Clean Needles for Hackers 373
scubacuda writes "Jon Lasser of the Register opines that we should "give up on the notion that computer security can be improved by putting more people in prison." He argues that a "harm reduction" approach (similar to that of the "clean needle" campaign in the War on Drugs) might be more productive. If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberties."
What??? (Score:3, Insightful)
Re:What??? (Score:5, Insightful)
It depends on what is defined as a crime, and what the punishment is.
Law is all about drawing lines - what is acceptable and what isn't. At what point does a particular act become unacceptable. If, for instance, saying things that were "unamerican" became a crime, then that would clearly be a reduction in our civil liberties.
Re:What??? (Score:5, Insightful)
That's exactly the sort of thinking that got us into this mess of huge, bloated, corrupt, oppressive government in the first place -- the idea that government's function is to tell us what's "acceptable" and what's not. The idea that government -- or a majority -- knows what's best for an individual better than the individual themselves. This is a very dangerous mode of thinking.
Government's function is to protect us against the initiation of force -- to secure our property rights. Everything beyond that is arbitrary by definition, and necessarily screws over somebody for the benefit of somebody else.
There are no natural property rights. (Score:4, Insightful)
Now, let's say each person carries a Law Giver weapon, which is perfectly effective, but only when defending natural property. In these situations who will the weapon side with?
Territory - claimed, defended, and expanded by violence and threat of violence - is natural. Claiming territory can be an act of aggression against the common welfare. Property is territory formalized with artificial rules. Rules for transactions of existing property might be considered natural and simple, but rules for the origin of property are entirely arbitrary. No matter how far down the chain of "natural" voluntary transactions, it is anchored in and tainted by an artificial and arbitrary government decision about the allocation of natural capital.
This is how, "securing your property rights screws over somebody for the benefit of somebody else" is true. It's not all of the picture, but it's a significant part of it. Defending the fruitbaskets of the man who runs out and picks all the fruit before anyone else can get to it screws over those who would have picked it themselves. There isn't one man in ten who'd agree that a just government would give this opportunistic weasel exclusive rights to nature's bounty in this situation.
Government's core function is not to secure "natural property rights." It is to minimize violence by easing the pressures that promote it. A large part of this is encouraging stability and voluntary interactions, but it's not the only part. Government is a balancing act, a series of compromises, and couldn't work according to simple, inflexible rules.
Re:What??? (Score:5, Insightful)
Spending $10k to have someone go to AA to treat his alcoholism is a whole lot less than the $40k/year when he's in jail after beating his wife in a drunken rage, no?
Same idea here. You prevent the ability to commit a crime, and it can't happen (or the results are less severe). If you let them happen, you oftentimes get an overreaction from the authorities.
Re:What??? (Score:2)
Re:What??? (Score:3, Insightful)
No. This way leads to madness. This is how police states get started. If we had armed guards and cameras on every corner, I'm sure there would be less violent crime, but I wouldn't want to live here. The best defense to lower crime AND protect liberties, is to have STRONG deterrents to committing crime. The problem in modern America, is that if you commit a crime, even if you're caught, likely you won't serve ve
Re:What??? (Score:5, Interesting)
America imprisons a higher percentage of its population than China, Saudi Arabia or Syria.
One in four young black males in America has served time in prison.
Yet people still believe America has a "wussy" legal system and that imprisoning more people will help reduce crime.
Re:What??? (Score:5, Insightful)
Define "crime" as "harm to society" and you start to see that many of the "crimes" on the books are not true harm, but rather annoyances on the order of "disturbing the peace." The thicker the statutes become, the more likely you will run afoul of them. (Some people claim that LEOs like this, because it lets them engage in selective enforcement to punish those people doing things said LEOs don't like.)
"I didn't know about that law!" is not a defense; as you pile on more laws, though, the chance that you didn't know about that law rises to unity. Using firearm laws as an example, the laws on the books since we were children were not being enforced, so the "popular" answer was to pass new laws! Some of those new laws made sense, some of them just warmed over what was already on the books.
