What Spooks Microsoft's Chief Security Advisor

alphadogg writes "Microsoft's U.S. general manager/chief security advisor for its National Security Team, Bret Arsenault, thinks like a true security professional. In every bit of good news, he wonders what bad news could be coming. Application security, virtualization security and the fact that over half of computer attacks seen by Microsoft come from the .edu domain are just some of the things keeping him up at night."

students sharpening their pens

[ionix5891]

half of computer attacks seen by Microsoft come from the .edu domain

nothing to worry just students testing their scripts against big bad microsoft :) we all did it at one stage ;)

Re:students sharpening their pens

[hostyle]

Fatter pipes are bigger targets to would-be evildoers, as it gives them more bandwidth with which to carry out their nefarious deeds. That makes a rooted .edu box almost as important a component of Dr. Evil In Trainings' arsenal as a hollowed out volcano island.

Re:

[morgan_greywolf]

Fatter pipes are bigger targets to would-be evildoers, as it gives them more bandwidth with which to carry out their nefarious deeds. That makes a rooted .edu box almost as important a component of Dr. Evil In Trainings' arsenal as a hollowed out volcano island.

At one time that was true. Not anymore. Haven't you heard? Fat pipes [verizon.com] are cheap and increasingly common these days.

Re:students sharpening their pens

[Bert64]

Home connections still have fairly poor upstream compared to their downstream...
People who root boxes want upstream, so they can scan for more boxes to hack, ddos things or distribute malware. They typically have very little need for downstream bandwidth to the compromised boxes.

Re:

[morgan_greywolf]

Home connections still have fairly poor upstream compared to their downstream...

Either you didn't at least hover over my link, or you actually have no idea that Verizon FiOS offers the same speed up and down. And that's not all -- all the telcos (included AT&T) are in the process of developing, deploying and testing this same tech[1].

[1] This knowledge comes from unofficial sources inside of AT&T

Re:

[ePhil_One]

Either you didn't at least hover over my link, or you actually have no idea that Verizon FiOS offers the same speed up and down.

Huh? My FIOS is 5Mbps down and only 2Mbps up. If I upgrade, I get 15Mbps down but still only 2Mbps up.

Or is this an undocumented feature in FIOS? (I never really bothered to test, even a 5Mbps bandwidth is almost never an issue for me).

Re:

[duckworth]

Well, over here in the NY metro area I have a residential 50 Mbps down, 20 Mbps up FIOS connection. They also offer a 20/20 package as well.

Re:

[ozmanjusri]

People who root boxes want upstream, so they can scan for more boxes to hack, ddos things or distribute malware. They typically have very little need for downstream bandwidth

There's a lot of home users out there running non-admined MS boxes.

never underestimate the bandwidth of a truckload of pipes...

Re:

[morgan_greywolf]

Who said anything about leaving your own IP? Duh, go for the low-hanging fruit! Do you have any idea how many home users running various insecure, unprotected versions of Windows there are out there?

Re:

[cbiltcliffe]

Do you have any idea how many home users running various insecure, unprotected versions of Windows there are out there?

Yes. I know exactly how many there are.
BWAHAHAHAHAHAHA!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[WuphonsReach]

Out on Long Island NY, I'm seeing cable download rates of 20-30 megabits/sec with upload rates of between 2.5 and 5.0 megabytes/sec. So it's still asymmetric, but it's a darn sight faster then the 1.5 down / 384 up that I had back in Pennsylvania.

(sigh) It makes the T1 line at the office seem *realy* slow now.

OTOH, the T1 line at the office is about 99.98% reliable over the course of a year (roughly 2 hours per year of downtime). My cable line is more like 99.5% (about 3 hours of downtime per month).

Coolest name for a security expert, EVER.

[mcrbids]

I mean seriously.... Bret Arsenault?

Did he legally change his name after he got hired? Other cool pseudo-names: Ima Baadash, Tod Newclierre, or John Wepunce.

Re:

[Jeremiah Cornelius]

He's also a pretty cool guy. His group sponsors big, security awareness events twice a year for MS customers - and these are real sessions, not PR fluff. Bret is friendly and accessible.

