Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Immunizing the Internet

ScuttleMonkey posted more than 8 years ago | from the shot-in-the-keister dept.

181

jonny4001 writes "The Harvard Law Review has published a student-written article that argues that hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"

cancel ×

181 comments

Sorry! There are no comments related to the filter you selected.

IMMUNIZE this (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15604165)

...... 0 ......
a h yf g t

First post! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15604166)

FP!

Finally! (5, Funny)

Anonymous Coward | more than 8 years ago | (#15604176)

Totally telling the FBI slashdot said it was 'ok'.

Wow! Who knew? (5, Funny)

Heavyporker (922078) | more than 8 years ago | (#15604177)

Darwin operates perfectly online! Now all we need is to set up the digital version of the Darwin Awards. Now, granted, idiot users aren't permanently removed from the gene pools, but if they ram enough computers into the dirt, they'll be dirt-poor and thus unsuitable as mates, hence they won't reproduce. Right?

Re:Wow! Who knew? (4, Insightful)

Tatarize (682683) | more than 8 years ago | (#15604202)

It turns out while your a child, you will turn out better if you touch everything and pick your nose and eat your buggers.

In general being exposed to a lot of germs (typically harmless) trains up your immune system. buggers catch a lot of local bacteria and allows for exposure in a safe and weakened form.

-- Just because it's correct. Doesn't make you want to do it.

Re:Wow! Who knew? (1)

nacturation (646836) | more than 8 years ago | (#15604314)

It turns out while your a child, you will turn out better if you touch everything and pick your nose and eat your buggers.

While it may be safe to eat those who bug you, you may instead try eating your boogers.
 

Re:Wow! Who knew? (1, Troll)

Ohreally_factor (593551) | more than 8 years ago | (#15604452)

I was under the impression that buggers was a verb, implying that it was healthful for a child to perform oral sex on a person who performs anal sex on him or her. Unless the poster meant burgers. Who knew that eating fast food could be healthy?

Re:Wow! Who knew? (1)

ndg123 (801212) | more than 8 years ago | (#15604320)

Buggers ? I thought the term was boogers (USA) or bogies (UK). Buggers has a ahref=http://dictionary.reference.com/browse/bugge rsrel=url2html-19225 [slashdot.org] http://dictionary.reference.co m/browse/buggers> somewhat different meaning where I come from. Apologies in advance if I'm just not familiar with your local dialect. Mind you, much of your post may still be true.

Duh should have previewed (1)

ndg123 (801212) | more than 8 years ago | (#15604329)

Buggers ? I thought the term was boogers (USA) or bogies (UK). Buggers has a http://dictionary.reference.com/browse/buggers [reference.com] some what different meaning where I come from. Apologies in advance if I'm just not familiar with your local dialect.
Some of your post may still be true.

Re:Wow! Who knew? (2, Funny)

Mark Hood (1630) | more than 8 years ago | (#15604382)

Yeah, but you just try going around sneezing on babies....

Mark

Re:Wow! Who knew? (1)

dnoyeb (547705) | more than 8 years ago | (#15604406)

Heh, try saying that in England.

To the point, children may be stronger for this, but its increasingly a problem for adults having petri dishes running around.

Re:Wow! Who knew? (1)

JonathanR (852748) | more than 8 years ago | (#15604449)

You only eat buggers in Germany [wikipedia.org]

Re:Wow! Who knew? (2, Insightful)

Joebert (946227) | more than 8 years ago | (#15604278)

hence they won't reproduce

Don't bet on it.

The well is poisoned. (5, Interesting)

argent (18001) | more than 8 years ago | (#15604178)

More than a quarter of a century ago I inadvertently found a hole in a UNIX based bulletin board system, went in and fixed the code, called the operator to tell him what I'd done and how to fix the rest of the problems, and ended up with a series of contracts.

A few years later I wouldn't have considered it. People who'd not done much more had spent time in court and been threatened with jail. Not much later, you had people actually doing jail time for simply "knocking on doors".

What happened?

The whole "ethical intruder" meme had spread, and people had started cracking into systems and then claiming they were just "rattling doorknobs" to "help security". Of course you couldn't tell an "ethical hacker" from a crook, and the crooks could claim they were just trying to help.

It's the "ethical hackers" themselves that have made it impossible for this kind of activity to be condoned.

Re:The well is poisoned. (4, Interesting)

Xugumad (39311) | more than 8 years ago | (#15604263)

I think also, as systems stop being maintained by one person, and are covered by a group, it has become a lot less easy to simply go "Ah, they meant well, I'll just ignore it". Instead, the entire group has to come to a decision, and no-one wants to be seen as lazy at maintaining security.

I've seen a student here report a security hole (the muppet that originally developed the web app they were using tracked currently logged in user by putting their username in the CGI parameters. Change the name, and you can be whoever you want), and some members of staff still wanted to seem the kicked out (we did manage to talk some sense into them, though). Point is, if it had just gone to the person maintaining the system at the time (me), I'd have patched up the code, thanked them, and forgotten about it.

Re:The well is poisoned. (4, Funny)

vistic (556838) | more than 8 years ago | (#15604419)

I'll have you know that Dr. Bunsen Honeydew is a very good coder!

Re:Full disclosure is a necessary evil (3, Insightful)

Anonymous Coward | more than 8 years ago | (#15604375)

... but going in jail is may be a worse option.

It is true that bad hackers will pretend to be ethical hackers but by putting everone in jail you end up creating a less secure world. Only the bad hackers will find the security hole and they won't tell anyone.

Full discolure is the only solution and it is not popular: companies get bad press for having security holes, they might loose some business and thus try to shoot the messenger ... with success so far.

However, full discolure is a necessary evil it we want to have a safer online life.

Re:Full disclosure is a necessary evil (2, Informative)

Anonymous Coward | more than 8 years ago | (#15604418)

Exactly, but there is a time and a place for full disclosure, and the situation is easily complicated. Even just the act of disclosure is uncertain. Publish to widely and be accused of helping hackers. Publish too narrowly, and be accused of not informing the public. Its a messy job.

