nauta, UNIX computer security expert. | Apologize, /@ |
| r...@wzv.win.tue.nl, Phone: +31-40-837549 | Never /_ <
| r...@hacktic.nl -- Email me for UNIX advice | Explain. =" `g'

Rob J. Nauta

unread,
May 25, 1993, 4:51:37 PM5/25/93
to
and...@srsune.shlrc.mq.edu.au (Andrew McVeigh) writes:

>In article <OLEG.93Ma...@gd.cs.CSUFresno.EDU> ol...@gd.cs.CSUFresno.EDU (Oleg Kibirev) writes:

-> [ text deleted ]
-> Should hackers/crackers be charged for item 1&2 ? They didn't cause the
-> problem, they simply (ab)used problems left/caused by the OS vendor.
->
-> Yes, but OS vendor wrote a disclaimer that they are not responsible
-> for their programs ;(

>Perhaps all future WORMS will contain such disclaimers also ;-)

You're straying from my original question. I was wondering why the
internet worm is often quoted as doing $100,000 of damage, while in
the case of two ppl breaking into a desktop sparc system management
could claim $50,000 in damages caused by lost time. Yet these figures
are never questioned. A lot of ppl thought I meant to say there was
no damage, instead I think in the internet worm case there was much
more indirect damage , while in the other case costs were exaggerated.

Steven Bellovin

unread,
May 25, 1993, 10:36:44 PM5/25/93
to
In article <1tt4lq$l...@tuegate.tue.nl>, jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:
> gol...@orac.cray.com (Goldman of Chaos) writes:
> Usually, hackers don't change _that_ much that a complete backup is needed.
> If you keep backups from su, rlogin, /etc/passwd and some other important
> files, you're safe enough.

??? Don't forget the setuid shells that may be lying around, or the
altered network daemons to let them in later, or the cron jobs to call
out later, or -- well, you see my point; you don't *know*, with any
degree of assurance, what they'll do. Likely, you're right; I doubt
that most hackers replace more than a very few files. I'm reminded
of a (possibly apocryphal) story about Steinmetz, who was once called
in as a consultant to deal with a balky piece of electrical equipment.
He looked at for a while, listened to, and then adjusted one screw.
Voila -- it was working perfectly. He then wrote out a bill saying
``adjusted screw -- $1000''. The customer protested that that was an
outrageous charge for such a simple fix. He agreed, tore up the bill,
and wrote up a new one: ``adjusted screw -- $1; knowing which screw to
adjust -- $999''.

Which files were changed?

California's computer crime law permits a suit to recover ``any
expenditure reasonably and necessarily incurred by the owner or lessee
to verify that a computer system, computer network, comptuer program,
or data was or was not altered, damaged, or deleted by the access''. I
find the provision entirely reasonable. Note, btw, the ``was or was
not'' clause.


--Steve Bellovin

Ramaswamy Krishnan

unread,
May 26, 1993, 4:17:54 AM5/26/93
to
>> The management of the university in question claimed $50.000 worth
>> of labor had to be spent to secure them again !!
>>
>> What can be done about such outrageous claims that are unfortunately
>> impossible to check or verify, ........
>
> It could be fictional, but at least these costs come to mind immediately:
> 1. Time to find the problem (labor)
> 2. Time to correct the problem
> 3. Time to restore lost/damaged/infected files
> 4. Money lost due to unavailable resources
> (for example, timesharing charges to outside parties)

How about the "psychological" consequences to that lone student
who found at 8:50am that he could not use the system to complete
his homework due at 9am! :-)

--
k...@myan.uc.edu

Ove Hansen

unread,
May 26, 1993, 7:45:41 AM5/26/93
to
In article <40...@nlsun1.oracle.nl> rga...@nl.oracle.com (Robert Gasch) writes:
>Should hackers/crackers be charged for item 1&2 ? They didn't cause the
>problem, they simply (ab)used problems left/caused by the OS vendor.