If he's at RSA this year, drop by the MS booth and say hi to him.

Re:

[Forseti]

What, cause it's spelled somewhat similarly to arsenal? It's a relatively common French name, and pronounced "Arseno", so your analysis breaks down a little... :-)

Re:students sharpening their pens

[an.echte.trilingue]

True. Students usually have time on their hands, knowledge at their disposal and being young they still have an underdeveloped sense for the potential consequences of their actions. Oh, and T1 connections directly into the dorms. Just talk to somebody who administers a university network: trying to keep students from "playing" with the school infrastructure is a nightmare.

Re:students sharpening their pens

[Brian Gordon]

No T1 directly into my dorm.. unless you're at MIT chances are you're starved for bandwidth and have to sleep during the day and game all night to get any decent pings.

Re:students sharpening their pens

[Anonymous Coward]

unless you're at MIT chances are you're starved for bandwidth and have to sleep during the day and game all night to get any decent pings.

You don't get very good grades, do you?

Re:

[Delkster]

He might be sleeping at lectures. Isn't that a pretty normal way of going to college?

Re:

[confused one]

It might be a T1. A T1 is only 1.5 Mbit. That's not enough bandwidth for a dorm full of MIT students who are all trying to play online games and hack.

Re:

[Arivia]

Actually, it's pretty damn Canadian. I can't believe you're at one of our universities and you're still conflating our values and the USA's.

Re:

[wuzfuzzy]

Most schools have Greater then a T1 speeds to their dorm rooms! A T1 is a measly 1.544Mbps. Most dorms have at least a 10Mbps connection to the LAN and 1-8Mbps to the Internet.

Re:

[besalope]

Our's has a 10x10 pipe that goes directly to the hall; however, divide that by the 200~300 students in the dorm hall and the mbps drops back to dial-up.

Re:

[fbartho]

more schools than MIT have great dorm networks. My saddest regret when I left the dorm system was that I couldn't get internet access as fast as in the dorms for less than 500$/month. My only affordable options were comcast or DSL and it turns out that DSL would usually have as good effective upstream as comcast. Go Blue! (umich.edu) I wish the fiber providers would get their asses in gear and provide me!

Re:

[Jellybob]

Peesh... T1.

You should try working for an ISP, where we have a gigabit pipe into the office... now, if I could only persuade IT support to get me a network card capable of keeping up with it ;)

Re:

[no-body]

Nope - that goes differently: Do you believe anything some sworn in M$ looney coughs up?

NOPE!

Totally PR brainwashed individuals learning from their propaganda bible, dreaming or living in a different reality!

Re:

[jav1231]

I smell a big Microsoft initiative for securing colleges and universities coming. Government contracts, proprietary model continues, and it's all for our children.

Big surprise?

[suso]

over half of computer attacks seen by Microsoft come from the .edu domain

Actually, does this really surprise anyone? I think if you took away the botnets that might attack Microsoft, you might have
something more like 80%. Not that it was an attack, but I used to always use billy@microsoft.com as a return address when I was testing
e-mail or showing someone something.

Re:

[Anonymous Coward]

When I got pissed off enough by spam around 1994/95 at university, I would launch DoS attacks (syn flooding) against the offending websites :)

I'm sure there are plenty of students young and stupid like I was at the time.

Re:

[xaxa]

I only have a small mail server's logs to look at (just my personal domain). But I haven't seen *any* botnets in the .edu domain attempting to deliver spam to me in the last 20 days. I think Microsoft is referring to cracking attempts?

Top five domains (number of spam messages delivered to me):
120 .net, 110 .com, 98 .ru, 95 .pl, 83 .it
(Very simple statistics: just grepping the mail log for domain names. It doesn't include any host with no reverse DNS. And I don't get that much spam, as you can se

Re:

[Anonymous Coward]

I used to always use billy@microsoft.com as a return address when I was testing

billg@microsoft.com would have been better.

Cleaner Version

[Anonymous Coward]

Without [networkworld.com] all of the ads. Won't someone please think of my eyes?

Obligatory...