Re:The well is poisoned. (4, Insightful)

jaclu (66513) | more than 8 years ago | (#15604492)

One problem is accountabilitty,

While I do agree with you, that a kid reporting an error and perhaps even a sugested solution, would be regarded as helpful and something of a "white-hat" on a private perspective

However one thing that has changed since the early eighties is that now there is usually quite a bit more money involved.

Now accountability is a big concern.

If that kid was into a system I admin, I must realize that even if he propably just is helpful, I still cant be sure, after all he was in there, where he shouldnt have been, who knows what he did and discover but not tell me about.

And thats what its all about, ne one side I have a complete stranger who claims that he has been in one of my systems, found a few bugs, and have a few suggestions, one the other side is that the only way to be sure of system integrity is to asume that the system is completely penetraded, and do a very expensive security checkup, to see how much damage that _could_ have occured.

If I trust the kid, and he happens to be a black-hat - poof - there goes my job

If he turns out to be a white-hat, well in that case he was nice and not much won for either me or my clients (since we have to do an expensive audit anyhow)

So I would asume he was a black-hat, cause if he wasnt, I havent lost much... Maybe synical, but thats how it works. /Jacob Lundqvist

Re:The well is poisoned. (2, Informative)

Dagmar d'Surreal (5939) | more than 8 years ago | (#15604603)

Doing an expensive audit after an intrusion is the cost of not having enough security in the first place. If you got hacked, you got hacked. It's true that it doesn't matter whether or not anything else was done with respect to the follow-up audit.

Having someone come forward and say "you've got a rather specific problem that needs fixing and here's a way to maybe fix it" and then going and doing your damnedest to ruin their career and/or put that person in jail is simply needlessly shooting the messenger.

Having someone break into your network and steal all your company's secrets and go sell them to a competitor without you knowing about it is called "a complete @#$@% disaster" and is usually the end of your company.

Generally, I would want the first group to get to my company before the second group does, since there's a chance my job would actually remain afterwards.

Re:The well is poisoned. (1, Insightful)

Dagmar d'Surreal (5939) | more than 8 years ago | (#15604528)

What? Are you trolling or just high? Your premises don't just fail to support your conclusion-- they would appear to support the exact opposite conclusion. You've distinguished "ethical hackers" as being separate from crooks, and then blamed the "ethical hackers" for the problem.

It's crooks who are the problem, but more commonly it just appears to be lawyers who are the major part of it, since they so often find themselves "forced" to do due-diligence and attempt to prosecute every little thing that comes along, catching the ethical hackers (who obviously aren't trying very hard to avoid being noticed, since they're not up to much, and who usually step forward and give them the information needed to send them to court thinking some sanity will prevail) and going full-tilt on them to make up for staff being utterly unable to cope with the actual criminals.

PDF WARNING! (5, Informative)

Maelwryth (982896) | more than 8 years ago | (#15604180)

The link is directly to a .pdf file. This [66.102.7.104] should link to the Google html cache.

Re:PDF WARNING! (0, Offtopic)

Joebert (946227) | more than 8 years ago | (#15604184)

Good [wo]man !

Re:PDF WARNING! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15604231)

$20 says you are not using Linux or OSX and probably you are using Windows, where opening a PDF file is enough to crash everything after Adobe loads its bloatware...

Re:PDF WARNING! (1)

Maelwryth (982896) | more than 8 years ago | (#15604393)

I thank you for your $20...doh! Damn you Anonymous Coward person!

Re:PDF WARNING! (2, Insightful)

tomhudson (43916) | more than 8 years ago | (#15604472)

Like a pdf isn't a royal PITA under linux + firefox? No wonder yu posted AC (/me currently running SuSE + Firefox, and avoiding pdf files whenever possible because they're still bloated).

Now back on topic, this is just SO fucked up logically:

hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"
... try it under this scenario ...
bank robbers, home invaders, and carjackers are good for your personal security and that the law and public policy should encourage 'beneficial' thieving. From the article: 'Exploitation of security holes prompts users and vendors to arm themselves to the max, vendors to emphasize rapid deployment of total coverage fields of fire in system development, and users to adopt a "shoot first, ask later" mentality. This constant arms race reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"

If it isn't your system, don't be f*cking around with it, same as if its not your car, your home, or your other sh*t. Just because it's computers doesn't make it special all of a sudden, with a suspension of all the rules.

Yes, I know, servers are just responding to queries ... but there's a difference between entering through the front door where the welcome mat is, and the door is wide open, and the host is expecting you, and trying to break in through a rear window on the second floor.

Re:PDF WARNING! (1)

amorsen (7485) | more than 8 years ago | (#15604498)

Now back on topic, this is just SO fucked up logically:
[..]
If it isn't your system, don't be f*cking around with it, same as if its not your car, your home, or your other sh*t.

You are making a moral argument. The article isn't about morals, it's about facts.

Re:PDF WARNING! (1)

tomhudson (43916) | more than 8 years ago | (#15604646)

Poster wrote: You are making a moral argument. The article isn't about morals, it's about facts. No wonder its in a Law Review - morals are optional for lawyers.

Seriously, the simple fact is that don't have a legal right to try to do a buffer overrun on someone else's system. Or try to install a root kit. This isn't morals - this is fact. Its a crime.

Student from where ? (-1, Redundant)

Joebert (946227) | more than 8 years ago | (#15604181)

Is this actually a student from Harvard, or another school ?, I don't know who "Harvard Law Review" is.

Re:Student from where ? (3, Informative)

OverlordQ (264228) | more than 8 years ago | (#15604236)

Taking 2 seconds to view their hompages tells you this:

The Harvard Law Review is a student-run organization whose primary purpose is to publish a journal of legal scholarship. ... The organization is formally independent of the Harvard Law School.


What's with people being lazy? Or is it just an attempt at some karma whorage?

Re:Student from where ? (1)

Joebert (946227) | more than 8 years ago | (#15604257)

Hey pal, I had quite a few funnies over the last week, I can be lazy for a day. :)

And (1)

Joebert (946227) | more than 8 years ago | (#15604264)

Perhaps paying attention to actual people & not their stereo types for awhile might do you some good.

Re:Student from where ? (1)

Purist (716624) | more than 8 years ago | (#15604482)

^^^^^ As evidenced by the very naive points brought out in the summary - the article may be interesting, but lacks any practical insight.