The problem is that a legislature is sorely tempted, at some point, to stop telling us prohibitions and start telling us permissions. At that point, civil liberties are out the windows.
Re:What??? (Score:3, Insightful)
No, that's not why it's complicated. (Score:3, Insightful)
Making language meet an arbitrary level of prec
Re:What??? (Score:2)
I agree criminals should be punished but I also think the DMCA = BAD and hacker laws should be re-written
Re:What??? (Score:2)
That's not what this is... (Score:5, Informative)
Or, to put it another way, alleviating a symptom (rampant hacking) of a problem (programs with security holes) by actually solving the problem (using safer programming methods to close the security holes) while still punishing those who continue to try to hack, who, with these lower-level holes closed, will have to resort to higher-visibility methods where they are easy to catch using ethical (i.e. strictly-reactive) methods of law enforcement, rather than violating the rights of 10,000 innocent people for the sake of catching a single wrongdoer.
Re:That's not what this is... (Score:4, Insightful)
Seriously, the problem is not insecure systems. The problem is little fucknuts that think they have some god given right to violate my systems. There's really no comparison to be made with the war on drugs. It's much more like burglary. While the vast majority of these obnoxious little h4x0rs would never even think of robbing a bank or burglarizing a house, breaking into a computer is easy to rationalize because they don't see the damage that they're doing (and the odds of getting caught are low).
Solving the problem does not mean closing the security holes, although that should be done. Solving the problem means dipshits don't try to hack.
Re:That's not what this is... (Score:3, Interesting)
Amen. I'm in the middle of cleaning up a number of servers that got r00ted due to compromised user accounts. Could we have prevented this? Maybe. Does this excuse the hacker? No. I would castrate the little shit in a second if I had the opportunity. The fact that he's from some godforsaken third-world nation means we'll probably never find him, though.
I read an article the other day about some kid who'd
Because a stupid law can have side effects... (Score:2)
A recent example is the Computer Decency Act. The reason the US Supreme Court shot it down was not because pornography is good but because they didn't want to turn the internet into a reading room for kindergartners.
I wasn't happy with the wording of the article even though I agree that throwing people in prison doesn't actually work. Better wording would have been that companies should take responsibility for their own security.
Doesn't make sense... (Score:2, Insightful)
Whatever. I do support using better security on everything though. But it can, and will be cracked if someone really wants to do it.
Re:Doesn't make sense... (Score:2)
This, in contrast to locking up 18-year-old Bobby Smith indefinitely for circumventing his high school's NetNanny.</exaggeration>
Re:Doesn't make sense... (Score:2, Flamebait)
As long as it's legal to hack your own property then there's no problem.
I think this article should be -1 Flamebait.
Re:Doesn't make sense... (Score:3, Interesting)
"It's an approach that acknowledges the reality of drug abuse, and seeks to reduce the dangers posed by those drugs, both to the users and to society at large."
Replace "drugs" with "hacking", or $BADSTUFF. Let people retain some liberty; don't punish the crime (so much anyway), but make the problem caused by the "crime" obsolete.
OS Enhancement? (Score:2, Informative)
UML (Score:5, Informative)
Re:UML (Score:3, Insightful)
You either design for security or you don't. The first method takes longer, is more costly and requires better designers/programmers. It's not really that amazing to notice that it's a cost/value tradeoff.
Re:UML (Score:3, Insightful)
Riiiiight... (Score:3, Insightful)
Also, we're going to stop rape by having everyone wear chastity belts.
Re:Riiiiight... (Score:3, Insightful)
Re:Riiiiight... (Score:3, Insightful)
Re:Riiiiight... (Score:5, Interesting)
gspr, this is reality calling, do you copy?
The only way to make an un-hackable system is to remove power, and bury it in a mile of concrete, and even then it's questionable. If you leave any shred of functionality it's going to have a hole somewhere, even if it is between the chair and the keyboard. This is like the whole quest to make a system have 100% uptime, the first 99% is easy, after that it gets exponentially harder and more costly.