[fluffman86]

AdBlock Plus?

but seriously, thanks for the link. :)

fifty-fifty

[foufoux]

over half of computer attacks seen by Microsoft come from the .edu domain IT Teachers have too much free time on their hands... But I bet the other half comes from .cn domain.

What Spooks Microsoft's Chief Security Advisor ?

[ionix5891]

i presume same things that spooks every other network admin

*rooted linux boxes, yes these are dangerous in wrong hands :(
*Russian business network
*chineese spammers
*prolonged multi gbit DDOS

Re:

[tomhudson]

Yes, but this is Microsoft's Cheif Security Advisor ...

This is slashdot ... the headline should read "What spooks Microsoft's Chief spook?"

The guys is an idiot

[Anonymous Coward]

The reason why the security flaws are dropping is because the 2 largest groups of crackers are operating under foreign govs. The russians were out to make money, But now operate with the russian gov. In addition, the chinese crackers have also switched up. Why? Because they can do all this legally in their country and not worry about a bullet to the brain. The simple fact is, that 5 years ago, these folks were cracking systems for money. Now, they are cracking targeted systems (i.e. DOD) and using subtle openings. Almost certainly the big openings are being saved for future use.

Q&A

[cerberusss]

Question: What do you think about Microsoft's U.S. general manager/chief security advisor?
Answer: I think it would be a good idea.

Re:

[Teun]

But who would want a job where you are single handedly taking (over) responsibility for just about 100% of the world's existing computer viruses?

Gandhi's Joke: Credit Where Credit's Due

[AslanTheMentat]

Come now, give credit: Mahatma Gandhi...

Reporter: "Mr. Gandhi, What do you think of western civilization?"

Gandhi: "I think it would be a good idea!"

What Spooks Microsoft's Chief Security Advisor

[somethingwicked]

What Spooks Microsoft's Chief Security Advisor?

Flying chairs?

Re:

[poena.dare]

The Blue Screen of Death... that really results in... death!

Re:

[Shaltenn]

Developers developers developers?

What do you prefer?

[miffo.swe]

"Application security, virtualization security and the fact that over half of computer attacks seen by Microsoft come from the .edu domain are just some of the things keeping him up at night."

As a user of said computers/servers i much prefer a scripthappy student whimsing around my systems alerting me about security issues. What do worries me are govt founded hackers stealing sensitive information, research and other secrets leaving no n00b traces for me to discover. Its not the actual breakin that worries me but what the perpetrator do thats an issue. If someone breaks in but does no harm i can live with that. My feelings may get hurt but the company is ok atleast.

An application/OS vendor ofcourse prefer the stealth hacker since the student hacker brings into attention all the various security issues with their products and makes people look for other options. Many vendors prefer a company being hacked to pieces before letting an exploit being known publicly. Microsofts own exploit policy is a very telling sign of this. As long as an exploit isnt used extensively its not going to get patched regardless of how many systems are exploitable. That worries me at night...

Re:

[Bert64]

I doubt it's students in control of those .edu systems...
They are probably being used as jump boxes by hackers operating elsewhere, including those government sponsored ones.

Re:

[miffo.swe]

I sometimes work in a school enviroment and you can bet they keep me occupied.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Forseti]

What you say is true, and the time-to-market requirements of the current market certainly aren't conducive to long QA cycles prior to release, but still; Using the word "innovation" as an excuse in a story about Microsoft? Get real!

This Guy Doesn't Get Security

[segedunum]

Among the most frustrating findings for Arsenault: Just over half of all attacks originated from the .edu domain. "[That's] a fundamental problem," he said. "We've got to do a better job with the university systems to stop that."

You can never run around trying to get people, and universities, to stop things that are basically open-ended. If those are the number of attacks you're experiencing then those are the number of attacks you're experiencing, regardless of where they originate from and why. The web is a free place, and it shows an exceptional naivety to think that can be stopped by pressuring universities.

But Arsenault does sweat over whether there's really less exploitable code, or whether it's more a case of such code just being kept secret by nation states looking to wage cyberwar.

Rrrrrrrrrright. So just like with Iraq's incredibly destructive weapons, if there isn't anything happening then it's because there is something even more devious and cunning going on?