If you want to hack into systems to make the world a better place, hack into your own systems and report your findings or get a job with an organization that hacks into systems for pay.

The predictable liberal-nonsense point that has been wrenched from the article is that people in general are too stupid to figure things out on their own and in order to protect them from theselves we must strip them of their rights (temporarily, mind you) so we, the brilliant ones, can shine the true light on things. Unfortunately, this is a viewpoint many Shlashdotters embrace.

For those who won't RTFA (5, Funny)

Anonymous Coward | more than 8 years ago | (#15604188)

I'm sure plenty won't click the link, so you are missing out on the great title that was left out of the summary:
IMMUNIZING THE INTERNET, OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE WORM

Re:For those who won't RTFA (1)

Joebert (946227) | more than 8 years ago | (#15604289)

A tank of manatees couldn't cover the potential jokes of that line.

Re:For those who won't RTFA (5, Interesting)

arivanov (12034) | more than 8 years ago | (#15604312)

Well...

Realistically this is the history repeating itself. Many times.

Prior to Edward Jenner discovering the vaccination the people tried to instill immunity to Smallpox in their children by a process known as variolation. The difference from vaccination was that people were deliberately infecting children with the real virus hoping that they have it in a milder form. Well... and if not, that was just a child, one more, one less who cares. In some more awkward and less developed parts of the world this is still done with Varicella, and less frequent Rubella, Measles and Mumps.

Society attitudes have changed since. The majority no longer consideres normal to infect children with the real viruses. Still, even now, there are idiots who insist that "having child diseases is good for the children as it improves their character" (or other such bollocks).

Similarly, infecting networks with real worms is not dissimilar to variolation. There are plenty of security tools out there nowdays which can detect the vulnerabilities that can be used by the worm and force the user to fix them. There is no real need to weed out the "weak" (yeah, I know, I am tempted myself to weed out the idiotz sometimes).

And as far as jo average user it will take some time for them to grow up, but it will end up the same as with vaccination. People were reluctant to do it initially. That is not the case now.

Re:For those who won't RTFA (2, Insightful)

Haertchen (810148) | more than 8 years ago | (#15604485)

***Well... and if not, that was just a child, one more, one less who cares.***

Can you provide any sources for this statement? Every description I've ever seen of losing a child, even in the bad old days, was usually pretty painful. You probably have to exempt the usual psychopaths.

Re:For those who won't RTFA (1)

Ohreally_factor (593551) | more than 8 years ago | (#15604495)

The point of the article is not that we need to weed out the weak, but that hackers serve the purpose of revealing vulnerabilities in our systems, and allow us to take action to secure our systems. If they use non-destructive methods to reveal these system weaknesses, they should either not be punished, or their punishment should be proportionate (to what it might be if their attack was destructive). The point is that if we are continually having our systems tested by hackers and then fixing the weaknesses thus revealed, we stand a better chance of withstanding a catastrophic and crippling attack, presumably by terrorists or an enemy nation.

Does this work for offline crime? (5, Insightful)

amelith (920455) | more than 8 years ago | (#15604189)

So bank robbery is good for their security and should be encouraged? Everyone who moves to a new city should be immediately mugged so they can learn valuable lessons about personal security? Perhaps there should be an official quota of licensed murders so people don't get too lax about their own safety?

What is the special magic about technology that makes people give opposite answers to "Is X sensible?" and "Is X sensible using a computer?" for just about all values of X?

Ame

Re:Does this work for offline crime? (2, Funny)

KlaymenDK (713149) | more than 8 years ago | (#15604226)

Might be a good idea, as long as you make the Robbers' Guild (wrong name I'm sure?) hand out receipts so nobody gets mugged more than three times a year. :)

Why Shouldn't it :-P (3, Interesting)

sakahna (597647) | more than 8 years ago | (#15604246)

Harry Harrison makes exacly this argument in his Stainless Steel Rat [wikipedia.org] series. As long as no-one gets physically hurt, the banks pass on the loss to their insurers, the police have what to do, the media what to report, the general public is entertained and the money is put back into circulation. So in theory, "everybody benefits".

Of course, real-life doesn't work like that. Just look how every little imaginery threat is currently used by the PTBs to further clamp down on the innocent general public.

Re:Why Shouldn't it :-P (3, Insightful)

Anonymous Coward | more than 8 years ago | (#15604279)

"the banks pass on the loss to their insurers"

Yeah, because we all know that insurers are not part of the system at all; unlike the rest of us, they have access to magic money-making machines powered by pixie dust.

Re:Why Shouldn't it :-P (5, Funny)

badfish99 (826052) | more than 8 years ago | (#15604325)

No, it's trickle-down economics in action. The banks recover the cost from their customers, who are mostly rich businessmen. So some of the wealth of those rich people ends up having trickled down to the poor robbers. Isn't that how things are supposed to work?

The rich people were probably just going to donate their spare wealth to charity to help the poor: robbery saves them the trouble of having to do that, too. It's a win-win situation!

Re:Why Shouldn't it :-P (0)

Anonymous Coward | more than 8 years ago | (#15604471)

Except its not tax deductible if you are robbed/mugged/bashed!

What is the special magic about technology (3, Interesting)

Animaether (411575) | more than 8 years ago | (#15604261)

Imagine if this was the so-manieth discussion about music or video copyright infringement. Now ask again: "What is the special magic about technology". I think you'll find your answer.

I don't agree with it, for what it's worth, in either case.

Re:Does this work for offline crime? (2, Informative)

skiman1979 (725635) | more than 8 years ago | (#15604286)

Well all those crimes hurt people/corporations. "Ethical hacking" is capable of occurring without causing damages. If I find a hole in a system for a remote code execution exploit, run code that simply displays a console message on a server, then determine how to fix the hole and inform the system administrator, that seems harmless. It allows the admin to find out about the hole and fix it. Now if I were to run code that roots the box and turns it into a spam bot sending millions of spam emails out wasting large amounts of bandwidth, or code to steal company data, that's another story. Should I be penalized if I go to your house, find out how to break into it, and tell you what I found?

Re:Does this work for offline crime? (4, Insightful)

evilviper (135110) | more than 8 years ago | (#15604341)

So bank robbery is good for their security and should be encouraged?