Personally, I don't think jail-time is much of a deterrent for malicious hacking. I'd love to see us institute caning or some such other non-permanently damaging forms of punishment. Might work for other crimes as well say vandalism, or drunk driving (though, this should be a capital offence anyway, but I digress.)
While prevention is nice, and giving the script kiddies something better to do with their time and abilities would be a good idea, it should be made painfully clear to them that stepping over the line will not be accepted in society.
The idea is simple, and has a point (Score:2, Insightful)
Re:The idea is simple, and has a point (Score:3, Insightful)
Re:The idea is simple, and has a point (Score:4, Insightful)
Unethical hackers would have everyone believe that it is the system owner's responsibility (in home terms, again, to belabor the analogy) to not only lock the doors, but bar the windows, reinforce all the walls and foundation with steel, post vicious guard dogs and security cameras at every egress, and keep an armed guard in a gatehouse at the foot of the driveway. The reality, on the other hand, is that the right thing to do is walk on by. How hard is it to leave alone what is not yours? Did we not all learn this at age, oh I don't know, three? Four?
Don't buy into the false myth propagated by unprincipled individuals that "security is solely the responsibility of the system owner." Security also means confidence and assurance, specifically the implication that one should be free from the apprehension that one is always on the verge of having one's property violated by others. We are generally free to walk the streets when and where we wish, with the concomitant responsibility that we do not trespass where prohibited by someone else's right to private property/ownership.
This doesn't mean that not locking up should be the SOP, but in our analogous world where the average person wouldn't understand how to work a deadbolt on a door (cf. Joe User's understanding of the security of Windows software on his networked home PC), the blame the owner assumes when someone takes advantage of his ignorance or naivete is minimal if not infinitesimal.
Hackers and Thieves (Score:4, Insightful)
How is this any different from a person hacking into a computer?
Re:Hackers and Thieves (Score:4, Insightful)
I think the problem here is that far too many companies have taken the approach that the path to better security is to make the penalties for "cracking" more extreme. (Remember, "Hackers" build things, "Crackers" break things)
For example, part of the DMCA increases the penalties for "reverse engineering a technology intended to protect copyrighted material". So if a company wants to use ROT13 as its security system that's fine, they just make sure anyone who cracks it gets thrown in jail for years. That is also an unacceptable solution.
So the best solution to this problem is to approach it from both sides. The crackers must be punished, but the companies owe it to their customers to try to maintain their servers in as secure a manner as they are capable of doing.
Better Security Would Help (Score:3, Insightful)
It all seems too simple. Which is why it isn't being done. Or has the beast become so large that it can no longer be controlled?
A simple view from a simple guy.
Sounds like a good idea for most of society (Score:2, Insightful)
Re:Sounds like a good idea for most of society (Score:3, Insightful)
Just to emphasise my point, how is the trial going of the Enron directors?
That's not an isolated case either - there is lots of fraud and committed by company executives, by middle-class people, and by poor people too.
The problem is not money, but attitudes towards others - generally only self-centered immature people are criminals because they think of themselves, and not their victims. Mature, well-adjusted people don'
Crazy (Score:3, Interesting)
The gene pool will always produce more hackers as it will spawn more murderers. Locking them up when they commit crimes is a punishment for them.
If we locked up all the murderers ever, would murder stop? No, a person who has never murdered anyone will commit the crime. The same is true for hacking.
How Many People? (Score:3, Insightful)
Exactly how many people have been imprisoned for breaking into computers? I don't think it's the reason the prisons are over-crowded.
Prison is part of US Policy (Score:3, Insightful)
People can be amazingly shortsighted. Though I suppose I'm being offtopic..
Re:Prison is part of US Policy (Score:2)
Screw justice, right?
Re:Prison is part of US Policy (Score:2)
Schools in Buffalo were at risk of losing their music programs. I don't know how that ended up, but I say a school without a music program is about as useful as a school without books.
Nice theory, but... (Score:2)
UML???? (Score:2)
Re:UML???? (Score:4, Funny)
Re:UML???? (Score:2)
Re:UML???? (Score:2)
Ahem. That's Unified Modelling* Language -- AFAIK it isn't in any way a markup language.