Mind you, I wouldn't have expected anything less from Microsoft's Chief Security Advisor.

Re:

[Time Ed]

I think he "gets it" just fine. Most of his assessments are right on the money compared to what I see day-to-day.

Who wouldn't want to stop attacks against their site? Half the attacks I see are sourced from Asia. The other half from US-based broadband connections. We buy BIG pipes, and my execs pay a lot of money for our provider to work with regional ISP's to filter attacks at the source.

Like it or not, he's right: attacks are becoming application-based. Mostly browser-based. The other end of that is socia

Computer Security what is a crime and what isn't?

[mlwmohawk]

I hear a lot of people make the analogy that computer breaches are like breaking and entering, and while some of the actions are, some are clearly not.

Mischief is the motivation of youth. Vandalism is a form of expression. We've all participated in it in some form, so everyone get off their high horse, and rather than "get tough on crime," its time to figure out the difference between kids having fun and serious criminals. It is also time to make computer systems in "the digital world" as resilient to mischief and vandalism as real physical buildings are in the real world.

We've all carved our names in a tree in a park. We've all stolen a pack of gum or something from a store. We've all done petty crimes when we were young. The difference in the digital world is that everything is so brittle and poorly built and the mischief that is expected from youth ends up costing companies [B|M]illions of dollars. In the classic movie, "War Games," a kid practically starts world war III, the analogy fits if you excuse the hyperbole.

From a societal point of view, we need to separate the smarts kids being mischievous from the criminals committing real harm, just like we do in the real world.

Re:Computer Security what is a crime and what isn'

[Anonymous Coward]

Mischief is the motivation of youth. Vandalism is a form of expression. We've all participated in it in some form, so everyone get off their high horse

Ahem.
Perhaps it is your horse that you should be dismounting from. Don't presume to speak on behalf of everyone else with regard to participation in unruly behaviors. Dipshit.

We've all stolen a pack of gum or something from a store.

ORLY??
Somebody owes me a free pack of gum, then. Apparently I missed "sticky finger day" when I was a kid.

we need to separate the smarts kids being mischievous from the criminals committing real harm

Your arrogance astounds me. You actually think that "mischievous" behavior and socially irresponsible law breaking is somehow correlated to "being smart". Wow.

Re:Computer Security what is a crime and what isn'

[Jason Levine]

I guess I'm just a "goody two shoes." When I was growing up, I never stole a pack of gum (or anything else) from a store. I never carved my name in a tree or participated in vandalizing something at all (much less as a "form of expression"). My motivations in my youth had nothing to do with mischief. I did experiment with computers, but they were my own computers or they were the school's and I was acting within the limits of my classroom activities. For example, when asked to program a slot machine program on an old Apple IIe, I finished *way* before everyone else. So I started adding in more features. I added in betting, and still people weren't done. So then I added in a mobster that you could borrow money from if you were broke. (I coded it so that you either paid him back in a certain number of turns or he broke an arm and a leg of yours, took all of your money, and the game ended.) I was exploring the limits of what my coding could do, but it was without causing harm/damage to someone else's property.

Re:

[QuantumG]

Let me guess, you were well-to-do right?

See, kids who grow up poor get to see the injustice of the world first hand and, unlike adults, they feel the need to do something about it. Problem is, they're kids, so they can't.

Re:

[Jason Levine]

I wasn't poor growing up, but I wasn't "well-to-do" either. My family was comfortably middle class. My father worked hard to earn a living just like I do today.

Re:

[QuantumG]

They're ineffectual attempts to rectify injustice, yes. Taking from the "haves" is exactly why social justice is so distasteful. Forced redistribution of wealth is just as unsavory as the concentration of wealth.

Thankfully, we now live in an era where redistribution of wealth by force is not necessary to achieve social justice, unfortunately some people still see it as the only solution.

Re:

[Jason Levine]

I was mainly taking issue with mlwmohawk's insistence that "we've all" done these things. Not everyone has. And there are ways of pushing the limits while not treading on other people's property. Want to test how secure a server is? Set one up yourself and see if you can hack it. Or have a friend set one up that you two agree you can try to hack into. There are entire contests built around this idea. I don't see why a community of "limits pushers" need to find out why rules exist by trashing other pe

Re:Computer Security what is a crime and what isn'

[Hasai]

We've all carved our names in a tree in a park. We've all stolen a pack of gum or something from a store. We've all done petty crimes when we were young.