This isn't the equivalent of bank robbery (nobody gets potentially harmed, and no real damage done). Rather, a far better example would be the instances of journalists repeatedly and successfully smuggling weapons through TSA security, onto commercial flights. Absolutely no real harm is done by it, and success leads to very important good things (increasing security where it is lacking).

The more they will find security holes, and make the system safer against the real threat, the truely malicious professionals. Of course, the analogy isn't perfect, but it's far closer than bank robbery and murder.

What is the special magic about technology that makes people give opposite answers to "Is X sensible?" and "Is X sensible using a computer?" for just about all values of X?

Probably because of people like you... People who can't relate the computer world to the proper real-world equivalents, and therefore have a really warped and twisted misunderstanding of the computer world.

Re:Does this work for offline crime? (1)

gidds (56397) | more than 8 years ago | (#15604559)

a far better example would be the instances of journalists repeatedly and successfully smuggling weapons through TSA security, onto commercial flights. Absolutely no real harm is done by it

Is that so? Hmmm. "No, officer, I'm a journalist, honest. I know I'm wearing a turban and have a foreign-sounding name, but I wasn't going to use these explosives strapped to my chest. It's just for a newspaper story. Sorry, what? 'Press card'? Er, no, I left that at home, sorry. But I really wasn't going to set these off. Honest."

Exactly the same applies to computer hacking. If an intruder was good enough, you might not be able to tell whether any serious damage was done; which means you must always assume the worst. Grey-hat hacking just doesn't seem justifiable.

Anyway, doesn't this whole story boil down to "We need hackers, because if there were no hackers we wouldn't know how to protect against, er, hackers..."?

Re:Does this work for offline crime? (4, Insightful)

Archtech (159117) | more than 8 years ago | (#15604386)

Every time computer security is discussed, someone immediately trots out the "burglar" analogy. I have nothing against analogies - they are very useful for getting insight into unfamiliar situations - but every analogy has its limits. In this case, a burglar is someone whose only purpose is to steal property for his own gain. Some people who hack into computers have this motivation, but many do not.

This is where the analogy breaks down catastrophically. There is no simple, familiar motivation for anyone to try getting into a house as an intellectual exercise, or even as a challenge. Either the house is wide open - in which case it would be legal to enter in some jurisdictions, while in others the householder could legitimately shoot an intruder anyway - or it is secured, in which case any attempt to gain entry is almost certainly of a criminal nature.

Computers are different, in that trying to understand and improve on software mechanisms is a universal impulse among (good) programmers. Bill Gates, and many other people who came to be famous, hacked in his youth. The sainted Richard Feynman confessed openly to having made a hobby of getting into as many locked areas and safes as he could, while working on the Manhattan Project. He had absolutely no ill intentions, although he was well aware that the military bosses would be hard to convince of that. Incidentally, he told of a valuable spin-off, when a senior official left the project and his immense safe was found to be secured. No one had the combination, and they were thinking of explosives and thermic lances until Feynman came along and casually opened it.

Please don't accuse me of trying to excuse genuine criminals - I am the last person to do that. But do realize that many people who experiment with software do so from motives of genuine curiosity and intellectual challenge, which can be very useful if properly harnessed. And let's get over the crude physical analogy of "breaking into" a computer. A computer is a machine that executes instructions. When some sets of instructions are executed, the computer can display words, numbers, and pictures meaningful to humans, and accept human input through keyboards and other devices. A computer does not have a mind of any sort, and thus cannot be deceived, pleased, annoyed, or educated. Moreover, the idea of the computer as a structure or territory that could be broken into is simply an analogy that helps us to think about it; it does not correspond to anything real.

Re:Does this work for offline crime? (1)

Ohreally_factor (593551) | more than 8 years ago | (#15604510)

OK, let's say someone steals your car, but not for personal gain, only so they can figure out how internal combustion works . . .

I have no real point here. I just wanted to work a car analogy into the conversation. =)

Re:Does this work for offline crime? (1)

JasonKChapman (842766) | more than 8 years ago | (#15604527)

And let's get over the crude physical analogy of "breaking into" a computer. A computer is a machine that executes instructions. When some sets of instructions are executed, the computer can display words, numbers, and pictures meaningful to humans, and accept human input through keyboards and other devices. A computer does not have a mind of any sort, and thus cannot be deceived, pleased, annoyed, or educated. Moreover, the idea of the computer as a structure or territory that could be broken into is simply an analogy that helps us to think about it; it does not correspond to anything real.

While I agree with what you wrote before this, it starts to fall apart here. Bank vaults, homes, and automobiles don't have minds either, so that's clearly not the deciding factor in your anti-analogy. Cracking a system without abusing the contents in any way really falls somewhere between "breaking and entering" and "unauthorized use of property." What is needed is a new concept.

In some legal contexts, a person's automobile is considered an extension of the person's home. It's a legal fiction that allows prior legal concepts to extend to previously (at the time) unknown areas. In some cases, that's a good thing. For example, it allows the extension of illegal search and seizure protections to a person's car rather than declaring the car the legal equivalent of "something they left lying around in public."

If someone leaves a car unlocked and the keys in it, many jurisdictions still consider it illegal to drive off with the car or even get into it. It's still unauthorized use of someone else's property, even though the car's owner was "just asking for it."

The difference, of course, is that a car's normal function doesn't include providing an interface to services which are intended to be accessible to the public. So while there are similarities to prior concepts, any attempt at a one-to-one comparison is doomed to failure. Clearly, the concept of "unauthorized use" is heading in the right direction, but something needs to be defined as the demarcation between what the system can do, and what the owner intended for the public to be able to do. Just because XYZ server can deliver root access to anyone who shoves a 5k packet to a particular port (for example), it clearly wasn't the owner's intent.

If we need a new descriptive, we need to dump all analogies and start fresh from the basic concepts. It's been done before. There's no reason it can't be done again.

Re:Does this work for offline crime? (1)

Archtech (159117) | more than 8 years ago | (#15604607)

Bringing the "mind" element in was a tactical error, I admit; I was broadening my assault on comparisons of computers with any physical form of property whatsoever.

A computer is an abstract machine for manipulating information. As good /.ers, we all understand that implicitly, but it's amazing how many people don't. They think it's a machine for running Office, or a machine for browsing the Web, or for email, or for playing games. Whereas it is actually all of the above and infinitely more, just as "the natural numbers" are not just 1, or 2, or 3 although it includes them.