* Remove one L if outside UK
Wait a sec... (Score:5, Funny)
Is this guy on drugs? (Score:4, Insightful)
Drug addiction is a physical addiction. The idea of the needle exchange program is to prevent or reduce the spread of a FATAL disease. The purpose of the laws against needles is to cut the use of drugs, but the drugs are still illegal.
Here, this guy is proposing something along the lines of eliminating car locks so that no one will be arrested for carrying burglary tools.
Re:Is this guy on drugs? (Score:2)
No, it's more along the lines of advocating the elimination of car locks in favor of mandatory keyless entry with extra security safeguards so that no one will be arrested for carrying burglary tools.
Let me give you a good example. Say it's your job to convert documentation for your business. (It's part of mine from time to time.) A lot of that documentation comes to
Re:Is this guy on drugs? (Score:2)
No, he's suggesting equipping all cars with DNA sequencing biometric locks so that thieves can't possibly hope to ever break into a car again.
It's looney like your scenario, but the important distinction is that it's shifting all of the costs onto the victims of the crimes, meanwhile positing that every potential victim will be a victim unless they engage in the preventat
Since when? (Score:5, Interesting)
Re:Since when? (Score:3, Interesting)
Two Words for you (Score:3, Insightful)
Dmitry Sklyarov.
'nuff said.
Horrible Analogy (Score:5, Insightful)
People who use or trade drugs, on the other hand, have initiated no force. There is no breach of property rights. Drug "crimes" represent, at best, a breach of government-mandated conformity -- an "artificial crime" if you will.
To compare the two is not only illogical, but dangerously misleading.
Re:Horrible Analogy (Score:3, Insightful)
Indeed. Plus, HIV, hepatitis, other, are side effects of sharing needles whose main purpose is to get drugs into the body.
Security breaches do not occur as a side effect of cracking/hacking. They are usually the main purpose. That would be equivalent of distributing rubber knives to the criminally insane to reduce the number of victims.
Re:Horrible Analogy (Score:3, Informative)
I certainly don't regard trespass as a 'natural crime'. In the UK, it isn't a crime at all. Only if damage is caused, or the area is restricted is it a crime.
The conflict between freedom to go where you will and enjoyment of property rights has been going on for centuries, without a clear resolution. For example, at K [bbc.co.uk]
Re:Horrible Analogy (Score:4, Insightful)
That is highly debatable. I agree that hacking is not ethical, but it would be better if you dealt with it as a violation of privacy. Technically, no one ever enters your computer (assuming they don't physically come into your house and open the box) and so property law doesn't really hold true. My computer sends requests to your computer, your computer sends replies. It is the same as yelling at you from across the street. If I trick you into getting you to yell sensitive information back at me, I have not trespassed and yet I have, in a manner of speaking, hacked into you. This is not a perfect analogy, but it holds the same weight as your analogy of thinking of cyberspace as real space (and hence trespassable.) No matter what analogy you use though, hacking does not necessarily fit the old norms of property law. The fact remains that cyberspace property and real space property are fundamentally different and so you cannot simply assume that the old laws of property cover this new type of medium, especially considering that real space property laws were written to protect only real space property. As such, discussion must be held to determine how we will view this new type of 'property'. You see regulation of it as an extension of the values that influence real space property law. However, the concept of seeing regulation of cyberspace as being similar to the regulation of drugs is also a valid viewpoint. An example of such an argument would be that: hackers have chosen not to conform to the norms of what most people would consider to be ethical conduct on the net; whether this is illegal or not is as artificial as the computer networks cyberspace exists on. In the end, comparing computers and drugs is as logical as comparing cyberspace to property; if your final line holds true for one, it holds true for your comparing cyberspace to real property as well.
You, accidentally I assume, allowed your analogy of seeing cyberspace as property to cause a myopic effect that blinded you to seeing cyberspace regulation from a different viewpoint (the greatest danger of analogies.)
yeah but (Score:2, Funny)
Hackers are not dying of really horrid diseases and passing these diseases onto non-hackers, are they? Maybe we should give clean needles to the hackers, and then let the war-on-drugs folks deal with them.