Speak for yourself.

Re:

[mlwmohawk]

You've never broken the law? You've never exceeded the legally posted speed limit? You've never spit on the street? Tell me where you live and I bet I can find a few local ordinances you've broken.

Don't lose the point by being pedantic.

Re:Computer Security what is a crime and what isn'

[frehe]

Vandalism is a form of expression.

I tried to tell the judge that rape is a form of art, and that convicting me would be like convicting Michelangelo for painting the ceiling of the Sistine Chapel, but for some reason she didn't agree. Bitch!

Re:

[mlwmohawk]

This is exactly what I'm talking about. Equating serious crime with mischief. Vandalism is by no means the violent act that rape is.

Re:

[frehe]

This is exactly what I'm talking about. Equating serious crime with mischief. Vandalism is by no means the violent act that rape is.

My previous post was obviously not serious, but this is. I consider vandalism to be a "serious crime", in the meaning that yes, it is a crime in most (all?) places to destroy other people's property, and yes, any crime that effects other people in a non-trivial negative way is serious IMHO. How would you like it if someone spray painted your car or house, ripped up all the plants in your garden, or broke into your computer and did god-knows-what to it? And for clarification, no, this doesn't mean that I eq

Re:Computer Security what is a crime and what isn'

[mlwmohawk]

Again, you are being "absolutist" about this, and that is the problem. Your descriptions do not describe mere mischief, but harassment and intimidation. They *may be* acts described as vandalism, but they are more serious than what I'm talking about.

Putting a sticker on a street sign. Carving your name in a tree. Small mischievous things are far different than wholesale destruction.

This "zero tolerance" absolutist world we live in doesn't allow children to make mistakes or recover from bad judgment. One mistake and they want to bring the full force of law down on you.

Some transgressions should not be considered crime even though they share some similarity, and in some cases repercussions, as real crime. Kids have bad judgment, it is a fact and it is a flaw in human beings. We should seriously consider this during prosecution.

Re:

[PitaBred]

Thank you for making sense, even if you don't get modded up for it. It's sad to see so many self-selected "smart" people that just accept rules and laws simply because they exist, rather than because they are there for a just reason, and don't understand that because there's an infinite range of human behavior, there should also be an infinite range of reactions to it.

Re:

[frehe]

Your descriptions do not describe mere mischief, but harassment and intimidation.

So where/how do draw the line between on one hand "mere mischief", and on the other hand "harassment and intimidation"?

Putting a sticker on a street sign. Carving your name in a tree. Small mischievous things are far different than wholesale destruction.

Things like that make your neighborhood look like crap if enough people do it. There's a good Swedish saying than exemplifies this: "Många bäckar små bildar stor å." (Literal translation: "Many small brooks create a big river." Closest English saying I know of: "Many a little makes a mickle."/"Many a mickle makes a muckle.") I'm annoyed each time I get into the elevato

Re:

[mlwmohawk]

Preface:
At this point in time I have a 16 year old son and a 2 year old daughter.

So where/how do draw the line between on one hand "mere mischief", and on the other hand "harassment and intimidation"?

That is the hard part, isn't it? The fact that it is not easy should not mean that we should abandon it.

I'm annoyed each time I get into the elevator in my house and see the increasing amount of stickers and scribble on the walls.

I agree will Bill Maher, if you are not annoyed every day, you are not living in

Re:

[GauteL]

He could have a Toyota sports car from 1992 and be very enthusiastic about it you know. Plenty of people would rather spend loads of money on their old MR2 than buy a new car.

Personally that's not my cup of tea, but it is pretty ignorant to label him as some kind of cheap moron and it is pretty daft to think that a top level manager at Microsoft is somehow a poor man.