I've flamed vendors before for leaving barn doors open into (my) systems and
believe they have a lot to answer for. But the fact that my house is built
with crap locks, doors and windows doesn't mean that anyone has the right
to break into it. Crackers who break into systems for the kick of it, or
to access or steal data they haven't got the right to access are scum and
should be shot dead on sight. (Now flame me for my opinions...;-)
--
---------------------------------------------------------------------------
Ove Hansen, Cisco Systems Europe | Mail: oha...@cisco.com
16, avenue du Quebec, Z.A. de Courtaboeuf | Tel: +33 1 60 92 20 00
91961 Les Ulis cedex, France | Fax: +33 1 69 28 83 26

Robert Gasch

unread,
May 26, 1993, 11:57:53 AM5/26/93
to
Ove Hansen (oha...@europe.cisco.com) wrote:

: In article <40...@nlsun1.oracle.nl> rga...@nl.oracle.com (Robert Gasch) writes:
: >Should hackers/crackers be charged for item 1&2 ? They didn't cause the
: >problem, they simply (ab)used problems left/caused by the OS vendor.

: I've flamed vendors before for leaving barn doors open into (my) systems and
: believe they have a lot to answer for. But the fact that my house is built
: with crap locks, doors and windows doesn't mean that anyone has the right
: to break into it. Crackers who break into systems for the kick of it, or
: to access or steal data they haven't got the right to access are scum and
: should be shot dead on sight. (Now flame me for my opinions...;-)

^^^^^^^^^^^^^^^^^^^^^^^^^^^
Now, now ...

Granted, but the issue of the above mentioned points 1&2 was that
hackers/crackers were charged with figuring out what allowed them
to gain entry into your system and the repair of this problem. Of
course they havn't got the right to break into you machine but the
analogy is more like (someone pointed this out earlier) this:

If someone breaks into your house are you going to charge him to
buy a sturdy door&lock? Is he reponsible for the weakness in your
'defense'? I would say No.

--> Robert


******************************************************************************
* Robert Gasch * Ich will einmal nach Saarbruecken *
* Oracle Engineering * Ja Saarbruecken waere nett *
* De Meern, NL * Ich will Haare auf dem Ruecken *
* rga...@nl.oracle.com * Und ein rosa Gummibett - Die Aerzte *
******************************************************************************

Rogier Wolff

unread,
May 26, 1993, 11:58:22 AM5/26/93
to
Ove Hansen (oha...@europe.cisco.com) wrote:

: I've flamed vendors before for leaving barn doors open into (my) systems and


: believe they have a lot to answer for. But the fact that my house is built
: with crap locks, doors and windows doesn't mean that anyone has the right
: to break into it. Crackers who break into systems for the kick of it, or
: to access or steal data they haven't got the right to access are scum and
: should be shot dead on sight. (Now flame me for my opinions...;-)

(I'll take that on.... :-)
Nope, leaving doors open doesn't directly make it legal to walk in or steal.
In the computer case, many laws (from different countries) say that a
password prompt is enough to tell you that it isn't a public access system.

In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
This makes it a public system, according to many laws. (or "not equipped
with at least minimal security that can be expected in such a case")

Roger.

-- CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC - Just


**** a 486 in V86 mode is like a VW buggy with a 6 liter V12 motor. ****
EMail: wo...@duteca.et.tudelft.nl ** Tel +31-15-783643 or +31-15-142371

-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - testing

Granville Moore

unread,
May 26, 1993, 12:19:26 PM5/26/93
to
In article <1tkf55$g...@usenet.INS.CWRU.Edu> dh...@cleveland.Freenet.Edu (Steven J Tucker) writes:

>
> In a previous article, r...@wzv.win.tue.nl (Rob J. Nauta) says:
> >
> >I wonder about this too. In Holland two young persons were arrested
> >after breaking in to a few desktop SUNs in Amsterdam in january 1992.
> >The management of the university in question claimed $50.000 worth
> >of labor had to be spent to secure them again !!
>
> Claiming damages to "secure them again" does not seem viable, since just
> "securing them again" might involve changing a password where the $50,000
> comes in is IMPROVING the security that was never there to begin with.
>
> Does this seem right?

Well, what you're saying doesn't sound right - changing a password *isn't*
going to secure the system again. If someone's been playing around inside
your system, you can't be sure exactly what has been altered, and whether
any trojan horses, backdoors, etc. have been installed. Checking all
of this can take a long time and can be very expensive.