Woah! Woah! (Score:2, Interesting)
-Brent
Not right, or feasible (Score:4, Insightful)
But mainly, this is simply the wrong attitude. If someone breaks into your house, it is the burglar's fault. It isn't your fault for not surrounding your house with barbed wire and a pack of rabid dogs. While I agree that penalties for hackers are often overly harsh, that doesn't change the fact that they knowingly committed a crime of their own free will, and should be punished for it. Hackers are responsible for their own actions. It's that simple.
Security increase (Score:2, Funny)
What an analogy (Score:3, Informative)
Addicts get clean needles in drug programs so they don't catch AIDS and start costing society even more.
In the case of hackers, a program on the same lines would give them money so they don't commit fraud and cost society even more.
If you wanted to find an analogy to writing more secure code in drug solutions it would be making it physically impossible for heroin addicts to take their drug (Cut their arms off? Lock them up?)
Drugs, Needles bad analogy (Score:3, Insightful)
A better analogy might be that giving up on IT security is like giving up on transportation security.
Fix the UML link... (Score:4, Informative)
Really freaking dreadful analogy (Score:5, Funny)
The 'clean needle' approach basically involves making life easier for the criminal group (drug addicts) so that they don't need to commit so many troublesome crimes -- thus making life easier for everyone.
The approach advocated in the Register involves making life harder for the criminal group (hackers) so that they aren't able to commit troublesome crimes.
There is no similarity, and furthermore, while the 'clean needle' thing is highly controversial and frequently shades into a program of government-subsidised drug abuse, writing software more securely is obviously beneficial and should be a no-brainer.
I therefore conclude, your honor, that the phrase 'clean needle' was only introduced because it's eyecatching -- perhaps because the original submitter was caught in a fringe eddy of the Really Rather Silly Field (RRSF) that usually surrounds The Register.
Duh (Score:2)
And in other news, fire is hot and the Iraqi Information Minister has been telling lies all along.
irrelevant (Score:2)
The reality is that our whole criminal justice system is badly broken
Instead of hacking (Score:2)
~S
This is stupid (Score:2)
Both of these examples interfere with normal operation - I don't want to have to make extra effort (I could be being creative in the time I have to spend on extra security) because hackers are at large.
Personal Responsibility (Score:2)
There are generally accepted coding standards out there. We all know that buffer overflows are Bad Things, yet unbounded buffers still seem to magically appear in production code. Software manufacturers should be held to the same standards as everyone else. If your failure to exercise a reasonable amount
Inappropriate Metaphor (Score:2)
The idea of a clean-needle program is to provide a safer way to commit the crime. Applied to hacking, this would be more like providing free public honeypot servers which the hackers could 0wn to their heart's content.
Closing the security holes -making it impossible to hack- would be more like actually eradicating the drugs themselves. Worthy goals in both cases, I think, but it means that the analogy is more like the current War on Drugs than the idea of clean-needl
Path of Least Resistance (People) (Score:2, Informative)
If you lock your systems down tight, you still have to worry about social attacks. Unless something is done, social engineering will always be one of the most effective, least difficult methods for gaining access.
One of the biggest needs of improvement is in employee education. Most people just do not understand why the password "Snoop
Completely Inappropriate Analogy (Score:2)
This is really nothing more than increased security and good programming practices. It's watching your back. That's it.
That said there's a lot to what we in IT should be doing to make the world a safer place. But we can do it without lousy analogies.
disturbing trends (Score:5, Insightful)
Come on Americans, what's happened to you recently? Where's your spirit gone? The spirit of justice, fairness, freedom? Is it right that teenagers get sent to jail for "hacking" when the state of IT security is so poor? If your bank left sacks of money outside its doors, when they got stolen by a couple of kids would you think it was the kids who were guilty of a crime, or the bank?
In the old America, the kids would get a stern telling off and the bank manager would be accused of negligence. These days the kids would be looking at a long jail sentence, and the bank would be pressing the government to pass laws waiving them of any responsibility.
