
internet worm


Rob J. Nauta

May 20, 1993, 4:39:08 PM
cow...@csuslip4.csuohio.edu (Syscrusher) writes:

->This, of course, led very rapidly to rampant infestations of most
->hosts on the internet circa late 1988, bringing down most infested hosts
->and costing over $100,000 in damages.

>I am curious about this part. If the damage was only software, requiring
>time to fix, where did the damage figure come from, just labor to correct?

I wonder about this too. In Holland two young persons were arrested
after breaking into a few desktop SUNs in Amsterdam in January 1992.
The management of the university in question claimed $50.000 worth
of labor had to be spent to secure them again!!

What can be done about such outrageous claims that are unfortunately
impossible to check or verify, and give the general public the
impression that hackers/crackers really cause the damage, without realising
it's just a fictional amount of money?

Rob
--
/-----------------------------------------------\ Never ,==.
| Rob J. Nauta, UNIX computer security expert. | Apologize, /@ |
| r...@wzv.win.tue.nl, Phone: +31-40-837549 | Never /_ <
| r...@hacktic.nl -- Email me for UNIX advice | Explain. =" `g'

Andy Bolton

May 21, 1993, 4:44:11 AM
r...@wzv.win.tue.nl (Rob J. Nauta) writes:

>I wonder about this too. In Holland two young persons were arrested
>after breaking into a few desktop SUNs in Amsterdam in January 1992.
>The management of the university in question claimed $50.000 worth
>of labor had to be spent to secure them again!!

>What can be done about such outrageous claims that are unfortunately
>impossible to check or verify, and give the general public the
>impression that hackers/crackers really cause the damage, without realising
>it's just a fictional amount of money?

It may be an exaggerated figure, but not fictional. Somebody has to pay to
correct systems damaged by crackers. Whether it is only the OS that needs
reinstalling, or valuable research data is lost, it still has to be paid for.

In The Cuckoo's Egg, Cliff Stoll tells of physics experiment data lost during
intrusions. How much do you think it costs to run a CAT scanner, or a particle
accelerator?

Maybe the answer to this is "They should have had backups and better security",
but because you leave your back door open one day, does that give anyone the
RIGHT to burgle you?

That some crackers may have the best intentions in the world I do not doubt,
but they still cause damage to the security and trust of the net.

Cheers,

Andy.

---

#include <std/disclaimer> 'Opinions are mine, not my Employers'
________________________________________________________________________________
|
Andy_...@sbd-e.rx.xerox.com | Rank Xerox Technical Centre
abo...@cix.compulink.co.uk | Welwyn Garden City, Herts.
| ENGLAND
________________________________________L_______________________________________

Democracy: The worship of Jackals by Jackasses. H.L. Mencken.

Goldman of Chaos

May 21, 1993, 9:27:43 AM
In article <1tgq9c$j...@wzv.win.tue.nl> r...@wzv.win.tue.nl (Rob J. Nauta) writes:
>What can be done about such outrageous claims that are unfortunately
>impossible to check or verify, and give the general public the
>impression that hackers/crackers really cause the damage, without realising
>it's just a fictional amount of money?

Get your sled back into reality, Santa. Fictional amount of money? I
think not.
1) Time to backup the current state of the system
2) Backup media
3) Cost to move backup media to offsite storage
4) Cost to move previous backups from offsite storage
5) System administrator time to reload the operating system
6) System administrator time to reload user files
7) System administrator time to close security problems
8) Time to backup the current state of the system
9) Backup media
10) Cost to move backup media to offsite storage
11) Cost of offsite storage
12) Costs of time explaining to management what went wrong

Matt

--
Matthew Goldman E-mail: gol...@orac.cray.com Work: (612) 683-3061

Buddy: "Why do I always have to go first?"
Sally: "Because you're expendable."

M Darrin Chaney

May 21, 1993, 10:58:26 AM
In article <1tgq9c$j...@wzv.win.tue.nl> r...@wzv.win.tue.nl (Rob J. Nauta) writes:
>I wonder about this too. In Holland two young persons were arrested
>after breaking into a few desktop SUNs in Amsterdam in January 1992.
>The management of the university in question claimed $50.000 worth
>of labor had to be spent to secure them again!!
>
>What can be done about such outrageous claims that are unfortunately
>impossible to check or verify, and give the general public the
>impression that hackers/crackers really cause the damage, without realising
>it's just a fictional amount of money?

While $50,000 is way high, the money isn't fictional. If I have to
spend 5 hours cleaning up after a hacker, my organization has lost $75.
That's not fictional. If we have to hire a consultant, the price goes
up.

Darrin
--
M Darrin Chaney, Senior Database Programmer, University Computing Services, IU
mdch...@indiana.edu 1000 E 17th St. Work: (812)855-5492
mdch...@iubacs.bitnet Bloomington, IN 47408 Home: (812)333-6311
"I want- I need- to live, to see it all..."

Rafe Colburn

May 21, 1993, 11:03:10 AM
In article <1tgq9c$j...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta)
wrote:

>
> I wonder about this too. In Holland two young persons were arrested
> after breaking into a few desktop SUNs in Amsterdam in January 1992.
> The management of the university in question claimed $50.000 worth
> of labor had to be spent to secure them again!!
>
> What can be done about such outrageous claims that are unfortunately
> impossible to check or verify, and give the general public the
> impression that hackers/crackers really cause the damage, without realising
> it's just a fictional amount of money?

It seems that all too often these kinds of outrageous claims are made. I
remember when BellSouth claimed an outrageous value (several thousand
dollars) for the ESS document that was taken by the so-called Atlanta boys,
when in fact the document could be had by any member of the public for less
than $20, just by calling an 800 number and ordering it.

I have also found that the people whose sites have been compromised expect
the crackers to pay the bill for securing the system in addition to paying
for any "damages" that have occurred. If someone robs your house, you
can't sue them to make them pay for a new lock and an alarm system to
prevent future break-ins. It seems that this would hold true for cracked
systems as well. It was the admin's mistake to not have proper security in
the first place, and the cracker should not have to pay for it.

==============================================================================
Rafe Colburn : All opinions expressed are exclusively
Office of Development : mine, I don't think anyone else wants them
University of Houston : anyway.
hdev...@admin.uh.edu :
==============================================================================

Davin K Hong

May 21, 1993, 11:23:54 AM
Matthew Goldman says:
Get your sled back into reality Santa. Fictional amount of money? I
think not.
1) Time to backup the current state of the system
2) Backup media
3) Cost to move backup media to offsite storage
4) Cost to move previous backups from offsite storage
5) System administrator time to reload the operating system
6) System administrator time to reload user files
7) System administrator time to close security problems
8) Time to backup the current state of the system
9) Backup media
10) Cost to move backup media to offsite storage
11) Cost of offsite storage
12) Costs of time explaining to management what went wrong

-------

I agree that money is lost as a system administrator must restore files
and the operating system, but a lot of the costs he lists are not really
"caused" by the crackers per se. Anything involving creating the backups
(i.e. 1, 2, 3, 8, 9, 10, 11) is included in the cost of normally managing
a system; you should be doing, and paying for, that anyway. Furthermore,
the cost of closing up the security problem is not a cost caused by the
crackers; the problem was (apparently) there before anyone broke in.

It just irritates me when people overly inflate costs of anything, not
just cracker attacks.

Davin Hong
dav...@jhunix.hac.jhu.edu

Leonard Hermens

May 21, 1993, 12:26:55 PM
In article <1tgq9c$j...@wzv.win.tue.nl> Rob J. Nauta, r...@wzv.win.tue.nl writes:
> ->This, of course, led very rapidly to rampant infestations of most
> ->hosts on the internet circa late 1988, bringing down most infested hosts
> ->and costing over $100,000 in damages.
>
> >I am curious about this part. If the damage was only software, requiring
> >time to fix, where did the damage figure come from, just labor to correct?
>
> I wonder about this too. In Holland two young persons were arrested
> after breaking into a few desktop SUNs in Amsterdam in January 1992.
> The management of the university in question claimed $50.000 worth
> of labor had to be spent to secure them again!!
>
> What can be done about such outrageous claims that are unfortunately
> impossible to check or verify, and give the general public the
> impression that hackers/crackers really cause the damage, without realising
> it's just a fictional amount of money?

It could be fictional, but at least these costs come to mind
immediately:
1. Time to find the problem (labor)
2. Time to correct the problem
3. Time to restore lost/damaged/infected files
4. Money lost due to unavailable resources
(for example, timesharing charges to outside parties)

The fees sound high, however, because included in them is
probably the time spent to discover the security hole...and
that can be expensive. It is not a direct cost attributable to
the break-in, though.

Just because a person is paid to administer a system, that doesn't
mean that they have the *extra* time to fix problems that
may have been caused maliciously, either.
-----
Leonard

Bear Giles

May 21, 1993, 2:23:28 PM
In article <HDEVAREC-2...@kfps-2.ec-building.uh.edu> HDEV...@Admin.UH.edu (Rafe Colburn) writes:
>In article <1tgq9c$j...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta)
>wrote:
>>
>> I wonder about this too. In Holland two young persons were arrested
>> after breaking into a few desktop SUNs in Amsterdam in January 1992.
>> The management of the university in question claimed $50.000 worth
>> of labor had to be spent to secure them again!!
>
>I have also found that the people whose sites have been compromised expect
>the crackers to pay the bill for securing the system in addition to paying
>for any "damages" that have occurred. If someone robs your house, you
>can't sue them to make them pay for a new lock and an alarm system to
>prevent future break-ins. It seems that this would hold true for cracked
>systems as well. It was the admin's mistake to not have proper security in
>the first place, and the cracker should not have to pay for it.

What about what happened here a year ago?

We were upgrading a 386 Unix system, and had to boot DOS to run a
configuration program for the new hardware.

Microsoft does not sell DOS boot disks. We _should_ have used a
clean copy of DOS on a new machine to make boot disks, but the person
doing the installation was lazy and built a DOS boot disk from a
"public" DOS system across the hall.

Too bad that system was infected, and when it booted on our Unix
system it trashed the Unix file system. Between the time required to
rebuild the Unix system, reinstall all options and our software, and
lost productivity this little virus probably cost over $5,000.
(Several people idle or rebuilding a system for several days is
expensive).

But that was a modest cost. This is a professional software lab and
none of us would _intentionally_ infect systems, but because some clown
decided he was God's Gift to Computers and didn't realize his "safe"
DOS virus would kill Unix systems our lab had a demonstrated risk and
had to disinfect _all_ of the computers in the lab. There's only
a few hundred people here, so it probably only took a couple person-months.
That's probably around $20,000 or more. Toss in the fact that many of
us had to purchase anti-virus software for our own systems, and the
cost is probably in excess of $50,000.

Your analogy to a burglar entering a house is FALSE. We _do_ have
locks on the doors; electronic locks on doors to "public" systems.

Virus writers are closer to a jerk who goes onto _private_ land to
dig holes despite knowing that the owner of this land rides his horse
across the field. When the horse breaks a leg in a hole WHICH SHOULD
NOT BE THERE and has to be destroyed, the owner has every right to
1) demand compensation for the lost horse, 2) demand the vandal
fill the holes he dug, and 3) demand compensation from the vandal
to erect sturdier fences and post yet more signs saying NO TRESPASSING.

If virus writers were competent, this would not be such a problem.
But there are a lot of "safe" viruses out there that cause extensive
damage because the writer's ego surpassed his ability to write clean
code. Therefore ANY virus must be considered destructive and removed,
even at high cost.

--
Bear Giles
be...@cs.colorado.edu/fsl.noaa.gov

Ken Arromdee

May 21, 1993, 2:33:51 PM
In article <1993May21.0...@spectrum.xerox.com> bol...@rx.xerox.com writes:
>>I wonder about this too. In Holland two young persons were arrested
>>after breaking into a few desktop SUNs in Amsterdam in January 1992.
>>The management of the university in question claimed $50.000 worth
>>of labor had to be spent to secure them again!!
>>What can be done about such outrageous claims that are unfortunately
>>impossible to check or verify, and give the general public the
>>impression that hackers/crackers really cause the damage, without realising
>>it's just a fictional amount of money?
>Maybe the answer to this is "They should have had backups and better security",
>but because you leave your back door open one day, does that give anyone the
>RIGHT to burgle you?

You are confusing claims that the damage is exaggerated with attempts to
justify cracking. Neither implies the other.
--
"On the first day after Christmas my truelove served to me... Leftover Turkey!
On the second day after Christmas my truelove served to me... Turkey Casserole
that she made from Leftover Turkey.
[days 3-4 deleted] ... Flaming Turkey Wings! ...
-- Pizza Hut commercial (and M*tlu/A*gic bait)

Ken Arromdee (arro...@jyusenkyou.cs.jhu.edu)

Chris Higgins - System Administrator

May 21, 1993, 4:01:40 PM
In article <HDEVAREC-2...@kfps-2.ec-building.uh.edu>, HDEV...@Admin.UH.edu (Rafe Colburn) writes:
>In article <1tgq9c$j...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta)
>wrote:
>>
>> I wonder about this too. In Holland two young persons were arrested
>>
>I have also found that the people whose sites have been compromised expect
>the crackers to pay the bill for securing the system in addition to paying
>for any "damages" that have occurred. If someone robs your house, you
>can't sue them to make them pay for a new lock and an alarm system to
>prevent future break-ins. It seems that this would hold true for cracked
If you buy an alarm system and it doesn't work, then surely it is the
company that sold it to you that is at fault. It isn't your fault that
something you bought didn't work as advertised!

>systems as well. It was the admin's mistake to not have proper security in
>the first place, and the cracker should not have to pay for it.
>

BULLSHIT!!!! (pardon my French!)
If every administrator had to spend every waking minute (and those sleeping)
patching the holes in Un*x systems, then the users would be complaining about
the lack of time spent on *their* important pressing problems.

The Admin can never win. If you enter a shop and break something on the shelf,
then shouldn't you pay for it? Why should the shop lose out because of your
stupidity / malicious intent?

Excuse the tone, but I cannot abide people who believe that crackers shouldn't
be held responsible for their actions. If that responsibility extends to paying
reparations for damage, then so be it...

(Let's not have "War reparations" because the countries at war are "cracking" at
each other's borders... Let's not have people suing others, because when a brain
surgeon messes your head up, he was only "cracking" at your head.. Obviously
not his responsibility....)


Chris.

+ J.C. Higgins, + + If you love something, set it +
+ VMS Sys. Admin, + Ch...@csvax1.ucc.ie + free. If it doesn't come back +
+ Comp.Sc.Dept. + Ch...@odyssey.ucc.ie + to you, hunt it down and +
+ UCC, Ireland + C.Hi...@bureau.ucc.ie + KILL it. -- Me. +

Timothy Newsham

May 21, 1993, 6:45:54 PM
>r...@wzv.win.tue.nl (Rob J. Nauta) writes:
>
>>I wonder about this too. In Holland two young persons were arrested
>>after breaking into a few desktop SUNs in Amsterdam in January 1992.
>>The management of the university in question claimed $50.000 worth
>>of labor had to be spent to secure them again!!
>
>>What can be done about such outrageous claims that are unfortunately
>>impossible to check or verify, and give the general public the
>>impression that hackers/crackers really cause the damage, without realising
>>it's just a fictional amount of money?
>
>It may be an exaggerated figure, but not fictional. Somebody has to pay to
>correct systems damaged by crackers. Whether it is only the OS that needs
>reinstalling, or valuable research data is lost, it still has to be paid for.

Often included in the damages is the cost of making the system secure.
The hacker didn't impose this on the system administrators, and if they
had spent this money beforehand then more likely than not the
hacker wouldn't have gotten in. It is unfair to include these
sorts of costs in the damages.

Steven Bellovin

May 21, 1993, 1:05:36 PM
In article <1tgq9c$j...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta) writes:
> cow...@csuslip4.csuohio.edu (Syscrusher) writes:
>
> ->This, of course, led very rapidly to rampant infestations of most
> ->hosts on the internet circa late 1988, bringing down most infested hosts
> ->and costing over $100,000 in damages.
>
> >I am curious about this part. If the damage was only software, requiring
> >time to fix, where did the damage figure come from, just labor to correct?
>
> I wonder about this too. In Holland two young persons were arrested
> after breaking into a few desktop SUNs in Amsterdam in January 1992.
> The management of the university in question claimed $50.000 worth
> of labor had to be spent to secure them again!!

I can't speak to that example, but $100K in *total* damages seems
reasonable for the Internet worm. How many sites do you think it hit?
300? That means only about $333 per site, which is not many staff
hours. And that doesn't even include lost productivity, time that
people couldn't work because their machines were either unusable or
unable to speak to the outside world.

$100K in direct costs? Probably not. And one shouldn't count time to
install security fixes that needed to be in anyway. But I don't think
that $100K is out of line for the total damage, worldwide, for that
particular incident. It may be high, but not grossly so.

Steven J Tucker

May 22, 1993, 1:53:41 AM

In a previous article, r...@wzv.win.tue.nl (Rob J. Nauta) says:

>cow...@csuslip4.csuohio.edu (Syscrusher) writes:
>
>->This, of course, led very rapidly to rampant infestations of most
>->hosts on the internet circa late 1988, bringing down most infested hosts
>->and costing over $100,000 in damages.
>
>>I am curious about this part. If the damage was only software, requiring
>>time to fix, where did the damage figure come from, just labor to correct?
>
>I wonder about this too. In Holland two young persons were arrested
>after breaking into a few desktop SUNs in Amsterdam in January 1992.
>The management of the university in question claimed $50.000 worth
>of labor had to be spent to secure them again!!

Claiming damages to "secure them again" does not seem viable, since just
"securing them again" might involve changing a password; where the $50,000
comes in is IMPROVING the security that was never there to begin with.

Does this seem right?
--
Steven J Tucker | \|/ \|/ \|/ \|/ \|/ \|/ | dh...@cleveland.Freenet.edu
P.o.Box 33475 | Visit the Atari 8Bit Sig |-------------------------------
North Royalton | Cleveland Free-Net | " There is no right or wrong
Ohio 44133-0475 | /|\ /|\ /|\ /|\ /|\ /|\ | only thinking makes it so "

Angel at large

May 22, 1993, 2:20:12 AM
In article <C7E7M...@curia.ucc.ie> ch...@csvax1.ucc.ie writes:
>Excuse the tone, but I cannot abide people who believe that crackers shouldn't
>be held responsible for their actions. If that responsibility extends to paying
>reparations for damage, then so be it...
>
>(Let's not have "War reparations" because the countries at war are "cracking" at
>each other's borders... Let's not have people suing others, because when a brain
>surgeon messes your head up, he was only "cracking" at your head.. Obviously
>not his responsibility....)
>
I think it all depends on what kind of cracking we're talking about here. For
example, if I break into your system and send you a message that your system
has been compromised, and log off, I shouldn't pay for the time it takes to up
the security. In fact, I don't think the person who breaks into systems like
that even increases paranoia on the net. On the other hand, if I log in and
delete data, or mangle the system in some other manner, it's an entirely different
matter.
That's my cent and a half.
--
* Angel@foghorn_leghorn.coe.northeastern.edu
* * * * BTW: These are my opinions, and not that of any other entity
- * * * * * * ------------------------------------------------------------*
* * * My god, it's full of stars! - Dave
* I don't know about you, but we've got company! - Epidemic

R.v.Kampen

May 21, 1993, 11:06:21 PM
In article <C7DtL...@usenet.ucs.indiana.edu> mdch...@fractal.ucs.indiana.edu (M Darrin Chaney) writes:
>In article <1tgq9c$j...@wzv.win.tue.nl> r...@wzv.win.tue.nl (Rob J. Nauta) writes:
>>I wonder about this too. In Holland two young persons were arrested
>>after breaking into a few desktop SUNs in Amsterdam in January 1992.
>>The management of the university in question claimed $50.000 worth
>>of labor had to be spent to secure them again!!
>>
>>What can be done about such outrageous claims that are unfortunately
>>impossible to check or verify, and give the general public the
>>impression that hackers/crackers really cause the damage, without realising
>>it's just a fictional amount of money?
>
>While $50,000 is way high, the money isn't fictional. If I have to
>spend 5 hours cleaning up after a hacker, my organization has lost $75.
>That's not fictional. If we have to hire a consultant, the price goes
>up.
>
Maybe you should see it as the kind of maintenance done on equipment
that wears out due to friction, old age etc...
Computer systems, when left alone, don't wear out due to software
getting old (maybe when the century turns). So hackers cause the
friction which causes computer systems to wear out, so that way they will
continuously be updated and improved.

In a couple of years there will be old-timers' clubs where all ancient
computers are still being used. And the rest of the world will be
computing on more improved, less power-consuming, more powerful
cars/computers. And hackers will still be the dust particles in
engines that cause wearing out.

willem

(I might not sound very coherent, but that's because I am not.)
( ^ neither does it 'sound' unless you have your
newsreader interfaced with some voice unit)

Chris Higgins - System Administrator

May 22, 1993, 6:28:54 AM
In article <1993May22....@lynx.dac.northeastern.edu>, angel@Foghorn_Leghorn.coe.northeastern.edu (Angel at large) writes:
>In article <C7E7M...@curia.ucc.ie> ch...@csvax1.ucc.ie writes:
>>Excuse the tone, but I cannot abide people who believe that crackers shouldn't
>>be held responsible for their actions. If that responsibility extends to paying
>>reparations for damage, then so be it...
>>
>>(Let's not have "War reparations" because the countries at war are "cracking" at
>>each other's borders... Let's not have people suing others, because when a brain
>>surgeon messes your head up, he was only "cracking" at your head.. Obviously
>>not his responsibility....)
>>
>I think it all depends on what kind of cracking we're talking about here. For
Herein lies the problem...
>example, if I break into your system and send you a message that your system
>has been compromised, and log off, I shouldn't pay for the time it takes to up
>the security. In fact, I don't think the person who breaks into systems like

Ok, so you break in, and mail me a message. I'm going to have to try to track down
EXACTLY what you did. I've then got a system which is (potentially) very
insecure, so I've got to put effort into restoring the security confidence
level to where it was. That may not involve me doing anything except checking
that you didn't change anything. On the other hand it may require that I
re-install the entire OS from scratch. So while the actual damage done by the
cracker may be minimal, I would have to put in a lot of person-hours to ensure
that no real damage has been done, and I'll have to patch the hole used so that
I can turn to my users and say that we are back where we were...
Then my users can continue knowing that it is unlikely that the same will
happen again.

>that even increases paranoia on the net. On the other hand if I login and
>delete data, or mangle the system in some other manner, it's entirely different
>matter.

As I said above, not really...

>That's my cent and a half.

Danny Smith

May 22, 1993, 10:15:35 AM
>Just because a person is paid to administer a system, that doesn't
>mean that they have the *extra* time to fix problems that
>may have been caused maliciously, either.

I recall more than one admin-type telling me that the BIG cost factor
was the time spent explaining the situation to upper management and
local news teams.

--
Danny Smith | 408/992-2365 | da...@juts.ccc.amdahl.com
Amdahl Corp. | Sunnyvale, CA | da...@uts.amdahl.com
[ Disclaimer - the above opinions are mine, and do not ]
[ reflect Amdahl policy. (They made me say that.) ]

Robert Gasch

May 22, 1993, 9:47:57 AM
Leonard Hermens (lher...@eecs.wsu.edu) wrote:
: In article <1tgq9c$j...@wzv.win.tue.nl> Rob J. Nauta, r...@wzv.win.tue.nl writes:
: > ->This, of course, led very rapidly to rampant infestations of most
: > ->hosts on the internet circa late 1988, bringing down most infested hosts
: > ->and costing over $100,000 in damages.
: >
: > >I am curious about this part. If the damage was only software, requiring
: > >time to fix, where did the damage figure come from, just labor to correct?
: >
: > I wonder about this too. In Holland two young persons were arrested
: > after breaking into a few desktop SUNs in Amsterdam in January 1992.
: > The management of the university in question claimed $50.000 worth
: > of labor had to be spent to secure them again!!
: >
: > What can be done about such outrageous claims that are unfortunately
: > impossible to check or verify, and give the general public the
: > impression that hackers/crackers really cause the damage, without realising
: > it's just a fictional amount of money?

: It could be fictional, but at least these costs come to mind
: immediately:
: 1. Time to find the problem (labor)
: 2. Time to correct the problem

Should hackers/crackers be charged for items 1 & 2? They didn't cause the
problem, they simply (ab)used problems left/caused by the OS vendor.

--> Robert

Angel at large

May 22, 1993, 3:20:26 PM
In article <C7FBs...@curia.ucc.ie> ch...@csvax1.ucc.ie writes:
>Ok, so you break in, and mail me a message. I'm going to have to try to track down
>EXACTLY what you did. I've then got a system which is (potentially) very
>insecure, so I've got to put effort into restoring the security confidence
>level to where it was. That may not involve me doing anything except checking

But it was insecure to begin with! The person who breaks in did NOT change
the level of security!

>that you didn't change anything. On the other hand it may require that I
>re-install the entire OS from scratch. So while the actual damage done by the
>cracker may be minimal, I would have to put in a lot of person-hours, to ensure
>that no real damage has been done, and I'll have to patch the hole used so that
>I can turn to my users and say that we are back where we were...

What you do is your own prerogative depending on YOUR level of paranoia. You
can patch the hole, or you can junk the disk and reinstall everything, or
anything in between. You don't _have_ to re-install all the software.

BTW, I'm still using "you" as a generic sysadmin and "me" as a hypothetical
cracker.

Paul Ducklin

May 23, 1993, 4:31:41 AM
Thus spake be...@tigger.cs.Colorado.EDU (Bear Giles):

>But that was a modest cost. This is a professional software lab and
>none of us would _intentionally_ infect systems, but because some clown
>decided he was God's Gift to Computers and didn't realize his "safe"
>DOS virus would kill Unix systems our lab had a demonstrated risk and
>had to disinfect _all_ of the computers in the lab. There's only
>a few hundred people here, so it probably only took a couple person-months.
>That's probably around $20,000 or more.

Sounds like you got hit by a boot sector virus. Now, when viruses like
Stoned hit *some* PC-Unix systems, there may be problems due to the act
of infection [Stoned writes to T0, H0, S7 -- for some older Unixes, this
is actually within the first active partition and thus trashes the
bootstrap loader]; with viruses like Michelangelo, then there will be direct
file system damage at specific times [March 6th, for the Big M]. For the
rest, disinfection of BSVs is usually fairly simple and readily automated.

Since you talk of "disinfection", rather than "repair", I assume that you
were able to clean up easily using suitable a-v software. And I infer from
"there's only a few hundred people here" that you have only a few hundred
machines in your lab. If, as is usual, the machines in your lab are laid
out in rows -- not scattered all over in hundreds of offices -- then I'd
suggest that a single person could clean every machine in a day or two.
$20,000 sounds rather a lot...

>Toss in the fact that many of
>use had to purchase anti-virus software for our own systems, and the
>cost is probably in excess of $50,000.

$30,000 dollars *more* for "many of us to purchase a-v software for our
own systems"? How many of you, exactly? F-PROT, for example, would cost
you $30,000 for a licence for 30,000 users! And the a-v service I'm
involved with would cost you $30k for a licence of, say, 7,500 users
*with total service included*. For that kind of money, you could keep
the other $20,000 in your pocket -- we'd do the clean-up for you
[we'd ask you to pay the airfare so we could Cross the Ocean] :-)

And you're not-for-profit, aren't you? Then the cost of the systems
mentioned above are even lower -- academic discount, and all that...

Viruses are a *big* problem in the PC world. A very big problem, which
I don't wish to downplay. But $50,000 sounds like a figure that's way,
way too big.

Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin du...@nuustak.csir.co.za /
/ CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Kevin D. Quitt

May 23, 1993, 3:48:56 PM
> What you do is your own prerogative depending on YOUR level of paranoia. You
> can patch the hole, or you can junk the disk, and reinstall everything, or
> anything in between. You don't _have_ to re-install all the software.

And when you (as the sysadmin) are facing your boss, and he says "How can you
guarantee me that none of our software has been compromised?", what do you
say?


_
Kevin D. Quitt 96.37% of all statistics are made up. usc!srhqla!quest!kdq

Angel at large

May 23, 1993, 6:59:30 PM
In article <08P14B...@quest.UUCP> {ames,jato,usc,pacbell}!srhqla!quest!kdq writes:
>angel@Foghorn_Leghorn.coe.northeastern.edu (Angel at large) writes:
>> What you do is your own prerogative depending on YOUR level of paranoia. You
>> can patch the hole, or you can junk the disk, and reinstall everything, or
>> anything in between. You don't _have_ to re-install all the software.
>
>And when you (as the sysadmin) are facing your boss, and he says "How can you
>guarantee me that none of our software has been compromised?", what do you
>say?

There are two things that come into play here:
1. If I was THAT worried about security then I would either
   a. Patch all the holes known to (wo)man
   b. Run a truly secure operating system with audits, alarms, and such
2. I could say that if the hacker DID compromise the whole system, then he
probably wouldn't have sent e-mail to the sysadmin (me) telling me about this.

Bernie Cosell

May 23, 1993, 10:01:33 PM
In article <08P14B...@quest.UUCP>, Kevin D. Quitt writes:

} > What you do is your own prerogative depending on YOUR level of paranoia. You
} > can patch the hole, or you can junk the disk, and reinstall everything, or
} > anything in between. You don't _have_ to re-install all the software.
}

} And when you (as the sysadmin) are facing your boss, and he says "How can you
} guarantee me that none of our software has been compromised?", what do you
} say?

Well, I was in that position and I'll tell you what we did: we
isolated the system [to prevent further infestation on the way, and
to prevent us from propagating anything until we knew what was
happening]. Then we brought the [unix] system up in single-user
mode and did an incremental backup of the ENTIRE disk system [no
NFS so this wasn't hopelessly difficult]. Then we examined *EVERY*
disk block that the incremental claimed was changed from the
last-dump-before-infestation. Fortunately, we backed up at 11PM,
got infected at something like 2AM, and were working at it by
sunup, so there wasn't all that much to check. But when it was done
and I had to report to the higher-ups, I could say:
1) we had disabled the virus, so it would no longer be a problem, and
2) we *KNEW* that the virus had caused no damage or otherwise impeached
our file systems.

What did you do to keep your bosses from worrying about subsequent trojan
horses, files corrupted in subtle ways, libraries with traps snuck into
them, etc?

/Bernie\
--
Bernie Cosell cos...@world.std.com
Fantasy Farm Fibers, Pearisburg, VA (703) 921-2358

Oleg Kibirev

May 23, 1993, 3:18:20 PM
In article <40...@nlsun1.oracle.nl> rga...@nl.oracle.com (Robert Gasch) writes:

Leonard Hermens (lher...@eecs.wsu.edu) wrote:
: >
: > What can be done about such outrageous claims that are unfortunately
: > impossible to check or verify, and give the general public the
: > impression that hackers/crackers really cause the damage, without
: realising
: > it's just a fictional amount of money.

: It could be fictional, but at least these costs come to mind
: immediately:
: 1. Time to find the problem (labor)
: 2. Time to correct the problem

Should hackers/crackers be charged for item 1&2 ? They didn't cause the
problem, they simply (ab)used problems left/caused by the OS vendor.

Yes, but OS vendor wrote a disclaimer that they are not responsible
for their programs ;(

Oleg

Andrew McVeigh

May 24, 1993, 12:42:37 PM
In article <OLEG.93Ma...@gd.cs.CSUFresno.EDU> ol...@gd.cs.CSUFresno.EDU (Oleg Kibirev) writes:

> [ text deleted ]


> Should hackers/crackers be charged for item 1&2 ? They didn't cause the
> problem, they simply (ab)used problems left/caused by the OS vendor.
>
> Yes, but OS vendor wrote a disclaimer that they are not responsible
> for their programs ;(

Perhaps all future WORMS will contain such disclaimers also ;-)

>
> Oleg

Cheers,

Andrew McVeigh
--
*****


Andrew McVeigh

Johan Wevers

May 24, 1993, 5:57:20 AM
Rob Nauta wrote:
>>What can be done about such outrageous claims that are unfortunately
>>impossible to check or verify, and give the general public the
>>impression that hackers/crackers really cause the damage, without realising
>>it's just a fictional amount of money.

gol...@orac.cray.com (Goldman of Chaos) writes:
>Get your sled back into reality Santa. Fictional amount of money? I
>think not.
> 1) Time to backup the current state of the system
> 2) Backup media
> 3) Cost to move backup media to offsite storage
> 4) Cost to move previous backups from offsite storage
> 5) System administrator time to reload the operating system
> 6) System administrator time to reload user files
> 7) System administrator time to close security problems
> 8) Time to backup the current state of the system
> 9) Backup media
> 10) Cost to move backup media to offsite storage
> 11) Cost of offsite storage

All these things should be done anyway. What about power failure, or
a fire, or a fool who knocks the computer to pieces?

> 12) Costs of time explaining to management what went wrong

In most cases, and _certainly_ in the Amsterdam case Rob cited, this is easy:

"I'm very sorry boss, the hacker was much smarter than I was. Please don't
fire me because my knowledge wasn't what it should be..."

No copyright fees asked for desperate system managers if they use this string...
--
J.C.A. Wevers The only nature of reality is physics.
jo...@blade.stack.urc.tue.nl

Johan Wevers

May 24, 1993, 6:02:36 AM
mdch...@fractal.ucs.indiana.edu (M Darrin Chaney) writes:

>>I wonder about this too. In Holland two young persons were arrested
>>after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>>The management of the university in question claimed $50.000 worth
>>of labor had to be spent to secure them again !!

>>What can be done about such outrageous claims that are unfortunately
>>impossible to check or verify, and give the general public the
>>impression that hackers/crackers really cause the damage, without realising
>>it's just a fictional amount of money.

>While $50,000 is way high, the money isn't fictional. If I have to
>spend 5 hours cleaning up after a hacker, my organization has lost $75.
>That's not fictional. If we have to hire a consultant, the price goes
>up.

In Amsterdam, they didn't even know what the real costs were. They claimed
that they had to spend much money on tracing and peeping at the hacker,
not to get them out of the system, but because the police asked them to
do so, so they could catch them. The police worked so stupidly after the
arrests that they almost certainly won't be convicted, so I think the police
should pay the $50.000. After all, if you break into a house, and you get
caught, the police won't say "we spent 100 hours on you, that's $10.000."

Carl Brewer

May 24, 1993, 6:53:20 AM
In article <1tq660$s...@tuegate.tue.nl> jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:
>
>> 12) Costs of time explaining to management what went wrong
>
>In most cases, and _certainly_ in the Amsterdam case Rob cited, this is easy:
>
>"I'm very sorry boss, the hacker was much smarter than I was. Please don't
>fire me because my knowledge wasn't what it should be..."

In most cases :

Arseholeus Cracker has copied a trick his/her friend showed him/her,
exploiting a "hole" that aids networking and functionality of the
network under attack. Sure we can make the machines almost totally
crackerproof, but I like my machines to be useful ....

And if I ever catch one of the shits red handed ... how well do these
people type with their noses and toes?


--
Annal Natrach, Usthvah Spethed, cbr...@uniwa.uwa.edu.au
Dochoel Dienve IRC: Bleve
ca...@montebello.ecom.unimelb.EDU.AU
Merlin, where are you? Call your dragon, to weave a mist ....

Johan Wevers

May 24, 1993, 7:44:10 AM
ca...@montebello.ecom.unimelb.EDU.AU (Carl Brewer) writes:

>Arseholeus Cracker has copied a trick his/her friend showed him/her,
>exploiting a "hole" that aids networking and functionality of the
>network under attack.

I'm sure that a "+" in .rhosts in the particular SUN in that case isn't
a hole that aids networking or functionality, unless the system manager
is totally incapable.

>And if I ever catch one of the shits red handed ... how well do these
>people type with their noses and toes?

Cheap... You'd do better to beat up real scum, of which there seems to be
no shortage in the US, if you dare...

Goldman of Chaos

May 24, 1993, 9:34:45 AM
In article <1tis6a...@jhunix.hcf.jhu.edu> dav...@jhunix.hcf.jhu.edu (Davin K Hong) writes:
>Matthew Goldman says:
>Get your sled back into reality Santa. Fictional amount of money? I
>think not.
> 1) Time to backup the current state of the system
> 2) Backup media
> 3) Cost to move backup media to offsite storage
> 4) Cost to move previous backups from offsite storage
> 5) System administrator time to reload the operating system
> 6) System administrator time to reload user files
> 7) System administrator time to close security problems
> 8) Time to backup the current state of the system
> 9) Backup media
> 10) Cost to move backup media to offsite storage
> 11) Cost of offsite storage
> 12) Costs of time explaining to management what went wrong
>
>-------
>
> I agree that money is lost as system administrator must restore files
>and the operating system, but a lot of the costs he lists are not really
>"caused" by the crackers per se. Anything involving creating the backups
>(i.e. 1, 2, 3, 8, 9, 10, 11) are included in the cost of normally managing
>a system) - you should be doing, and paying for, that anyway. Furthermore,
>the cost of closing up the security problem is not a cost caused by the
>crackers - the problem was (apparently) there before anyone broke in.

At the risk of this degenerating into a flame festival, you are wrong.
The cost of backups is a *new* cost, the cost of keeping *all* of the
previous backups in long term offsite storage. The cost of *new*
backup media. The cost of the extra backups is directly caused by the
criminals.

> It just irritates me when people overly inflate costs of anything, not
>just cracker attacks.

Cracker? Lets call them what they are, criminals.

Matt

--
Matthew Goldman E-mail: gol...@orac.cray.com Work: (612) 683-3061

Buddy: "Why do I always have to go first?"
Sally: "Because you're expendable."

Goldman of Chaos

May 24, 1993, 9:42:34 AM
In article <08P14B...@quest.UUCP> {ames,jato,usc,pacbell}!srhqla!quest!kdq writes:
>angel@Foghorn_Leghorn.coe.northeastern.edu (Angel at large) writes:
>> What you do is your own prerogative depending on YOUR level of paranoia. You
>> can patch the hole, or you can junk the disk, and reinstall everything, or
>> anything in between. You don't _have_ to re-install all the software.
>
>And when you (as the sysadmin) are facing your boss, and he says "How can you
>guarantee me that none of our software has been compromised?", what do you
>say?

We captured the perp and forced him to tell exactly what he did.
Unfortunately he did not survive questioning. We've put out hits on
his friends and family.

:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)

Goldman of Chaos

May 24, 1993, 9:47:53 AM
In article <1tq660$s...@tuegate.tue.nl> jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:
cleanup procedures posted by gol...@orac.cray.com skipped.

>All these things should be done anyway. What about power failure, or
>a fire, or a fool who knocks the computer to pieces?

I'm talking about *additional* backups, keeping the backups
from before the attack out of the backup loop. If you are
not doing backups, I really don't pity you going up to
management.

>> 12) Costs of time explaining to management what went wrong
>
>In most cases, and _certainly_ in the Amsterdam case Rob cited, this is easy:
>
>"I'm very sorry boss, the hacker was much smarter than I was. Please don't
>fire me because my knowledge wasn't what it should be..."

No, the important part is to be able to supply info to the corporate
lawyers so that the CRIMINAL can be dealt with.

Matt

Tim Weaver

May 24, 1993, 12:04:31 PM
rga...@nl.oracle.com (Robert Gasch) writes:
>>
>> Should hackers/crackers be charged for item 1&2 ? They didn't cause the
>> problem, they simply (ab)used problems left/caused by the OS vendor.

Haakon Styri
>If someone broke into your home by breaking a window, are you going to
>charge the vendor? Not very likely. Some of the ways the worm entered
>a system would be through open doors, but there was enough lockpicking
>and entry by force techniques employed by the worm to classify it into
>a trespassing program.

If I leave my door open, this does not mean you are allowed to walk into
my house and start going through my drawers.
--

|Timothy E. Weaver | Kalamazoo College | (616) 337-7323 |
|Database Programmer/Analyst | 1200 Academy | These are MY opinions! |
|email: twe...@kzoo.edu | Kalamazoo MI 49006 | Mine!! Mine!! Mine!! |

Rogier Wolff

May 24, 1993, 11:33:34 AM
Johan Wevers (jo...@blade.stack.urc.tue.nl) wrote:
: ca...@montebello.ecom.unimelb.EDU.AU (Carl Brewer) writes:

: >Arseholeus Cracker has copied a trick his/her friend showed him/her,
: >exploiting a "hole" that aids networking and functionality of the
: >network under attack.

: I'm sure that a "+" in .rhosts in the particular SUN in that case isn't
: a hole that aids networking or functionality, unless the system manager
: is totally incapable.

I am sure you meant /etc/hosts....


: J.C.A. Wevers The only nature of reality is physics.
: jo...@blade.stack.urc.tue.nl

Roger.

--
**** a 486 in V86 mode is like a VW buggy with a 6 liter V12 motor. ****
EMail: wo...@duteca.et.tudelft.nl ** Tel +31-15-783643 or +31-15-142371

Tom O Breton

May 24, 1993, 1:24:47 PM
Haakon:

> If someone broke into your home by breaking a window, are you going to
> charge the vendor? Not very likely.

Seems to me that's a bad analogy. The costs Robert is talking about are
analogous to buying and installing a new security system, not replacing
a broken window.(**)

So there is no convincing causal link to the illegal entry. Instead it
looks to me like finding someone to send the bill to(*) for something
that needed doing anyways.


> Some of the ways the worm entered a system would be through open doors,
> but there was enough lockpicking and entry by force techniques employed
> by the worm to classify it into a trespassing program.

Classifying it into one of only two categories may be of interest to
insurance companies and so forth, but I think we on the net understand
that it is not quite so simple.

Tom

(*) Even in the sense of creating a "bad debt" for tax purposes

(**) Obviously I'm not talking about other costs such as loss of
computer time or compromise of sensitive information.


--
The Tom spreads its huge, scaly wings and soars into the sky...
(t...@world.std.com, TomB...@delphi.com)

Magnus Y Alvestad

May 24, 1993, 1:09:52 PM
Tim> If I leave my door open, this does not mean you are
Tim> allowed to walk into my house and start going through my
Tim> drawers. --

That's not the issue.

The issue:

If you have a very simple lock on your door, and a burglar easily
opens it (without harming the lock), can you charge the burglar for
the cost of buying a better lock?

-Magnus

Tim Weaver

May 24, 1993, 2:47:20 PM

Tim> If I leave my door open, this does not mean you are
Tim> allowed to walk into my house and start going through my
Tim> drawers. --

Magnus> That's not the issue.
Magnus> The issue:
Magnus> If you have a very simple lock on your door, and a burglar easily
Magnus> opens it (without harming the lock), can you charge the burglar for
Magnus> the cost of buying a better lock?

Now there's an interesting form of justice. I like it.
Of course there's no precedent for it.

I do think it's appropriate to charge them for the time
you spent making sure there was no damage done.

Rafe Colburn

May 24, 1993, 5:32:00 PM

I wrote:
> >systems as well. It was the admin's mistake to not have proper security in
> >the first place, and the cracker should not have to pay for it.
> >

J. C. Higgins wrote:
> BULLSHIT !!!! (pardon my french !)
> If every administrator had to spend every waking minute (and those sleeping)
> patching the holes in Un*x systems. Then the users will be complaining about
> the lack of time spent on *their* important pressing problems.
>
> The Admin can never win. If you enter a shop and break something on the shelf,
> then shouldn't you pay for it ? Why should the shop lose out because of your
> stupidity / malicious intent ?


>
> Excuse the tone, but I cannot abide people who believe that crackers shouldn't
> be held responsible for their actions. If that responsibility extends to paying
> reparations for damage, then so be it...

Obviously, you misunderstood the point which I was making. The cracker is
responsible for the damage he causes to the systems which he enters. Anyone
who says otherwise is foolish. However, the costs of SECURING a system
so that other crackers cannot enter it should be the responsibility of
the owners/administrators of the system.

Any data destroyed, the costs of restoring from backups, the cost of
getting data that was not backed up, the opportunity costs of losing the
data, the hours of work lost because the system is fouled up, and the
like are all the responsibility of the cracker who had nothing better
to do than mess with your system. But the costs of actually providing
good security for the system once he has proven that yours sucks should
not be tagged onto the bill, that security should be there in the first
place. Besides, if you report the break in, the writer of the operating
system will write a patch that fixes the hole anyway. Too many admins
are too embarrassed to report when their system is compromised.

===========================================================================
Rafe Colburn : All opinions expressed are exclusively
Office of Development : mine, I don't think anyone else wants
University of Houston : them anyway.
713.743.8866 :
hdev...@admin.uh.edu :
===========================================================================

Gordon Burditt

May 24, 1993, 2:09:48 AM
>I wonder about this too. In Holland two young persons were arrested
>after breaking in to a few desktop SUNs in Amsterdam in january 1992.
>The management of the university in question claimed $50.000 worth
>of labor had to be spent to secure them again !!
>
>What can be done about such outrageous claims that are unfortunately
>impossible to check or verify, and give the general public the
>impression that hackers/crackers really cause the damage, without realising
>it's just a fictional amount of money.

Are such claims really fictional? The absolute minimum response to such
a breakin should be to back up the system, and re-install the entire
system from scratch from backup tapes that predate the breakin. This
can be a problem if you don't know the first date of the breakin. Then
you have to go through the backups and find more recent files and restore
the undamaged ones. Considering that this was on a network, you probably
have to do it for the whole network. If the university does not have
in-house expertise to reload the systems itself, it will have to
hire consultants to do it. This is a real, out-of-pocket expense.
Wages are also a real, out-of-pocket expense, especially if overtime
has to be paid to get the systems working again.

Note that these damages occur even if there was actually no breakin
but the "intruders" manage to come up with convincing evidence that
there was, or there was a breakin but all the intruders did was post
one USENET message from the machine gloating about it.

I can't comment on the reasonableness of that $50,000 figure as I have
no details. If the network had 500 machines and they all had to be
restored, even though only "a few" machines were broken into, this figure
is cheap. If a year's worth of research data was lost, a lot more could
be justified. ("should have had backups" doesn't help if the data was
damaged and it went unnoticed for long enough that the backups are damaged,
too.) If that's the cost for restoring 10 machines, the cost seems
rather inflated.

If a burglar breaks into a store and steals stuff, I'm going
to include in the cost of the burglary:

- The value of the stuff stolen, if not recovered.
- Cost of taking inventory after the burglary to determine what was stolen.
- Bookkeeping and legal expenses of filing an insurance claim.
- The cost of repairing the lock broken by a crowbar (but NOT the cost
of upgrading it to a deadbolt) and the door it was attached to.
- The cost of restoring the burglar alarm to workable condition. (Fix cut
wires, etc., and change the security code if it was compromised, but not
the cost of putting one in in the first place or upgrading the system.)
- The cost of replacing the safe which was blown open. (but NOT the
cost of upgrading it to a more secure model)
- The cost of replacing/re-keying all the locks that go with keys stolen
(the store's delivery vans, which haven't been stolen, yet).
- The cost of ammunition used to scare off the burglar.
- The cost of cleaning burglar blood, shotgun shells, and safe debris
from the carpet and walls.
- The replacement/repair cost of damaged merchandise.
- The cost of repairing bullet holes, from bullets fired by the burglar,
police, or employees.
- Medical expenses of the guard who shot himself in the foot while
trying to shoot the burglar.
- The wages of employees paid while the store couldn't be open (but don't
double-count this in the cost of inventory, cleanup, etc.).

but don't include:

- The cost of having locks, burglar alarms, and safes in the first place.
- 5 years of wages for the security guard
- The cost of taking routine inventory
- Taxes paid for, among other things, police.


"Lost sales" is a figure that's hard to pin down. Your customers might
come back the next day after you open and buy everything they would have
the day you were closed after the burglary. Or they might go to the
competition. In any case, it's "lost profit from sales", not "lost sales"
that's a loss, but a somewhat imaginary one. In a manufacturing or service
environment, lost production line time or lost billable hours, especially
if the company has a work backlog, are easier to justify. Don't
double-count employee time used for cleanup, inventory, or "idle time"
instead of production or service. It's really easy to claim the same
employee several times in the cost of inventory, idle time, and "lost sales",
and I suspect that's where some of the inflated damage figures come from.

Gordon L. Burditt
sneaky.lonestar.org!gordon

Carl Brewer

May 24, 1993, 8:21:39 PM
In article <1tqcea$4...@tuegate.tue.nl> jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:
>ca...@montebello.ecom.unimelb.EDU.AU (Carl Brewer) writes:
>
>>Arseholeus Cracker has copied a trick his/her friend showed him/her,
>>exploiting a "hole" that aids networking and functionality of the
>>network under attack.
>
>I'm sure that a "+" in .rhosts in the particular SUN in that case isn't
>a hole that aids networking or functionality, unless the system manager
>is totally incapable.

Or they want to be able to connect machines easily to it. Without
having to set up a bunch of netgroups etc. Why *should* we have to
put razor wire around our hardware to keep the scumbags out?

"Oh, but you were lazy/incompetent, so you should be broken into"
*BULLSHIT*


>
>>And if I ever catch one of the shits red handed ... how well do these
>>people type with their noses and toes?
>
>Cheap... You should better beat up real scum, of which there seems to be
>no shortage in the US, if you dare...

This deserves ignoring ...

Rogier Wolff

May 25, 1993, 4:50:30 AM
Gordon Burditt (gor...@sneaky.lonestar.org) wrote:

: I can't comment on the reasonableness of that $50,000 figure as I have
: no details. If the network had 500 machines and they all had to be
: restored, even though only "a few" machines were broken into, this figure
: is cheap. If a year's worth of research data was lost, a lot more could
: be justified. ("should have had backups" doesn't help if the data was
: damaged and it went unnoticed for long enough that the backups are damaged,
: too.) If that's the cost for restoring 10 machines, the cost seems
: rather inflated.

Facts are that there were one or two machines involved. No more. Furthermore
most of the costs were incurred for

1) Tracing and tapping of the intruders to be able to get a case against the
intruders.

2) After reloading of the OS, securing all OS-default holes in the system.
(like removing the + in /etc/hosts.equiv, which got them into trouble in
the first place.....)

: - The cost of repairing the lock broken by a crowbar (but NOT the cost
: of upgrading it to a deadbolt) and the door it was attached to.

I agree with you here. This is what was claimed. It seems (I talked to someone
studying law yesterday) that in holland you ask for the sky. The judge will
eventually determine what's reasonable.

Rogier Wolff

May 25, 1993, 4:55:06 AM
Rogier Wolff () wrote:

: Johan wrote:
: : I'm sure that a "+" in .rhosts in the particular SUN in that case isn't

: I am sure you meant /etc/hosts....

I fouled up while correcting someone else.... Gee, what a shame....

I (and Johan) meant /etc/hosts.equiv ....
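The entry the two posters are correcting each other about is the wildcard form of the hosts.equiv / .rhosts line format: one entry per line, "hostname [username]", where either field may be "+" (match anything), a host may be "+@netgroup" (netgroup match), and a leading "-" on either field denies rather than grants. As an added example (not code from any post in this thread), here is a small checker that parses that format and ranks the trusting entries, so the vendor-default "+" is found before an intruder finds it. The hostnames and file contents are constructed for the example.

```python
"""Audit /etc/hosts.equiv and ~/.rhosts for entries that trust the world.

Constructed example for this thread, not code posted in it. It parses the
rhosts(5) line format: one entry per line, "hostname [username]", where
either field may be "+" (match anything), a host may be "+@netgroup" or
"@netgroup" (netgroup match), and a leading "-" on either field denies
rather than grants. "#" starts a comment.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    path: str
    lineno: int
    line: str
    severity: str      # "critical", "high" or "info"
    reason: str


def _classify(host: str, user: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a trusting entry, None for a safe one."""
    if host.startswith("-") or (user is not None and user.startswith("-")):
        return None                                   # explicit denial
    if host == "+":
        if user == "+":
            return "critical", "any user on any host may log in as anyone (+ +)"
        if user is None:
            return "critical", "any host is trusted (no password for same-name accounts)"
        return "critical", f"any host may log in as {user}"
    if host.startswith(("+@", "@")):
        netgroup = host.lstrip("+")[1:]
        if user == "+":
            return "high", f"any user in netgroup {netgroup} may log in as anyone"
        return "info", f"netgroup {netgroup} trusted; verify its membership"
    if user == "+":
        return "high", f"any user on {host} may log in as anyone"
    return None


def audit_equiv_text(path: str, text: str) -> List[Finding]:
    """Parse one file body (hosts.equiv or .rhosts) and list its findings."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        hit = _classify(host, user)
        if hit is not None:
            findings.append(Finding(path, lineno, line, hit[0], hit[1]))
    return findings


def audit_files(files: Dict[str, str]) -> List[Finding]:
    """Audit a path -> contents mapping; worst findings first."""
    rank = {"critical": 0, "high": 1, "info": 2}
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(audit_equiv_text(path, text))
    return sorted(out, key=lambda f: (rank[f.severity], f.path, f.lineno))


# Constructed sample files (invented hostnames). The lone "+" in
# hosts.equiv is the vendor-default entry the posters are arguing about.
SAMPLE_FILES = {
    "/etc/hosts.equiv": "+\n",
    "/home/alice/.rhosts": "# lab machines\nws1.lab.example\nws2.lab.example alice\n-badhost.example\n",
    "/home/bob/.rhosts": "+ +\n+@labnet\nws3.lab.example +\n",
}

if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        print(f"{f.severity:8} {f.path}:{f.lineno}  {f.line!r}: {f.reason}")
```

On a real host you would feed audit_files() the contents of /etc/hosts.equiv plus every ~user/.rhosts, and also check that each .rhosts is owned by that user and not group- or world-writable, since rlogind refuses nothing on its own. Note that "+" is only dangerous in a hosts.equiv or .rhosts that the r-services actually consult; the fix in the Amsterdam case was simply to delete the line.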

Johan Wevers

May 25, 1993, 8:50:02 AM
gol...@orac.cray.com (Goldman of Chaos) writes:

>>All these things should be done anyway. What about power failure, or
>>a fire, or a fool who knocks the computer to pieces?

> I'm talking about *additional* backups, keeping the backups
> from before the attack out of the backup loop. If you are
> not doing backups, I really don't pity you going up to
> management.

Usually, hackers don't change so much that a complete backup is needed.
If you keep backups of su, rlogin, /etc/passwd and some other important
files, you're safe enough.


>>In most cases, and _certainly_ in the Amsterdam case Rob cited, this is easy:

>>"I'm very sorry boss, the hacker was much smarter than I was. Please don't
>>fire me because my knowledge wasn't what it should be..."

>No, the important part is to be able to supply info to the corporate
>lawyers so that the CRIMINAL can be dealt with.

That's a waste of money: they will most probably not get convicted because
they didn't really break a Dutch law (they're accused of breaking some
laws but this is very weak), and a civil damage claim will be rejected if
they didn't do anything which was not allowed by law. Calling them criminals,
you don't use the law but you use what you think should be the law. No judge
will accept that (fortunately).

Kyle Jones

May 25, 1993, 9:26:40 AM
Johan Wevers writes:
> gol...@orac.cray.com (Goldman of Chaos) writes:
>
> >>All these things should be done anyway. What about power failure, or
> >>a fire, or a fool who knocks the computer to pieces?
>
> > I'm talking about *additional* backups, keeping the backups
> > from before the attack out of the backup loop. If you are
> > not doing backups, I really don't pity you going up to
> > management.
>
> Usually, hackers don't change _that_ much that a complete backup is needed.
> If you keep backups from su, rlogin, /etc/passwd and some other important
> files, you're safe enough.

But unless you're running Tripwire or some other security auditing
software you don't know. And restoring the standard login suite
is not nearly enough.
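Bernie Cosell's procedure above (compare every block the incremental dump says changed since the last pre-infestation dump) and Kyle's Tripwire reference are the same idea: a baseline taken before the break-in, and a diff against it afterwards. As an added example, not Tripwire's code and not code any poster supplied, here is a small baseline-and-compare checker. It records a SHA-256 digest plus mode and owner for every regular file, and when diffing it separately flags files that newly carry the setuid/setgid bit, which catches the setuid shell copies and altered daemons raised later in this thread. The directory tree, file names and "intruder" edits are constructed in a temporary directory purely for the demonstration.

```python
"""Baseline-and-compare file integrity check in the spirit of Tripwire.

Added example for this thread; not Tripwire's code and not code any poster
supplied. build_manifest() records a SHA-256 digest, mode, owner and size
for every regular file under a root; compare() diffs two manifests so the
question "what changed since the last dump?" gets a file-by-file answer,
with new setuid/setgid files called out separately. The baseline must be
taken before the break-in and kept off the host (read-only media), or an
intruder with root simply rewrites it.
"""

import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int, int]      # (sha256 hex, st_mode, uid, size)
Manifest = Dict[str, Entry]
SETID = stat.S_ISUID | stat.S_ISGID


def _digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Record every regular file under root, keyed by path relative to root."""
    manifest: Manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                # symlinks, devices, sockets: skipped here
            rel = os.path.relpath(full, root)
            manifest[rel] = (_digest(full), st.st_mode, st.st_uid, st.st_size)
    return manifest


def compare(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Classify differences: added, removed, content, mode, new_setuid."""
    report: Dict[str, List[str]] = {
        k: [] for k in ("added", "removed", "content", "mode", "new_setuid")}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
            if new[1] & SETID:
                report["new_setuid"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        else:
            if old[0] != new[0]:
                report["content"].append(rel)
            if (old[1], old[2]) != (new[1], new[2]):
                report["mode"].append(rel)
                if (new[1] & SETID) and not (old[1] & SETID):
                    report["new_setuid"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: baseline, then a break-in, then rescan."""
    root = tempfile.mkdtemp(prefix="integrity-")

    def put(rel: str, data: bytes, mode: int = 0o644) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)

    try:
        put("bin/su", b"stand-in for the su binary", 0o4755)
        put("etc/inetd.conf", b"telnet stream tcp nowait root /usr/etc/in.telnetd\n")
        put("var/spool/cron/root", b"0 3 * * * /usr/lib/backup\n")
        baseline = build_manifest(root)
        # Intruder activity of the kind the thread describes: a patched
        # network daemon path, a call-home cron entry, a setuid shell copy.
        put("etc/inetd.conf", b"telnet stream tcp nowait root /tmp/.x/in.telnetd\n")
        put("var/spool/cron/root", b"0 3 * * * /usr/lib/backup\n0 4 * * * /tmp/.x/callhome\n")
        put("tmp/.x/sh", b"stand-in for a copied /bin/sh", 0o4755)
        return compare(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:11}: {paths}")
```

Two caveats a practitioner would add: the scan must run from a clean kernel and clean tools (boot single-user from known media, as Bernie did), because a modified find or sha256sum can lie about itself; and the manifest must include mode and ownership, not only content, since chmod 4755 on an unmodified shell leaves every digest intact.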

Keith Mancus

May 25, 1993, 10:03:15 AM
In article <1993May24....@nntp.nta.no>, st...@hal.nta.no (Haakon Styri, TFI) writes:
|> rga...@nl.oracle.com (Robert Gasch) writes:
|> > Should hackers/crackers be charged for item 1&2 ? They didn't cause the
|> > problem, they simply (ab)used problems left/caused by the OS vendor.

|> If someone broke into your home by breaking a window, are you going to
|> charge the vendor? Not very likely. Some of the ways the worm entered
|> a system would be through open doors, but there was enough lockpicking
|> and entry by force techniques employed by the worm to classify it into
|> a trespassing program.

A more valid comparison would be "if someone broke into your home,
would you bill them for the burglar alarm and new locks you bought
afterward?" (assuming that you didn't have any before, not that you
had them and the burglar damaged them)

--
| Keith Mancus <man...@pat.mdc.com> |
| N5WVR |
| "Black powder and alcohol, when your states and cities fall, |
| when your back's against the wall...." -Leslie Fish |

Jym Dyer

May 25, 1993, 6:51:25 PM
=o= Stop crossposting to alt.sources. Send no more followups
to alt.sources -- alt.sources is for sources, not for discussion
of any kind.
<_Jym_>

Rob J. Nauta

May 25, 1993, 4:47:32 PM
k...@quest.UUCP (Kevin D. Quitt) writes:

-> What you do is your own prerogative depending on YOUR level of paranoia. You
-> can patch the hole, or you can junk the disk, and reinstall everything, or
-> anything in between. You don't _have_ to re-install all the software.

>And when you (as the sysadmin) are facing your boss, and he says "How can you
>guarantee me that none of our software has been compromised?", what do you
>say?

I'd say 'can you define "compromised" ?' Or "our" software, in case
software is developed, what do you mean ?

Rob
--
/-----------------------------------------------\ Never ,==.
| Rob J. Nauta, UNIX computer security expert. | Apologize, /@ |
| r...@wzv.win.tue.nl, Phone: +31-40-837549 | Never /_ <
| r...@hacktic.nl -- Email me for UNIX advice | Explain. =" `g'

Rob J. Nauta

May 25, 1993, 4:51:37 PM
and...@srsune.shlrc.mq.edu.au (Andrew McVeigh) writes:

>In article <OLEG.93Ma...@gd.cs.CSUFresno.EDU> ol...@gd.cs.CSUFresno.EDU (Oleg Kibirev) writes:

-> [ text deleted ]
-> Should hackers/crackers be charged for item 1&2 ? They didn't cause the
-> problem, they simply (ab)used problems left/caused by the OS vendor.
->
-> Yes, but OS vendor wrote a disclaimer that they are not responsible
-> for their programs ;(

>Perhaps all future WORMS will contain such disclaimers also ;-)

You're straying from my original question. I was wondering why the
internet worm is often quoted as doing $100,000 of damage, while in
the case of two ppl breaking into a desktop sparc system management
could claim $50,000 in damages caused by lost time. Yet these figures
are never questioned. A lot of ppl thought I meant to say there was
no damage; instead I think in the internet worm case there was much
more indirect damage, while in the other case costs were exaggerated.

Steven Bellovin

May 25, 1993, 10:36:44 PM
In article <1tt4lq$l...@tuegate.tue.nl>, jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:
> gol...@orac.cray.com (Goldman of Chaos) writes:
> Usually, hackers don't change _that_ much that a complete backup is needed.
> If you keep backups from su, rlogin, /etc/passwd and some other important
> files, you're safe enough.

??? Don't forget the setuid shells that may be lying around, or the
altered network daemons to let them in later, or the cron jobs to call
out later, or -- well, you see my point; you don't *know*, with any
degree of assurance, what they'll do. Likely, you're right; I doubt
that most hackers replace more than a very few files. I'm reminded
of a (possibly apocryphal) story about Steinmetz, who was once called
in as a consultant to deal with a balky piece of electrical equipment.
He looked at it for a while, listened to it, and then adjusted one screw.
Voila -- it was working perfectly. He then wrote out a bill saying
``adjusted screw -- $1000''. The customer protested that that was an
outrageous charge for such a simple fix. He agreed, tore up the bill,
and wrote up a new one: ``adjusted screw -- $1; knowing which screw to
adjust -- $999''.

Which files were changed?

California's computer crime law permits a suit to recover ``any
expenditure reasonably and necessarily incurred by the owner or lessee
to verify that a computer system, computer network, computer program,
or data was or was not altered, damaged, or deleted by the access''. I
find the provision entirely reasonable. Note, btw, the ``was or was
not'' clause.


--Steve Bellovin

Ramaswamy Krishnan

May 26, 1993, 4:17:54 AM
>> The management of the university in question claimed $50.000 worth
>> of labor had to be spent to secure them again !!
>>
>> What can be done about such outrageous claims that are unfortunately
>> impossible to check or verify, ........
>
> It could be fictional, but at least these costs come to mind immediately:
> 1. Time to find the problem (labor)
> 2. Time to correct the problem
> 3. Time to restore lost/damaged/infected files
> 4. Money lost due to unavailable resources
> (for example, timesharing charges to outside parties)

How about the "psychological" consequences to that lone student
who found at 8:50am that he could not use the system to complete
his homework due at 9am! :-)

--
k...@myan.uc.edu

Ove Hansen

May 26, 1993, 7:45:41 AM
In article <40...@nlsun1.oracle.nl> rga...@nl.oracle.com (Robert Gasch) writes:
>Should hackers/crackers be charged for item 1&2 ? They didn't cause the
>problem, they simply (ab)used problems left/caused by the OS vendor.

I've flamed vendors before for leaving barn doors open into (my) systems and
believe they have a lot to answer for. But the fact that my house is built
with crap locks, doors and windows doesn't mean that anyone has the right
to break into it. Crackers who break into systems for the kick of it, or
to access or steal data they haven't got the right to access are scum and
should be shot dead on sight. (Now flame me for my opinions...;-)
--
---------------------------------------------------------------------------
Ove Hansen, Cisco Systems Europe | Mail: oha...@cisco.com
16, avenue du Quebec, Z.A. de Courtaboeuf | Tel: +33 1 60 92 20 00
91961 Les Ulis cedex, France | Fax: +33 1 69 28 83 26

Robert Gasch

May 26, 1993, 11:57:53 AM
Ove Hansen (oha...@europe.cisco.com) wrote:

: In article <40...@nlsun1.oracle.nl> rga...@nl.oracle.com (Robert Gasch) writes:
: >Should hackers/crackers be charged for item 1&2 ? They didn't cause the
: >problem, they simply (ab)used problems left/caused by the OS vendor.

: I've flamed vendors before for leaving barn doors open into (my) systems and
: believe they have a lot to answer for. But the fact that my house is built
: with crap locks, doors and windows doesn't mean that anyone has the right
: to break into it. Crackers who break into systems for the kick of it, or
: to access or steal data they haven't got the right to access are scum and
: should be shot dead on sight. (Now flame me for my opinions...;-)

^^^^^^^^^^^^^^^^^^^^^^^^^^^
Now, now ...

Granted, but the issue of the above mentioned points 1&2 was that
hackers/crackers were charged with figuring out what allowed them
to gain entry into your system and the repair of this problem. Of
course they haven't got the right to break into your machine but the
analogy is more like (someone pointed this out earlier) this:

If someone breaks into your house are you going to charge him to
buy a sturdy door&lock? Is he responsible for the weakness in your
'defense'? I would say No.

--> Robert


******************************************************************************
* Robert Gasch * I want to go to Saarbruecken some day *
* Oracle Engineering * Yes, Saarbruecken would be nice *
* De Meern, NL * I want hair on my back *
* rga...@nl.oracle.com * And a pink rubber bed - Die Aerzte *
******************************************************************************

Rogier Wolff

May 26, 1993, 11:58:22 AM
Ove Hansen (oha...@europe.cisco.com) wrote:

: I've flamed vendors before for leaving barn doors open into (my) systems and
: believe they have a lot to answer for. But the fact that my house is built
: with crap locks, doors and windows doesn't mean that anyone has the right
: to break into it. Crackers who break into systems for the kick of it, or
: to access or steal data they haven't got the right to access are scum and
: should be shot dead on sight. (Now flame me for my opinions...;-)

(I'll take that on.... :-)
Nope, leaving doors open doesn't directly make it legal to walk in or steal.
In the computer case, many laws (from different countries) say that a
password prompt is enough to tell you that it isn't a public access system.

In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
This makes it a public system, according to many laws. (or "not equipped
with at least minimal security that can be expected in such a case")

Roger.

-- CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC - Just


**** a 486 in V86 mode is like a VW buggy with a 6 liter V12 motor. ****
EMail: wo...@duteca.et.tudelft.nl ** Tel +31-15-783643 or +31-15-142371

-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - testing

Granville Moore

May 26, 1993, 12:19:26 PM
In article <1tkf55$g...@usenet.INS.CWRU.Edu> dh...@cleveland.Freenet.Edu (Steven J Tucker) writes:

>
> In a previous article, r...@wzv.win.tue.nl (Rob J. Nauta) says:
> >
> >I wonder about this too. In Holland two young persons were arrested
> >after breaking in to a few desktop SUNs in Amsterdam in january 1992.
> >The management of the university in question claimed $50.000 worth
> >of labor had to be spent to secure them again !!
>
> Claiming damages to "secure them again" does not seem viable, since just
> "securing them again" might involve changing a password; where the $50,000
> comes in is IMPROVING the security that was never there to begin with.
>
> Does this seem right?

Well, what you're saying doesn't sound right - changing a password *isn't*
going to secure the system again. If someone's been playing around inside
your system, you can't be sure exactly what has been altered, and whether
any trojan horses, backdoors, etc. have been installed. Checking all
of this can take a long time and can be very expensive.

If you want to continue the well-worn (but somewhat dubious) analogy with
burglary - how long does it take to fix the broken window (a couple of
hours or so) and how long does it take you to check every item
in the house to make sure that it's still there? (probably several days!)

Regards

Granville


========================================================================
Granville Moore g...@nemesys.demon.co.uk
I am not an accountant! I am a free man!
========================================================================

Leendert van Doorn

May 26, 1993, 3:21:43 PM
wo...@liberator.et.tudelft.nl (Rogier Wolff) writes:

# Nope, leaving doors open doesn't directly make it legal to walk in or steal.
# In the computer case, many laws (from different countries) say that a
# password prompt is enough to tell you that it isn't a public access system.
#
# In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
# This makes it a public system, according to many laws. (or "not equipped
# with at least minimal security that can be expected in such a case")

In the "Amsterdam case" the problem wasn't so much that the hackers broke into
the systems (at that time that was not illegal by Dutch law), but the fact that
they changed program binaries and purged log files. Since the result of a
previous court case is that a file equals a document, their action is fraud and
that is illegal by almost any law. However, it remains to be seen whether
this interpretation is sufficient to convict the hackers.

Leendert

--
Leendert van Doorn <leen...@cs.vu.nl>
Vrije Universiteit / Dept. of Math. & Comp. Sci. +31 20 5484477
Amoeba project / De Boelelaan 1081A
1081 HV Amsterdam / The Netherlands

Andy Bolton

May 26, 1993, 9:53:12 AM
From rga...@nl.oracle.com (Robert Gasch) writes:

..several repeated articles deleted...

>Should hackers/crackers be charged for item 1&2 ? They didn't cause the
>problem, they simply (ab)used problems left/caused by the OS vendor.
>

>--> Robert

Yes. If you have crap locks fitted on your front door and I come round and trash
your home, is it your fault?

Crackers that cause anyone else to have to correct their problems should have to
pay for their damage.

Cheers,

Andy.
---

#include <std/disclaimer> 'Opinions are mine, not my Employers'
cat flames >/dev/null ; rsh -e 'init 6'
________________________________________________________________________________
|
Andy_...@sbd-e.rx.xerox.com | Rank Xerox Technical Centre
abo...@cix.compulink.co.uk | Welwyn Garden City, Herts.
| ENGLAND
________________________________________L_______________________________________

Advertising is the rattling of a stick inside a swill bucket. George
Orwell.

Steven Bellovin

May 26, 1993, 5:23:05 PM
In article <1993May26.1...@donau.et.tudelft.nl>, wo...@liberator.et.tudelft.nl (Rogier Wolff) writes:
>
> In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
> This makes it a public system, according to many laws. (or "not equipped
> with at least minimal security that can be expected in such a case")

Umm -- that's an interesting question. I know of at least one workstation
for which that command worked solely because of a bug in the system.
Note carefully: I mean a genuine bug, not an administrator's error.
If the target in the Amsterdam case was this model of machine, and if
the folks who used the command knew of the hole, I'd be hard-pressed
to classify that as innocent trespass.

--Steve Bellovin

Edward Kroeze

May 27, 1993, 2:44:16 AM
In article 25...@donau.et.tudelft.nl, wo...@liberator.et.tudelft.nl (Rogier Wolff) writes:
>In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
^^^^^^

So the hacker/cracker impersonated someone else!! He was not 'bin' on the
first machine, but he tried (and succeeded) to deceive the second machine into
believing he was 'bin' and had access rights.
So I think he can be prosecuted (?sp) for this impersonating.



>This makes it a public system, according to many laws. (or "not equipped
>with at least minimal security that can be expected in such a case")

Of course the system is still public: You should always ask the meterman for
identification when he wants to see your electricity meter.

Edward
---
*----------------------------------------------------------------*
| Edward Kroeze | University Of Twente, |
| | Dept. Of Computer Science, B&O-group, |
| kro...@cs.utwente.nl | P.O. Box 217, |
| | 7500 AE Enschede, The Netherlands |
*------------------------+---------------------------------------*
If I can be of any help, you're in worse trouble than I thought.

Johan Wevers

May 27, 1993, 4:35:31 AM
oha...@europe.cisco.com (Ove Hansen) writes:

[old story about breaking into houses deleted. We've heard that one 1e6 times.]

>Crackers who break into systems for the kick of it, or
>to access or steal data they haven't got the right to access are scum and
>should be shot dead on sight. (Now flame me for my opinions...;-)

Should be shot on sight... That's overreacting even for normal thieves. We've
left the Dark Ages far behind us, did you know? How about the NSA, etc.
intercepting email? Should they also be shot on sight?

Small technical point: just _how_ do you want to do that? Shoot at your
computer when they're in? They won't pay such damage I think.

Johan Wevers

May 27, 1993, 4:46:09 AM
leen...@cs.vu.nl (Leendert van Doorn) writes:

>In the "Amsterdam case" the problem wasn't so much that the hackers broke into
>the systems (at that time that was not illegal by Dutch law), but the fact that
>they changed program binaries and purged log files. Since the result of a
>previous court case is that a file equals a document,

You're incorrect. A file _that can be easily read_ is a document. The log
files you refer to were binaries, so this jurisdiction doesn't apply here.

>their action is fraud and that is illegal by almost any law.

Their action isn't fraud. Some other way to look at it: when the hackers
logged in, this action caused bronto to add something to the log file.
The hackers removed it, so nothing has changed after all.

>However, it remains to be seen whether
>this interpretation is sufficient to convict the hackers.

If the department of justice (openbaar ministerie) continues the way they
did, I think the only case in court will be a damage claim from the hackers
because they have been arrested and not convicted. I've heard that the
court had to ask a year after they were the police to tell them what they
exactly were accused of... Doesn't sound like a strong case to me.

BTW, your system "bronto" is still very insecure. I guess this doesn't
improve your position in a civil case.

Haakon Styri

May 27, 1993, 5:38:12 AM
rga...@nl.oracle.com (Robert Gasch) writes:
>
> If someone breaks into your house are you going to charge him to
> buy a sturdy door&lock? Is he reponsible for the weakness in your
> 'defense'? I would say No.

Well, I'll say Yes. These people have no right to attack my locks
in the first place. When they do they increase my expenses. If I
didn't want a refund of those expenses I'd practically agree that
they have a right to play at my cost. That doesn't sound right to
me...

---
Haakon Styri

Leendert van Doorn

May 27, 1993, 6:42:20 AM
jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:

# leen...@cs.vu.nl (Leendert van Doorn) writes:

# >their action is fraud and that is illegal by almost any law.
#
# Their action isn't fraud. Some other way to look at it: when the hackers
# logged in, this action caused bronto to add something to the log file.
# The hackers removed it, so nothing has changed after all.

Also, program binaries were changed; this hardly qualifies as "nothing
has changed after all". As I said, it remains to be seen whether this
interesting interpretation is sufficient to convict the hackers.

# BTW, your system "bronto" is still very insecure. I guess this doesn't
# improve your position in a civil case.

Bronto is not my system! I'm a computer science PhD student and have
nothing to do with the geology department except for the fact that I
have an entry on their machines. Whatever measure the SAs of bronto
take (or not take) is their responsibility not mine.

Johan Wevers

May 27, 1993, 7:53:28 AM
leen...@cs.vu.nl (Leendert van Doorn) writes:

>Also program binaries were changed, this hardly qualifies as "nothing
>has changed after all". As I said, it remains to be seen whether this
>interesting interpretation is sufficient to convict the hackers.

As far as I know (but I can be corrected), they ADDED a fake su. I don't know
whether they changed something at the original one. But anyway, these are not
"documents" in the juridical sense of the word.

Rogier Wolff

May 27, 1993, 8:11:21 AM
Leendert van Doorn (leen...@cs.vu.nl) wrote:

: they changed program binaries and purged log files. Since the result of a


: previous court case is that a file equals a document, their action is fraud and
: that is illegal by almost any law. However, it remains to be seen whether
: this interpretation is sufficient to convict the hackers.

: Leendert

Now what is the "value" of the logfiles. Do you ever take more than a
quick look at your logfiles?

The court case you mention, established that a file can be stolen, just
like a document, and that this is considered theft.

Dutch law states that you are not required to cooperate in getting yourself
convicted. (that doesn't mean that you can resist arrest. you're allowed to
run, until they grab you I think....)

Can you blame the thieves that broke into a house for wearing gloves,
and destroying (possible) evidence?

Roger

--

Rogier Wolff

May 27, 1993, 8:43:08 AM
Haakon Styri (st...@hal.nta.no) wrote:

: Well, I'll say Yes. These people have no right to attack my locks


: in the first place. When they do they increase my expenses. If I
: didn't want a refund of those expenses I'd practically agree that
: they have a right to play at my cost. That doesn't sound right to
: me...

I want to secure my computer. I might want to put some sensitive information
on it in the future. I connect it to the internet, leave all doors as
open as can be. I start a rumor that this system is easily broken into.
(make sure that this can't be traced back to you....) I sit and wait
(taking notes of how many hours I have to wait :-) for someone to break
in. Easy enough to start tracing where things come from, and a few months
later we have two crackers in jail. Next I sue them for the cost of the
time to catch them, and the cost of securing the system afterwards.

Now I have a secure system, and what's more I've gotten someone else
to pay for the cost of securing it. Excellent situation :-).

The breaking into houses analogy works too! You should try it once! :-)


Roger.

Rogier Wolff

May 27, 1993, 8:20:40 AM
Edward Kroeze (kro...@cs.utwente.nl) wrote:

: In article 25...@donau.et.tudelft.nl, wo...@liberator.et.tudelft.nl (Rogier Wolff) writes:
: >In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
: ^^^^^^

: So the hacker/cracker impersonated someone else!! He was not 'bin' on the
: first machine, but he tried (and succeeded) to decieve the second machine in
: believing he was 'bin' and had accessrights.
: So I think he can be he prosecuted (?sp) for this impersonating.

Now I have this roommate, with whom I cooperate. Every now and then I
issue the command "rlogin tardis -l sietze". Ok. He won't sue me for it.
Am I illegally impersonating him? Just the fact that I log in to an
account that doesn't have my name, or isn't character for character
identical to the one that I work in right now, doesn't mean that I am
doing something illegal.

Ok. I won't say that they hacked the machine completely by accident.
But it is not quite trivial to make it stick legally....


Roger.

--

Leendert van Doorn

May 27, 1993, 10:10:23 AM
jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:

# leen...@cs.vu.nl (Leendert van Doorn) writes:
#
# >Also program binaries were changed, this hardly qualifies as "nothing
# >has changed after all". As I said, it remains to be seen whether this
# >interesting interpretation is sufficient to convict the hackers.
#
# As far as I know (but I can be corrected), they ADDED a fake su. I don't know
# wether they changed something at the original one. But anyway, this are not
# "documents" in the juridical sense of the word.

They also modified the ftp client and daemon, placed "+ +" in .rhosts files;
there is a CERT announcement when you want to know exactly what they did.

Now I come to think of it, you are right that a program should be readable
in order to call it a document. However, the Dutch law allows for a
transformation to take place to make a document readable. In the case of a program
binary a disassembler is the proper transformation to make it readable.
Of course one may argue whether assembly code is readable (it is for many
people though). In any event it is an interesting case.
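
Bellovin's question above ("Which files were changed?") and the list in this post (a fake su, a modified ftp client and daemon, "+ +" in .rhosts, purged log files) describe what a post-intrusion check has to find. The script below is an added example written for this thread; it is not code from the thread, from the VU, or from CERT. It compares a directory tree against a manifest of SHA-256 hashes taken before the incident, lists set-uid files that were not in that baseline, and flags wildcard trust entries in .rhosts and hosts.equiv. The directory layout, file names and file contents are constructed for the demo; `make_sandbox` first builds a clean state, takes the baseline, then stages the kinds of changes the thread describes.

```python
"""Post-intrusion host check: which files were changed?

Added example, not code from the thread. Three checks against a sandbox
whose paths and contents are constructed for the demo:
  1. diff the tree against a baseline hash manifest taken before the incident,
  2. list set-uid/set-gid files, and those not present in the baseline,
  3. flag '+' wildcard fields in .rhosts / hosts.equiv ('+ +' trusts everyone).
"""
import hashlib
import os
import shutil
import stat
import tempfile

SETUID_BITS = stat.S_ISUID | stat.S_ISGID
TRUST_FILES = (".rhosts", "hosts.equiv")


def sha256_of(path):
    """SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative path, lstat result) for every regular, non-symlink file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):
                yield os.path.relpath(full, root), st


def build_manifest(root):
    """relative path -> sha256. Take this BEFORE the incident and keep it off-host."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel, _ in walk_files(root)}


def diff_manifest(baseline, current):
    """Return (modified, added, removed), each a sorted list of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def find_setuid(root):
    """All set-uid / set-gid regular files under root."""
    return sorted(rel for rel, st in walk_files(root) if st.st_mode & SETUID_BITS)


def find_trust_wildcards(root):
    """(file, line number, line) for .rhosts/hosts.equiv lines containing a '+' field."""
    hits = []
    for rel, _ in walk_files(root):
        if os.path.basename(rel) not in TRUST_FILES:
            continue
        with open(os.path.join(root, rel), errors="replace") as f:
            for lineno, line in enumerate(f, 1):
                if "+" in line.split():          # '+' as host or user field
                    hits.append((rel, lineno, line.rstrip("\n")))
    return hits


def run_check(root, baseline):
    """Combine the three checks into one report dict."""
    modified, added, removed = diff_manifest(baseline, build_manifest(root))
    setuid = find_setuid(root)
    return {
        "modified": modified,
        "added": added,
        "removed": removed,
        "setuid": setuid,
        "setuid_new": [p for p in setuid if p not in baseline],  # not there before
        "trust_wildcards": find_trust_wildcards(root),
    }


def make_sandbox():
    """Constructed tree: clean state, baseline, then a simulated intrusion."""
    root = tempfile.mkdtemp(prefix="hostcheck-")

    def put(rel, data, mode=0o644):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, mode)  # chmod after writing so the set-uid bit survives

    put("bin/su", b"constructed real su\n", 0o4755)       # legitimately set-uid
    put("bin/ftp", b"constructed real ftp\n", 0o755)
    put("home/alice/.rhosts", b"tardis alice\n")
    put("var/adm/wtmp", b"login alice\n")
    baseline = build_manifest(root)                        # taken before the incident

    put("bin/ftp", b"constructed trojaned ftp\n", 0o755)  # binary replaced
    put("home/alice/.rhosts", b"tardis alice\n+ +\n")     # trusts everyone everywhere
    put("tmp/.x", b"constructed set-uid file\n", 0o4755)  # new set-uid file
    os.remove(os.path.join(root, "var/adm/wtmp"))         # log purged
    return root, baseline


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root, baseline = make_sandbox()
    for key, value in run_check(root, baseline).items():
        print(f"{key:16s} {value}")
    cleanup(root)
```

The baseline has to exist before the incident and live somewhere the intruder could not reach; without it the script can still list set-uid files and trust wildcards, but the "which files were changed" question has no answer, which is exactly the uncertainty behind the verification costs argued over in this thread.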

Davin K Hong

May 27, 1993, 10:39:36 AM
From what I understand about the law, if you're suing to recover damages,
your damages are limited to the monetary equivalent of your loss. For
example, if someone totals your three year old car, you don't recover the
original amount you paid for the car. Instead, you get the fair market
value - what it would cost to replace the car in its previous condition.
Similarly, the damages incurred by a cracker break-in should be limited to
what it costs to return the system to its original condition, not a "better"
condition.

Just my two cents - if there's any attorneys out there, tell me if I'm
right or wrong about this.

Davin Hong
dav...@jhunix.hcf.jhu.edu

Lori Ann Ludick

May 27, 1993, 9:16:59 AM
In article <HDEVAREC-2...@mac.ec-building.uh.edu>, HDEV...@Admin.UH.edu (Rafe Colburn) writes:
|>
|> I wrote:
|> > >systems as well. It was the admin's mistake to not have proper security in
|> > >the first place, and the cracker should not have to pay for it.
|> > >
|>
|> J. C. Higgins wrote:
|> > BULLSHIT !!!! (pardon my french !)
|> > If every administrator had to spend every waking minute (and those sleeping)
|> > patching the holes in Un*x systems. Then the users will be complaining about
|> > the lack of time spent on *their* important pressing problems.
|> >
|> > The Admin can never win. If you enter a shop and break something on the shelf,
|> > then shouldn't you pay for it ? Why should the shop lose out because of your
|> > stupidity / malicious intent ?
|> >
|> > Excuse the tone, but I cannot abide people who believe that crackers shouldn't
|> > be held responsible for their actions. If that responsibility extends to paying
|> > reparations for damage, then so be it...
|>
|> Obviously, you misunderstood the point which I was making. The cracker is
|> responsible for the damage he causes to the systems which he enters.
|> Anyone
|> who says otherwise is foolish. However, the costs of SECURING a system
|> so that other crackers cannot enter it should be the responsibility of
|> the owners/administrators of the system.
|>

If someone exploits a hole in your system I believe that this person
should pay for fixing that hole under certain circumstances.
If a user breaks into your system and exploits a small hole that normally
would not have been found, how do you know who else knows about it. How
do you know this person did not tell the world. I usually do not care for
analogies because people try and nit pick it to death, but a way to
explain what I mean is if a safe cracker gets into your place and cracks
your safe and only takes a few things then goes and tells others what your
combination is so others can come in and take some things this safe
cracker should have to pay for new security.
Please do not nit pick the analogy if it isn't just right, I would rather
see a discussion of the point I am trying to make concerning computer
crackers.


|> Any data destroyed, the costs of restoring from backups, the cost of
|> getting data that was not backed up, the opportunity costs of losing the
|> data, the hours of work lost because the system is fouled up, and the
|> like are all the responsibility of the cracker who had nothing better
|> to do than mess with your system. But the costs of actually providing
|> good security for the system once he has proven that yours sucks should
|> not be tagged onto the bill, that security should be there in the first
|> place. Besides, if you report the break in, the writer of the operating
|> system will write a patch that fixes the hole anyway. Too many admins
|> are too embarrassed to report when their system is compromised.
|>


Are you an admin?
How many users on the system, open to the internet?
How much computer security training do you have?
Would you want an admin to always announce when the system has been
compromised?
How secure should a system be?
I hear a lot of people complaining about security and admins, but
I do not know from what side of the fence you are arguing,
uninformed, informed, novice, intermediate, advanced user, sysop,
sys admin, or other...

Thomas A Peterson

May 27, 1993, 1:47:30 PM
Here are some locations that have documents describing the Internet worm.

aristotle$ archie IWorm
19881210000000Z 114673 huon.itd.adelaide.edu.au /pub/security/purdue/security/IWorm.PS.Z
19911127000000Z 74365 huon.itd.adelaide.edu.au /pub/security/purdue/security/IWorm2.PS.Z
19921110000000Z 114673 sunb.ocs.mq.edu.au /Documents/Security/IWorm.PS.Z
19921110000000Z 74365 sunb.ocs.mq.edu.au /Documents/Security/IWorm2.PS.Z
19930408102000Z 74365 rzsun2.informatik.uni-hamburg.de /pub/security/worm/internet/IWorm2.ps.Z
19881210000000Z 114673 arthur.cs.purdue.edu /pub/spaf/security/IWorm.PS.Z
19911127000000Z 74365 arthur.cs.purdue.edu /pub/spaf/security/IWorm2.PS.Z
aristotle$

peter da silva

May 27, 1993, 10:18:08 AM
In article <40...@nlsun1.oracle.nl> rga...@nl.oracle.com (Robert Gasch) writes:
> If someone breaks into your house are you going to charge him to
> buy a sturdy door&lock? Is he reponsible for the weakness in your
> 'defense'? I would say No.

What weakness?

If someone wants to break into your house, you can't stop them. If they can
try and break into houses all day without any chance of reprisal until they
actually succeed, nobody will be safe. That's why simple trespass is illegal,
and you can be prosecuted for it, even if nothing is damaged.

On the other hand *most* cases of simple trespass get off with a warning,
and are never charged. Not all illegal activity justifies ruining someone's
life. If a company finds a couple of kids in their warehouse they may not
even charge them, and will certainly not assume they went around making
copies of all the keys they could find... nor would the cops confiscate
the kids' bicycles. Adults, now, especially adults with a history of breakins,
would be treated differently... but I believe most phreaks, like most pirates,
are kids.

The problem here is that most everyone has settled into two radically opposed
camps, and the truth is somewhere in the middle. Cracking computers and
pirating software are illegal, and unethical, and can't be justified on the
grounds of poverty or curiosity... but they're also mostly petty crimes, on
the order of joyriding or simple trespass. There are, I must admit, exceptions
but they're few and far between *on both sides*.

This opinion isn't popular, and it isn't necessarily shared by NMTI, and I
do my best to make sure the whole question stays strictly of academic interest
here... but I believe it's the one most reasonable people would reach if they
took a step back and looked at the facts of the matter.
--
Peter da Silva `-_-'
Network Management Technology Incorporated 'U`
12808 West Airport Blvd. Sugar Land, TX 77478 USA
+1 713 274 5180 "Na sema Jambo mbwa kali yake leo?"

Ove Hansen

May 27, 1993, 2:02:10 PM
In article <40...@nlsun1.oracle.nl> rga...@nl.oracle.com (Robert Gasch) writes:
[...stuff deleted...]
+ If someone breaks into your house are you going to charge him to
+ buy a sturdy door&lock? Is he reponsible for the weakness in your
+ 'defense'? I would say No.

Well, he should be charged for every penny I have to spend to have my doorlock
checked for damage, for new locks even if there is reason to believe he has
found my keys (easily copied aren't they?), and for all my costs in making
sure my house is as it was before he broke in. Even if he didn't physically
damage anything! *OF COURSE* he bloody well isn't *responsible* for me only
having one lock on the back door of my house - but that still does not give
him any right to break in! If he does - well, my time is money, police time
is money, checking my locks and alarm costs money... you seriously don't
expect *me* to want to pay for his fun? &%$#@&#$ [CENSORED]

Kyle Jones

May 27, 1993, 4:11:22 PM
Ove Hansen writes:
> Well, he should be charged for every penny I have to spend to
> have my doorlock checked for damage, for new locks even if
> there is reason to believe he has found my keys (easily copied
> aren't they?), and for all my costs in making sure my house is
> as it was before he broke in. Even if he didn't physically
> damage anything! *OF COURSE* he bloody well isn't
> *responsible* for me only having one lock on the back door of
> my house - but that still does not give him any right to break
> in! If he does - well, my time is money, police time is money,
> checking my locks and alarm costs money... you seriously
> don't expect *me* to want to pay for his fun? &%$#@&#$

The question is just how much of your paranoia you are allowed to bill
to the intruder?

B.M. Buck

May 27, 1993, 7:13:26 PM
In article <1u2vn3...@cronkite.cisco.com> oha...@europe.cisco.com (Ove Hansen) writes:
>In article <40...@nlsun1.oracle.nl> rga...@nl.oracle.com (Robert Gasch) writes:
>[...stuff deleted...]
>+ If someone breaks into your house are you going to charge him to
>+ buy a sturdy door&lock? Is he reponsible for the weakness in your
>+ 'defense'? I would say No.
>
>Well, he should be charged for every penny I have to spend to have my doorlock
>checked for damage, for new locks even if there is reason to believe he has
>found my keys (easily copied aren't they?), and for all my costs in making
>sure my house is as it was before he broke in. Even if he didn't physically
>damage anything! *OF COURSE* he bloody well isn't *responsible* for me only
>having one lock on the back door of my house - but that still does not give
>him any right to break in! If he does - well, my time is money, police time
>is money, checking my locks and alarm costs money... you seriously don't
>expect *me* to want to pay for his fun? &%$#@&#$ [CENSORED]
>
Should he be expected to pay for a lock for the kitchen window when
there wasn't one on it before he went through it?

Should he be expected to buy you a more secure garage door after he got into
your house exploiting a security problem with your garage door, and then
entering via your (accidentally) unlocked back door?

>--
>---------------------------------------------------------------------------
>Ove Hansen, Cisco Systems Europe | Mail: oha...@cisco.com
>16, avenue du Quebec, Z.A. de Courtaboeuf | Tel: +33 1 60 92 20 00
>91961 Les Ulis cedex, France | Fax: +33 1 69 28 83 26


--
-----
Buddha Buck bmb...@ultb.isc.rit.edu
(insert-file ".disclaimer")
"I'm not an actor, but I play one on TV."

David L. Cathey

May 27, 1993, 4:04:25 AM
In article <1tu0sp$q...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta) writes:
> You're straying from my original question. I was wondering why the
> internet worm is often quoted as doing $100,000 of damage, while in
> the case of two ppl breaking into a desktop sparc system management
> could claim $50,000 in damages caused by lost time. Yet these figures
> are never questioned. A lot of ppl thought I meant to say there was
> no damage, instead I think in the internet worm case there was much
> more indirect damage , while in the other case costs were exaggerated.

This seems to be common. In Bruce Sterling's "The Hacker Crackdown",
AT&T used some bogus figure of $73,000 dollars for "theft" of the 911 document
published in Phrack.

The figure was derived by taking the cost of all the people
involved + the entire cost of the VAX it was written on + ... Yet at no time
was the document, hardware, or people missing. Added to the fact that through
another portion of AT&T, you could buy hundreds of related documents for about
$15 each.

Every time I hear some outlandish figure for "damages", I really have
a hard time taking it with any seriousness... There may be damage, but it's
ridiculous to claim $150,000 in damages to your home for a broken window...

> Rob
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
David L. Cathey |INET: dav...@montagar.com
Montagar Software Concepts |UUCP: ...!montagar!davidc
P. O. Box 260772, Plano TX 75026-0772 |Fone: (214)-618-2117

Timothy Newsham

May 27, 1993, 11:56:02 PM
In article <1993May27....@cs.utwente.nl> kro...@cs.utwente.nl writes:
>In article 25...@donau.et.tudelft.nl, wo...@liberator.et.tudelft.nl (Rogier Wolff) writes:
>>In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
> ^^^^^^
>
>So the hacker/cracker impersonated someone else!! He was not 'bin' on the
>first machine, but he tried (and succeeded) to deceive the second machine into
>believing he was 'bin' and had access rights.
>So I think he can be prosecuted for this impersonating.

Wrong. rlogin still passes on your real name and the username
you wish to login as. It's hard to be "impersonating someone" when
you explicitly tell that person (machine) who you are.

Szymon Sokol

May 28, 1993, 3:06:23 PM
Haakon Styri (st...@hal.nta.no) wrote:

Point for you, Haakon! I do not like crackers playing at my cost, either.
OTOH: why do they increase your (or anybody else's) expenses? If you mean
"because we have to repair damage", you are right. If you mean "because we
have to improve our security", you are wrong. A particular cracker who breaks
into your system does not decrease your security, it has already been bad.
Your system was endangered by the very existence of crackers. So, if you
charge a particular cracker with costs of *improving* your security, it is
not just - those costs should be paid by all crackers of the world, who are
a *potential* threat to insecure systems. Have you any idea how to make them
pay ??? ;-)
Seriously: it is really astonishing how many sysadmins think: "It won't happen
to my machine", and they take basic precautions only after the first break-in
(or even not then...). If I hear that my neighbour's house has been robbed
I do not sigh "Uff, I was lucky - that was not me this time", I rather think
"Next time it could be me", and if I do not have a good doorlock, I buy one.
People who do otherwise are short-sighted or do not have anything valuable
to protect (and therefore have no reason to complain if their security is
compromised). I do not think that crackers are that creative, it is rather
that many sysadmins are too stupid (or too busy, or too lazy, or unaware of
possible threats, etc. - the net result is the same).
--
U U M M M M Szymon Sokol -- Network Manager
U U MM MM MM MM University of Mining and Metallurgy, Computer Center
U U M M M M M M M M ave. Mickiewicza 30, 30-059 Krakow, POLAND
UUUUU M M M M M M TEL. +48 12 338100 EXT. 2885 FAX +48 12 338907

Ove Hansen

May 28, 1993, 2:33:55 PM
In article <1993May27.2...@ultb.isc.rit.edu> bmb...@ultb.isc.rit.edu (B.M. Buck) writes:
*In article <1u2vn3...@cronkite.cisco.com> oha...@europe.cisco.com (Ove Hansen) writes:
* >In article <40...@nlsun1.oracle.nl> rga...@nl.oracle.com (Robert Gasch) writes:
* >*{...stuff deleted...]
* >* If someone breaks into your house are you going to charge him to
* >* buy a sturdy door&lock? Is he responsible for the weakness in your
* >* 'defense'? I would say No.
* >
* >Well, he should be charged for every penny I have to spend to have my
* >doorlock checked for damage [...more of my rants and raves deleted... ] you
* >seriously don't expect *me* to want to pay for his fun?
*
* Should he be expected to pay for a lock for the kitchen window when
* there wasn't one on it before he went through it?

Of course not! (never even hinted that did I?!?)

* Should he be expected to buy you a securer garage door after he got into
* your house exploiting a security problem with your garage door, and then
* entering via your (accidentally) unlocked back door?

Of course not! If you'd cared to read my posting properly you'd have
understood what I meant: If he enters - by any means - my property, I
should be able to expect him to pay for (1) any damage he causes and
(2) any checks necessary to find out whether he's damaged or stolen
anything. My weak locks are *my* responsibility, but they give nobody
the *right* to enter without my permission. Or do *you* think so...?

(anyone got a more interesting analogy than the house with weak locks...?)

Furthermore, replying to the same rants from me:

In article 930527201...@wendy-fate.UU.NET> ky...@uunet.uu.net (Kyle Jones) writes:
[... all of my own rants and raves deleted...]
* The question is just how much of your paranoia you are allowed to bill
* to the intruder?

All of it, I hope! :-)

Sad isn't it? Because one has strong feelings about people cracking into
computers, possibly causing damage or stealing confidential information
one is "paranoid". Personally there are a million other things I'd like
to do than waste time tightening up security on my systems and making them
less easy to use for real work and sharing information. If I didn't, well,
I wouldn't have to worry about my weak locks anymore as I'd probably find
myself without a job quite soon, sleeping under a bridge...

Honestly, this is getting boring - Logoff from me...<K>

Michael J. Eager

May 29, 1993, 1:39:03 PM
In article 17...@alpha.montagar.com, dav...@alpha.montagar.com (David L. Cathey) writes:
>In article <1tu0sp$q...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta) writes:
>> You're straying from my original question. I was wondering why the
>> internet worm is often quoted as doing $100,000 of damage, while in
>> the case of two ppl breaking into a desktop sparc system management
>> could claim $50,000 in damages caused by lost time. Yet these figures
>> are never questioned. A lot of ppl thought I meant to say there was
>> no damage, instead I think in the internet worm case there was much
>> more indirect damage , while in the other case costs were exaggerated.
>
> This seems to be common. In Bruce Sterling's "The Hacker Crackdown",
>AT&T used some bogus figure of $73,000 dollars for "theft" of the 911 document
>published in Phrack.

It wasn't AT&T. It was one of the RBOC's, Southern Bell if I remember correctly.

> The figure was derived by taking the cost of all the people
>involved + the entire cost of the VAX it was written on + ... Yet at no time
>was the document, hardware, or people missing. Added to the fact that through
>another portion of AT&T, you could buy hundreds of related documents for about
>$15 each.

Not accurate, but never mind.

The claim of the value of the document was not based on the cost of the equipment,
but on the perceived value of the information. Exactly how they determined that
I'm not sure. I do not believe that the lawyers in the case were aware that
the document had been published. The value of proprietary information is
significantly different from the cost of either creating or reproducing the
information. (If you don't believe this is true, ask yourself what the cost
is of stamping a number on a credit card. Then ask what the value of the
number is. If you get the same value, I'll be happy to send you a quarter
for your credit card number.)


> Every time I hear some outlandish figure for "damages", I really have
>a hard time taking it with any seriousness... There may be damage, but it's
>ridiculous to claim $150,000 in damages to your home for a broken window...

I hate to rain on somebody's hyperbole, but I do not find that the claims of
$100-150K for the damage done by the internet worm are extreme. The worm
closed down operation of computer systems at hundreds of sites around the
country. A large number of people, many acting independently, spent many hours
identifying the worm, finding how it traveled from system to system, and then
devising ways of stopping it.

Let's do a rough calculation just to see if the estimate of damages is in the
right ballpark: assume that there were 200 computer sites which were shut down
for an average of 2 days. Let's assume that each of these sites served 20
people each, and that they were not able to do any significant work for these
two days. This is 4000 days of work lost. University users work for cheap,
industry is much more expensive; let's assume that the value of each day's work
is $50. My rough calculation says that perhaps $200K of work was lost. To me an
estimate of $100K is not unreasonable.


---
Michael J. Eager Michae...@eagercon.com
Eager Consulting (415) 325-8077
1960 Park Boulevard, Palo Alto, CA 94306-1141

Rob J. Nauta

May 29, 1993, 4:49:20 PM
leen...@cs.vu.nl (Leendert van Doorn) writes:

|wo...@liberator.et.tudelft.nl (Rogier Wolff) writes:

|# Nope, leaving doors open doesn't directly make it legal to walk in or steal.
|# In the computer case, many laws (from different countries) say that a
|# password prompt is enough to tell you that it isn't a public access system.
|#
|# In the Amsterdam case, "rlogin [machine] -l bin" didn't ask for a password.
|# This makes it a public system, according to many laws. (or "not equipped
|# with at least minimal security that can be expected in such a case")

Not really true, you could rlogin when you are bin. If you rlogin from
another machine as another user and you use '-l bin' it won't work.
But from bin to bin would work (the infamous '+' in /etc/hosts.equiv)

|In the "Amsterdam case" the problem wasn't so much that the hackers broke into
|the systems (at that time that was not illegal by Dutch law), but the fact that
|they changed program binaries and purged log files. Since the result of a
|previous court case is that a file equals a document, their action is fraud and
|that is illegal by almost any law. However, it remains to be seen whether
|this interpretation is sufficient to convict the hackers.

You seem to be misinformed. Purging log files never happened. Besides,
prof. Francken says that a wtmp file is a 'mechanische registratie'
and thus not considered a document. Thus forgery is not appropriate.

| Leendert

Rob
--
/-----------------------------------------------\ Never ,==.
| Rob J. Nauta, UNIX computer security expert. | Apologize, /@ |
| r...@wzv.win.tue.nl, Phone: +31-40-837549 | Never /_ <
| r...@hacktic.nl -- Email me for UNIX advice | Explain. =" `g'
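The rlogin/hosts.equiv behaviour argued over above (Wolff's password-less "rlogin [machine] -l bin", Newsham's reply, and Nauta's point that the lone '+' only lets same-named accounts in) as an added Python model, not code posted by anyone in the thread: it evaluates a hosts.equiv file the way ruserok() does and audits a constructed file for over-broad entries such as that '+'. Netgroup resolution is assumed away, and the sample file is made up.

```python
"""Model of /etc/hosts.equiv trust for rlogin/rsh, plus an audit of over-broad entries.

Added example for this thread, not code from any poster. It follows the classic
ruserok() rules as I understand them: a line is '[+|-]host [[+|-]user]'; '+' in a
field matches anything; a line with no user field only lets the *same-named*
remote user in; a line with a user field lets that remote user (or anyone, for
'+') log in as ANY local account except root; a matching '-' entry denies outright;
root is never trusted via hosts.equiv. Netgroups ('@name') are not resolved here
(assumption of this model). The sample file below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    lineno: int
    host: str             # '+', 'host', '-host' or '@netgroup'
    user: Optional[str]   # None, '+', 'user', '-user' or '@netgroup'


def parse_hosts_equiv(text: str) -> List[Entry]:
    """Split hosts.equiv text into entries, skipping blanks and '#' comments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        entries.append(Entry(n, fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def _match(pattern: str, value: str) -> Optional[bool]:
    """True: positive match, False: explicit '-' deny, None: no match."""
    if pattern == "+":
        return True
    if pattern.startswith(("@", "-@")):
        return None  # netgroup membership is not looked up in this model
    if pattern.startswith("-"):
        return False if pattern[1:] == value else None
    return True if pattern == value else None


def would_trust(entries: List[Entry], remote_host: str,
                remote_user: str, local_user: str) -> bool:
    """Would rlogin/rsh skip the password for remote_user@remote_host -> local_user?"""
    if local_user == "root":
        return False  # hosts.equiv never vouches for root (only root's ~/.rhosts can)
    for e in entries:
        h = _match(e.host, remote_host)
        if h is None:
            continue
        if h is False:
            return False  # an explicit '-host' ends the search
        if e.user is None:
            if remote_user == local_user:
                return True
            continue
        u = _match(e.user, remote_user)
        if u is False:
            return False
        if u is True:
            return True
    return False


def audit(entries: List[Entry]) -> List[str]:
    """Flag entries that hand out password-less access more widely than intended."""
    findings = []
    for e in entries:
        tag = f"line {e.lineno} ({e.host}{' ' + e.user if e.user else ''}): "
        if e.host == "+" and e.user == "+":
            findings.append(tag + "CRITICAL anyone on any host may log in as any non-root user")
        elif e.host == "+":
            findings.append(tag + "CRITICAL every host is trusted; same-named accounts "
                            "(bin, daemon, ...) need no password")
        elif e.user == "+":
            findings.append(tag + "HIGH any user on this host may log in as any non-root user")
        elif e.user and not e.user.startswith(("-", "@")):
            findings.append(tag + "HIGH this remote user may log in as any non-root user")
        elif e.host.startswith("@") or (e.user or "").startswith("@"):
            findings.append(tag + "REVIEW trust depends on a netgroup; check its membership")
    return findings


# Constructed sample file (not from any real system). Order matters: ruserok()
# stops at the first matching line, so the deny must precede the wildcard.
SAMPLE_HOSTS_EQUIV = """\
-badhost.example        # explicit deny
+                       # the infamous lone '+': every host is trusted
workstation1.example
workstation2.example alice
@lab
"""


def demo() -> List[str]:
    """Parse the sample, show the two rlogin cases from the thread, return findings."""
    entries = parse_hosts_equiv(SAMPLE_HOSTS_EQUIV)
    print("bin -> bin:", would_trust(entries, "desktop.example", "bin", "bin"))   # True
    print("rob -> bin:", would_trust(entries, "desktop.example", "rob", "bin"))   # False
    return audit(entries)
```

Running demo() shows why "bin to bin would work" while "-l bin" from a differently named account does not, and lists the entries an administrator should tighten.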

Paul Ducklin

May 30, 1993, 3:57:01 AM
Thus spake pe...@nmti.com (peter da silva):

>If someone wants to break into your house, you can't stop them. If they can
>try and break into houses all day without any chance of reprisal until they
>actually succeed, nobody will be safe. That's why simple trespass is illegal,
>and you can be prosecuted for it, even if nothing is damaged.

If I'm not wrong, this is one of those "it's true in the US; must be true
everywhere in the world" statements. Under British law, I seem to recall,
trespass is not a *criminal* offence; the same is true in South Africa, too.
You can take civil action against a person for trespass -- whence the
prevalence of signs "Trespassers Will be Prosecuted [ie: by the owner]".
If trespass were a criminal offence, such signs would be redundant -- it
would be the State [or Her Majesty the Queeg] who'd be doing the prosecution.

>On the other hand *most* cases of simple trespass get off with a warning,
>and are never charged. Not all illegal activity justifies ruining someone's
>life. If a company finds a couple of kids in their warehouse they may not
>even charge them,

Depends how they got in. Assuming the warehouse was locked, and that the way
in was non-trivial [eg: not just walking through an open door], then they'd
be nabbed by the cops [in ZA, at any rate] for "Breaking and Entering", which
is a criminal offence. They wouldn't have to steal anything to be breaking the
law.

Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin du...@nuustak.csir.co.za /
/ CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Richard Gooch

May 30, 1993, 1:13:01 PM
In article <duck.738748010@nuustak>, du...@nuustak.csir.co.za (Paul Ducklin) writes:
> Thus spake pe...@nmti.com (peter da silva):
>
> >If someone wants to break into your house, you can't stop them. If they can
> >try and break into houses all day without any chance of reprisal until they
> >actually succeed, nobody will be safe. That's why simple trespass is illegal,
> >and you can be prosecuted for it, even if nothing is damaged.
>
> If I'm not wrong, this is one of those "it's true in the US; must be true
> everywhere in the world" statements. Under British law, I seem to recall,
> trespass is not a *criminal* offence; the same is true in South Africa, too.
> You can take civil action against a person for trespass -- whence the
> prevalence of signs "Trespassers Will be Prosecuted [ie: by the owner]".
> If trespass were a criminal offence, such signs would be redundant -- it
> would be the State [or Her Majesty the Queeg] who'd be doing the prosecution.

I believe it's the same in Australia: trespassing is a civil matter.
And seeing the number of "Trespassers will be Prosecuted" signs I've seen
in the U.S.A., I suspect that trespassing is also a civil matter there.

Regards,

Richard Gooch,
rgo...@atnf.csiro.au
-----------------------------------------------------------------------------
Want computer privacy/ security? Use PGP: public key encryption.
Don't know what it is? Ask me.
PGP Public Key available on request, or: finger rgo...@lynx.atnf.csiro.au

Mike Zeleznik

May 30, 1993, 2:50:35 PM
>> Every time I hear some outlandish figure for "damages", I really have
>>a hard time taking it with any seriousness... There may be damage, but it's
>>ridiculous to claim $150,000 in damages to your home for a broken window...

I have had the opportunity to observe, on numerous occasions, the amount of
resources that go into discovering, tracking down, contacting, and then
following up (e.g., with the legal side, or university authorities), and
cleaning up after, people who have engaged in screwing around with systems
here.

For example, with the old internet worm, it was not just being off the net
for a couple of days, but the amount of time spent by a very capable
systems staff in computer science (many of which were out at Berkeley at
the time), in tracking down and cleaning everything out (and initially just
trying to understand what was going on). Here in the computer center, even
casual password crackers can suck a great deal of time. Every bit of that
time is time we CAN NOT spend on more productive things.

If you have been involved with this kind of thing, you probably have a feel
for just what a resource sink this is (unless this is your sole
responsibility, and you have all kinds of automatic tools and such set up
to help; but even then it is a drain).

If you have not had to deal with this, then I expect you will largely
underestimate what is involved, and what I say will not mean much to you.

Mike

Michael Zeleznik Computer Center / Computer Science
University of Utah
zele...@cs.utah.edu Salt Lake City, UT 84112
(801) 585-6156

David L. Cathey

May 30, 1993, 7:37:11 AM
In article <1993May29....@eagercon.com>, ea...@eagercon.com (Michael J. Eager) writes:
> In article 17...@alpha.montagar.com, dav...@alpha.montagar.com (David L. Cathey) writes:
>> This seems to be common. In Bruce Sterling's "The Hacker Crackdown",
>>AT&T used some bogus figure of $73,000 dollars for "theft" of the 911 document
>>published in Phrack.
>
> It wasn't AT&T. It was one of the RBOC's, Southern Bell if I remember correctly.

Oops... that's right...

>> The figure was derived by taking the cost of all the people
>>involved + the entire cost of the VAX it was written on + ... Yet at no time
>>was the document, hardware, or people missing. Added to the fact that through
>>another portion of AT&T, you could buy hundreds of related documents for about
>>$15 each.
>
> Not accurate, but never mind.

Actually, read pages 258-259:

"Bureaucratic overhead alone, therefore was alleged to have cost a
whopping $17,099. ..." [i.e. the people involved]
"But this was just the beginning. There were also the hardware
expenses. Eight hundred fifty dollars for a VT220 computer monitor.
Thirty-one thousand dollars for a sophisticated VAXstation II computer. Six
thousand dollars for a computer printer. Two thousand five hundred
dollars for VMS software...."

[yes, they included the entire HARDWARE/SOFTWARE costs!]

> The claim of the value of the document was not based on the cost of the equipment,
> but on the perceived value of the information.

Wrong, as was brought out in the court case. The RBOC's were already
handing out the information at much less than $77K/document.

> Exactly how they determined that
> I'm not sure. I do not believe that the lawyers in the case were aware that
> the document had been published.

That much is true, as that is why Craig got off. The "value of the
information" was only $15 or so out of Telecom magazines, so the
information was already reasonably "free".

>> Every time I hear some outlandish figure for "damages", I really have
>>a hard time taking it with any seriousness... There may be damage, but it's
>>ridiculous to claim $150,000 in damages to your home for a broken window...
>
> I hate to rain on somebody's hyperbole, but I do not find that the claims of
> $100-150K for the damage done by the internet worm are extreme.

That one I can understand, considering the scope. I've worked in
the business world long enough to understand that a crashed computer can
cost real dollars, by employees sitting on their thumbs alone...

> Michael J. Eager Michae...@eagercon.com

Mike Zeleznik

May 30, 1993, 8:57:28 PM
In article <1993May30.1...@hellgate.utah.edu> zele...@cs.utah.edu (Mike Zeleznik) writes:
>>> Every time I hear some outlandish figure for "damages", I really have
>>>a hard time taking it with any seriousness... There may be damage, but it's
>>>ridiculous to claim $150,000 in damages to your home for a broken window...
>
>If you have not had to deal with this, then I expect you will largely
>underestimate what is involved, and what I say will not mean much to you.

I realize this sounds like an attack on the original poster.

** IT WAS NOT MEANT TO BE **

I should have said "if *one* has not had to deal with this, then..."

** I DID NOT mean this to sound directed at anyone in particular. **

Mike

J. D. McDonald

May 31, 1993, 8:38:24 AM
In article <1993May30.1...@alpha.montagar.com> somebody said

[changed to protect the obscure folks hidden behind multiple >>>>>]

>>> This seems to be common. In Bruce Sterling's "The Hacker Crackdown",
>>> AT&T used some bogus figure of $73,000 dollars for "theft" of the 911 document
>>> published in Phrack.

>> I hate to rain on somebody's hyperbole, but I do not find that the claims of
>> $100-150K for the damage done by the internet worm are extreme.
>
> That one I can understand, considering the scope.

I agree.

But how much is that, really, compared to the waste of time caused by general
time-sharing system administration crap?? We probably spend $30,000
a year on that alone, in our own "little" department (Actually, only
little compared to the University as a whole. We are a multi-ten-million
dollar operation). That's on the **waste**.

Unix machines are flaky, as Unix is a flaky OS. It is constantly being
brought down by built in bugs. As was discussed, for example, recently,
about the case of the computers (in that case, RS6000's) whose OS did not
actually allocate memory when a process asked for it, but told that process
that it actually did allocate it. Thus causing a system crash when some other
program actually used the memory it thought it had. We've seen things like
that happen, and frequently.

And, of course, Murphy's law says that it happens at 5:10 PM on Friday,
and won't get fixed till Monday, and Unix being what it is, the users who
are locked out simply **can't** do anything about it.

No, I'd say that $150,000 for the worm is so totally negligible we should
not even consider it a drop in the bucket.


That's one reason that PCs and Macs are taking over: they are much more
reliable, in the sense that they are not subject to breakdowns that cannot
be fixed because the users are prevented from fixing them. My PCs are
enormously more reliable than our Unix machines. I can count on them.
I most emphatically can't count on the Unix machines. Security has a cost,
a very very big one.

Doug McDonald

Jim McCoy

May 31, 1993, 7:21:30 PM

In article <mcdonald.11...@aries.scs.uiuc.edu>, mcdo...@aries.scs.uiuc.edu (J. D. McDonald) writes:
>
> That's one reason that PCs and Macs are taking over: they are much more
> reliable, in the sense that they are not subject to breakdowns that cannot
> be fixed because the users are prevented from fixing them. My PCs are
> enormously more reliable than our Unix machines. I can count on them.
> I most emphatically can't count on the Unix machines. Security has a cost,
> a very very big one.

Macs and PCs go down from bugs in the OS software and the subtle
interactions between these and the application programs _all the time_
(moreso for MS than Apple OS releases, but it is a frequent event). The
difference is that you just cycle the power on your micro and get back to
work. This is not a great option when there is more than one person using
a machine. If you count on any computer to be working the way you expect it
to you are deluding yourself.

Additionally, if you have been watching the computer trade at all for the
past few years you would notice how much your Macs and PCs are
incorporating parts of unix just to keep up with the rest of the world....

On the security side, PCs and other micros really suck as far as being
able to secure the machine. The only real option is physically securing
the machine; most PC protection products can be defeated quite easily and
the OS itself provides no real security. Your trust in your micro is
unwarranted by the facts...

jim
--
Jim McCoy | UT Unix Sysadmin Tiger Team
mc...@ccwf.cc.utexas.edu | #include <disclaimer.h>
pgp key available via "finger -l", on pubkey servers, or upon request

Marcus J Ranum

May 31, 1993, 9:58:56 PM
> That's one reason that PCs and Macs are taking over: they are much more
> reliable, in the sense that they are not subject to breakdowns that cannot
> be fixed because the users are prevented from fixing them. My PCs are
> enormously more reliable than our Unix machines. I can count on them.
> I most emphatically can't count on the Unix machines. Security has a cost,
> a very very big one.

Yeah, but skanking around with all the virii and whatnot that
a total protectionless environment breeds gets old fast.

Security's a pain, but I sure wish that Macs and PCs had some
vague permissions model. It would have made networking so much less
of an exercise in creativity.

A favorite recently: a large office in the DC area uses a PC
based Email system. Someone sent a mail message that they wanted to
unsend. Turns out that since the mail files were stored encrypted
(because there's no other way to protect anything, right?) the guy
had to just delete everything out of the server's mail spool area.
Ooops, there was no support at all for any notion of file ownership
or permissions.

Having an operating system with at least *some* kind of
permissions domains built in is a useful thing for anything other
than desktop automation.

mjr.

Stu Bell

May 26, 1993, 5:00:17 PM
As interesting as this discussion is, can we move it to a more appropriate newsgroup
(like alt.sources.d (??)).

alt.sources is supposed to be sources ONLY.

(or at least kill "alt.sources" out of your Newsgroups and Followup-To lines).

Thanks! And now back to your regularly scheduled source files...

-------------------------------------------------------------------------------
Stu Bell | "Why is it that when you dig yourself into a
Hewlett-Packard, Ft. Collins | hole, you insist on calling it a tunnel?"
Email: s...@fc.hp.com | Doonesbury
-------------------------------------------------------------------------------

Obligatory source:

A potential classic from... talk.bizarre

I'm sure many of you have been wondering what is meant by:

#include <stdisclaimer.h>

Well, below is stdisclaimer.h

From: Sysop of Dave's FIDO, Garner, MA

STANDARD DISCLAIMER

This product is meant for educational purposes only. Any resemblance to real
persons, living or dead is purely coincidental. Void where prohibited. Some
assembly required. List each check separately by bank number. Batteries not
included. Contents may settle during shipment. Use only as directed. No
other warranty expressed or implied. Do not use while operating a motor
vehicle or heavy equipment. Postage will be paid by addressee. Subject to CAB
approval. This is not an offer to sell securities. Apply only to affected
area. May be too intense for some viewers. Do not stamp. Use other side for
additional listings. For recreational use only. Do not disturb. All models
over 18 years of age. If condition persists, consult your physician. No
user-serviceable parts inside. Freshest if eaten before date on carton.
Subject to change without notice. Times approximate. Simulated picture. No
postage necessary if mailed in the United States. Breaking seal constitutes
acceptance of agreement. For off-road use only. As seen on TV. One size fits
all. Many suitcases look alike. Contains a substantial amount of non-tobacco
ingredients. Colors may, in time, fade. We have sent the forms which seem
right for you. Slippery when wet. For office use only. Not affiliated with
the American Red Cross. Drop in any mailbox. Edited for television. Keep
cool; process promptly. Post office will not deliver without postage. List
was current at time of printing. Return to sender, no forwarding order on
file, unable to forward. Not responsible for direct, indirect, incidental or
consequential damages resulting from any defect, error or failure to perform.
At participating locations only. Not the Beatles. Penalty for private use.
See label for sequence. Substantial penalty for early withdrawal. Do not
write below this line. Falling rock. Lost ticket pays maximum rate. Your
canceled check is your receipt. Add toner. Place stamp here. Avoid contact
with skin. Sanitized for your protection. Be sure each item is properly
endorsed. Sign here without admitting guilt. Slightly higher west of the
Mississippi. Employees and their families are not eligible. Beware of dog.
Contestants have been briefed on some questions before the show. Limited time
offer, call now to ensure prompt delivery. You must be present to win. No
passes accepted for this engagement. No purchase necessary. Processed at
location stamped in code at top of carton. Shading within a garment may occur.
Use only in a well-ventilated area. Keep away from fire or flames. Replace
with same type. Approved for veterans. Booths for two or more. Check here if
tax deductible. Some equipment shown is optional. Price does not include
taxes. No Canadian coins. Not recommended for children. Prerecorded for this
time zone. Reproduction strictly prohibited. No solicitors. No alcohol, dogs
or horses. No anchovies unless otherwise specified. Restaurant package, not
for resale. List at least two alternate dates. First pull up, then pull down.
Call toll free before digging. Driver does not carry cash. Some of the
trademarks mentioned in this product appear for identification purposes only.
Record additional transactions on back of previous stub. Unix is a registered
trademark of AT&T. Do not fold, spindle or mutilate. No transfers issued
until the bus comes to a complete stop. Package sold by weight, not volume.
Your mileage may vary.

This supersedes all previous notices.

Wouter Slegers

Jun 1, 1993, 4:17:57 AM
I don't want to heat this discussion up again, but here in the Netherlands,
the sourcecode of the Internet worm is available on the HackTic-BBSes and
systems! So don't think you can contain it, it's out there and it's easy to
get to for people who are interested in it. Anyway, I thought the
security-holes exploited by the worm should be plugged by now..

BTW: flame all you want, it's cold here!

Regards,
Wouter
--
Wouter Slegers, 1st year CS at TUE (nl), wou...@stack.urc.tue.nl.
Disclaimer: If the above sounds plausible, reread it several times!
Religion and sex are powerplays*manipulate the people for the money they pay
Selling skin, selling god* the numbers are the same on their creditcards!

Tim Nelson

May 31, 1993, 2:20:33 PM
In article <1993May29....@eagercon.com> ea...@eagercon.com writes:

:In article 17...@alpha.montagar.com, dav...@alpha.montagar.com (David L. Cathey) writes:
:>In article <1tu0sp$q...@wzv.win.tue.nl>, r...@wzv.win.tue.nl (Rob J. Nauta) writes:
:>> You're straying from my original question. I was wondering why the
:>> internet worm is often quoted as doing $100,000 of damage, while in
:>> the case of two ppl breaking into a desktop sparc system management
:>> could claim $50,000 in damages caused by lost time. Yet these figures
:>> are never questioned. A lot of ppl thought I meant to say there was
:>> no damage, instead I think in the internet worm case there was much
:>> more indirect damage , while in the other case costs were exaggerated.
:>
:> This seems to be common. In Bruce Sterling's "The Hacker Crackdown",
:>AT&T used some bogus figure of $73,000 dollars for "theft" of the 911 document
:>published in Phrack.
:
:It wasn't AT&T. It was one of the RBOC's, Southern Bell if I remember correctly.

True.

:> The figure was derived by taking the cost of all the people
:>involved + the entire cost of the VAX it was written on + ... Yet at no time
:>was the document, hardware, or people missing. Added to the fact that through
:>another portion of AT&T, you could buy hundreds of related documents for about
:>$15 each.
:
:Not accurate, but never mind.
:
:The claim of the value of the document was not based on the cost of the equipment,
:but on the perceived value of the information. Exactly how they determined that
:I'm not sure. I do not believe that the lawyers in the case were aware that
:the document had been published. The value of proprietary information is
:significantly different from the cost of either creating or reproducing the
:information. (If you don't believe this is true, ask your self what the cost
:is of stamping a number on a credit card. Then ask what the value of the
:number is. If you get the same value, I'll be happy to send you a quarter
:for your credit card number.)

Actually, in this case, the cost of the document as shown in the court
documents was taken as the cost of the workstation that it was written on,
the maintenance contract for that workstation, the cost of the laser printer,
the cost of the time spent typing in the info...

In other words, it had nothing at all to do with the real value.

The lawyers it appears (for Southern Bell) did know the documents were
available.
(for more info on this, refer to the cud archives or the appropriate newsgroup)

:> Every time I hear some outlandish figure for "damages", I really have
:>a hard time taking it with any seriousness... There may be damage, but it's
:>ridiculous to claim $150,000 in damages to your home for a broken window...
:
:I hate to rain on somebody's hyperbole, but I do not find that the claims of
:$100-150K for the damage done by the internet worm are extreme. The worm
:closed down operation of computer systems at hundreds of sites around the
:country. A large number of people, many acting independently, spent many hours
:identifying the worm, finding how it traveled from system to system, and then
:devising ways of stopping it.

In this case, I would have to partially agree. But, not all the systems were
in fact shutdown. Many stayed up at reduced work loads until the problem
was recognized, information/solution passed to connecting sites and systems
shutdown and rebooted.

The cost for doing this is similar and as unreal as a guess at the number of
non-repeating decimal places in pi. It is one of those numbers that is put
on writing off a piece of hardware or finding the hourly charge for computer
time.

So, I guess that the figure above $100k will have to be accepted.

But, since financial people were involved in making up this number, shouldn't
it be in the neighbourhood of several million dollars?
--
Tim.N...@Canada.NCR.CA
NCR Canada +1 416 819 4112

Jason O'Broin
Jun 1, 1993, 9:36:55 AM

In article <1u1ugj$6...@tuegate.tue.nl>, jo...@blade.stack.urc.tue.nl (Johan Wevers) writes:
>oha...@europe.cisco.com (Ove Hansen) writes:

>Should be shot on sight... That's even overreacted for normal thieves. We've
>left the Dark Ages far behind us, did you know? How about the NSA, etc.
>intercepting email? Should they also be shot on sight?

Erm, Yes ?

Jason
--
( 'In the presence of another world BLUE OYSTER CULT
You guess the things unguessed 'In the Presence..'
In the fullness of another world Imaginos
There is no emptiness' )

L Jean Camp
Jun 2, 1993, 4:07:29 PM

|>
|> If someone breaks into your house are you going to charge him to
|> buy a sturdy door&lock? Is he responsible for the weakness in your
|> 'defense'? I would say No.
|>
|> --> Robert
|>

If someone breaks into your house they have committed a criminal offense,
which may result in a fine. But that cost would go to the state. You are not
charging them with breaking in. The burglar is responsible for breaking and
entering no matter how simple the system. Certainly you don't believe silly
people who put the key under the welcome mat should be prohibited from
bringing breaking and entering charges, do you? Blaming the victim
is always easy, and usually wrong.

You could charge hackers separately in a civil suit. And you could sue them for
any amount you like. Bringing suit against someone for psychological harm, and
the resulting need to increase security to feel secure would certainly not be
the most unreasonable case I can remember. Of course, you can sue anybody for
anything. If you win depends on, ohhh, precedent, the mood of the judge, your
lawyer, the weather, press coverage,....

You may or may not be allowed to bring evidence of an untried civil case
before the court in a criminal case. This sounds like the problem to me. The
company produced a number and then presented it as evidence. The problem with
this has been well illustrated in multiple cases. (SLAPP - Strategic
Litigation Against Public Participation. Companies bring cases against members
of the public who object to corporate actions, usually development, in a
democratic arena. Ridiculous damages are sought.)

But the breaking and entering analogy assumes two points, neither of which I
think Robert would agree with

1) the owner of the computer is a victim, and
2) the threat of harm whenever anyone breaks into a computer is
significant.

The threat of a stranger in your house is considered so great that in some
states it is actually legal to kill the intruder (LA and NC for two),
regardless of the amount of apparent threat or security. Your door could be
unlocked and it would still be self defense. There is a big difference between
feeling that your family is threatened and feeling that your files are
threatened. (Gee honey, before she goes camping should we make a backup of
little Susie?) The issue of breaking and entering into a home is more than a
property law issue. So I think this analogy is weak, because the fundamental
difference appears to be the answer to the question: if someone breaks into a
computer, does no harm, denies no services, has there been a crime? I think,
given what I see in the difference of beliefs, a better analogy may be using a
park that has been reserved for the affluent although you are not a certified
resident.

Cheers,
Jean


Dave Ratcliffe
Jun 1, 1993, 12:36:45 PM
In article <C7nF4...@cs.vu.nl>, leen...@cs.vu.nl (Leendert van Doorn) writes:
- wo...@liberator.et.tudelft.nl (Rogier Wolff) writes:
-
- # Nope, leaving doors open doesn't directly make it legal to walk in or steal.
- # In the computer case, many laws (from different countries) say that a
- # password prompt is enough to tell you that it isn't a public access

[ deletions ]

- In the "Amsterdam case" the problem wasn't so much that the hackers broke into
- the systems (at that time that was not illegal by Dutch law), but the fact that
- they changed program binaries and purged log files. Since the result of a

This article and MANY more in the thread have been cross-posted to
alt.sources where they DO NOT BELONG!

PUHLEEEEEZE! Edit your newsgroups line to remove source only groups from
discussion threads.

Your co-operation is very much appreciated.

--
vogon1!compnect!frackit!da...@psuvax1.psu.edu | Dave Ratcliffe |
- or - ..uunet!wa3wbu!frackit!dave | Sys. <*> Admin. |
- or - dave.ra...@p777.f211.n270.z1.fidonet.org | Harrisburg, Pa. |

Jym Dyer
Jun 2, 1993, 7:53:31 PM
> I don't want to heat this discussion up again . . .

> BTW: flame all you want, it's cold here!

=o= The above was cross-posted to alt.sources. Alt.sources is
for sources, not for discussion or "flaming all you want." Many
sites auto-archive alt.sources, expecting it to contain sources.

=o= Please get and keep this discussion OUT
of alt.sources. I realize that most of you are simply following
up to discussion that was already (mis-)cross-posted. A good
rule of thumb for following up to cross-posted newsgroups is
that if you don't know what a newsgroup's purpose and policies
are, you shouldn't cross-post to it.
Thank you,
<_Jym_>

Marc Thibault
Jun 2, 1993, 11:14:35 PM
m...@tis.com (Marcus J Ranum) writes:

> Security's a pain, but I sure wish that Macs and PCs had some
> vague permissions model. It would have made networking so much less
> of an exercise in creativity.

The PC is _exactly_ as vulnerable to someone physically at the
local console as any other system. Permissions on a single
user system would be ludicrous. Do you have authentication and
matrix authorisation on your VCR? On the other hand,
networking solutions that are designed, rather than cobbled
together from available parts, require little or no creativity
to be as secure as required. Doing this correctly has become
so boring that it's no longer considered a niche for
consultants or system integrators. Anybody can do it who can
read manuals.

> A favorite recently: a large office in the DC area uses a PC
> based Email system. Someone sent a mail message that they wanted to
> unsend. Turns out that since the mail files were stored encrypted
> (because there's no other way to protect anything, right?) the guy

- wrong -


> had to just delete everything out of the server's mail spool area.
> Ooops, there was no support at all for any notion of file ownership
> or permissions.

Wrote the E-mail service themselves, did they? No mainstream
E-mail suffers this. Novell's file server, coming off the
blocks in 1985 had fine-grained authorisation. A simple-minded
E-mail system, even then, set permissions so that my mail
directory was write-only to everybody, read/write/modify/etc.
to me.

You can't lay one firm's stupidity on a whole genre of PC
software.

Cheers,
Marc

---
Marc Thibault | ma...@tanda.isis.org
Automation Architect | CIS:71441,2226
R.R.1, Oxford Mills, Ontario, Canada | NC FreeNet: aa185

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh
AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg
PG1hcmNAdGFuZGEuaXNpcy5vcmc+
=HLnv
-----END PGP PUBLIC KEY BLOCK-----
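The permissions model Marc describes above (a mail directory that anyone may deliver into but only the owner may read) maps directly onto Unix mode bits, and it is worth seeing why the "delete everything out of the spool" outcome Marcus reports follows from the absence of file ownership. The following is an added example, not code from the thread or from any mail product mentioned in it; the UIDs, the `1733` directory mode, the `0600` message mode and the delivery agent that drops messages owned by the recipient are all assumptions chosen to illustrate the point. It implements the classic Unix access check (the first matching class of owner, group or other decides; root bypasses) plus the sticky-bit rule for unlink, and then runs one sender, one recipient and one bystander against a drop-box maildir, with and without the sticky bit.

```python
"""Unix-style permission check applied to a per-user mail drop directory.

Added example for the thread, not the original poster's code. Everything
concrete here (uids, modes, the privileged delivery agent) is assumed.
"""
import stat
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits of one class (owner, group or other)


@dataclass
class Inode:
    mode: int                 # permission bits, may include stat.S_ISVTX
    uid: int                  # owner
    gid: int                  # group
    is_dir: bool = False
    children: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset


def access(node: Inode, cred: Cred, want: int) -> bool:
    """Classic Unix class selection: the first matching class (owner, then
    group, then other) decides; a permissive 'other' class never rescues a
    denying owner class. uid 0 bypasses the check."""
    if cred.uid == 0:
        return True
    if cred.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in cred.gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def can_deliver(maildir: Inode, cred: Cred) -> bool:
    """Creating a new entry needs write and search on the directory."""
    return maildir.is_dir and access(maildir, cred, W | X)


def can_list(maildir: Inode, cred: Cred) -> bool:
    """Listing names needs read on the directory."""
    return maildir.is_dir and access(maildir, cred, R)


def can_read(maildir: Inode, name: str, cred: Cred) -> bool:
    """Opening a message needs search on the directory and read on the file."""
    return access(maildir, cred, X) and access(maildir.children[name], cred, R)


def can_unlink(maildir: Inode, name: str, cred: Cred) -> bool:
    """Unlink needs write and search on the directory; with the sticky bit
    set, only the file's owner, the directory's owner or root may remove it."""
    if not access(maildir, cred, W | X):
        return False
    f = maildir.children[name]
    if maildir.mode & stat.S_ISVTX and cred.uid not in (0, f.uid, maildir.uid):
        return False
    return True


def deliver(maildir: Inode, name: str, sender: Cred, recipient_uid: int) -> None:
    """Assumed local delivery agent: runs with privilege, checks that the
    sender may deliver at all, then drops the message owned by the
    recipient with mode 0600, so the sender cannot read it back."""
    if not can_deliver(maildir, sender):
        raise PermissionError("sender may not deliver into this directory")
    maildir.children[name] = Inode(mode=0o600, uid=recipient_uid, gid=recipient_uid)


def demo() -> dict:
    alice, bob, mallory, root = 1001, 1002, 1003, 0
    creds = {u: Cred(u, frozenset({u})) for u in (alice, bob, mallory, root)}

    # Assumed layout: owner rwx, others wx only, plus sticky bit (mode 1733):
    # a drop box, not a reading room.
    sticky_dir = Inode(mode=stat.S_ISVTX | 0o733, uid=alice, gid=alice, is_dir=True)
    deliver(sticky_dir, "msg1", creds[bob], recipient_uid=alice)

    # Same layout without the sticky bit: any depositor may unlink anything.
    loose_dir = Inode(mode=0o733, uid=alice, gid=alice, is_dir=True)
    deliver(loose_dir, "msg1", creds[bob], recipient_uid=alice)

    return {
        "bob_can_deliver": can_deliver(sticky_dir, creds[bob]),
        "bob_can_list": can_list(sticky_dir, creds[bob]),
        "bob_can_read_own_msg": can_read(sticky_dir, "msg1", creds[bob]),
        "bob_can_unsend": can_unlink(sticky_dir, "msg1", creds[bob]),
        "bob_can_unsend_without_sticky": can_unlink(loose_dir, "msg1", creds[bob]),
        "mallory_can_read": can_read(sticky_dir, "msg1", creds[mallory]),
        "alice_can_read": can_read(sticky_dir, "msg1", creds[alice]),
        "alice_can_delete": can_unlink(sticky_dir, "msg1", creds[alice]),
        "root_can_delete": can_unlink(sticky_dir, "msg1", creds[root]),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:30s} {allowed}")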


richard.b.dell
Jun 6, 1993, 9:25:03 AM
In article <1993May24.0...@walter.cray.com> gol...@orac.cray.com (Goldman of Chaos) writes:
>In article <1tis6a...@jhunix.hcf.jhu.edu> dav...@jhunix.hcf.jhu.edu (Davin K Hong) writes:
>>Matthew Goldman says:
>>Get your sled back into reality Santa. Fictional amount of money? I
>>think not.
>> 1) Time to backup the current state of the system
>> 2) Backup media
>> 3) Cost to move backup media to offsite storage
>> 4) Cost to move previous backups from offsite storage
>> 5) System administrator time to reload the operating system
>> 6) System administrator time to reload user files
>> 7) System administrator time to close security problems
>> 8) Time to backup the current state of the system
>> 9) Backup media
>> 10) Cost to move backup media to offsite storage
>> 11) Cost of offsite storage
>> 12) Costs of time explaining to management what went wrong
>>
>>-------
>>
>> I agree that money is lost as system administrator must restore files
>>and the operating system, but a lot of the costs he lists are not really
>>"caused" by the crackers per se. Anything involving creating the backups
>>(i.e. 1, 2, 3, 8, 9, 10, 11) are included in the cost of normally managing
>>a system) - you should be doing, and paying for, that anyway. Furthermore,
>>the cost of closing up the security problem is not a cost caused by the
>>crackers - the problem was (apparently) there before anyone broke in.
>
>At the risk of this degenerating into a flame festival, you are wrong.
>The cost of backups is a *new* cost, the cost of keeping *all* of the
>previous backups in long term offsite storage. The cost of *new*
>backup media. The cost of the extra backups is directly caused by the
>criminals.
>
>> It just irritates me when people overly inflate costs of anything, not
>>just cracker attacks.
>
>Cracker? Let's call them what they are, criminals.
>
>Matt
>
>--
>Matthew Goldman E-mail: gol...@orac.cray.com Work: (612) 683-3061
>
> Buddy: "Why do I always have to go first?"
> Sally: "Because you're expendable."

At the risk of further fanning the flames, I see nothing here about the
costs of users not being able to access the system. Where I work, and
the systems I work on, we run 24 hrs a day 365 days a year, and most of
the users are paid an hourly wage. We are _very_ aware of how expensive
our downtime is (having enough due to our own mistakes <grin>).

If we have a power glitch, we have down time. A _REAL_ cost. If we
have a disk crash, we have down time. A _REAL_ cost. If a hacker breaks
in, and we have to be sure no damage was done, we have downtime. A
_REAL_ cost. The first two events are not (most likely) criminal. The
last one is.

The cost of any activity that occurs after an event of any kind can
be accounted for many ways. Some of the immediate costs seem to me
to be directly attributable to the event (restoration, special backup,
retrieving offsite tapes, etc). Others may correctly be called new
ongoing expenses (a new backup schedule, new offsite storage, etc)
and one may argue as to how to spread those costs out. In my opinion,
the initialization expenses (new documentation, signup fees, new media)
are directly attributable to the event, further ongoing expenses may
or may not be. But that is my opinion.

The key here seems to me to be negligence. I am no lawyer, but
I would assume that contributory negligence would figure into the
degree of penalty for an offence. _But_ different people may view
negligence completely differently. It may be considered negligent
to not wear a flak jacket in Bosnia, or Beirut, or similar circumstances
but would not be negligent to not wear one in the US. How then would
a criminal be viewed who injured someone in LA, when no harm would
have been caused if that person had worn a flak jacket? Or if someone
runs a stop sign, and hits someone not wearing a seat belt? We could
all make arguments for reduced culpability in any of these cases,
and could all have different opinions about it. That is why there are
juries.

In many cases, the guilty party in a dispute has to pay _all_ ongoing
expenses caused as a result of his actions. This is what many juries
decide. Each individual case is different. It seems to me you are arguing
over how much due diligence is required before negligence occurs. And
about whether lack of due diligence should decrease the costs attributable
to the criminal activity.

The costs are mostly real. If I have _never_ backed up my system,
have a disk crash, and lose my data, and have to reconstruct it ...
those costs are real. You may certainly think I was negligent, and if
on a jury, reduce the award given me for the event (perhaps an _evil_
hacker sneaking a virus into my system, perhaps an _innocent_ hacker
accidentally corrupting my data) but the costs are still real. Someone
has to pay them. And the determination of who that someone is, and
how much they should pay, is what the courts determine it to be. Yes,
in my example in this paragraph, backups are wise, and to me it seems
reasonable that costs due to having _no_ backups would rightly be borne
by me. But I strongly suspect (anyone know?) that the courts may
think differently .. look at how many drunk driving cases spread
out to cover the tavern in civil suits.

But criminal activity is still criminal. And real activity has real
costs. If I buy a flak jacket because newspaper stories
make me nervous, the costs certainly must be borne by me. But if I buy
one because I was shot at, even if the person shooting was intentionally
aiming to miss, and was just firing a warning shot, in my opinion those
costs _should_ be borne by the shooter. Presuming his activity was
intentional and/or illegal. If a drug company has to recall all of a
product because one item was found contaminated, and the contamination
was intentional, the contaminator should bear the costs. Even if he
says, I only painted that one red to show you the defect in your systems.
And all of this is dependent on the specific circumstances, and on the
emotions present in the court hearing the specific case. Because only
the courts decide the way the law is applied ... our opinions only
influence them.

--
Richard Dell -- personal opinions throughout -- yours are likely to vary
