CDR: Re: AT&T signs bulk hosting contract with spammers

On Mon, 6 Nov 2000, Tom Vogt wrote:
Jim Choate wrote:
but on the other hand, we *do* want to keep cracking legal (at least to some extent) because otherwise what is left of security in cyberspace will quickly vanish into oblivion, right?
What security? I've never had or made any claims that cyberspace was secure. Even in its nascent days.
you're right. that's why I said "what's left of it".
But if it wasn't ever there how can there be any left of it?
Are you possibly confusing 'privacy' (which has the same issue) and 'security'?
no. the argument is: if you make probing illegal, we'll see even more (and *much* more) "security through obscurity" - because figuring out that this crap is insecure will land you in jail.
Going to jail won't stop anyone from figuring it out if that's what they want. I would be so bold as to suggest that if they make it illegal then you'll see a significant rise in the behaviour, along with increased use of anonymous remailers and Open Source software that can be kludged.

____________________________________________________________________

He is able who thinks he is able.

                                       Buddha

The Armadillo Group       ,::////;::-.          James Choate
Austin, Tx               /:'///// ``::>/|/      ravage@ssz.com
www.ssz.com              .',  ||||    `/( e\     512-451-7087
                         -====~~mm-'`-```-mm --'-
--------------------------------------------------------------------

On Mon, 6 Nov 2000, Jim Choate wrote:
On Mon, 6 Nov 2000, Tom Vogt wrote:
no. the argument is: if you make probing illegal, we'll see even more (and *much* more) "security through obscurity" - because figuring out that this crap is insecure will land you in jail.
Going to jail won't stop anyone from figuring it out if that's what they want. I would be so bold as to suggest that if they make it illegal then you'll see a significant rise in the behaviour, along with increased use of anonymous remailers and Open Source software that can be kludged.
I have been thinking about the DMCA recently, in respect to the limited ability granted to researchers for analysis of security protocols. I doubt we'll see a significant rise in the reverse engineering of security protocols. We *will* see a rise in the use of anonymous remailers to reveal vulnerabilities, but overall, I think that such research will decrease.

Would GSM have been broken if the researchers couldn't have taken credit for it? Inside the NSA it would have been, surely. But where is the incentive for private researchers to attack these protocols if they can't take public credit for their work? The allowances that the DMCA makes for academic research are not sufficient to continue to provide motivation for such research. Which is exactly what the manufacturers want: security through obscurity, and obscurity through legality.

Alex

On Mon, 6 Nov 2000, Alex B. Shepardsen wrote:
Would GSM have been broken if the researchers couldn't have taken credit for it?
Yes. There would have been a very increased motivation for doing so by many groups who would benefit from being the only party who had the information. Profit is a strong motive.

On Mon, 6 Nov 2000, Jim Choate wrote:
On Mon, 6 Nov 2000, Alex B. Shepardsen wrote:
Would GSM have been broken if the researchers couldn't have taken credit for it?
Yes. There would have been a very increased motivation for doing so by many groups who would benefit from being the only party who had the information.
Ah, but would you or I know that it had been broken? You've missed my point, Choate. Public disclosure of security vulnerabilities happens because of researchers and groups who work for recognition.
Profit is a strong motive.
If people cannot gain recognition for having broken a system, they will not profit from revealing that said system is broken, unless perhaps they are the developers of a competing system. So, perhaps Sprint or AT&T or one of the CDMA/TDMA cell network providers would have put researchers on the problem of breaking A5/1... but who else would have had the motivation *and* would benefit from the public knowing that it wasn't secure? And besides, I think it would probably have been less legal for Sprint to reverse-engineer GSM than the SDA/Berkeley folks.

So my point stands. Systems will still be broken, but will be broken by the "bad guys" and the public will not be notified.

Alex

On Mon, 6 Nov 2000, Alex B. Shepardsen wrote:
On Mon, 6 Nov 2000, Jim Choate wrote:
On Mon, 6 Nov 2000, Alex B. Shepardsen wrote:
Would GSM have been broken if the researchers couldn't have taken credit for it?
Yes. There would have been a very increased motivation for doing so by many groups who would benefit from being the only party who had the information.
Ah, but would you or I know that it had been broken?
That's exactly where the value comes from and why clandestine groups in that environment can find funding for such adventure. In a more open market it isn't worth the hassle, just become an investor in the venture or commit industrial sabotage. Let them do the work, you reap the benefit. In an environment where nobody is supposed to have it then anybody is on top.

Remember... In the land of the blind, the one-eyed man is king.

On Mon, 6 Nov 2000, Jim Choate wrote:
no. the argument is: if you make probing illegal, we'll see even more (and *much* more) "security through obscurity" - because figuring out that this crap is insecure will land you in jail.
Going to jail won't stop anyone from figuring it out if that's what they want. I would be so bold as to suggest that if they make it illegal then you'll see a significant rise in the behaviour, along with increased use of anonymous remailers and Open Source software that can be kludged.
My personal opinion is that if the Government(tm) wants to make security illegal, then they should suffer for their actions.

The research will go on, no matter what. Making it illegal is not going to stop human curiosity.

What I think should happen is that anyone in the security industry should refuse to help the feds in any form. They should not help them secure their systems. They should not let them have access to their ftp servers. (Hosts.deny is your friend.) They should let them feel the pain of their stupidity. And after they get rooted by the script kiddies for the millionth time, maybe they will get a clue and allow people to find and fix the holes without having to worry about the feds carting off every thing they own.

Making security work illegal is a BIG hint that they do not like security. I certainly won't work with someone who holds a grudge against me. Neither should anyone else.

alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
"In the future, everything will have its 15 minutes of blame."
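The "Hosts.deny is your friend" aside refers to TCP Wrappers (tcpd/libwrap), whose access decision is made in a fixed order: hosts.allow is consulted first and a match grants the connection, then hosts.deny and a match refuses it, and a client matching neither file is let in. The following evaluator is an added example written for this page, not code from the thread or from any of its participants; the two sample files are constructed, only a subset of the real syntax is modelled (daemon lists, ALL, net/mask patterns, trailing-dot prefixes, EXCEPT), and the function names are the example's own.

```python
"""Toy evaluator for TCP Wrappers hosts.allow / hosts.deny semantics.

Added example, not code from the original thread. It reproduces tcpd's
decision order: hosts.allow match -> grant; hosts.deny match -> refuse;
no match in either file -> grant. Only a subset of the real syntax is
handled; the sample files below are constructed for the example.
"""
import ipaddress

# Constructed sample: default-deny, with one network allowed to the FTP
# daemon (minus one subnet) and one prefix allowed to sshd.
HOSTS_ALLOW = """
# hosts.allow -- consulted first; a match grants access
vsftpd: 10.0.0.0/255.0.0.0 EXCEPT 10.99.
sshd: 192.168.1.
"""

HOSTS_DENY = """
# hosts.deny -- consulted second; a match refuses access
ALL: ALL
"""


def _parse(text):
    """Return (daemons, clients, exceptions) tuples from a wrapper file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":", 1)[0]           # ignore an optional shell_command field
        allowed, _, excepted = clients.partition(" EXCEPT ")
        rules.append((daemons.split(), allowed.split(), excepted.split()))
    return rules


def _host_matches(pattern, addr):
    """Match one client pattern against an IPv4 address given as a string."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if "/" in pattern:                            # net/mask form, e.g. 10.0.0.0/255.0.0.0
        net, mask = pattern.split("/", 1)
        try:
            return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):                     # leading-octets prefix, e.g. 10.99.
        return addr.startswith(pattern)
    return addr == pattern                        # exact address


def _rule_matches(rule, daemon, addr):
    daemons, clients, excepted = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    if not any(_host_matches(p, addr) for p in clients):
        return False
    return not any(_host_matches(p, addr) for p in excepted)


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: allow-file match grants, deny-file match refuses, else grant."""
    if any(_rule_matches(r, daemon, addr) for r in _parse(allow_text)):
        return True
    if any(_rule_matches(r, daemon, addr) for r in _parse(deny_text)):
        return False
    return True   # neither file matched: the connection is permitted


if __name__ == "__main__":
    for d, a in [("vsftpd", "10.1.2.3"), ("vsftpd", "10.99.0.1"),
                 ("vsftpd", "203.0.113.5"), ("sshd", "192.168.1.7")]:
        print(d, a, "allowed" if access_allowed(d, a) else "denied")
```

Two things the example makes visible that the one-line aside does not: an empty hosts.deny is not a deny-all (a client matching neither file gets in, so the `ALL: ALL` line is what actually closes the door), and an EXCEPT clause in hosts.allow does not refuse anything by itself, it only drops the client through to hosts.deny. The practical caveat is that both files only govern daemons that consult libwrap or run under tcpd/inetd; a service that does not link against it ignores them entirely, so a default-deny posture should be verified against the running daemon rather than assumed from the file contents.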

At 09:47 PM 11/6/00 -0500, Alan Olsen wrote:
Going to jail won't stop anyone from figuring it out if that's what they want. I would be so bold as to suggest that if they make it illegal then you'll see a significant rise in the behaviour, along with increased use of anonymous remailers and Open Source software that can be kludged.
My personal opinion is that if the Government(tm) wants to make security illegal, then they should suffer for their actions.
The research will go on, no matter what. Making it illegal is not going to stop human curiosity.
Come on, we all know US neurosis covers all the globe...

Jim Choate wrote:
you're right. that's why I said "what's left of it".
But if it wasn't ever there how can there be any left of it?
there always was security. just never enough to make a difference in the total sum. but it's not like *every* machine on the net is wide open.
no. the argument is: if you make probing illegal, we'll see even more (and *much* more) "security through obscurity" - because figuring out that this crap is insecure will land you in jail.
Going to jail won't stop anyone from figuring it out if that's what they want. I would be so bold as to suggest that if they make it illegal then you'll see a significant rise in the behaviour, along with increased use of anonymous remailers and Open Source software that can be kludged.
there's a lot of people who couldn't care less. however, there are also a couple of people who do care. for example, I have occasional sysadmin-to-sysadmin contacts along the lines of "hey, by accident I found that on your site..." - that would definitely not work as well if by pointing out some config error to the guy running the site you risk that if he's an asshole you're in a lawsuit.
participants (5):
- Alan Olsen
- Alex B. Shepardsen
- David Honig
- Jim Choate
- Tom Vogt