Re:Does this work for offline crime? (2, Interesting)

PyroPenguin (827234) | more than 8 years ago | (#15604612)

This is where the analogy breaks down catastrophically. There is no simple, familiar motivation for anyone to try getting into a house as an intellectual exercise, or even as a challenge. Either the house is wide open - in which case it would be legal to enter in some jurisdictions, while in others the householder could legitimately shoot an intruder anyway - or it is secured, in which case any attempt to gain entry is almost certainly of a criminal nature.
Slightly off-topic, but there is a quite funny program on The Discovery Channel called 'It Takes a Thief'. The premise is the same; a non threatening crime to show the victim where they need to improve their security.

"So how safe is your house? Enter It Takes a Thief, a unique new Discovery Channel series that offers viewers something they've never seen before: a home burglary performed by convicted former thieves that is taped as it happens, followed by a lesson in what steps to take to prevent such a violation from occurring again."

Re:Does this work for offline crime? (2, Interesting)

swarsron (612788) | more than 8 years ago | (#15604427)

The special thing is stupidity. Consider the things you see and hear about IT security in real life.
People taping their keys next to their door.
Banks where you just state a different name and get full access to the corresponding accounts.
People stating that they don't bother if other people can access everything in their house as long as they don't do anything that actually harms them ("i don't care if someone can read my mail")

I and probably everyone on slashdot know people who don't give a shit about IT security and if the only way to get them to care is a decent kick in the ass then so be it. A bank robbery now and then is good for *my* security because it keeps banks everywhere concerned about their security measures. Three years ago people laughed when i told them about the stuff they now experience and suddenly they care to take responsibility and secure their PC.

Re:Does this work for offline crime? (1)

Tim C (15259) | more than 8 years ago | (#15604451)

Well, if it's *ethical* hacking you're talking about, the offline analogue wouldn't be bank robbing, it would be noticing that someone's front door looks a bit flimsy, managing to easily open it without doing any damage, then letting the owner know, perhaps fixing the problem in the process.

If you break into a computer system, copy/steal/mess around with stuff, then tell the maintainer, it's hardly ethical, is it?

That's not to say that it's sensible, just that done right, it's absolutely nothing like bank robbery or mugging.

Re:Does this work for offline crime? (1)

Yvanhoe (564877) | more than 8 years ago | (#15604534)

In fact, thanks to bank robbers, safes are safer today than they were 100 years ago.

Re:Does this work for offline crime? (1)

john83 (923470) | more than 8 years ago | (#15604543)

Perhaps there should be an official quota of licensed murders so people don't get too lax about their own safety?
You clearly don't read enough Pratchett. ;)

Re:Does this work for offline crime? (1)

Dagmar d'Surreal (5939) | more than 8 years ago | (#15604545)

Your analogy is simply broken and does not apply to this situation in the way you want it to.

It's not good for banks to be robbed, but it is good for honest people to be thinking about how their bank might be robbed and to go to the management and say "Hey, I've noticed that you've got this weakness that would let me walk off with a lot of money". ...provided, of course, that they're not summarily charged with conspiracy and sentenced to a few years in jail.

Viscious Circle (1, Insightful)

mcai8rw2 (923718) | more than 8 years ago | (#15604192)

Its a bit of a viscious cirlce this idea though...

The reason Virii and Worms etc are good for the security of a network, is because they prompt us to tighten security for future attacks based on historic ones.

"Nessesscity is the mother of invention" But the irony is...if the Virii/Worms didn't exist in the first place, then we wouldn't NEED to improve security against such attacks.

Oh the confusion.

Re:Viscious Circle (1)

skiman1979 (725635) | more than 8 years ago | (#15604307)

We would still need to improve security, not against automated attacks, but against manual ones.

Re:Viscious Circle (1)

NeilTheStupidHead (963719) | more than 8 years ago | (#15604335)

And if such a cause and effect development of anti-virus software hadn't occured, the computers on our mothership could be hacked and implanted with a virus by a mac-using, alien Jeff Goldblum after SUV driving Bush supporters use up all the oil and we are forced to steal from other planets.

Re:Viscious Circle (0)

Anonymous Coward | more than 8 years ago | (#15604387)

... viscious cirlce ... Virii ... Nessesscity ... Virii

Too bad grammar isn't an evolutionary advantage!

Re:Viscious Circle (1)

ichigo 2.0 (900288) | more than 8 years ago | (#15604397)

But the irony is...if the Virii/Worms didn't exist in the first place, then we wouldn't NEED to improve security against such attacks.

I think the article is about worms in the wild evolving our security to better withstand against intentional attacks from hostile nations/aliens/whatever, not from the worms themselves. I didn't really RTFA though. :P

I, for one... (0)

Anonymous Coward | more than 8 years ago | (#15604195)

I, for one, wellcome our friendly inmunicers hax05ss :D

Wait, I am hacker soo.. I am now overlord! niiiiice..

My first command will be.. all womens of slashdot serve me and go here at once!.

Taquila Sunrise (3, Funny)

Joebert (946227) | more than 8 years ago | (#15604197)

How I learned to stop worrying & love the worm.

Looks like I found a new Taquila drinking buddy.

Re:Taquila Sunrise (1)

rehashed (948690) | more than 8 years ago | (#15604305)

What is it with Slashdot and people consistently misspelling "Tequila"!
I would pull up some stats but the search seems broken?

Re:Taquila Sunrise (4, Funny)

Joebert (946227) | more than 8 years ago | (#15604330)

I'm drinking a bottle of rotted juice, with a worm in it, & you expect me to know how to spell it ?!

Re:Taquila Sunrise (1)

rehashed (948690) | more than 8 years ago | (#15604368)

Best response ever.
Wish I had mod points :D

Re:Taquila Sunrise (1)

nacturation (646836) | more than 8 years ago | (#15604326)

Looks like I found a new Taquila drinking buddy.

Or perhaps you have too many Tequila buddies already.
 

Re:Taquila Sunrise (1)

thePowerOfGrayskull (905905) | more than 8 years ago | (#15604443)

If you're drinking taquila, what's the "tequila" stuff I've got here?

