Phillip Hallam-Baker <hallam@ai.mit.edu> writes:
Attila T Hun <attila@primenet.com> writes:
I never promised any sabateur that I would keep any secret of theirs. I have worked with law enforcement and the security services for many years. If I catch someone damaging my property or property I am responsible for I call the authorities.
You know, Phill, life is not black and white. Let's say for the sake of argument that you are admin for a system which is based on the security of MD4. Then along comes Boesslaers and co, and trashes it. You going to call for him to be locked up? How about if someone then uses this new cryptanalysis to write some code which demonstrates the weakness... do you figure they should be locked up for demonstrating the flaw. (Note they haven't gone within a mile of your precious systems). How about if some cypherpunks used this code to demonstrate that they could decrypt something which was encrypted by a webserver running on a machine you are admin for. Should these cypherpunks also be locked up? Perhaps those of us who spent some time a couple of years back trashing Netscapes browser and server security in various ways should be grateful that the people at Netscape were a a lot less closed minded than yourself. Let me guess .. your response to the demonstration code showing how to exploit the RNG seed flaw Goldberg & Wagner found in netscapes browser would be ... "lock them up?" Jeeze ever heard of "Kerckhoffs principle?" I can assure you that kerckhoffs principle applies doubly to infowar attacks, a hostile foreign government is hardly going to be cowed by your suggestion that you will call the feds if anyone breaks anything you've got anything to do with. I can see it now, Sadam Hussien's hired system-crackers, his inforwar attack team, will really be quaking in their boots, "better not trash US internet infrastructure -- that brit Phill Hallam-Barker guy will narc us out".
If someone is breaking into a bank and someone recognises the theif thats not a snitch, thats a hero.
Uh, ok.
I believe that people who do bad things should go to prison.
Personally I would rather see murderers and rapists locked up than teenage recreational crackers who go around breaking into poorly maintained systems for the challenge, but break nothing. Malicious hacking (breaking and rm -rf'ing the disk) is poor form. The correct method of informing people of flaws you happen across is to tell them. People involved in system cracking do so at their own risk, but don't over-react man. I'm kind of wondering if _you_ as the security person who was responsible for security at the site, feel no responsibility to secure your systems. ("Oh don't worry about security, if anyone breaks in we'll call the feds").
I completely reject your pseudononymous attempt to posit that there is a 'them and us' and that I somehow have a responsibility towards anarchist thugs. When you grow up a bit you will learn that the real world is not like your high school.
I would hardly describe a bit of cryptanalysis of infowar risks as the work of `anarchist thugs'. Applying said cryptanalysis to in practice take out root DNS might not be such a friendly thing though. But hey, if someone does it, the real people to blame are Freeh and co for hindering use of crypto techniques to protect the infrastructure.
People depend on infrastructure. Lives depend on it.
If people are depending on the internet for mission critical information, of the sort where people will die quickly if information isn't getting through, they need their heads examining. If they have been advised to use the internet for this kind of information they need to get better advice.
If people screw it up someone is likely to be killed. Freeh will have a party. Indeed its the sort of thing Nixon might have done on purpose to take advantage of the backlash.
Uhh... could you explain the logic there a bit please? Someone demonstrates that there is a flaw in some internet protcols. The flaw in the protocols is that there is no cryptographic protection against DoS attacks. Freeh will use this to show what? That they need laws to ban domestic use of crypto meaning even less protoection against DoS attacks? I would kind of hope that the military folks into infowar would speak up and say that more crypto must be used to protect against this type of attack. Adam -- Now officially an EAR violation... Have *you* violated EAR today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`