If you want to contine the well-worn (but somewhat dubious) analogy with
burglary - how long does it take to fix the broken window (a couple of
hours or so) and how long does it take you to check every item
in the house to make sure that it's still there? (probably several days!)

Regards

Granville


========================================================================
Granville Moore g...@nemesys.demon.co.uk
I am not an accountant! I am a free man!
========================================================================

Leendert van Doorn

unread,
May 26, 1993, 3:21:43 PM5/26/93
to
wo...@liberator.et.tudelft.nl (Rogier Wolff) writes:

# Nope, leaving doors open doesn't directly make it legal to walk in or steal.
# In the computer case, many laws (from different countries) say that a
# password prompt is enough to tell you that it isn't a public access system.
#
# In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
# This makes it a public system, according to many laws. (or "not equipped
# with at least minimal security that can be expected in such a case")

In the "Amsterdam case" the problem wasn't so much that the hackers broke into
the systems (at that time that was not illegal by Dutch law), but the fact that
they changed program binaries and purged log files. Since the result of a
previous court case is that a file equals a document, their action is fraud and
that is illegal by almost any law. However, it remains to be seen whether
this interpretation is sufficient to convict the hackers.

Leendert

--
Leendert van Doorn <leen...@cs.vu.nl>
Vrije Universiteit / Dept. of Math. & Comp. Sci. +31 20 5484477
Amoeba project / De Boelelaan 1081A
1081 HV Amsterdam / The Netherlands

Andy Bolton

unread,
May 26, 1993, 9:53:12 AM5/26/93
to
From rga...@nl.oracle.com (Robert Gasch) writes:

..several repeated articles deleted...

>Should hackers/crackers be charged for item 1&2 ? They didn't cause the
>problem, they simply (ab)used problems left/caused by the OS vendor.
>

>--> Robert

Yes. If you have crap locks fitted on your front door and I come round and trash
your home, is it your fault ?

crackers that cause anyone else to have to correct their problems should have to
pay for their damage.

Cheers,

Andy.
---

#include <std/disclaimer> 'Opinions are mine, not my Employers'
cat flames >/dev/null ; rsh -e 'init 6'
________________________________________________________________________________
|
Andy_...@sbd-e.rx.xerox.com | Rank Xerox Technical Centre
abo...@cix.compulink.co.uk | Welwyn Garden City, Herts.
| ENGLAND
________________________________________L_______________________________________

Advertising is the rattling of a stick inside a swill bucket. George
Orwell.

Steven Bellovin

unread,
May 26, 1993, 5:23:05 PM5/26/93
to
In article <1993May26.1...@donau.et.tudelft.nl>, wo...@liberator.et.tudelft.nl (Rogier Wolff) writes:
>
> In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
> This makes it a public system, according to many laws. (or "not equipped
> with at least minimal security that can be expected in such a case")

Umm -- that's an interesting question. I know of at least one workstation
for which that command worked solely because of a bug in the system.
Note carefully: I mean a genuine bug, not an administrator's error.
If the target in the Amsterdam case was this model of machine, and if
the folks who used the command knew of the hole, I'd be hard-pressed
to classify that as innocent trespass.

--Steve Bellovin

Edward Kroeze

unread,
May 27, 1993, 2:44:16 AM5/27/93
to
In article 25...@donau.et.tudelft.nl, wo...@liberator.et.tudelft.nl (Rogier Wolff) writes:
>In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
^^^^^^

So the hacker/cracker impersonated someone else!! He was not 'bin' on the
first machine, but he tried (and succeeded) to decieve the second machine in
believing he was 'bin' and had accessrights.
So I think he can be he prosecuted (?sp) for this impersonating.



>This makes it a public system, according to many laws. (or "not equipped
>with at least minimal security that can be expected in such a case")

Of course the system is still public: You should always ask the meterman for
identification when he want's to see your electricitymeter.