Re:Taquila Sunrise (1)

Joebert (946227) | more than 8 years ago | (#15604460)

My guess is an unopened bottle since you spelled it right.

Yeah... (1, Insightful)

Dieppe (668614) | more than 8 years ago | (#15604204)

...and current law that arrests tresspassing and burglary don't reward people for learning to lock their doors for fear of a breakin.

I'm sorry if I don't buy the whole "we're writing viruses and trying to break in to teach you people to do better" excuse. If someone's tresspassing I'm going to shoot them anyway, regardless of whether they think they're teaching me a lesson.

Used to be the world was a friendlier place, and there are parts of the U.S. where you still can leave your door unlocked at night. Doesn't mean that robbers are to be rewarded though...they're still bad guys.

Re:Yeah... (2, Insightful)

CRCulver (715279) | more than 8 years ago | (#15604222)

If someone's tresspassing I'm going to shoot them anyway, regardless of whether they think they're teaching me a lesson.

Uh, before you start stocking up on ammunition, you might want to look at case law for people who have shot trespassers. Except for when the trespasser was threatening physical harm, those who shot them usually got indicted for murder. You can't shoot someone just because they are on your property, especially if they are hundreds or thousands of feet from any houses. The whole "Trespassers will be shot" sign meme doesn't really mean anything in court.

Re:Yeah... (1)

Detritus (11846) | more than 8 years ago | (#15604592)

There's a difference between trespassing on someone's land and breaking in to a house or apartment. If I hear someone breaking in to my residence, I'm going to get my shotgun. Look up the "Castle Doctrine".

Re:Yeah... (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15604310)

I think you fail to see the distinction here.

Virii, worms and the like, are products of malicious intent from malicious people motivated by a desire for destructive and harmful ends.

The article in question, at least to me, appeals to people that have the technical knowledge to be able to find these vulnerabilities, and implores them to apply those skills in a positive manner. They're not encouraging these people to exploit said vulnerabilities to any detrimental end. The idea is to foster an environment where people that possess the talent to find security holes do so, and report them to developers so that these potentially damaging flaws can be fixed.

There is a very large difference between uncovering and exploiting new vulnerabilities for personal gain, as opposed to uncovering them for the sake of improving the general state of security. Your analogy is entirely flawed, as it assumes anyone that has the knowledge to uncover these security holes only does so for the sake of personal gain and cannot operate in an ethical fashion.

I did my fair share of 'hacking' when I was younger, and when I found critical security flaws in my school's network, I demonstrated them to the system administrator and worked with him to try and get the problems fixed. Those security issues affected me just as much as anyone else, and with a sizable student body such as the one that school housed, I wanted to see to it that my data, along with everyone elses' was going to be safe. It's simply a matter of encouraging the right people with the right motivations to identify problems and assist in solving them before the wrong people can discover and leverage those vulnerabilities to do any serious damage.

Re:Yeah... (1)

smoker2 (750216) | more than 8 years ago | (#15604385)

If someone's tresspassing I'm going to shoot them anyway, regardless of whether they think they're teaching me a lesson.
And when that trespasser is having to break in because you are ignoring them or the phone line's down and you can't be reached, or the house is on fire and the smoke has knocked you unconcious, should you still shoot first and ask questions later ?

Even to take your statement as it stands, you will have learned something from their "attack" - if you notice it and even get to *shoot* in the first place.

I think the saying - A fool and their money are soon parted - can be adapted for use here. An idiot admin and their computer are soon rooted.

Shooting the messenger soon leads to getting no messages.

Too often companies ignore problems until it's.... (4, Interesting)

Anonymous Coward | more than 8 years ago | (#15604209)

.... too late. It doesn't even have to be a real security issue. It can be something as simple as good security practices. Here are ideas I would recommend e-mail providers, for example, to implement.

Dual passwords. A master password which can change anything in the account, and a secondary password which can change anything but the master password. The idea is that if your secondary password is stolen, you clean your machine (just incase you were infected), log in with your master password, change your secondary password, and everything is fine.

Freezing expired accounts for 10 year periods to prevent someone from grabbing it up and gaining mail-forgotten-password privledges from other sites. Got a bank account? Got online banking? Got an account which you can easily send your password to your e-mail address? Oh wait! Your e-mail address expired! Someone else registered it, went to a bunch of bank websites and such, just to see if your former e-mail address has an account there.

Re:Too often companies ignore problems until it's. (0)

Anonymous Coward | more than 8 years ago | (#15604255)

I forgot to mention IP flags. When someone logs into their account, list the last 3 IP addresses.

Hey, it works for living creatures (3, Insightful)

hapoo (607664) | more than 8 years ago | (#15604215)

Keep someone in a clean room all their life and then one day let them out. With an immune system that has never had the chance to "practice" they guy wouldn't last a week. On the other hand its been proven that eating your own boogers will boost your immune system. Just extend the same logic to a network.

Re:Hey, it works for living creatures (1)

zaphod_es (613312) | more than 8 years ago | (#15604407)

Well, if eating your own boogers is so good for you, just imagine how much better it would be to eat other people's.

open source hacking (2, Interesting)

joe 155 (937621) | more than 8 years ago | (#15604225)

does anyone know where you can get open source hacking tools to use against your own system? I would like to know if my password could stand up to a traditional brute force crack, or if it would be possible to use remote ssh login to get contol of my computer...

Re:open source hacking (2, Informative)

smoker2 (750216) | more than 8 years ago | (#15604324)

How about here ? [sectools.org]

Article summary - rewritten... (4, Interesting)

jkrise (535370) | more than 8 years ago | (#15604238)

Hackers, worms, and viruses are good for network security ("Security Software firms such as Symantec) and that the law and public policy should encourage 'beneficial' hacking (Legislation must ensure we keep such firms running). From the article: 'Exploitation of security holes prompts users and vendors to close those holes (Makes people believe that such defects are inevitable, and can only be solved by continuous updates) , vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security (reliance on vendors for updates) reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security (any negative impact on suspect business practices OR bottom-lines)

Makes sense now, don't you think?