Re:disturbing trends (Score:4, Insightful)
That was a good question, and you were doing fine up until
> when the state of IT security is so poor?
Where on earth did you pick up that warped morality? Surely we don't have to explain what is wrong with "I didn't rape her, she was (drunk/dressed provocatively/in the wrong area/whatever)"? Although the gravity of the offences are on completely different levels, there is no difference in the crassness of the proposed defences.
Re:disturbing trends (Score:3, Insightful)
Wait a minute, Sparky, your analogy isn't working. I agree that not relying on security-friendly tools is almost criminally naive, but let's review for a minute.
It's not like kids get on their computers, log into AOL, and suddenly find themselve
Sounds like "It's the victim's fault" (Score:2, Insightful)
If we, say, wrote in safer programming languages, used tools like Immunix's StackGuard, ProPolice, or OpenBSD 3.3, chroot and UML, we could reduce the damage a malicious hacker might do without damaging our civil liberties.
Hmm... why does this sound like "it's the victim's fault"? C'mon! Nobody would say that to a woman who was dragged into an alley, beaten and raped.
If anything, it seems to me that prison time puts out a loud and clear message to crackers that what they do is indeed a crime and wil
The problem... (Score:3, Insightful)
is not the hackers. Or viruses. Or trojans. Or bugs. It's the money.
Most software still is proprietary and someone wants to make money with it. So he wants to see it protected. He doesn't want his software to be secure since that costs money. Having someone thrown into jail costs less money, so that's the preferred way.
At least this is my experience with the thoughts of suits. Many think of software like it would be, say, a car: with enough brute force you can get into any car you like easily. They don't realize that this is not how software works. You don't hack software (i.e. servers) by using brute force attacks but by cleverly exploiting weak spots, like the lock or the window seal.
But since many suits don't get this they think no matter what, their software can be hacked by Joe Average and thus that they need fierce laws that prevent them from doing so instead of securing their software in the first place.
Living in a high-crime rate city... (Score:2)
That's about the view presented
Exercise your digital immune system (Score:3, Insightful)
Picture your computer as your faithful dog, man's best friend.
Now say your neighbor has one too.
Your neighbor lets his dog run free, and it tends to play in the local junkyard, picking up god knows what.
You on the other hand, keep your dog nice and sheltered, only letting it outside on a leash when you walk it.
Now which dog do you think will have a more robust immune system, if they both get sick which is more likely to survive?
The septic environment that is today's internet forces us to make decisions that increase security, strengthening our digital immune systems.
Imagine if there had been far less malicious hacking over the last decade or so. Imagine a world where there are no effective anti-virus programs because there are no particularly effective viruses. Where all those security holes we've read about over the years are still exploitable because we never found out about them the hard way.
Now imagine how vulnerable such a world's systems would be if some person or organization decided to try to take them down.
Phooweee (Score:2)
I liken this to the current state of American jails. People are always complaining that we have too many people in jail, and
Corporate sites need corporate security but (Score:2)
Back in 1984 I was working on a source store that I tied into the project management and then I was able to restrict the mainframe's compiler to only accept source from the machines of the guy who was supposed to be working on it.
Even then it went to UT, QA, SIT and finally production. The source and destination environments were set by the workflow NOT developer and depended on who was requesting the compile.
If you weren't supposed to be working on a program,
True (Score:2)
From the article:
Most individuals can control themselves, but there is a substantial group of people for whom no legal penalties will be enough to discourage their behavior.
That's true of every crime I can think of. That's why we like to keep people who have demonstrated that legal penalties don't discourage them in prison, where they can do no further harm. Legal penalties may not always be a deterrent to crime, but they sure as hell can be an impediment to it.
Different Camps (Score:2)
Right... (Score:4, Interesting)
Where this all gets hazy and crazy is when people with wide-open systems can prosecute someone for "hacking" them when all they did was walk in through an open door. Open doors are good for public places; if you don't want your computer systems to be public, don't allow it. Put a lock on it. If someone breaks and enters, that's prosecutable. But that should be the line drawn.