Edward
---
*----------------------------------------------------------------*
| Edward Kroeze | University Of Twente, |
| | Dept. Of Computer Science, B&O-group, |
| kro...@cs.utwente.nl | P.O. Box 217, |
| | 7500 AE Enschede, The Netherlands |
*------------------------+---------------------------------------*
If I can be of any help, you're in worse trouble than I thought.

Johan Wevers

unread,
May 27, 1993, 4:35:31 AM5/27/93
to
oha...@europe.cisco.com (Ove Hansen) writes:

[old story about breaking into houses deleted. We've heard that one 1e6 times.]

>Crackers who break into systems for the kick of it, or
>to access or steal data they haven't got the right to access are scum and
>should be shot dead on sight. (Now flame me for my opinions...;-)

Should be shot on sight... That's even overreacted for normal thieves. We've
left the Dark Ages far behind us, did you know? How about the NSA, etc.
intercepting email? Should they also be shot on sight?

Small technical point: just _how_ do you want to do that? Shoot at your
computer when they're in? They won't pay such damage I think.

Johan Wevers

unread,
May 27, 1993, 4:46:09 AM5/27/93
to
leen...@cs.vu.nl (Leendert van Doorn) writes:

>In the "Amsterdam case" the problem wasn't so much that the hackers broke into
>the systems (at that time that was not illegal by Dutch law), but the fact that
>they changed program binaries and purged log files. Since the result of a
>previous court case is that a file equals a document,

You're incorrect. A file _that can be easily read_ is a document. The log
files you refer to were binaries, so this jurisdiction doesn't apply here.

>their action is fraud and that is illegal by almost any law.

Their action isn't fraud. Some other way to look at it: when the hackers
logged in, this action caused bronto to add something to the log file.
The hackers removed it, so nothing has changed after all.

>However, it remains to be seen whether
>this interpretation is sufficient to convict the hackers.

If the department of justice (openbaar ministerie) continues the way they
did, I think the only case in court will be a damage claim from the hackers
because they have been arrested and not convicted. I've heard that the
court had to ask a year after they were the police to tell them what they
exactly were acused of... Doesn't sound like a strong case to me.

BTW, your system "bronto" is still very insecure. I guess this doesn't
improve your position in a civil case.

Haakon Styri

unread,
May 27, 1993, 5:38:12 AM5/27/93
to
rga...@nl.oracle.com (Robert Gasch) writes:
>
> If someone breaks into your house are you going to charge him to
> buy a sturdy door&lock? Is he reponsible for the weakness in your
> 'defense'? I would say No.

Well, I'll say Yes. These people have no right to attack my locks
in the first place. When they do they increase my expenses. If I
didn't want a refund of those expenses I'd practically agree that
they have a right to play at my cost. That doesn't sound right to
me...

---
Haakon Styri

Leendert van Doorn

unread,
May 27, 1993, 6:42:20 AM5/27/93
to
jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:

# leen...@cs.vu.nl (Leendert van Doorn) writes:

# >their action is fraud and that is illegal by almost any law.
#
# Their action isn't fraud. Some other way to look at it: when the hackers
# logged in, this action caused bronto to add something to the log file.
# The hackers removed it, so nothing has changed after all.

Also program binaries were changed, this hardly qualifies as "nothing
has changed after all". As I said, it remains to be seen whether this
interesting interpretation is sufficient to convict the hackers.

# BTW, your system "bronto" is still very insecure. I guess this doesn't
# improve your position in a civil case.

Bronto is not my system! I'm a computer science PhD student and have
nothing to do with the geology departement except for the fact that I
have an entry on their machines. What ever measure the SAs of bronto
take (or not take) is their responsibility not mine.

Johan Wevers

unread,
May 27, 1993, 7:53:28 AM5/27/93
to
leen...@cs.vu.nl (Leendert van Doorn) writes:

>Also program binaries were changed, this hardly qualifies as "nothing
>has changed after all". As I said, it remains to be seen whether this
>interesting interpretation is sufficient to convict the hackers.

As far as I know (but I can be corrected), they ADDED a fake su. I don't know
wether they changed something at the original one. But anyway, this are not
"documents" in the juridical sense of the word.

Rogier Wolff

unread,
May 27, 1993, 8:11:21 AM5/27/93