Good idea, but doesn't work out (3, Interesting)

Opportunist (166417) | more than 8 years ago | (#15604248)

The idea that finding a hole and reporting it leads to more security works in a "perfect" setup. Perfect in a sense that the one finding it reports it instead of abuses it, and the one informed about it fixes it instead of ignoring it.

The reality looks different.

In reality, people don't want to be bothered with this pesky thing called security. They want their machines to do the magic by themselves and not worry about it. So they created laws where it becomes illegal to even look for a security hole. Because, what you can't see isn't there.

Take you average user. Just enough smarts to turn on the PC, updating with an automatically generated and even transfered script is beyond their capabilities. When (not if, when) their computer is turned into a spamslugger, who will they blame? Themselves for not being able to keep their machines secure?

Keep on dreaming.

The laws are a reflection of the general unconsciousness. People don't want to be hacked, so it must not be done. Yes, the machines are insecure, yes, there are billions of trojans and viruses out there trying to break in (and succeeding, most of the time), but as long as we don't see them, they're not there.

La la la, I can't hear you...

Lawmakers out of touch (4, Interesting)

pubjames (468013) | more than 8 years ago | (#15604256)

I think this raises a fundamental issue - most of our lawmakers and enforcers are people who have not grown up with these new technologies and have little understanding of them, both from a technology point of view, but also their social context.

Most judges, seeing a bank had implented very poor physical security - so poor that a lone teenager could fairly easily get into the bank without help - would be lenient on the teenager for breaking into that bank and bank would be in lots of legal trouble for having lax security. But when the internet is involved the teenager becomes an evil hacker in the eyes of both our lawmakers and much of society, and it's off to jail for the teen and no punishment for the bank.

I really worry about the next generation. All kids do stupid stuff and talk about stupid things as they are growing up. Only now, much of that stupid talk is done via electronic communications, and much of the stupid stuff is easier to trace.

I can see in the near future (maybe it's happening already?) that when a misdemeanour with a youth occurs one of the first steps a law enforcer will take will be to get access to the youths electronic communications. Then they'll uncover all kinds of stuff that will look terrible in the eyes of a law enforcer and the parents - and be extremely embarrassing or worrying for the youth. But in reality will just be the stupid things people do and say when they are growing up. We'll have youngers going to jail and being ostracized by their parents and society just for doing and saying the stupid things that we all did when we were young.

oh, there should be penalties (2, Insightful)

m874t232 (973431) | more than 8 years ago | (#15604308)

They should be against companies running buggy or insecure servers and end up exposing customer data or causing hassles to their customers.

As for "hackers", they should be held responsible under existing fraud laws if they commit fraud; the mere act of "breaking into" a computer system should not be a violation of law.

A little knowledge is a dangerous thing... (5, Insightful)

trims (10010) | more than 8 years ago | (#15604334)

The paper (or article, or whatever) is actually quite well-nuanced and fairly even-handed. However, it suffers from a fatal flaw of many legal articles: a fundamental ignorance of the subject matter itself.

It's a paper written by (wannabe) lawyers, who, while they site large rafts of supposedly corroberating papers and "experts", don't understand what they (the exports and sited papers) are talking about.

This kind of approach is eminently practical (and effective) when attempting to try a case, or negotiate a settlement. However, it is absolutely the wrong way to do things when attempting to write a Public Policy piece. If one is attempting to educate the populance (or some subsection of it) about an issue, you have to actually understand the subject, not just quote others' ideas.

They are correct in the supposition that cybercrime has a different nature than that of "real world" crime. But they completely misunderstand how this difference affects people.

A classic example of not really understanding the subject matter occurs when they claim that a compromised system actually causes very little economic damage, as the system itself is not physically damaged, and the effort to repair it is theoretically comparable to a periodic security audit/update of the machine. What they perceive is a JoyRide in a "stolen" car - someone took my car out for a whirl, and if they've returned it in good shape, all I (the owner) have to do is sweep out a few of the crumbs (and maybe fix the door lock) before it is ready to go again. This isn't the true case. Rather, it is closer to the case that I, the owner, would have to completely dissassemble the entire car, and put it back together again from its component parts, just to make sure that the kids didn't screw something up (or wire a bomb to the ignition). There is a HUGE economic cost to cleaning up after even a minor intrusion. Because, frankly, there is no way to determine if something was a minor or a major intrusion, until a complete postmortem is done. And the risk associated with keeping a compromised system working is far too great to NOT do the full rebuild. In many ways, the risk analysis looks a lot like empidemiology: when a herd of cows is found to contain one case of Mad Cow, we kill the entire herd and check them all, rather than just kill the sick cow, and say "oh, we found the problem, and it is fixed now".

The real solution is not to allow "ethical hackers", but rather to provide economic incentives for companies to protect their data. If this were the case, then companies would take security seriously, and there would be a whole thriving sector of legal security probing companies (which exists in a very tiny manner today). If companies were held to multimillion dollar fines every time private data was compromised, you could be damned well sure that security would rank somewhere above "oh, and empty the trash before you leave tonight", which is where it currently resides. And security checks would be done by true professionals, complete with after-incident reports and improvement suggestions.

-Erik

Honest, officer, I was just checking the doors (3, Insightful)

davmoo (63521) | more than 8 years ago | (#15604353)

So to use this same idea, y'all have no problem if I discover your back door to your house is unlocked and I come in just to look around and make sure there are no other 'security issues', right? I promise I won't steal or damage anything, I just want to look around...

Sorry, it don't work that way, and just because computers are computers doesn't make it any different. If you want to come in to my computer and inspect, I expect you to ask, just like I would for my house.

When Microsoft is caught sniffing around anyone's computer without permission, even if they don't damage or alter anything, everyone here wants Bill Gates' head on a pike for public display and criminal charges against Microsoft. But if its a white-hat hacker, that's okay, and we should have the law allow them in. Funny how that works.

Re:Honest, officer, I was just checking the doors (1)

DJ Rubbie (621940) | more than 8 years ago | (#15604433)

Equation to that may be slightly different if your house happens to be in a warzone, where other crooks can use your house as a staging ground to attack _my_ house. The Internet is more like a warzone to me than a quiet residential district. As for Microsoft sniffing around your computer, it's most likely covered under their EULA, if not, buyers of Windows got what they paid for.

