Some Companies Don't Care about Web Defacement
An anonymous reader sent in an interesting link to a story that talks about companies that just don't care about defacement. The story is just a light think piece worth a glance. And hell, it's the holidays, so it's not like anything else interesting is gonna turn up to read for a few days :)
But it won't stand up as a defense (Score:1, Insightful)
So, be warned: depending on who you hack, you might get away with it, but you might not.
John
Sounds familiar... (Score:5, Interesting)
Re:Sounds familiar... (Score:3, Funny)
Re:Sounds familiar... (Score:2)
You are correct. You need to use both strategies:
Simple solution (Score:3, Funny)
Re:Simple solution (Score:2, Funny)
Re:Simple solution (Score:1)
You can't back up your house contents for next to no cost
Re:Simple solution (Score:2, Interesting)
Something like a serial cable into the "servlet server" with a non-TCP/IP listener on the serial port. At max speed 115KB serial is like a 1Mbit connection. The web servers won't have IP access to the content server, and can't be defaced. Don't have to care about snort logs, tripwire -- all that happy hoo ha.
Want to run a bunch of web servers for load balancing? put an 8-port digiboard in the servlet server.
Re:Simple solution (Score:1)
Deface the cached content.
Re:Simple solution (Score:5, Insightful)
There are a couple of good reasons why this is unlikely to be a workable solution. First, this requires almost double the equipment (a two-tier minimum), and it requires the front-end servers to have some type of read-only storage, which most server appliances (like the Netra X1) don't have.
Second, keeping the systems patched and up-to-date (which will still be important) is even more of a chore, as you can't just install patch foo -- you need to install the patch on a clean system, make a bootable CD, and then go physically insert the CD and reboot the machine to install the patch. In terms of administrator time, this is completely unacceptable.
Third, it requires that you use JSP (and possibly EJB); things like PHP and Perl won't work with this kind of set-up. As nice as JSP+EJB can be for building complex and stateful web applications, it's really lousy for doing simple things like customer-feedback forms and the like.
Fourth, the applications on the second-tier server are still open to exploit, as is the OS on the external server -- it's possible to crack and root a machine even if it has a read-only root filesystem.
Fifth and finally, it completely violates the KISS principle (Keep It Simple, S*). More machines means more overhead for the admins, higher operating costs; and, most importantly, a more complex system. One of those little rules-of-thumb is that the more complex a system becomes, the more easily it will fail.
Something like a serial cable into the "servlet server" with a non-TCP/IP listener on the serial port. At max speed 115KB serial is like a 1Mbit connection. The web servers won't have IP access to the content server, and can't be defaced. Don't have to care about snort logs, tripwire -- all that happy hoo ha.
Want to run a bunch of web servers for load balancing? put an 8-port digiboard in the servlet server.
I fail to see where a 115Kb/s serial connection is equal to a 1Mb/s link; I would suggest checking the numbers again, as I'm pretty sure that the latter is about ten times as fast as the former, and requires less processor overhead -- serial connections consume much more CPU time than ethernet ones.
Snort and tripwire are very useful tools, and whether or not you have a "secure" setup, it's a good idea to run them. Snort [snort.org] is an extremely capable IDS (Intrusion Detection System), and if your uebersecure system is cracked, can provide valuable logs to find the attacker (and the original security hole). Furthermore, it's always a fun thing to watch the IIS exploit attacks pile up against your smug little Apache server...
HTH. HAND.
Re:Simple solution (Score:4, Insightful)
this requires almost double the equipment (a two-tier minimum)
you normally have 3 tiers in professional ebusiness configurations. web servers, business logic, and database servers.
patch a clean system, make a bootable CD, and insert the CD and reboot the machine. this is completely unacceptable
I think we're looking at it from two different angles. You appear to be approaching it from a datacenter admin point of view, like a Qwest rack monkey watching 1,000 servers. My approach imagines an admin with about 20 servers for one e-business/e-commerce solution. If it's one guy's job to keep maybe 8 web servers, three or four servlet engines, and four database backends running, then occasionally publishing a new CD for the web servers is not "completely unacceptable". Plus, with multiple servers, you design one clean layout, burn 8 CD's, and reboot the web servers one at a time so the site never goes down.
the second-tier server are still open to exploit
if there is no IP connectivity from the web servers to the 2nd and 3rd tier, how are you going to get there? the web server would submit an ascii url to the servlet engine, and the servlet engine would reply with the content, also over serial. the web clients won't even have access to sending url requests over the serial line. even if they crack the box, LIDS will let you specify precisely which apps/binaries can use the serial port.
it's possible to crack and root a machine even if it has a read-only root filesystem.
www.lids.org - can't get root if root isn't even root
I fail to see where a 115Kb/s serial connection is equal to a 1Mb/s link
you're right. I'm an idiot. Need more coffee. that makes the whole thing too slow for anything over 128k upstream.
One of those little rules-of-thumb is that the more complex a system becomes, the more easily it will fail.
that of course depends on how well you plan and implement.
Re:Simple solution (Score:4, Insightful)
Thank you; and double thanks for taking it well and coming up with a good rebuttal. So rare on
you normally have 3 tiers in professional ebusiness configurations. web servers, business logic, and database servers.
This is true with a JSP-based system (JSP+Web to EJB to DB), but often smaller setups are done with Perl or PHP in a two-tier system (Web+PHP/Perl to DB) that work quite well.
You are quite correct, however, in that most large installations use the three-tier model.
I think we're looking at it from two different angles. You appear to be approaching it from a datacenter admin point of view, like a Qwest rack monkey watching 1,000 servers. My approach imagines an admin with about 20 servers for one e-business/e-commerce solution. If it's one guy's job to keep maybe 8 web servers, three or four servlet engines, and four database backends running, then occasionally publishing a new CD for the web servers is not "completely unacceptable". Plus, with multiple servers, you design one clean layout, burn 8 CD's, and reboot the web servers one at a time so the site never goes down.
Speaking as a sysadmin, keeping one Unix admin around per twenty servers will get very expensive. One Unix admin can handle about fifty machines, assuming they were properly set up and documented to begin with.
Furthermore, one of the big advantages to running a Unix machine for things like this is that you don't need to physically interact with the hardware; for example, I can leave several "extra" Sun Netra X1 server appliances sitting in a rack, powered off, and if one of the production machines fails, I can remotely power the unit on, load an operating system on it (via Jumpstart, or just using dump and netcat), boot it, and configure it to take the place of the now-dead server (which I have powered off remotely). All without leaving my desk (or armchair if I'm telecommuting). I can then replace the dead server at my leisure.
Same goes for patching; I can bring a spare server online, bring the old server down to single user mode, and use the serial console to load patches and updates, all without having to drive over to the colocation facility.
if there is no IP connectivity from the web servers to the 2nd and 3rd tier, how are you going to get there? the web server would submit an ascii url to the servlet engine, and the servlet engine would reply with the content, also over serial. the web clients won't even have access to sending url requests over the serial line. even if they crack the box, LIDS will let you specify precisely which apps/binaries can use the serial port.
Point; but given that serial links aren't sufficiently fast, it's a moot point at best.
you're right. I'm an idiot. Need more coffee. that makes the whole thing too slow for anything over 128k upstream.
Happens to all of us. And I think I'll get more mud myself...
that of course depends on how well you plan and implement.
Not really; a more complex solution offers more total points of failure; even a well thought-out and well implemented solution is subject to this simple fact.
Re:Simple solution (Score:2)
Re:Simple solution (Score:2)
Why does that need JSP or EJB? What are these things doing in such a simple server that something else can't do? And why not just run the web server in a jail, virtual machine, vserver, or whatever?
Re:Simple solution (Score:2, Informative)
Palmstation (Score:3, Informative)
Re:Palmstation (Score:3, Funny)
Cost Justification (Score:3, Insightful)
What I can recommend to each SlashDot reader is to ask for your company's policy towards hacks and intrusions. It should be concise, clear, and objective. This way there will be no surprises, and the System Admins will know what to expect and not be punished for misunderstanding the policy.
Re:Cost Justification (Score:1)
Patching (Score:1)
A patch not applied is as good as no patch at all.
Re:Patching (Score:2, Informative)
Some take it too far though. (Score:5, Insightful)
Re:Some take it too far though. (Score:1, Interesting)
It's similar to drug busts. You read about the cops catching someone with 2 pounds of marijuana, and the papers say "Street value of 30,000", when we all know better.
Re:Some take it too far though. (Score:2)
Ha ha ha! If they would have let this kid deface their page 24/7 for a year, they would have lost 37,230,000! Probably more than their entire net worth...
Even if they were an expensive ISP, like say $100 a month. at 200 customers, they can only rake in a *maximum* of 240,000 a year... By my count, it would have taken this kid a little bit over 56 hours days to completely put them out of business...
Re:Some take it too far though. (Score:5, Informative)
(1) Obviously, there's a security breach. How widespread is it? We need to audit the network and see how severe the breach is and what hole was unpatched. I've got to put either employees or consultants onto it.
(2) We can't trust any code on our network, so the other copy of the web site on this other server may be bad, too. We'll have to check that against a known good copy, which means looking at our backups. Really, we need a known-good historical copy, too, just to be sure, so we've got to pull our off-site backups of the web site from records management vendor.
(3) One of our business clients saw the defaced web page and decided that they didn't trust us to protect their data. They will no longer do business with us. We have lost all of the income they would have provided forever.
(4) As part of our immediate security response, we had to shut down briefly. If someone had hacked our server, they might be trying to punch through to our client machines. Not a huge deal, but we had to issue a month's credit to everyone who complained about being unable to connect.
Add together 1-4, and I think you could easily come up with $17,000. Think about 2-3 net admins + 1 security consultant doing security cleanup for a week.
So does that mean when someone DoS's my workstation and I can't access apache from home for more than 15 minutes I've lost $1062.50?
No, because you are not a business concern. Note that the four hour downtime doesn't mean that all the costs were incurred in that four-hour timeframe. The ongoing security audit that becomes necessary in the event of a hacked server could have gone on for a week.
Are the figures inflated? Possibly. Did the idiot cost the business money? Certainly. Is the FBI playing hardball with the idiot who did it? Undoubtedly. You seem to be missing the point that your friend shouldn't have done it; instead, you are whining that the FBI talked mean to your friend.
Re:Some take it too far though. (Score:4, Insightful)
My ISP business website has been defaced.
(1) Obviously, there's a security breach. How widespread is it? We need to audit the network and see how severe the breach is and what hole was unpatched. I've got to put either employees or consultants onto it.
No, this is just a shifted cost. Since you DIDN'T pay to secure your network at the beginning (either through poor-quality admins or by not paying for intrusion detection tools, whatever), you are paying now. This is not a cost that you are suddenly having to pay, this is a cost that you didn't pay in the past when you should have. If a restaurant decides that they don't want to pay for a new oven, does that mean that the fire inspector "costs their business" when he says it's out of code and needs to be replaced?
All of your arguments stem from the same problem. If you are going to base things on your security and up-time (such as your policy to pay back a month's salary to those who couldn't connect), then you had better damn well make sure that you *won't be going down*. If you have a business model *based* on security then you can't *skimp* on security, it's common sense.
Re:Some take it too far though. (Score:2)
Sorry, but in this case you're wrong. I should have mentioned sooner that my ISP has excellent security policies and procedures. The original poster noted that his friend found a mistake in the permissions. You can have the best security system and policies in the world, but they are administered by people and PEOPLE MAKE MISTAKES. There's nothing you can do about it except deal with it and move on. However, when a breach does occur (and it will)*, it is a good idea to analyze what happened and see how bad the breach is. Is it merely the replacement of an HTML page, or is the page replacement merely a symptom of having been rooted?
We spent good money on our people and our systems. One of them made a mistake, and a skript kiddie took advantage of it before we discovered it (that's the joy of the internet - there are so many skript kiddies you have no margin for error; default installs last, what, four hours before they're hacked?). We spent money recovering from our mistake, and granted it was our mistake, but the fact that someone took advantage of it forced us to spend a lot more money determining exactly what happened.
Is this likely what happened in the original poster's situation? I don't know. It's entirely possible (more likely, in fact) that the situation is as you describe. My point is simply that even a small internet-based business (like an ISP) could easily have costs in the range of $10K-$20K as a direct result of a hack, even one as simple as a web-page defacement, because you don't know if that's all it is until you've paid someone to look at it really carefully.
*No system is completely hackproof. If someone says "System X has never been hacked!" I would interpret that as meaning either the system is very young, or the person talking to me is a moron who can't recognize an intrusion.
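A sketch of the known-good comparison that step (2) of the earlier cost breakdown and the question above (was only an HTML page replaced, or is that a symptom of something worse?) both depend on. This is an added example, not part of any poster's comment; the function names, directory layout and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path):
    """Hash a file in chunks so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest.

    Symlinks are recorded by target and never followed: a link that has been
    repointed is a change worth reporting, and following it could leave the tree.
    """
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                manifest[rel] = "symlink:" + os.readlink(path)
            elif path.is_file():
                manifest[rel] = _sha256(path)
    return manifest


def compare_trees(known_good_root, live_root):
    """Compare a restored known-good copy of the site with the live web root."""
    good = build_manifest(known_good_root)
    live = build_manifest(live_root)
    return {
        # Content differs from the backup: the visible defacement usually lands here.
        "modified": sorted(p for p in good.keys() & live.keys() if good[p] != live[p]),
        # Files the backup never had: uploaded scripts are the sign that the
        # incident is more than a replaced page.
        "added": sorted(live.keys() - good.keys()),
        # Files that were deleted from the live site.
        "removed": sorted(good.keys() - live.keys()),
    }


def _write(root, rel, data):
    target = Path(root) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo():
    """Build two small constructed trees and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good"
        live = Path(tmp) / "live"
        # Constructed sample content standing in for the off-site backup.
        _write(good, "index.html", b"<h1>Welcome to Example ISP</h1>\n")
        _write(good, "contact.html", b"<p>Call us.</p>\n")
        _write(good, "css/site.css", b"body { margin: 0; }\n")
        # Constructed sample content standing in for the server after the incident.
        _write(live, "index.html", b"<h1>page replaced</h1>\n")
        _write(live, "css/site.css", b"body { margin: 0; }\n")
        _write(live, "cgi-bin/status.cgi", b"#!/bin/sh\necho unexpected\n")
        return compare_trees(good, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it from a trusted machine against a restored backup and a read-only copy of the live web root. A clean result covers only the files compared and says nothing about the rest of the host.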
Re:Some take it too far though. (Score:2)
Sorry, but in this case you're wrong. I should have mentioned sooner that my ISP has excellent security policies and procedures. The original poster noted that his friend found a mistake in the permissions. You can have the best security system and policies in the world, but they are administered by people and PEOPLE MAKE MISTAKES. There's nothing you can do about it except deal with it and move on. However, when a breach does occur (and it will)*, it is a good idea to analyze what happened and see how bad the breach is. Is it merely the replacement of an HTML page, or is the page replacement merely a symptom of having been rooted?
A breach occurred because of either a lack of imagination on the part of the admins or a lack of dedication on the part of everyone. How hard is it really to put all of the system files on an un-alterable partition? It could be something like a CD, or simply cutting the black wire on the back of a hard drive and replacing that with a switch. When it's "on" you can write to the drive, and when it's off you physically can't. Sure, you need to write to some things, like log files and data stores, but when do you ever need to over-write 'ps' or 'login'? If these programs are being stored somewhere that they cannot be tampered with, then you are 90% safe already. Even with a wide-open system, you are still safe, since the only damage that can be done is to your data, which is being backed-up hourly, right? How often does a small ISP need to update customer data? You could even put that data on the unwriteable drive and only change it once every few months or whenever a customer calls in to change his billing address or whatever.
We spent good money on our people and our systems. One of them made a mistake, and a skript kiddie took advantage of it before we discovered it (that's the joy of the internet - there are so many skript kiddies you have no margin for error; default installs last, what, four hours before they're hacked?). We spent money recovering from our mistake, and granted it was our mistake, but the fact that someone took advantage of it forced us to spend a lot more money determining exactly what happened.
All well and good, but like you said in your previous post, you were basing a core component of your business on *not making mistakes*. You were paying back the customers an entire month of service if they could not connect. This policy is of your own choosing, so you have to live with it. If the power company is going to charge me for electricity, they actually have to provide electricity to me. If I order a pizza, I will *not* pay for it if it never gets delivered. If you are going to promise your customers 100% uptime, then it is your burden to deliver it. If someone gets into an accident with the pizza man's car on his way over, that guy is *not* responsible for paying for the undelivered pizza.
Is this likely what happened in the original poster's situation? I don't know. It's entirely possible (more likely, in fact) that the situation is as you describe. My point is simply that even a small internet-based business (like an ISP) could easily have costs in the range of $10K-$20K as a direct result of a hack, even one as simple as a web-page defacement, because you don't know if that's all it is until you've paid someone to look at it really carefully.
Where is this money coming from? You are already paying your admins (I hope), so why do they have to get paid again? Are you outsourcing "security consultants"? If so, then why didn't you call them in *before* you had a problem? That is what I mean by shifted costs. Since you didn't pay a security consultant to secure and test your network before you started, you are paying for it now.
*No system is completely hackproof. If someone says "System X has never been hacked!" I would interpret that as meaning either the system is very young, or the person talking to me is a moron who can't recognize an intrusion.
This is a cliche and wrong. There are many "hack-proof" systems, but you probably won't buy them in a shrink-wrapped box. They are dedicated systems that serve specific purposes and are written by people who take security into account from the ground up, not as an after-thought when the system is "finished".
Re:Some take it too far though. (Score:2, Insightful)
Erm..whose fault is that? You obviously did have poor security.
Companies complaining that a cracker made them look bad are idiots, as is anyone who listens to them. If a company can't do what it's being paid to do, it may hurt the company when it comes out, but tough shit. If Brinks trucks started getting defaced while there are supposed to be armed security guards inside, does Brinks deserve any sympathy? No, the defacers deserve a round of thanks as we all leap to using another armored car company.
I usually don't defend crackers, but saying 'they made the company look bad, and thus cost money' is the dumbest thing I've ever heard. Of course the company looks bad, it can't secure its network, which is hardly the cracker's fault!
Re:Some take it too far though. (Score:2)
Just because there's more that I could do to prevent crime from affecting me doesn't mean that I am at fault when someone else commits a criminal act that I COULD have protected against.
Yeah, well... (Score:1)
I bet these companies will start caring pretty damn quick once their web server is 0wn3d and used to DOS whitehouse.gov or something. If I'm an admin at a company with this kind of policy, I'm updating my resume as of right now, cause you know who the hammer's going to land on when the shit really hits the fan.
Re:Yeah, well... (Score:1)
Why do non-technical people always come up with the 'great' ideas for things like this
Re:Yeah, well... (Score:2)
If you work for a place like this, send your concerns up the chain of command... IN WRITING... IN HARDCOPY. Insist on hardcopy response, and keep copies of all such communications offsite, where you can get at them, but the company (in an attempt to create plausible deniability) can't.
Then, when they try to nail your ass to the wall, you can show that you wanted to fix it, but were overruled.
if they don't care, i don't care. (Score:1)
who hosted the website, how many websites defaced that were hosted that that particular company/individual and not use their services.
they will wake up really quick as to how the world turns, when they are administering a standalone dos machine in the basement.
defacement IS a problem, haven't we learned enough in the past when companies are scrambling to find out if the credit information of customers was compromised?
funny how many 'lazy' admins we have out there.
Dead On... (Score:5, Interesting)
What I am speaking of is investigating and prosecuting the criminal element involved in the act of defacement, root compromise or infection by "worms". In other words, companies tend to "fix & forget".
Actually, this is probably the stance that every serious IT department ought to take. If your website was cracked, then it's almost certainly *your* fault your server was compromised. There just aren't any rootkits out there that don't exploit known buffer-overflows or other bugs. There are a few situations when this is not the case, but it's usually still someone sitting around testing a web application (like Slashcode) for buffer overflows or back doors.
Even if you do prosecute, it's like stomping cockroaches. There will just be more, and if you hadn't left the food out on the counter to rot, they wouldn't have come to your apartment in the first place.
Finally, there's the human element to contemplate. We all did stupid stuff when we were kids, which most website vandals are. I don't know any kid who didn't trespass or vandalize property at least once during their youth. For many, it was the old junkyard or the cemetery. For these kids, it's websites. Are you really going to put them in prison for decades because they're young and stupid? You might as well ruin their lives for experimenting with drugs or sex....
Oh wait. We do that too. Nevermind.
Re:Dead On... (Score:2)
Bitch, you break into my computer, I will press charges, I don't care what patches I've neglected, nor do I care what childish prank you are playing. Just because I forgot to lock my door doesn't mean I've invited you into my house. Unauthorized access is just that, unauthorized. Once little shit 'kids' recognize that every computer connected to the Internet isn't put there for you to hack into or DOS, the world will be a much better place.
Re:Dead On... (Score:4, Insightful)
Hmmm.... No, but you're pretty stupid if you don't lock your door... or replace your locks if they're recalled.
You're not considering the relative seriousness of the crimes here. If someone breaks into your house and steals your stuff or kills your pets, then yeah, you wanna press charges. If they spraypaint or break your windows... maybe.
How about if they stomp your flowerbeds? Or rearrange your rock garden to spell out dirty words? How about if they egg your door or toilet-paper your trees?
You need to think about that, because that's the mental level that most kids who vandalize websites are working on. (Show me a person who's never done at least one of these things, and I'll show you someone who was very sheltered as a child.) They're not hurting anyone, at least in their own minds. They're doing the equivalent of dropping a big nasty stink-bomb on your front porch.
You don't put kids in prison because they're being mischievous, regardless of what John Ashcroft tells you. You tell them that what they were doing is wrong, give them incentive not to do it again, and then let them get on with life.
Unfortunately, police don't have the option of giving script kiddies a 'firm talking to', since any kind of computer crime has been labeled 'terrorism' by both our corporate oligarchy and our reactionary government.
Re:Dead On... (Score:2, Interesting)
If I paid money for those flowers, yes. Just because something has no value to you, it doesn't mean it has no value to the owner.
Or rearrange your rock garden to spell out dirty words?
You will find that people may not want to go to a store that has "Fuck off and die" spelled out on their front lawn. Lost customers == lost $$$.
How about if they egg your door or toilet-paper your trees?
I would expect them to pay for the clean up, or for them to do it themselves.
You need to think about that, because that's the mental level that most kids who vandalize websites are working on.
Like I stated above: Just because something has no value to these 'kids', that does not mean it has no value to the owner.
Get off my lawn you damn kids... (Score:3, Insightful)
That's what I'm trying to get at. The kids who do this sort of thing need to be punished... mildly. Not sent to prison where they can be ass-raped by their cellmates and/or be transfigured from a loser, messed-up kid into a hardened criminal.
Lost customers == lost $$$.
Because of people and businesses who demand monetary accountability and are not willing to write off the stupidity of those around them, mild punishments are not acceptable, by the lawyers if no one else. Dealing with the rigors of the community is simply one of the costs of doing businesses for most companies. If a vandal spraypaints obscene graffiti on a company's storefront, then that company has to pay to have it repainted that day. If they manage to catch the guy who did it, they'll press charges for the paint and labor they had to buy, not all the estimated 'lost businesses' that any given e-commerce website owner would.
In my community, if a kid commits a crime like vandalism, fighting (assault), shoplifting or loitering, and is caught, he or she is sent to 'Teen Court', and is assigned a small community service penalty to atone for his or her misdeeds. If script kiddies would get the same treatment, then they a.) wouldn't become martyrs, inspiring more script kiddies, and b.) would learn that there are better, more profitable ways to spend your time.
Re:Dead On... (Score:2)
To paraphrase you: "You are confusing your private residence with a business. There is a difference, you know."
As another poster pointed out, your analogy is weak at best.
-Legion
Seriously now... (Score:2)
People _don't_ break in to other's houses because;
1. They have some modicum of morality.
2. They respect the law or fear the police.
3. They're worried that I might be home and I would hurt them. And I would.
Re:Seriously now... (Score:2, Insightful)
And why do people continuously use the comparison of house being broken into and computers being broken into. They are different things... I compare Inet sites to stores.. they are both offering a public service.. they require more attention than a house since a house offers no public services and less security is needed. It's like running a business from your home... even then people use more security at their homes..
And finally, morality is a common sense thing and you may be a perfect moral citizen who does no wrong, but some kids growing up in weird situations have less moral convictions.. I'm not at all defending their acts nor support them, but keep an open mind. I'm all for giving them hard sentences, but strong jail time and fines might not be the correct punishment. After all, they'll just end up stealing more to pay for fines, etc..
Re:Seriously now... (Score:2)
I also like the metaphor because it emphasizes that government monitoring of private computer data (and most computer data is not actually private, I realize) without a warrant should be considered unlawful search and seizure if they violate your personal computer.
Re:Seriously now... (Score:2)
Re:Dead On... (Score:4, Interesting)
Maybe my experience was different from others', but - as a kid - I stopped experimenting with stupid things once I was caught. I kept doing bigger and more risky things until I finally got in trouble, and I realized that I wasn't the smartest guy in the world, and that rules weren't just for other people.
Nailing a kid for defacement now might mean that he doesn't need to be nailed for something much more serious later on.
Re:Dead On... (Score:2)
Unfortunately, police don't have the option of giving script kiddies a 'firm talking to', since any kind of computer crime has been labeled 'terrorism' by both our corporate oligarchy and our reactionary government.
If you bust a kid for defacing a website, he'll be lucky not to spend time in jail, along with drug-dealers, murderers, gang-bangers, and child molesters, when all that should have happened is that his computer should be taken away because he can't use it responsibly.
If you are a company who has been 'defaced', the best thing you can do is to try to identify and locate your vandal yourself, and then talk to his or her parents. If you discover that the person you're dealing with is an adult... and this will be the rare case, *then* it's time to call the police and start talking about pressing charges.
Re:Dead On... (Score:2)
Re:Dead On... (Score:2)
Maybe my experience was different from others', but - as a kid - I stopped experimenting with stupid things once I was caught. I kept doing bigger and more risky things until I finally got in trouble, and I realized that I wasn't the smartest guy in the world, and that rules weren't just for other people.
Nailing a kid for defacement now might mean that he doesn't need to be nailed for something much more serious later on.
And how did you enjoy your many years in the maximum security prison? What? Are you saying that when you got caught for *real* vandalism, you didn't go to prison for 5-50 years as a terrorist? You're kidding!?
If you want to slap a $100 fine on these kids, sure, that's what a web-site defacement is worth, but if you are going to put them in jail, even a single night in jail, then no, this is not justified.
Re:Dead On... (Score:3, Interesting)
Prosecuting is the only way to start changing the attitude that it is morally OK to do this. Only thing is that most of the time I don't believe they should be thrown into jail, but punishment needs to be doled out to the offender who broke into the website. The most appropriate, in my mind, would be fines levied against the parents, nothing like tens of thousands of dollars, but something appropriate enough to get the parents involved in their child's life, throw in some probation & community service. Those out of their parents' care should be dealt with the same way, a reasonable fine (except of course they pay it), probation & community service.
Any additional fees should be done in a civil court, a simple break-in can get very expensive, someone told me that they brought in the Wheel group at $60,000 for 3 days to make sure other systems were not compromised (can you be *sure* they didn't do anything else in your system). Civil court (in my opinion) is more apt to deal with whether or not the moneys spent was appropriate for the situation, since that is the only issue they are dealing with, and tend to look at whether or not the reparations requested are *truly* appropriate for the situation.
And this is surprising why? (Score:5, Insightful)
Lack of understanding (Score:2, Informative)
Re:Lack of understanding (Score:2)
Then again.. I've seen a lot of IT people who misunderstand their own job.. they see themselves as some ronin, as the Miyamoto Musashi of sysadmin, there to hide in the shadows and make the company work. Perhaps helping with Outlook was part of the damn job description in the first place.
A lot of times, it's the IT kid who misunderstands what he was hired to do.. or in other words, it's not up to you to tell your boss what your job is, unless he asks you to.
They might not, but I do (Score:2, Insightful)
If a company doesn't care about "graffiti" on their storefront, then how much do they care about customer privacy, esp. credit card information? How much do they care about the security of their actual network?
If I can tell, I won't order from a MS hosted e-commerce site.
Off topic: Anyone know how CCBILL was compromised? I wonder what they were running...
Re:They might not, but I do (Score:2)
A website with a Linux front end may very well be connecting to an NT 4 or even 3.51 server running Oracle or Sybase, which is where your data is stored.
NT web servers may have Solaris application and database servers running in the background.
Re:They might not, but I do (Score:2, Insightful)
This is indeed true, it is common, and is a good idea. But the problem here is you can't generally tell what the database is hosted on (and if you can tell, you probably don't want to trust that site, either).
I think the point is that the outside host, which is the only host you can check for platform generally, is going to be the first point of attack (excluding trojans), and if it is vulnerable, it gives a toehold to the potential cracker. The poster seems to believe any company which would put Windows systems out as their first line of defense is not serious about security, and a lot of people would agree, especially after hearing the ignorant rantings of Microsoft's "chief security officer," Scott Culp.
The guy routinely reflexively claims any proven exploit is impossible without having read about the exploit itself (or the details for recreation, source code, etc) and generally demonstrates a lack of knowledge of the issues affecting MS customers who actually think they might like to be reasonably secure. Contrast this with the output of people in charge of security/development for your more secure platforms/products.
It is clear MS has a don't-care attitude toward security, is not really interested in being up to speed on the research being done in the field, and essentially will only release a patch for a problem which has been around for a long time, has a published exploit, and also is on the radar of big consulting firms/Time Magazine/ Wall Street Journal. In other words, they only care about security when they are forced to by their big customers. Therefore it is reasonable to assume someone who really puts MS on the front line is not up to speed or does not care enough about the security of your data.
Re:They might not, but I do (Score:2)
I support a number of projects which have third-tier webservers running Windows that are maintained by our clients. Oftentimes because of government contracts they are still on Windows NT 4. (or even 3.51 in one case!!)
We own the middleware and database tiers, and keep a VERY tight ship. We've never had a breach in the database tier in four years, and only had one in the middle tier (which was an internal breach by an admin). The webservers are considered more dangerous than the general internet user.
Personally, I am more afraid of Unix systems being breached on the front end than windows machines. It is quite easy for an unsophisticated hacker wannabe to do real damage with a poorly secured Linux or Solaris box.
Yep, this isn't unusual at all. (Score:5, Interesting)
I've worked at one or two places where boxes have been cracked and once the initial panic settled down the word that came down from On High(tm) was to quietly pull the system, disinfect it (but not reformat/reinstall), and return it to service. "This system needs to be available for the developers, we don't have time for you to find whomever did it."
Needless to say, I wasn't real happy at the prospect of putting a questionable system back into active duty. Just because you found the /usr/lib/.../31337^k17 directory and copied back the files replaced by the rootkit does not mean that you've found every last trojan horse or old config file. I'm surprised that the more intelligent kiddies haven't started doubling up their rootkits yet - one which acts as your basic rootkit, replacing system binaries et al, and a second in an entirely different location that they leave in place for situations just like this: If the primary rootkit is removed but the system isn't reinstalled, they've still got a way back into the system and a backup toybox to get revenge with. It wouldn't take much at all.
Not to rip on Redhat exclusively, but with all the RH servers popping up these days I'm surprised that the newer rootkits aren't being passed around as .rpm files. No muss, no fuss, but the sysadmin would still notice if (s)he did a verification from the install CD-ROM.
At the end of all of it, I did what they asked me to and put the box back into service. I'm reasonably sure that I swept the system clean but you can't prove a negative, you can only state a negative to within a certain tolerance. For all I know, the backed up system binaries I'd found and put back into place were trojans as well and the originals had long since been overwritten.
But that's in the past now.
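The comment above notes that binaries "restored" from a rootkit's own backup cannot be trusted and that a verification against the install media would still notice. As an added illustration (not code from the thread), this sketch compares a suspect file tree against a known-good reference tree; the two trees, file contents and `placeholder.bin` are constructed sample data, and the directory name is the one quoted in the comment.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each regular file under root (as a '/'-separated relative path) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def odd_name(rel_path):
    """True if any path component looks built to hide from a casual `ls`:
    all dots (beyond '.' and '..'), padded with whitespace, or non-printable."""
    for part in rel_path.split("/"):
        if len(part) > 2 and set(part) == {"."}:
            return True
        if part != part.strip() or not part.isprintable():
            return True
    return False


def compare(reference_root, live_root):
    """Diff the suspect tree against the trusted reference (e.g. mounted install media)."""
    ref, live = manifest(reference_root), manifest(live_root)
    return {
        "modified": sorted(p for p in ref if p in live and ref[p] != live[p]),
        "missing": sorted(p for p in ref if p not in live),
        "extra": sorted(p for p in live if p not in ref),
        "odd_names": sorted(p for p in live if odd_name(p)),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "install-media")   # stands in for the install CD-ROM
        live = os.path.join(tmp, "suspect-root")   # stands in for the cleaned-up box
        _write(ref, "bin/ls", b"vendor ls build")
        _write(ref, "bin/ps", b"vendor ps build")
        # 'ls' was put back from the copy found in the rootkit's directory,
        # which is not the vendor build.
        _write(live, "bin/ls", b"copy restored from the rootkit's backup")
        _write(live, "bin/ps", b"vendor ps build")
        _write(live, "usr/lib/.../31337^k17/placeholder.bin", b"constructed")
        return compare(ref, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A comparison like this is only meaningful when run from trusted boot media with the suspect disk mounted read-only, since tools on a compromised system can report whatever the rootkit wants.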
Statistics *are* collected (Score:4, Insightful)
To me, the real problem is that every couple of months folks come along like internet security is something new, when in fact the exploits and vulnerabilities of today are very much like the same problems from a decade ago.
This is somewhat of a problem. (Score:2, Insightful)
This is perhaps one of the most insidious qualities of the 'net - a person can commit an illegal act (Unauthorized alteration of a computer system) without even knowing it, or intending to. Yes, I believe that most website defacements are intentional. But this only makes it worse for the person who accidentally mistypes a URL and ends up getting their computer seized, or worse, dragged into court.
Granted, you may not like Microsoft. You don't have to use their insecure products. But this is not enough - you could go to jail because of their negligent ignorance in security issues.
When cars became widespread, there was a legal push to make them safer. Soon, people started holding the car maker, rather than the driver, responsible for safety. Hopefully, the same thing will happen to Microsoft - people will hold them accountable for their (almost) criminal negligence when it comes to security.
Re:This is somewhat of a problem. (Score:3, Insightful)
http://www.someserver.com/scripts/..%25%35%63..
I realize it is vogue to talk about how MS is the devil and "you could go to jail", but you're being ridiculous.
Additionally: "you could go to jail because of their negligent ignorance in security issues." No. It is not MS problem that you didn't patch. Or is it also Slackware's problem if you don't patch for the recent
Re:This is somewhat of a problem. (Score:2)
The chance of someone "mistyping a URL" and accidentally triggering the Unicode exploit are laughably small. What are the chances of someone "mistyping a URL" and doing the following?
http://www.someserver.com/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
Social engineering. If I was a real prick of a Webmaster, I could include a link in my web page that would "mis-type" the URL for you when all you wanted was to see the item "advertised" by the link, an intimate and revealing picture of Brittney Spears. It's even worse with HTML-capable electronic mail -- when was the last time you really looked at the URL behind the juicy link in front of you? Now imagine a clueless newbie presented with the same message. What happens is left as an exercise to the reader.
As for going to jail, you might want to look into the history of BBS sysops who have been "investigated" for wrong-doing. Suitable links are elsewhere in the discussion.
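The request quoted in this exchange hides a backslash behind two layers of percent-encoding, which is what someone "monitoring for hackers" would look for in server logs. As an added illustration (not part of any poster's comment), this sketch decodes request paths until they stop changing and flags traversal; the log lines, addresses and verdict labels are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). Addresses are from a
# documentation range; the second request path is the one quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Dec/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.44 - - [24/Dec/2001:10:01:09 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566
192.0.2.10 - - [24/Dec/2001:10:02:30 +0000] "GET /docs/100%25%20free.html HTTP/1.0" 200 2210
192.0.2.51 - - [24/Dec/2001:10:03:11 +0000] "GET /images/../index.html HTTP/1.0" 200 1043
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def decode_layers(path, max_rounds=5):
    """Percent-decode until the string stops changing.

    Returns (fully_decoded_path, rounds), where rounds counts the decodes that
    changed something. An ordinary request needs at most one round.
    """
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def classify(target):
    """Return (verdict, normalized_path); verdict is None for unremarkable requests."""
    path = target.split("?", 1)[0]              # ignore the query string
    decoded, rounds = decode_layers(path)
    normalized = decoded.replace("\\", "/")     # treat both separators alike
    traversal = ".." in normalized.split("/")
    if traversal and rounds >= 2:
        return "double-encoded-traversal", normalized
    if traversal and rounds == 1:
        return "encoded-traversal", normalized
    if traversal:
        return "plain-traversal", normalized
    if rounds >= 2:
        return "multi-encoded", normalized
    return None, normalized


def scan(log_text):
    """Return one finding per suspicious request, keeping the response status for triage."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        verdict, decoded = classify(target)
        if verdict:
            findings.append({"client": client, "status": int(status),
                             "verdict": verdict, "path": decoded})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The `100%25%20free.html` line decodes in a single round and is not flagged, which shows why counting decode rounds gives fewer false alarms than matching on `%25` alone.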
Re:This is somewhat of a problem. (Score:2)
Click here [microsoft.com]
to get an unsuspecting visitor of my site to launch an attack against a remote server. Granted, the average user wouldn't know what to do if it worked, but someone monitoring for hackers would be able to pick up their IP.
And maybe not (Score:5, Insightful)
I, for one, cannot afford to have my servers collecting dust in an evidence locker while I rearrange my business schedule around interviews, depositions, and testimony. Sorry folks, but yes, I'd bury it and forget it.
Happened here too... (Score:4, Interesting)
That is, until, i sent a message to the CEO, COO, and CFO with their credit card information. Apparently there were credit cards and user information stored on this machine.
They started to care then. Just a bit though. Of course, two months later, we were one of the companies that had to shut down EVERYTHING due to Nimda.
They're out of business now. Take that for what it's worth.
Re:Happened here too... (Score:2)
>their credit card information.
What you did is known as "pulling a Schwartz"
You are lucky they didn't fire you and then prosecute you.
>They're out of business now. Take that for what
>it's worth.
You are twice lucky: so far, they haven't held you responsible for this.
Cost analysis (Score:2, Interesting)
Re:Cost analysis (Score:2)
Go roam around IBM website and its subsites (support.ibm.com, etc.) and you'll see thousands if not 10s of thousands of pages. Uploading all that takes time.
One other point is if someone cracked Amazon and put up a message saying "Amazon has been cracked and we now have your credit cards numbers!" What are you going to think when you see that again, or for the third, fourth, and fifth time? Bye, bye business! That would be a good reason to prevent it in the first place.
I don't care either (Score:2, Interesting)
Penalty for me: yelled at by boss and now I have to reformat server. Score 1 point for the kiddies and I learn for next time.
I don't care much unless they do something lame like use the box to DDos or something equally lame.
If you find your site defaced more than not it's a sure sign that something is not right with the tech department.
Mind you I've not had a production site defaced in over 2 years.
Depends on what the cracker does... (Score:3, Insightful)
If someone just added a statement saying "Hi, I'm l33t hax0r, I've cracked this site 00000001 times", it's likely just a kid trying to have fun, not someone who should end up in prison.
On the other hand, if it's a spammer cracking my server and using it to send spam, they'd face all consequences I can think of. And there are quite a few in-between things...
Re:Depends on what the cracker does... (Score:2)
Please cite your source.
(why the hell do [prisons] have [TVs]
You'd be surprised what you can get in prison. If I lost my house and didn't have a wife to care for, I'd definitely go commit enough crimes to put me in a minimum security facility. Just think: free room and board, free meals, free HBO, free weight room, free basketball court, free law library, free limited internet access. Possibly free beatings and sodomy too, but I bet that's less likely in min security than it is in max.
The one thing you don't have is free movement, but how much of that do you have now? How many hours a day are you chained to a desk? Hell, prison would be a luxury in many ways.
-Legion
Re:Depends on what the cracker does... (Score:2)
Who'd want to go back to work after lounging around watching HBO all day? I'd move to California and make sure I got three convictions....
-Legion
Re:Depends on what the cracker does... (Score:2)
Your stinging repartee has demolished my argument, Anonymous Coward.
-Legion
Re:Depends on what the cracker does... (Score:2)
Maybe, but computer geeks are not exactly typical teens. At least I know what I occasionally did for fun back when I was 14-15 (which isn't THAT long ago, it was late enough to give me a chance to toy with some early website defacing -- but it's so long ago that I can safely admit things without running in the danger of being arrested
Teens (at least the ones I know) are usually a bit extreme in their views and not as controlled as older people, and "It's impossible to crack this" is an invitation to try that many can't resist, even though they know it's not exactly legal.
I agree about giving them hard punishments for real crimes, such as murder, beating up people until they go to hospital and such, but for stuff like this, a warning ("We know who you are, do it again and...") would suffice.
I tend to agree that prison conditions are too good, but on the other hand, locking someone up in a dark cell without anything is likely to get more nasty ideas into their heads (giving them enough time to think about taking revenge on the system that got them in there for something small [at least in their view])...
Maybe just a longer period of community service would be the best thing to do.
Too hard to prosecute (Score:4, Insightful)
The FBI is way too busy with the real bad guys, like Bin Laden. You should go check out Gibson's story [grc.com] about the DOS attack that he was subjected to, and the results of his attempt to get the law involved. Basically, if your damages are less than $20,000 they don't care, and if the alleged hacker is less than 18, they probably don't care. It may be very hard to put a value on a webpage defacement that will hold up in court. Courts don't like to do much to kids either.
To make a long story short, it only makes sense to not throw good money after bad by trying to apprehend and prosecute someone. The effort on behalf of the corporation will be better spent shoring things up to prevent it from happening again.
Cheers!
gs
Article Has a BAD Example (Score:3, Insightful)
Damnit I was all set to paste and italicize the part where the person says something like, "...but I was there only for one month and didn't want to seem like a pain in the ass." but it's
Anyway what really irks me is that I get the impression that this guy doesn't take his job seriously. Being a NetAdmin is not a job, it's a duty. You have a duty to your Network and its users first. Your PHBs second. I think anyone who treats their role as any different is inviting disaster.
I mean seriously, I'm lazy; does that mean I want to have more to do later on b/c someone who can't appreciate the gravity of their decisions told me to do something against my better judgement.
If I were him I would have kicked and screamed about that OOB installation on a public server but if that's how they want it done, then that's how I'll do it. If that becomes a pattern in their decisions, then I'll decide to start surfing monster.com. What I'm getting at tho is that it's not hard to make someone understand that best practices are called as such for a reason and straying away from them should only be done with very high degree of deliberateness, instead of the implied laziness on the part of the PHB and the cowardice of the person interviewed in the article. The whole point of the article could have been avoided with a pair of cojones.
:::rant mode off:::
oh, i know this story.. (Score:3, Interesting)
i was one of only two admins for what was then the 3rd largest dial-up provider in that state.
first of all, their network infrastructure was a mess. they didn't even bother using their lovely switches with segmentable backplanes to set up different subnets for the internal network. i mean, a lot of good this would have done, considering that the owner was FAR too cheap to shell out money for even a cheap firewall. we actually had very smart and network-savvy techs printing warnings about network security to the printer on the owner's desk (while connected with other ISPs no less!) and the idiot still didn't get the message. this is made more ridiculous by the fact that the man built the company from the ground up, he was supposed to know what he was talking about! (quote: "do we even know if that shit works? why do we need that?" - owner, when asked if we should use RAID in the SQL server i was building)
second, the main admin and 'webmaster' was too cozy in his M$ bubble to venture into the world of open source software. granted, the two of us often had more work than four more of us could have handled, but in the interest of job security he should have at least tried listening to all the people (more security-conscious than he) who were telling him that our setup was crap. he, the operations manager for the company, and the owner (my three immediate bosses, in that order) didn't seem comfortable with the idea of me, a newer constituent to the department, tightening security.
so, when it came to setting up and securing machines i was left to dabble on shell boxes hidden under my desk. (which i did from under my workstation at the other end of the building even before i worked in the department or had access to the zone files. the network room was unlocked, so it was simply a matter of noting a jack number and moving your connection to a switch that wasn't managed by novell.) the owner was actually more afraid of his employees in the building using the hi-cap lines for d/ling MP3s on his dime than he was about paying an army of trained monkeys to manually re-enter 17,000 accounts when some 15-year-old decided to kill the user database from his AOL connection.
so ridiculous was his thinking that he paid all the money he could have spent on securing the entire network and more on some overpriced Intel server and the (fucking) NOVELL software necessary to control network access from INSIDE the building.
so lax was the security and so cheap the owner, that it actually took two incidents of having production monkeys switch our servers off (for the hell of it) in mid-operation (first the SQL/RadiusNT server, then the Mailsite server) before we managed to get locks for the network room doors.
anyways.. i'm finished.
-j0nah
Ride in an elevator controlled by a M$ computer? (Score:2)
Eventually some dweeb will come up with a real killer script. One that infects hospital systems, screws up with the meds and results in a few hundred deaths.
Then some smart lawyer will go after M$ and learn that they do not warranty the suitability or fitness of their product for any purpose what-so-ever.
Then the governor of the state whose aging mother died because of the boo-boo will get into the act and the software industry will be as regulated as the automotive industry.
Given the number of blazing Corvairs and chest impalements by steering columns, this will NOT be a bad thing. But it's about as likely as M$ selling elevator systems.
As long as the cost is ONLY money, nobody in the corporate world gives a shit. It's not their money. They don't want to waste time or money fixing the problem. They don't even want to report the problem.
I know of at least one company that got screwed on Sept. 11, 01 because they hadn't even taken a copy of their back-up tapes off site in months. Takes too long. Costs money. Like cab fare. Believe it...
Get used to it.
Re:Ride in an elevator controlled by a M$ computer (Score:2)
Bigger buildings generally have more customized software on an embedded platform.
Re:Ride in an elevator controlled by a M$ computer (Score:2)
Management education of the legal consequences (Score:5, Insightful)
After reading the link for this story, I was amused to see that things really haven't changed in a number of places. Management doesn't worry about Web site security until it hits them where it hurts, their liability insurance premium, or when the executives spend some time in the cooler.
The majority of defacements I've seen described involve little more than vandalism, electronic tagging by lower lifeforms of script kiddies, that do very little harm to the company whose site is defaced. You "wash the walls" and go on. End of story.
Except that it isn't the end of the story.
What happens when the defacer decides to use your Web site to store a couple hundred cracked credit card numbers? How about the 600 MB of MP3s of copyrighted music material that appears in its own directory of your Web server? The kiddie porn? Can you imagine what would happen if a terrorist cookbook were to be uploaded to your site, given today's paranoia caused by the November 11 terrorist attack?
IANAL, but I recall the Mogur-BBS debacle [textfiles.com] when a BBS system was used to traffic in telephone calling card numbers. Some facts are missing from the account the link points to, but it's sufficiently accurate to be useful. Here is another account of the incident. [www.dang.se] Here is a more thoughtful retrospective and analysis. [publiceye.org]
Shall I bring up the episode of Steve Jackson Games [eff.org] as an indication of the kind of risk that operators of public computer systems face when security is not a primary concern? Steve Jackson Games is apparently alive and well [sjgames.com] (and probably mad as hell about being mentioned in a Slashdot article) so the news isn't all bad, but the six months they were effectively out of business -- the publishing business -- must have hurt and hurt badly. Granted, the Secret Service has learned much since that 1990 fiasco, but can you imagine the long arm, and the long flatbed truck, coming and taking your computer systems because of the acts of some malicious script kiddie who does more than tagging?
Can your company afford to have its Web servers seized and perhaps damaged because of the illegal acts of non-employees?
What you can do: tell your manager to contact your company's general legal counsel and request they research the legal liability, and the practical effects of law enforcement action, resulting from illegal acts committed on public servers that have inadequate security controls. Emphasize that the research include short-term effects such as equipment seizure and forcible removal, damage inflicted during such action, and the expense of obtaining the timely return of the equipment.
If you run an e-commerce site, also be sure to ask about legal exposure in the event any web server containing credit card records, customer information records, order histories, or credit search information is compromised and the information released to unauthorized people.
Steve Jackson Games was almost put out of business based on a bogus rumor. How would your company survive the legal onslaught from a script kiddie interested in more than just defacement?
Re:Management education of the legal consequences (Score:3, Informative)
Really, you shouldn't.
As I recall, they didn't get raided because of anything to do with their system security, and indeed their computers had nothing to do with it at all (other than that they were taken in the raid) - they published, on paper, an entirely fictional game about computer hacking that any sane person should have been able to tell was a game (the game rules should be a big hint) and didn't constitute a criminal instruction guide, and they got raided for it because the Secret Service apparently wasn't able to make that distinction.
Re:Management education of the legal consequences (Score:2)
Steve Jackson Games was almost put out of business based on a bogus rumor.
Somebody told the Secret Service that SJ's BBS had hacker files on it. They took away the BBS and some vital manuscripts. What if your hacked server actually had illegal material on it? In other words, the poster's point was...a rumor and stupid cops almost shut down a business. What if the rumor were true, and there was illegal information on your web server (put there by a skript kiddie), and the cops were smart?
Re:Management education of the legal consequences (Score:2)
Really, your mother should have taught you better manners. I understood the original author's point. My point, however, is that the anecdote has nothing to do with the consequences of lax computer security and therefore doesn't make a good example for their argument. If the rumor had been true, prosecuting them would probably have been justifiable if I remember correctly what the rumor was. If the cops were smart, they would have tried just looking into the matter before raiding the place, and also would have realized that the owner of the computer isn't necessarily responsible for the actions of every script kiddie who attacks it.
Bluntly, I think it's just a lousy example for this particular discussion.
Free content (Score:3, Funny)
His "solution" is wrong (Score:4, Interesting)
No. The reason it's called a democracy is because people get to vote. If there are in fact three sides to a debate, there is the distinct possibility that no one will be appeased. In fact, most compromise among reasonable people results in everyone being equally displeased, but willing to accept it.
Insisting on seeing every disagreement as a matter of two opposites is how we got the Republicans and the Democrats, with no (okay, little) room for third parties. I can't see how applying the same method to computer security will somehow suddenly work.
What about their job? (Score:3, Interesting)
What are they going to do? Report a defacement/breakin and look bad in the eyes of upper management, or cover it up so that it looks like it never happened and keep management in the dark as much as possible?
It may not be that these companies do not care, they may just not know that they have a crappy staff.
This subject is quite misleading ... (Score:2)
If they didn't care, they'd never correct it -- they'd leave the defacement up forever.
Some more appropriate/accurate titles would be :
or Of course, once somebody read one of these more `accurate' titles, they'd go `duh! and this is news? We all knew that already!'
Default Installations (Score:2)
OpenBSD has been secure for "Four years without a remote hole in the default install". They look over just about every line of code every release for possible security problems, and also regularly screen their ports collection for possible problems. FreeBSD has a secure mode option in the installer that apparently makes it about as good as OpenBSD, but I have to doubt that somewhat.
Is there a way to make a default Linux distro as secure as OpenBSD (and have long-term proof of it)? Probably not. So, if you want a secure web server as soon as the installation is finished... go with OpenBSD. It runs just as well as Linux, and has the same capabilities, so why not?
Working in security (the polyester type)… (Score:2)
As you might have guessed, some people would steal stuff. Every once in a while, we would catch them, we would call the cops, they would fill out a report, and that was the end of it. Termination, but no criminal prosecution... Some of these folks made off with a lot of stuff before you figured out how they were running off with it.
I suspect our police force is not interested in dealing with the "lowly" 13 year old script kiddies who would make a lousy public example. Lord knows they did not really care to prosecute when someone runs off with several thousand dollars worth of gold, confesses, and provides a verbal and written confession to the officers as well.
I also suspect these companies do care; they just realize the futility of trying to bring these "crackers" to justice....
An Idea To Help Both Sides? (Score:2)
Is it really an issue? Why should they care? (Score:2)
NFS ro Mount? (Score:2, Insightful)
You would still have to provide security patches to your servers, and be a proactive admin to keep your network secure, but wouldn't this solve the modification/defacement problems?
Geeks reroute around 'bad law' ? (Score:2)
Companies do not report defacement, People do. Here are some reasons not to report defacement.
1) The Geek thinks it makes him look bad if he cannot secure the platform.
2) The Management view that 'if Big Guy's aka Microsoft cannot secure the Web, then nobody can! '.
3) The Company also thinks it makes them look bad if a) they are prosecuted for failing to secure their data and b) if they start prosecuting their customers.
Geeks recognise Web Defacement is about as serious as Vandalism, and the punishment for each is completely disproportionate. Perhaps the Geeks are not reporting these breaches to the Authorities because they understand the law is B.S. I KNOW this colours my view.
In the UK, we have the Data Protection Act and the Computer Misuse Act these are well regarded amongst lawyers & politicians and are held up as good examples of computer internationally, the rest of the EU has (is) adopting the same standard legislative framework. These stipulate a six year term for 'each unauthorised access' by an individual, and an 'enforcement notice' for a company committing a similar offence, or failing to secure their data.
Another question is 'what constitutes an unauthorised access ?' is it each packet, each login/session or each machine compromised ? A packet storm could result in a Six Million year sentence in a few minutes.
The platform I work on has been attacked several times, yet time has proven we have a very effective security setup, breaches have been handled without damage. The nature of our platform means that the hackers are also our customers, we usually cut the offender off and send a warning letter and once they apologise and ask nicely, we let them back on the platform. So far we have had only one repeat incident and they have been cut off permanently. We have never informed the authorities, despite the fact that these actions certainly constitute a breach of UK Law.
Re:Warning: Semi-OT (Score:2, Funny)
Re:Warning: Semi-OT (Score:1)
Re:Cover it up and go to lunch.... (Score:2, Insightful)
Internet security isn't as "new" as everybody wants you to believe. CERT [cert.org] has had a reporting hotline for many years now, as well as guidelines on how to make a report [cert.org].
To me, the amazing fact is that judging by the comments folks are making, Most slashdotters don't even know about CERT. How do we expect the guy off the street (aka IIS administrator) to know?
Re:what a loser (Score:2)
I know younger people who have been on my ass about 'fix this bug' 'fix that bug' 'you should be watching for this kind of scan or that kind of scan'.
No concept of actual systems administration.
Hint: It's just NOT WORTH THE TIME for many companies to have a full-time 'security' geek on staff.
Yes, sysadmins should patch their shit. Yes, they should stay informed. But some kid who does nothing but hang out on #hack and collect exploits is *always* going to seem to know more about security. Period.
It's not just security; it's easy, when you are young, and think you know it all, to assume that those who are not doing things 'your' way are stupid. Then you get older, and realize that's not the case. (or not always, anyway, there certainly are people who are about as smart as a brick out there).
Revenge can equal jail time... (Score:2, Insightful)
Okay, the original post was some bait, but here goes...
Let's just say that you do get away with rooting some cracker's box. What do you do when that cracker sics the FBI upon you?
He/she could also just sue you in civil court and could likely win.
If you don't think this can happen, ask your legal counsel if the families of criminals have ever sued the pants off of and won in court after their "loved one" got himself or herself shot to death while committing a crime in someone else's home. It has indeed happened and will continue to happen.
If you do go about and end up hacking the hell out of someone else's machine, how can you surely prove that it is the right machine that you are hacking? You may claim that there are no crackers that know more about cracking than me.
That is total arrogance and idiocy. Nobody should ever claim that they are the be-all and end-all of any subject. There will always be something that you don't know, there will always be someone that knows more or at least more about a little-looked-at fact.
You could have hacked the system of someone that was rooted by your cracker. What happens if the admin at that site knows someone that looks at the logs and finds your smiling face all over the place? Well, I suppose that you would then be paid a little visit by the FBI and will find yourself in just a wee bit of trouble.
The better thing would be to patch your holes, protect your rear and let the trained government investigators take the risk of looking the fool. You eliminate your chance of going to prison and/or facing untold fines.
--
.sig separator
--
Re:Revenge (Score:2, Insightful)
A: You don't.
Vigilantes: amateurs trying to look like professionals.
Re:Finally some one said it! (Score:3, Interesting)
In 1991 I was breaking into VAX and Unix machines left and right, and so were many of my friends (in fact, they were much better at it than I was, which is why many of them work in computer security today and I don't). Misconfigured menu screens, unshadowed password files, Sendmail--you name it, we were exploiting it.
Disclaimer: I don't know about my friends, but I always informed the sysadmin about his security problems after playing around for a bit. While still technically illegal, none of them ever decided to press charges and I suppose the statute of limitations is up by now anyway, so thbbbbpppttttt.
-Legion