
It really depends how the engineered "infowar disaster" is presented in the press, ranging from say:
Dr Adam Back, a computer security researcher at Exeter University highlighted a fundamental weakness in DNS security which he demonstrates can be easily exploited. "This is entirely avoidable", said Back, "the only reason that global infrastructure is left vulnerable, is that the wire-tapping extremists and intelligence special groups are being allowed to jeopardise national security to protect their jobs in their now redundant function in a post-cold war era."
Unfortunately I don't think the above is true. The secure DNS specs have been circulating in a serious way for about three years. The main impediment to implementing them has been the time taken to completely rewrite the existing BIND code to make it work. Unfortunately the design of DNS does not encourage good coding practice. The easy way to implement it is to send out your request independently of processing the reply. One might possibly argue that the D-H patent has held matters up or that the FBI has generally intimidated people. I don't think this is actually the case however. Certainly Jeff Schiller, the IETF security director, has not been intimidated; he has been handing out PGP to all comers for some time.

An anonymous cypherpunk took down half of the internet yesterday, with an estimated loss to business of $50 million. The cypherpunk hacker terrorist issued a manifesto claiming that his motives were to highlight insecurities in the DNS. Whether his motives were pure or not, the incident does highlight the vulnerabilities in our infrastructure, something infowar researchers have been arguing.

And which do you think is going to get published?

Declan might possibly put the second story in rather than the first (but I would not count on it). But after his editor was finished with it, it would be more like the second.
either one I can't see getting me or anyone else in trouble.
Not unless you or they get caught.
The guy who wrote the SYN flood attack is none the worse for wear; it was released in a Phrack article, and I don't think there was any secret as to who authored the software.
Some of the people who downloaded and used it are in big trouble though.
I suspect I'm not the only person on the list who is responsible for a service that is a regular hacker target. If I catch someone I really don't care what the motive for the attack was. I'm going to look to make that person serve jail time.
Your argument seems to be that if you legislate against OS bugs, that they will go away.
That is not what I said. And in any case you probably would not be continuing the meme that reaction is useless if you knew the origin. All O/S inevitably have bugs. There is nothing that can be done about this in most cases. Many vendors simply don't give a hoot about fixing bugs. Two years ago Sun delivered a machine to me with a version of the O/S that didn't recognize the sound or video card. That was a standard package, completely current O/S and broken out of the box. Didn't strike them as the wrong approach. Nothing I could do but never buy from them again. If there is a bug in the O/S and the manufacturer is not interested in fixing it my *only* recourse may be to persecute the perpetrator of an attack. That is not my FIRST choice, but it is a choice. Also most of my systems are designed to give warning long before an attack succeeds. I don't trust the clowns who put UNIX together all that much. If there is an attack I want to know as soon as possible and respond by removing the threat as soon as possible. I'm not complacent enough to put my trust in the O/S.
I would point out that the hackers who change your web page, or exploit OS bugs for which you haven't applied patches, and send you taunting messages telling you what's wrong with your setup, are probably doing you a service.
If I want such a service I will ask. I built a burglar alarm into the system. If it goes off I assume that someone is robbing the bank. I don't care what their motives are or were; even if they are able to prove them they can tell them to the judge, I am simply not interested. If someone sets off the alarm it costs real money to react. Probably in the tens of thousands of dollars.
If you have something of real value to secure, you'd rather know about it from a few harmless hackers, than an industrial spy who takes the farm, and covers up his tracks so well that you don't even notice.
At present there aren't any secrets on the machine (with the exception of some heavily encrypted signature keys). In fact the purpose is to distribute information. All the logs could be obtained under FOIA in any case. The sole concern in the risk model is reputation capital. If the machine is compromised it is front page news. I want to ensure that does not happen. I am simply giving fair notice that I do not consider any attack 'friendly' and that I will react with the maximum force available to me. I have good reasons for this policy and they have nothing to do with complacency.

Phill