Re:

[Skrynesaver]

Hey! I drive a 12 year old Corolla (don't know what they're marketed as in the US) and it's a fine car.
I've grown out of the "must be capable of 180 and 0-60 in under 4secs attitude and now it's just a means of getting about.
Just because he doesn't share your (in my opinion juvenile) obsession in modes of transport doesn't mean he's underpaid
In fact given the general security level of MS products he's almost certainly overpaid ;)

Re:

[BiggerIsBetter]

The MS chief security advisor drives a 1992 Toyota? Really? Two things come to mind here: Either Microsoft doesn't take security seriously enough to even give this guy a decent salary, or the urge to keep supporting outdated legacy crap is so ingrained at the company that even the guys at the top can't drop old tech for something better.

Of course it also makes me wonder, why can this guy take supporting a '92 car seriously, and yet the company he works for can't even make sure that the printer you bought last year will be supported in the latest OS?

Nobody said it was his only car. Maybe it's a pet project or something.

Masochist...

[FridayBob]

It may seem strange, but if you're a security professional and relish a severe challenge (or just want the money), then the Redmond campus may be just the place you want to be! However, after a while I can only imagine that the experience must feel more like beating your head against a wall.

Security expert?

[Zero__Kelvin]

"One reason for this, Arsenault says, is that vendors like Microsoft, Apple and Red Hat have done a good job in recent years securing the IP stack and operating system."

So either Microsoft's chief security advisor really thinks Red Hat is responsible for Linux security, and also thinks that security can be layered on in recent years rather than being a fundamental part of the core design starting from day one, or more likely his title should be "Marketing Advisor/Security Spin Specialist"

Re:

[Zero__Kelvin]

"You realize that Red Hat employ a fair number of kernel developers right?"

Even though an anonymous coward posted this, I can see how others might also be thinking along these lines. Of course, the US sends lots of athletes to the Olympics also, but it would be ludicrous to suggest that this means the US is responsible for the success of the Olympics. To extend the analogy, the AC also seems to miss the fact that Red Hat, while a long time participant in the Olympics, wasn't even a country when the Olympi

your own fault

[nguy]

Among the most frustrating findings for Arsenault: Just over half of all attacks originated from the .edu domain. "[That's] a fundamental problem," he said. "We've got to do a better job with the university systems to stop that."

There's a simple solution: stop maintaining the fiction that one company and one operating system can do it all. If you want to be a vendor of high-uptime, high-reliability systems, concentrate on that market segment and stop marketing your systems to the mass market. On the other hand, if you want to be a vendor of flaky commodity operating systems, stop worrying about your systems not being secure and stop marketing them as such (oh, and run your own corporate operations on something that actually is secure).

Re:

[nguy]

Spare us the sarcasm. "Multiple divisions" is obviously not working for them, otherwise this guy wouldn't be so desperate in the first place.

opportunity knocks?

[sgt scrub]

With Vista and other new products, Microsoft ships the hardening guide along with the product

Dell, Toshiba, HP, et el do not send that documentation along with a new machine when Vista is pre-installed. Could they be held accountable for people getting pwnd? Could this be an opening to get the M$ tax back when someone is forced to buy a machine with Vista on it?

Poor guy

[rnturn]

It's been about three now since the last Windows system at home was converted to Linux. And we sleep just fine, thank you.

Re:Poor guy

[z0idberg]

You "years" key is broken.

Re:

[iroc409]

Your 'R' key is broken. =) I keed I keed!

Could it be?

[BCW2]

The fact that he has to use M$ products?

Re:

[BCW2]

Tell the truth or a reasonable possibility and get modded flamebait. The standards around here are falling faster than SCO's stock did.

What spooks me

[MrVictor]

This security guy cited userland applications as the next battleground in windows. This, to me, sounds like he is trying to drum up support for completely locking down user space and only allowing signed apps to run in future versions of windows. Vista already forbids non-signed kernel mode drivers from running and has the ability to differentiate between signed/unsigned user apps. Previously, in XP, signed kernel mode drivers were an option and it was _not_ forced upon you. Application development on windo

Re:

[mlts]

Actually, those times are upon us, and its not a bad thing. Any professional software developer will sign their install code, .MSI files, .CAB files, and executables before it ships. Its not uncommon for a company to have a domain policy of refusing to execute any executables on a production network that are not Authenticode signed.