Parallels in Biological Systems (3, Informative)

D.A. Zollinger (549301) | more than 8 years ago | (#15604358)

From another perspective, the author's ideas have some merit. In biological systems, it is only after one has been infected and their immune system fights off a disease that they are impervious to repeat infections. In this way entire societies build up resistances to deadly diseases. For example, Jared Diamond believes 95% of Native Americans were killed off by diseases carried by European settlers who were largely immune to said diseases. (link) [wikipedia.org]

In a way, as different portions of the computer systems and software are attacked, the flaws that allow for such attacks are, in general, corrected. Problems identified in one attack can be applied to other areas, and as such, can affect system-wide changes toward a better system (think buffer overruns), as well as more security-minded design (think security developments in IE7 and Vista).

I'm not advocating that the world governments should let virus writers and crackers have free reign of the Internet. A balanced response would allow for leniency for those who have no malice in their intentions. Of course, this is difficult to prove, and from personal experience, I have yet to meet a virus writer with purely altruistic intentions. Also there are corporate interests to deal with as well. How embarrassing must it have been for Symantic to have their flagship product meant to help secure a computer be the source of insecurity? While Symantic handled the situation extremely well, many other companies do not have a large security minded staff on hand to deal with security problems. For them it is easier to accuse the attacker than acknowledge a problem they cannot deal with.

Re:Parallels in Biological Systems (1)

D.A. Zollinger (549301) | more than 8 years ago | (#15604455)

Consider the avian flu (H5N1). The World Health Organization has found evidence that this disease has mutated and is now starting to transmit from human to human, where previously it was only transmitted from bird to human. (link) [arstechnica.com] The chance for a world pandemic has greatly increased with this revelation, yet people and communities who have prepared themselves, and are in good health to begin with will most likely survive the infection, or avoid becoming infected in the first place.

Similarly, it is the computer networks and systems that are focused on security that tend to be the best protected when it comes to zero-day exploits. Good network and system administrators know the general weaknesses of the computers they are responsible for, and work to protect those weaknesses from exposure. Good administrators that have planned well, tend to monitor an attempted attack on their network, while poor administrators tend to find themselves recovering from a successful attack.

As Good As It Gets (2, Interesting)

Joebert (946227) | more than 8 years ago | (#15604381)

I don't think the world can ever be truely secure.
The world is always in a sort of "Ok on the count of three, we all drop our guns" state.

Good Idea (0, Redundant)

friedman101 (618627) | more than 8 years ago | (#15604391)

While we're at it let's make bankrobbing legal because of its role in beefing up safe security.

So what *are* you allowd to use the Internet for ? (0)

Anonymous Coward | more than 8 years ago | (#15604408)

So many people depend on 'the Internet', and assume it will 'just work'. But it's rapidly coming to the point where you can't use it, without someone getting upset about what you're doing and sending the police round to lock you up.
And of course it doesn't 'just work'. It's a 'best-effort' network for carrying sequences of 0's and 1's around, which neither knows nor cares what the 0's and 1's mean.
Just because *you* think it's a virus, doesn't mean *I* think so. It might be 500 DVDs per second of 'star noise' from the radiotelescope [lofar.org] , just doing its job in the normal way.

the internet is a communicationsnetwork (1)

NotInTheBox (235496) | more than 8 years ago | (#15604411)

Breaking in to something is a physical act as far as I am concerned. So it would cover the act op opening the computer or something like it.

This whole metaphor has gone to far. People don't break in to computers, they communicate with them.

If I ask someone (or a computer) for a copy of X and the other side sends me this is this then a crime? Was the sender authorized to allow me access?
if I send something to someone and they accept it is this a crime? Maybe, if the thing, I was sending was a bomb or something else equally nasty.

Right.... (0)

Anonymous Coward | more than 8 years ago | (#15604432)

Right right..just like having someone try to break into your house makes you safer. I swear, do liberals just get up in the morning and leave brain cells on the pillow?

Get the terminology right...! (2, Informative)

welshwaterloo (740554) | more than 8 years ago | (#15604444)

Yeesh.. from the article:

Even old-fashioned e-mail worms, which rely primarily on user ignorance, can spread to hundreds of thousands of computers.

Now, I always thought a worm is "self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers."

Geez people - if you can't cromulize your terminology, I have little faith in your article..

Certified Ethical Hacker (3, Interesting)

Flying pig (925874) | more than 8 years ago | (#15604459)

There is a possible way...

Introduce a properly run certification scheme for "Certified ethical hacker". Base it on a course taking in relevant law, security techniques etc., and make damn sure it is vendor-agnostic. Only make the course available to persons who have no criminal convictions, are on the voter's list, member of a professional body, and pass FBI checks or your national alternative. It will be free to qualified applicants.

Now issue those people with a set of official paper forms, with proper security marking and tied to the individual. When they encounter a security issue, they issue a paper based advisory (because it is still traceable, and because you do not then leave a trail on the net that might enable the black hats to find and target you.) copy to some official body who every year will report the statistics, and list the companies that failed to respond to security advisories.

So now you have it on your resume when you write in for the bank job: Certified Ethical Hacker, 42 confirmed alerts (or whatever).

Before anybody tells me this is simply fantasy, consider that there are already volunteer public security forces. In the UK we have Special Constables and the Territorial Army, and there are equivalents in many other countries. We have a Health and Safety Executive who can walk into any company at any time it is operating and demand immediately to observe what is going on. So why not a properly trained volunteer Internet security force?

Open doors vs Closed doors. (2, Interesting)

Tei (520358) | more than 8 years ago | (#15604526)

Imagine a white hat h4xo that found a dangerous hole, send info about that to admins, and that hole is fixed.

Its that good?

I think yes. but need:

1) The white hat attitude. Complete morons are discarded.
2) Its a hole, and not a feature. Maybe the users want the system this way, and know enough about the tradeoff.
3) The hole being fixed. If is imposible to fix holes, maybe because lack or resources, this help nothing. Of course, the problem here is the lack of resources.

On real world, some people want to live with his doors unlocked, mostly on rural areas. Its that a "hole"?. Its not. What safety expert AND ha4xors fail to realice, its that the world is not about of safety for everyone. Some people like his doors unlocked, thanks. Other people dont know about that, and will love to know about a hole, and fix it.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>