Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Netgate.net.nz/ORBS spam colusion

  • From: Derek J. Balling
  • Date: Tue Jan 11 17:57:16 2000

At 04:49 PM 1/11/00 -0500, Dean Anderson wrote:
I see the guy in Russia took his model from ORBS, and did exactly the same
thing:  He apparently used a security exploit to get data, and published
that data. So far, it doesn't sound like he made any credit card charges.
Sounds like he didn't actually damage the compromised system.  According to
Derek Balling and a few others, he should be free and clear.
Whoa whoa whoa... back up there. Don't even think that you get to put words in my mouth.

What *I* have said is that a person is subject to the laws and regulations of the country they live in (plus those they are a citizen of, if those are not the same country), and not subject to the whims of other countries, so that's how I see it "from a legal standpoint". If the laws of his nation say that what he did, specifically, is a crime, then he can (and should) be held accountable to them. That's what sovereignty is all about.

Philosophically, I disagree with "anti-cracking" laws, by and large, because (short of password theft or confidential information and NDA violation-style cracks) any information a cracker can access, ANYONE can access, if they know enough about the system. What, specifically, makes the cracker "bad"? YOU (the proverbial you, although your mail servers are a decent example) are making (the data|your servers) available, not the cracker. If you are stupid enough to do so, I see no moral obligation on any user who discovers this to feel it needs to stay quiet. If you bring it out into the light, it tends to get fixed and people realize how poor the security at that site is. If you cover it up and go quietly about it or (worst) tell NOBODY, then nobody knows how poor the security is, or how little that site should be trusted with data/money/services.

According to those few people, the cracker hasn't done anything wrong.
Never made that claim. Could you show me where I said that? I'll say it now, that I don't think he's done much of anything wrong, because (personally) I believe that crackers, by and large, are a good thing. They find the holes the rest of the world overlooks and misses. They bring them to our attention -- often in a flamboyant manner or one that some people might consider "reckless" -- because most of the time, reporting the problem to the people who lack security falls on deaf ears.

According to those same people, CD Universe accepted the consequences of
having an insecure server. Anybody could accessed the data.
So long as the Russian Cracker was not using a password or such that he stole from someone (and using a default password is not stealing a password, since the password is public knowledge), I would concur with that. (I haven't read the details on how exactly the Russian cracked CD Universe, so I can't say that for certain, but I think this fairly well defines where I personally would draw the line).

So it must be
publicly available information then. He just published some publicly
available data.  US law doesn't apply to Russians.  The fault here is with
CD Universe for operating an insecure server.
Yes, in fact, the ultimate fault does lie with CD Universe. CD Universe compromised their users' data, not a Russian hacker. The Russian Hacker merely publicized that compromise.

There is no fault with the
guy who published the credit cards.  He is not responsible if other people
misuse that data.
Correct. In the same way that ancient Chinese scientists are not responsible if you buy an Uzi and kill someone just because they invented gunpowder. You are responsible for your own actions, just as the perpetrators of credit-card-fraud are responsible for THEIR own actions.

Wrong.  If it wasn't already clear to reasonable people, it certainly is
now.  Those people who made those stupid assertions are clearly full of crap.
I guess I'm full of crap then. It wouldn't be the first time I've been told that before, but coming from you, I feel much better now, since it now very-effectively lowers the credibility of all the rest of the people who have said that by the very nature of being lumped together with the likes of you. :)

Now what happens to the Russian ISP that refuses to shut down the site?
Yep. You guessed it.
OK, I'll bite,... what do you think happens? Do you think the FBI is going to go over there and ask the successors to the KGB (same uniform, different TLA) "pretty please can we arrest these people"? Are you really that ignorant?

I'm suspecting the answer is "nothing" will happen to the ISP, but they might volunteer to take it down for PR reasons, but not because anyone has any authority or moral responsibility to make them shut it down.

My $0.02 worth, I speak for nobody but myself.

D







Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.