Why is this not a bad thing? Simple due diligence/CYA. If I install a signed executable from a company and it causes a malware breach, then the damage done can be explained a

Re:

[MrVictor]

I agree with you. It isn't a bad thing when the end user or a company has the option of turning on/off code signing. When it is forced upon everyone by Microsoft it is certainly a bad thing.

Re:Punishment needs to fit the crime

[Anonymous Coward]

That's quite the straw man... and it seems to be singing something...

*listens in*

"If I only had a brain..."

10 years?

[Shivetya]

Hell you can kill someone and not even get that much time. If your rich or a politician you can get off completely.

I agree with punishment fitting the crime but I think you put too much value on the damage the cause. The simple fact is that too few of people take the required steps to protect themselves. People have locks on their homes and cars, they don't normally allow complete strangers inside, and most people won't give out personal information to complete strangers they meet. Yet when it comes to the net it seems as if all bets are off, you never know what they will do - other than it being stupid.

I am all for punishment, but damn, people put more value on things and animals than human life.

Re:

[amchugh]

Human life does have a monetary value. Every day decisions are made in hospitals, health insurance administration, and military procurement that prove that. More to the point, if someone causes a broad enough swath of economic damage I guarantee you that deaths will result.

Re:

[miffo.swe]

The crime is most often hurt feelings and public shame. I do not see a virus, a trojan or such things as that bad of a deal. All they do is point with a very large sign towards some faulty software and says "fix this its insecure as hell".

The error lies in the exploitable system that should be more secure. Hightening the sentences only takes away the bulk but really malicious people will still use them to get access to trade, state and research secrets. The faulty systems will continue to be computerized sw

Re:

[jonadab]

> The error lies in the exploitable system that should be more secure.

Technically, the only way to really secure a system against trojans is to remove the ability to install software that doesn't come with the system from the factory. In other words, throw out the general-purpose computer and buy all hardwired appliances instead.

The problem with that is, programmability is a very useful feature.

Re:

[encoderer]

10 years in a federal-pound-me-in-the-ass prison?

Re:

[Hal_Porter]

It's worse than that! The cells don't even have wifi.

Re:

[Lobster Quadrille]

You know, that's actually not an entirely bad analogy, but the way I see it, it proves the opposite of your point. A person who walks into a house and explores it is certainly guilty of trespassing and probably more, but if he hasn't taken anything, then he isn't guilty of burglary and shouldn't be tried for it.

People exploring networks often do it for no reason other than to see what's there. They may use illegal means to do so, and they should be held responsible for that, but the fact is, a lot of grey

Re:

[Jane_Dozey]

Unfortunately if a breech of network security is noticed, it becomes a great big headache for those who have to sort it out. Nobody knows if the attacker was being malicious or just having a little look and so every break in has to be treated as if the attacker meant to do harm. This means making sure nothing was tampered with, nothing nasty was left behind and that it can't happen again. This process takes both time and money to sort out, meaning that even the most 'innocent' of attacks can cost the networ

Re:

[Lobster Quadrille]

I'm fully aware of that, trust me. I'm the Information Security Officer at a large hosting company, and I am that guy, who has to sort it out.

Though I wouldn't claim it is foolproof, it usually isn't hard to tell the difference in style of a malicious attacker and a harmless one- primarily because at one point or another, I have functioned in both capacities. If I hadn't done so, I wouldn't be qualified to do what I'm doing.

Yes, I do treat every breach like it was a serious one, and as my earlier post sta

Re:

[Viol8]

"Yeah, let's start ruining young hackers' (and I mean that in the positive sense) lives for youthful indiscretion, that's the way to go."

Aww diddums. Perhaps we shouldn't punish kids when they chuck bricks through someones window either since that'll be just youthful exuberance right?

"it's just that the 'crime' of rooting some insecure corporate box and not doing anything particularly destructive or criminal (credit card fraud etc.) with it is just not what I'd consider a big deal"

Rooting around someones pr

Re:"...he wonders what bad news could be coming...

[hyades1]

I see we're at that point in the orbit where the moderators totally lack a sense of humour again.

It was a joke, people. Get it? A joke.