What we need is for the law to say that an open door is good as an invitation, but that breaching a locked door with a sign on it that says Authorized Access and Use Only is a criminal offense -- the equivalent of trespassing, breaking and entering, robbery, or destruction of property, as is appropriate to what actually takes place.
Of course... (Score:3, Insightful)
And not having 10' high barbed wire fences around your property is invitation to trespass.
Just because someone should know better than to leave things open does not lessen the crime at all. The intent of the transgressor is important however. If the trespass or computer intrusion was accidental, then that's different but if the transgressor's intention was to hack the computer, it doesn't matter if they broke a 128 bit key or tapped the spacebar twice.
Responsible development? (Score:3, Insightful)
You're saying that developers should take responsibility for what they write to ensure it's secure? You're kidding, right? I mean, who the hell wants to be responsible in this day and age?
This kind of thing will never happen because businesses (plenty of them out there that would rather sue than write solid code) are too lazy. I've been told "secure code doesn't make business sense -- it costs money".
Question: when a company/whatever gets hacked, who handles the prosecution? Do you just turn it over to the FBI and they go and nail the little bastard? If that's the case, what this story discusses will never happen.
Comment removed (Score:3, Insightful)
Ah, more false logic (Score:3, Insightful)
so we're asking for it? (Score:3, Insightful)
"You used Windows, it's your fault your server was hacked. You should only use XXX."
"She was wearing a sexy blouse, she was asking to be raped. Women should only wear burkas."
"You left your car door unlocked, you were asking for it to be stolen. Everyone should lock their car doors and buy a Club (tm)."
If you want to use the clean needle program as an analogy, what we should do is provide public honeypots for people to test their skills against. Something along these lines:
"Hey Kids, try and crack Kevin Mitnick's computer. This is a special setup for you to test your skills against."
"It's the Call Captain Crunch from the Vatican challenge! Captain Crunch has enabled caller id on his phone. Your job is to determine the Pope's private phone number and get it to appear as the originating phone number on the good Captain's caller id box."
But vandalism, and that's what we're talking about here, is different than drug use. Drug use is at its most basic, a crime against yourself. A consensual crime. Yes, addicts steal and kill, but the act of taking the drug itself only harms the user. That's why drug give away programs are supposed to work -- they eliminate the addict's need to commit a crime to feed the habit.
People in IT, especially consultants won't like to hear this, but if you hire a consultant to manage your server and it gets broken into, you should go after both the criminal for the vandalization and the consultant for malpractice. Madonna should have a cause of action for malpractice against whoever designed her site so poorly that it was easily cracked. And the vandal, like all vandals, should be punished.
An analogy from the "real world" (Score:4, Insightful)
To me this is like responding to a rise in shootings by decriminalizing assault with intent to kill, and instead demanding that doctors and paramedics do a better job.
Whose definition of computer security? (Score:3, Insightful)
The big thing to me is whose definition of computer security are we going to use? I think there's a big difference between hacking into somebody else's system and destroying things, and reverse engineering something to work better or downloading a software crack. However, in the eyes of the government, and their new tough on computer crimes approach, this can be treated as practically the same thing!
Re:That's all well and good (Score:2, Interesting)
Re:That's all well and good (Score:2)
Re:That's all well and good (Score:2)
Re:Necessity the mother of invention (Score:2)
In other news, burglars will now be awarded medals instead of being punished, in recognition of their role in promoting the development of better locks...
Re: safer programming languages?? (Score:2, Insightful)
There's also a difference between local denial-of-service (claiming all memory in an applet) and a full-access break-in (administrator privileges via a buffer-overflow).
Re:Yeah lots of people think they can write in C (Score:3, Funny)
((EvilClass)evilpointer)->do_evil_stuff();
}
Economics, externalities and tool building (Score:3, Interesting)
A lot of people like to blame wizards that can generate little apps for you in a hurry. They discourage a really deep understanding of the code. True enough, but it isn't the root of the problem. That is one facet of the fact that the barriers to entry into programming are trivial. You can buy a PC, even retail, with off-the-shelf shrink-wrapped development tools for under $1K these days. Even that isn't the problem.
The prob