View Full Version : Way OT: Question about hacking.



pgmrdan
10-12-2016, 12:58 PM
I don't care about the political BS going on about hacking. I just have a couple of simple questions.

I've been in IT for longer than some of you have been alive. The whole idea of crucifying a hacker that simply copies or reads information on a website is extremely silly to me.

Imagine that in the old days someone posts on the bulletin board in the town square a sheet of paper with information written on it and on top of that another blank sheet of paper covering up the first sheet.

Now there is someone who is supposed to be watching the bulletin board because anyone caught reading the covered sheet on the bulletin board is guilty of 'hacking' and will go to jail. The person responsible for watching the bulletin board occasionally goes home for meals, to sleep, etc. or may go to the saloon for a couple of hours.

Who in their right mind would risk posting sensitive information to the bulletin board?

To my way of thinking, if the information/data are sensitive then you'd have to be an idiot to post it on the internet. The people putting this stuff on the internet are primarily responsible for the security of it and if that security is breached then they should suffer the punishment.

The internet is accessible to almost anyone around the world. Curiosity is intrinsic in human nature. How can those who post sensitive information be so stupid???

Doc Nickel
10-12-2016, 02:15 PM
Posting it "on a server", and "to the internet" are two very different things. In your example, there would be two bulletin boards; one out in the town square, and one in a side room of a private building that requires an issued ID to enter.

The current term "the cloud" is precisely that: essentially just hard drive storage that's not physically located in the same room or even the same building as the computer. Almost every company uses this sort of thing today, partly to make it easier for distributed offices to access the same data, and partly for safety: the data is not lost if the building itself burns down or suffers a flood, etc.

Doc.

pgmrdan
10-12-2016, 02:42 PM
Doc I know what you're saying but if a server is accessible from the internet it's fair game.

There used to be private computer networks using dedicated leased lines. No telephone access. No computer access from outside the company.

I worked for a company that did LOTS of defense industry work. The security was unbelievable. Faraday shielding. Gas pressurized networking cables with pressure sensors. No windows in the buildings.

Today's computer security is an absolute joke.

When I saw the movie War Games I laughed my butt off. Who would make anything so risky available to the customer telephone network but an absolute moron?

Now you hear about the power grid being accessible from the internet. Equally as absurd and only a bunch of morons would do something as risky as that.

Is it Iran that had the Siemens centrifuge controllers accessible? Come on.

The Cloud? Just a server farm provided by a 3rd party.

Some kid living in his mom's basement with extra time on his hands can peek and poke around on the internet for days. Sure, let's blame him instead of the idiots that put the stuff on the internet in a way that a 14 year old can crack. :)

JRouche
10-12-2016, 03:01 PM
I have been using PGP since the early 90s and post whatever I want to whomever I want :) JR

danlb
10-12-2016, 03:15 PM
I have to agree that the idea of crucifying a person for copying information is over-reacting. Copying does not deprive the owner of the data from using it themselves. (see note 1)

However... That assumes that it's an open server with no passwords, encryption, etc.

AND; It also assumes that nothing is done to possibly cause harm or damage to the server, its networks or its data. And there's the rub. Virtually every hack begins with some sort of attempt to leverage known vulnerabilities or weak passwords. Exploiting many of those vulnerabilities will cause the system to slow down, crash, freeze or corrupt data. Script kiddies use batches of hacking programs without knowing what impact they will have on the system.

FURTHERMORE; Even a person who only logs in using a stolen or guessed password may accidentally erase or damage data. Imagine accessing your doctor's mail server, and running mailx (a mail reader) just to see the mail. In doing so you may be marking all those emails as read, and the doctor may not get the email from the patient who is asking why his new medication is causing his hands to go numb.

ANECDOTE; In 1978 I had access to a system, and stumbled on a backdoor into a shell. I had overheard two techs mention two commands, and they were "ed" and "ls". The shell was running as the super user (root). I taught myself to write unix scripts by editing the scripts I found in / and /etc. I am amazed that my bumbling did not destroy the system or the data resting there. I should have been shot.

Yes, physical security has to be at least as good as the software security. Seldom are either of them that good. So we have laws to discourage people from trying.


Dan
Note 1: In most cases, copying data deprives the owner of nothing, not even lost opportunity to sell it. In other cases, the disclosure of trade secrets may diminish the business value of the data. Publishing a book before the author has a chance to sell it is one of those cases. In still other cases the cost to the owner of the server is simply the extra work needed to validate that nothing was erased, nothing was changed, nothing else was altered. That can be a significant cost too.

pinstripe
10-12-2016, 03:17 PM
I think your argument would be stronger if the attacker was only capturing data as it went through their own server. Then they might be able to say that they were just looking. That is very different from attacking a system that they do not own.


To my way of thinking, if the information/data are sensitive then you'd have to be an idiot to post it on the internet.

But it wasn't posted to the Internet, it was stored on a private server and someone accessed it without permission through the Internet. It's like saying you would be an idiot to have your house on a public street because someone can drive up and rob you. Yes, they do have permission to drive up to your house. They can even look around from the street if they like. But they cannot walk into your house and take your stuff just because the street is there, not even if you leave the door open.

Joel
10-12-2016, 03:20 PM
Doc I know what you're saying but if a server is accessible from the internet it's fair game.
Your shop is accessible from the street, so its contents are fair game. You are out in public, so whatever is in your pockets is fair game.

Just because people can do something doesn't mean they should. Life has gotten pretty damn complex for the average person, and while it is unfortunate that they are ignorant of many things (such as internet security), it hardly means that it is OK to steal from them because you happen to possess somewhat esoteric knowledge. I can pick a cheap lock in seconds, or get in even faster using brute force, but that gives me no right to enter your house. If I have to put on burglar bars, 3 deadbolts and 6" screws, YOU are the problem, not me.

And no, I have not/will never use the 'cloud' and am reasonably good about internet security. I have nothing of particular value to steal, but the idea of you coming into my 'house' uninvited, kind of pisses me off.

Added: Pinstripe beat me to it!

pinstripe
10-12-2016, 03:24 PM
Joel, great minds... :)

Also, Dan. "In most cases, copying data deprives the owner of nothing." Let's assume this is true, even though there are exceptions as you note. You are still not allowed to walk into someone's house and take photos of their place or read their books without permission. Even if the door is open.

pgmrdan
10-12-2016, 03:39 PM
Nope. It's not like that. Everyone has access to the internet, and someone who makes their valuable information/data available to the network is stupid. Nothing physically has to be done to the victim's property. I don't have to break down any doors or pick any locks. You probably will never discover anyone has breached your security. You've put data/information in a vulnerable location and I'm looking at it, copying it, and maybe even changing it. If you don't have good backup copies then too bad. Corporations/governments are relying on laws to protect them from their own stupidity.

Imagine that valuable data is sent over the air on radio broadcast frequencies. And imagine it was illegal to listen in on the middle of the AM and FM broadcast bands because 'sensitive information is transmitted there'. That's not an exact analogy but a similarly absurd requirement.

danlb
10-12-2016, 03:43 PM
Joel, great minds... :)

Also, Dan. "In most cases, copying data deprives the owner of nothing." Let's assume this is true, even though there are exceptions as you note. You are still not allowed to walk into someone's house and take photos of their place or read their books without permission. Even if the door is open.

I'm not a lawyer, so you may be right. But I don't think so. I don't know of a federal law that prohibits you from taking a photo through an open door or open window. I don't know one that prohibits a salesman from taking a picture of financial papers that you leave on your desk while talking to him.

In California they had to make a law to explicitly prohibit taking pictures under the door of department store changing rooms.

There was no statute that made it illegal to just look at someone's data, so California came up with a law that broadly calls most every electronic thing a computer and makes it a felony to access a "computer" without explicit permission. I don't know of a statute that makes it illegal to look at data that someone has copied, unless it is a movie, video, music or other work of art.

Dan
Note: I worked in virtually every aspect of Information Technologies over a very long career. That included network, system and physical security.

danlb
10-12-2016, 03:54 PM
Imagine that valuable data is sent over the air on radio broadcast frequencies. And imagine it was illegal to listen in on the middle of the AM and FM broadcast bands because 'sensitive information is transmitted there'. That's not an exact analogy but a similarly absurd requirement.

You do know that your example is the way it works in real life, right? For many years it was illegal to build and sell a radio (or scanner) that tuned into the bands used by cell phones. That was before encryption.

It's also illegal to take the cable signal that is delivered to your house by the cable company and use it without their permission. For that matter, it's illegal to receive radio signals from pay satellite systems without permission. The weirdest one? The broadcast TV signal that they throw out on public airwaves that permeate your house? You are not allowed to rebroadcast them into a nearby neighborhood without permission.

Semantically, there is no difference between a sign that says "keep out" and a chain link fence with guard dogs and razor wire. It's just the level of difficulty. The same applies to data security. If the data exists, it will be targeted and it's just the level of effort required that changes.

Dan

pinstripe
10-12-2016, 04:08 PM
I don't know of a federal law that prohibits you from taking a photo through an open door or open window.

I was referring to them taking photos from inside the house. I agree that photos taken from a public place would probably be OK in most places. That's why I said that it may be a valid argument to capture Internet data as it goes through your own server. That's just looking at data as it travels through your own system as opposed to looking at it on someone else's system.



I don't know one that prohibits a salesman from taking a picture of financial papers that you leave on your desk while talking to him.

Again, I think you are right. If the salesman is given permission to enter your property, then they can take photos in your house unless told not to. That's different to entering the property without permission. Physical entry is much easier to define than digital entry, but as you know the law is always decades behind technology and tries to frame things based on concepts that were accepted centuries ago.

pgmrdan
10-12-2016, 05:11 PM
You do know that your example is the way it works in real life, right? For many years it was illegal to build and sell a radio (or scanner) that tuned into the bands used by cell phones. That was before encryption.

It's also illegal to take the cable signal that is delivered to your house by the cable company and use it without their permission. For that matter, it's illegal to receive radio signals from pay satellite systems without permission. The weirdest one? The broadcast TV signal that they throw out on public airwaves that permeate your house? You are not allowed to rebroadcast them into a nearby neighborhood without permission.

Semantically, there is no difference between a sign that says "keep out" and a chain link fence with guard dogs and razor wire. It's just the level of difficulty. The same applies to data security. If the data exists, it will be targeted and it's just the level of effort required that changes.

Dan

Yes, I do know this. And in some metropolitan areas it is illegal to have a police scanner in your car but not illegal to have one at home.

Does it make sense to almost shove information in someone's face and make it illegal for them to look at it? It's almost that bad.

Not too long ago, it was ridiculous how sloppily some web pages were written. Simply using the view source option in your web browser would give you all of the directory names and file names you needed. I remember when I was working with ColdFusion that there was a very easily stopped weakness that the company I worked for didn't prevent. It was painful to some but humorous to many others. They only had themselves to blame. Lots of really ridiculous mistakes have been made over the years by "Master Web Designers and Builders".

I see some of the stuff that goes on today and just chuckle while the 'victims' (victims of their own stupidity) cry foul and blame it on the Russians. The victims aren't even aware of when or even if they were really hacked much less who did it if it even happened.

Rumors are that the NSA and FBI field agents are so angry with what went on with the Justice Department and FBI director that they did the hacking and released the information. After all, the FBI director did say the findings would be released.

And with the TOR product available to anyone that wants it you can be in your kitchen in Houston, TX and have a Russian IP address.

Things are just crazy! You've gotta take things with a big old block of salt these days and try to keep laughing.

pgmrdan
10-12-2016, 05:27 PM
I have been using PGP since the early 90s and post whatever I want to whomever I want :) JR

How do you like PGP JR? I hear it's pretty good. :)

Joel
10-12-2016, 06:08 PM
Hmm, in your first post, you said that you "didn't care about the political BS going on about hacking", so we played along.
I see many errors in your reasoning and have plenty to respond to, but since you now demonstrate that your real problem is indeed political, what's the point.

Pretending that the posts relate to ordinary people, I will say that you are rather cocky about it now - but when you are 70 or so years old and perhaps many years past trying to keep up with the latest technology, YOU will be the dumb-ass expected to know everything about all technologies, and that others will take advantage of, and that jerks will make fun of. You apparently expect everyone to know what you currently know about a very specific field, which is in itself, absurd. It seems as if you laugh at people you consider 'stupid' a lot, but worry not - your mechanic, lawyer, or anyone else that knows more than you about something, may be (unfortunately) laughing at you in kind. We are all pretty damn stupid about a great many things, some more than others to be sure, but we don't need to be self-righteous twits about what we do know.

Evan
10-12-2016, 09:02 PM
Doc I know what you're saying but if a server is accessible from the internet it's fair game.

The heck it is, no more than my car is when it is locked. Break into my car or my server and that is breaking the law. Both can be broken into as can just about anything on the planet but that does not make it "fair game". I have FTP access on my server but anonymous access is disabled. Passwords are very strong. My e-mail system is heavily filtered to the point it won't allow zip files to be accepted. My server is locked just like most things I wish to secure. Everything I own is either directly visible to the general public or the container is. That sure doesn't make it fair game.

pgmrdan
10-12-2016, 09:03 PM
Hmm, in your first post, you said that you "didn't care about the political BS going on about hacking", so we played along.
I see many errors in your reasoning and have plenty to respond to, but since you now demonstrate that your real problem is indeed political, what's the point.

Pretending that the posts relate to ordinary people, I will say that you are rather cocky about it now - but when you are 70 or so years old and perhaps many years past trying to keep up with the latest technology, YOU will be the dumb-ass expected to know everything about all technologies, and that others will take advantage of, and that jerks will make fun of. You apparently expect everyone to know what you currently know about a very specific field, which is in itself, absurd. It seems as if you laugh at people you consider 'stupid' a lot, but worry not - your mechanic, lawyer, or anyone else that knows more than you about something, may be (unfortunately) laughing at you in kind. We are all pretty damn stupid about a great many things, some more than others to be sure, but we don't need to be self-righteous twits about what we do know.



Nope, nope, nope, nope, and nope.

In my first post I said, "I don't care about the political BS going on about hacking." And I don't. Blaming the hacking on the Russian government is political BS.

You want to believe the BS then go ahead. I ain't buying into it.

AD5MB
10-12-2016, 10:03 PM
reality check #1:

if you catch a person in the act
without knowing what act you caught them at
and they look shameful and guilty
you know
they know
they are doing wrong

and that's a problem. the deliberate, willful, planned, organized effort to do what you know perfectly well that they should not. the punishment is not for the action taken, it's for the arrogance and willfulness demonstrated by committing the act. it's the attitude, not the action, that is the problem.

Reality check #2:

there is precisely no difference between hacking a computer system and taking an upskirt photo of a female. the arguments presented for one work equally well, or poorly, for the other.

Reality check #3: maybe 50 years back, the Archbishop of France declared that speeding is a deadly sin. The sin of conceit. You must pass a test to get a drivers license in France. The test includes the ability to read a speed limit sign. If you have a drivers license you inherently must be aware of the concept of a speed limit, and you must know the speed limit where you are driving. Ergo, if you are speeding you have decided that you do not need to obey what you know is the law, and you are demonstrating the sin of conceit.

What would be a reality check if you had lived my life and put up with the people I have had to tolerate:

"I said no. No means no. No does not mean argue with me. no does not mean try to change my mind. no means no. If I have to tell you again, we're going straight to no and your whole face hurts."

...and the next thing you know, you are punching the fool in the face, because he says "I won't take no for an answer" and repeats the question after hearing that. this has been going on since 1981.

There is precisely and only one argument in all the universe:

"You have to do what I tell you because I'm the boss over you. So There"

In America there is one counterargument to the one argument in all the universe:

"We hold these truths to be self evident: That all men are created equal." This argument inherently trumps the one argument in all the universe, in the USA.

when you realize this, you realize that argument is a game, a game with no referee, no scoring system, no prize, no "entries must be submitted by" date, no point and no end. so you stop playing the game, and you start to grow up. the problem comes from people around you who refuse to stop playing the game.

Compare what you read above to what you see around you. Continue to do so until the reality sinks in. Hacking behavior is inexcusable and pointless. The violation is inexcusable. The hacker knows this. And that makes it OK by me to go straight to "No and your face hurts", because he knows full well that what he's doing is wrong, and he does it purely out of arrogance and conceit.

wierdscience
10-12-2016, 10:19 PM
What happens when damage is done, or when that damage, deliberate or not, has real consequences? What happens when the nuke plant next door is hacked by kids bumbling around and the reactor runs away?

An interesting talk given at a DARPA conference by Dr Kathleen Fisher on the security of embedded systems.

https://www.youtube.com/watch?v=3D6jxBDy8k8

Mike Amick
10-12-2016, 10:25 PM
No offense Dan .. but .. your opinion is absolutely flabbergasting coming from an IT guy.

You talk like people can just accidentally stumble into a system and read/copy or whatever.

Fact is .. you would have to run software that is illegal to use (not to own). Normally this software is written by very very talented (and rare) people and distributed to script kiddies who use this software to break into systems.

BTW .. the systems you worked on with the Faraday cages, I believe were not so much for security ... but .. more to protect the equipment from EMPs.

J Tiers
10-12-2016, 10:46 PM
No offense Dan .. but .. your opinion is absolutely flabbergasting coming from an IT guy.

No kidding.....


You talk like people can just accidentally stumble into a system and read/copy or whatever.

Fact is .. you would have to run software that is illegal to use (not to own). Normally this software is written by very very talented (and rare) people and distributed to script kiddies who use this software to break into systems.

BTW .. the systems you worked on with the Faraday cages, I believe were not so much for security ... but .. more to protect the equipment from EMPs.

Agree generally (maybe not the details) that breaking into a secure system is an intentional act, done for a purpose.

Now, about that last bit. If you ever saw the goon squad rush into a secure facility and find the terminal with a certain thing on the screen, you might not be so sure about that last "BTW". The screen would keep in all the stuff radiated from CRTs. They used to do the above at a secure facility near here.... the security folks would try to intercept signals carrying secure data, and if they found a CRT that they could read from outside the building, they would pounce on it and shut it down.

JRouche
10-12-2016, 11:26 PM
How do you like PGP JR? I hear it's pretty good. :)

It is ever changing like everything else. Want my Pub Key ;) JR

Mike Amick
10-12-2016, 11:40 PM
If you ever saw the goon squad rush into a secure facility and find the terminal with a certain thing on the screen, you might not be so sure about that last "BTW". The screen would keep in all the stuff radiated from CRTs. They used to do the above at a secure facility near here.... the security folks would try to intercept signals carrying secure data, and if they found a CRT that they could read from outside the building, they would pounce on it and shut it down.

Yea Jerry .. you might be right about that in this case ...

I know we have this company in San Diego near the tracks that I used to go by all the time and they had equipment set up on a big platform ... with very serious looking shielding around it. I looked them up, and their company purpose was shielding equipment from the effects of EMPs.

But I definitely remember some tech articles explaining how you can mirror information displayed on a CRT at a distance. I'm pretty sure the technology involved the internal workings of the CRT .. not the CPU ... so it would be interesting to see if the technique could be duplicated on an LCD monitor.

danlb
10-13-2016, 01:44 AM
No offense Dan .. but .. your opinion is absolutely flabbergasting coming from an IT guy.

You talk like people can just accidentally stumble into a system and read/copy or whatever.

Fact is .. you would have to run software that is illegal to use (not to own).

Actually, you are wrong about that. There are many ways to get into a system without using any special / illegal software.

Badly written web pages are rife with mistakes that leak information. Some fail to initialize all data before presenting a form, so you end up with the data from the last user. Some use your IP address as a key to track your work session, so anyone else sharing your router may end up seeing your data.

Then there are the ones where they have databases that store all the information and don't do a proper job of checking what the user types. When you type your username DAN5 and mistakenly type DAN% you end up with an SQL dump of all the records that start with DAN.

And of course there are the ones that you truly stumble into. I logged into a web based email site using my normal username and password. I forgot that my username there was different because my normal one was already in use. Evidently the other person had chosen the same password that I used. I accidentally logged into his/her account.

Last, the problem of "abandoned terminals" is very widespread. a) In the exam room of the doctor's office was the previous patient's record. We were alone there for more than 20 minutes waiting for the doctor. b) At the library you can often find an unused public terminal logged into someone's email, or a record of their email in the browser history. I see that often at work too.

So the point of this post is that millions of people over the last 20 years have found themselves accidentally looking at other people's mail/data/pictures. No special skills or software or hardware needed.

Dan
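
The username-with-a-wildcard mistake Dan describes above, as an added example that is not from any poster in this thread: a constructed SQLite "users" table, the concatenated LIKE query that turns a DAN% typo into a dump of every DAN* record, and the parameter-bound forms (exact match, and a prefix search with LIKE metacharacters escaped) beside it. Table name, columns and sample usernames are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the thread).
SAMPLE_USERS = ["DAN5", "DAN6", "DANA", "BOB1"]

LIKE_ESCAPE = "\\"  # escape character used with LIKE ... ESCAPE below


def make_db():
    """Build an in-memory users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(u, f"{u.lower()}@example.invalid") for u in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The mistake: user input concatenated straight into a LIKE clause.

    '%' and '_' are LIKE wildcards, so the typo DAN% matches every username
    beginning with DAN, and a stray quote breaks the statement entirely.
    """
    sql = "SELECT username, email FROM users WHERE username LIKE '" + username + "'"
    return conn.execute(sql).fetchall()


def vulnerable_query_breaks(conn, username):
    """True if the concatenated query fails to parse for this input."""
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_hardened(conn, username):
    """Exact-match lookup with a bound parameter: no wildcards, no injection."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def escape_like(value, esc=LIKE_ESCAPE):
    """Escape LIKE metacharacters so user-supplied text is matched literally."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def prefix_search_hardened(conn, prefix):
    """Intentional prefix search: only the trailing '%' we append is a wildcard."""
    pattern = escape_like(prefix) + "%"
    return conn.execute(
        "SELECT username, email FROM users WHERE username LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, DAN5 :", lookup_vulnerable(db, "DAN5"))
    print("vulnerable, DAN% :", lookup_vulnerable(db, "DAN%"))   # three rows leak
    print("hardened,   DAN% :", lookup_hardened(db, "DAN%"))     # nothing
    print("prefix,     DAN  :", prefix_search_hardened(db, "DAN"))
    print("prefix,     DAN% :", prefix_search_hardened(db, "DAN%"))  # literal '%' only
```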

Paul Alciatore
10-13-2016, 03:08 AM
My opinion is that anyone who stores personal or company data that they consider private "in the cloud" is just plain stupid. If you put it "in the cloud" you have to assume that it will be hacked. If it is company data, then you should assume that your competition will get it and use it, probably against you and your company.

Also anyone who uses a "free" e-mail service, like G-mail or others, is likewise giving it away at least to the company, like Google, which is providing that "free" e-mail service. Google and others who provide these "free" e-mail services are actually advertising companies who mine those e-mails to get data on you and your interests and spending habits. Then you wonder why you get so many ads for things that you have already purchased. Or things that you only mentioned in a conversation with a friend. There is no such thing as "free". You pay the price in a lack of privacy.

I store all my data on a hard drive that is sitting on my desk. It is within an arm's reach. For backups, I use additional hard drives. For protection against loss by fire or flood, one such backup drive can be stored in a separate building, like a bank box. Tip: if you live in a flood prone area like me, ask the bank if their boxes are water proof. Most are NOT. Get one at the top. And I pay for my e-mail service: I do not use a free one.

MrFluffy
10-13-2016, 04:30 AM
Two schools here. First, you can often find errors in systems that allow you further access with no specific resort to a tool; I work checking systems for these and I hand craft all our exploits and tools. I've found these in public sites by accident, but at that point I either close my connection and walk away or notify the admin. Now the former, as once someone tried to sue me for helping them and being a good netizen, but if I have a real soft spot for what the site is about and trying to achieve I may notify them anonymously just to help them along.

Second, if the server is locked down well and requires a sequence of events, i.e. you get x privilege level by doing y, then have to do a second operation to elevate your privileges out of a secure container zone or sandbox as it's called, then I see no difference between that and seeing a locked car and picking the lock then trying to hotwire it once inside. Everyone knows it's illegal and what you're up to, the owners have taken some effort to secure it and it's not like you can accidentally do an intentional sequence of events and end up in control of that server/car.
Something like URL manipulation to access "private" content isn't secured anyway; with AT&T and their prosecution against weev a few years ago, I felt that whoever put that system live in that state should have been in the dock, not him, and he certainly shouldn't have got jail time for doing something people do idly when browsing and think "what if..." out of idle curiosity. But let's be real, he got jail because he embarrassed their experts and that's a more dangerous thing to do than to have massive ill intent.

Also banning the tools won't stop this, as most of the "tools" are just GUI front ends to little scripts or sequences that break things, and take away the GUI click element, the scripts and know-how will still be shared. If we use a Nessus server to do an automated vuln scan, I'll still pick the little script apart and reproduce it manually to check it's valid and the exploit actually works. I could just as easily go to the CVE database and browse the usual places for this info too.
So you'd just be skimming off 1% of the users of these things by making it more difficult and likely push them into learning how to do it for themselves. And what's a hacking tool anyway? I use nmap every day for legitimate non-hacking purposes, netcat when nmap is not available, a C compiler? It's like the shop equivalent of a hairdresser trying to ban spanners because they might be used to circumvent EPA controls on a cab (yes that is intentionally wrong on several levels).

There is way way way too much cloud and lack of separation. Even secure networks run the risk that their AX.25 links etc. are carried over IP at some point in the transit and we're creating the perfect storm when the hammer goes down on a sustained global attack. But hey, shared IP links are cheap, and it's all about the bottom line.

J Tiers
10-13-2016, 11:48 AM
It's a stupid discussion.

danlb is suggesting that there is a huge difference between

A) Breaking the door/picking the lock, and stealing information or goods from a house.

B) Finding a key that fits, using it, and then stealing information or goods from a house.


There is not. The key act is the stealing. How you get in, or what color shoes you have on when you do it, are secondary considerations. Yes, there is such a thing as "breaking and entering", but here the issue is the "stealing".

No "thing" was stolen? It's all still there? Not so fast, boy....

Intellectual property is recognized, can be bought and sold, and so is also capable of being stolen. And, the act of stealing it MAY actually destroy it. Information relating to a patent application that is not filed yet can be stolen. In that case, it may then be impossible to get a patent, since the information may be deemed to be "disclosed". Or, someone else may be enabled to take out the patent (under the new rules of "first to file"). That would definitely be depriving the company of the use of their intellectual property.

And, in the US there is the DMCA.

danlb
10-13-2016, 01:12 PM
It's a stupid discussion.

danlb is suggesting that there is a huge difference between

A) Breaking the door/picking the lock, and stealing information or goods from a house.

B) Finding a key that fits, using it, and then stealing information or goods from a house.


There is not. The key act is the stealing. How you get in, or what color shoes you have on when you do it, are secondary considerations. Yes, there is such a thing as "breaking and entering", but here the issue is the "stealing".

No "thing" was stolen? It's all still there? Not so fast, boy....


No, you are misreading what I wrote. The discussion is about accessing a site, not about stealing the contents.

However, to use your analogy,

There is a huge difference between
a) picking a lock and then stealing a suitcase from a hotel room
and
b) putting your key card into the wrong door in the hotel, finding that it works, entering and looking around until you realize it's not your room.

There is a big difference between
c) using a tool to break into a locked car (without damage) and searching it (fruitlessly) for something to steal and then leaving.
and
d) putting your car key in the door of the wrong red 2004 Camry and getting in when it works, then leaving after looking around and finding it's not your car.

In all these cases, the intent makes a difference. In case B and D you actually manage to accidentally "break in" to someone's physical space and you leave with information about that space. That information is not stolen, it's simply accumulated in the person's memory.

To bring it back to the subject;

There is a big difference between
e) using hacking tools to corrupt data in a system in order to gain access
and
f) discovering by accident that the web site lets you enter random social security numbers in order to get their tax return information.

One might cause damage that deprives the owner of the use of the system or data. The other is like looking around the wrong hotel room in that the information is not changed and no one is deprived of the use of anything.


I will not go into the subject of when someone breaks into your server and steals your intellectual property. It becomes very nebulous when an 18 year old hacker in China "steals" your CAD file for making a Model T Ford headlamp bracket. It becomes even more nebulous when you post that file on a web server, then state that anyone can look at it but no one is allowed to use it. (That's an actual example I've seen.)
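Case (f) above, a site that hands back a tax record for whatever social security number the visitor types, is the classic missing-authorization bug. The following is an added example, not code from this thread or from any site discussed in it, showing the broken lookup next to two ways of fixing it: derive the record from the login session and ignore client-supplied identifiers, or, where an identifier must be accepted, check ownership before touching the record. All names, SSNs, session tokens and records are constructed for illustration.

```python
# Added example, not code from the forum thread. The SSNs, names, session
# tokens and records below are constructed for illustration only.

class Forbidden(Exception):
    """Raised when a lookup is refused; a web handler would map it to HTTP 403."""

# Constructed sample data: the records the site is supposed to protect.
RECORDS = {
    "111-22-3333": {"name": "Alice Example", "refund": 1200},
    "444-55-6666": {"name": "Bob Example", "refund": 300},
}

# Constructed session store: session token -> the SSN the user proved at login.
SESSIONS = {
    "sess-alice": "111-22-3333",
    "sess-bob": "444-55-6666",
}


def lookup_vulnerable(requested_ssn):
    """Pattern (f) from the post: whatever identifier the client types is
    looked up, so any visitor can walk through the keyspace and read every
    record. Nothing ties the request to who is asking."""
    return RECORDS.get(requested_ssn)


def current_user_record(session_token):
    """Preferred fix: ignore client-supplied identifiers entirely and derive
    the record from the authenticated session."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("no valid session")
    return RECORDS[owner]


def lookup_hardened(session_token, requested_ssn):
    """When an identifier must be accepted (say, a preparer with several
    clients), check ownership before touching the record. The ownership
    check runs before the database lookup, so a denial does not reveal
    whether the requested identifier exists."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("no valid session")
    if requested_ssn != owner:
        raise Forbidden("record not owned by this session")
    return RECORDS[owner]


if __name__ == "__main__":
    # The broken version answers for anyone; the fixed ones only for the owner.
    print(lookup_vulnerable("444-55-6666"))
    print(current_user_record("sess-alice"))
    try:
        lookup_hardened("sess-alice", "444-55-6666")
    except Forbidden as exc:
        print("denied:", exc)
```

In a real handler the `Forbidden` case should also be logged with the session and the requested identifier, since a run of denials from one session is exactly the "entering random numbers" behaviour the post describes.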

Doc Nickel
10-13-2016, 02:32 PM
It becomes even more nebulous when you post that file on a web server, then state that anyone can look at it but no one is allowed to use it. (that's an actual example I've seen)

-That's not nebulous at all. Take Mickey Mouse- you can watch the videos all day long, you can wear the clothes, even wear the mouse ears hat if you like. But paint him on the walls of your daycare or use the logo for your pet store? Can't do that.

It's called copyright.

Doc.

pgmrdan
10-13-2016, 02:43 PM
The heck it is, no more than my car is when it is locked. Break into my car or my server and that is breaking the law. Both can be broken into as can just about anything on the planet but that does not make it "fair game". I have FTP access on my server but anonymous access is disabled. Passwords are very strong. My e-mail system is heavily filtered to the point it won't allow zip files to be accepted. My server is locked just like most things I wish to secure. Everything I own is either directly visible to the general public or the container is. That sure doesn't make it fair game.

It's not legally fair game but to a hacker it's fair game.

Evan, knowing you and reading what you have done probably 99.9% of the businesses on the internet aren't as secure as you are. And I doubt anyone on this whole forum has as secure a setup although I applaud Paul A. for doing a LOT more than the great majority of folks.

If this discussion gets a few people to at least think about this stuff then I think it's worth it.

pgmrdan
10-13-2016, 02:57 PM
No offense Dan .. but .. your opinion is absolutely flabbergasting coming from an IT guy.

You talk like people can just accidentally stumble into a system and read/copy or whatever.

Fact is .. you would have to run software that is illegal to use (not to own). Normally this software is written by very very talented (and rare) people and distributed to script kiddies who use this software to break into systems.

BTW .. the systems you worked on with the Faraday cages, I believe were not so much for security ... but .. more to protect the equipment from EMP's.

Faraday for electronic bugs.

"Fact is .. you would have to run software that is illegal to use (not to own)."

The fact is that your statement is fiction. You made that up. Are you saying using ping is illegal??? It can be used to survey IP addresses for multiple pieces of information about a target. It comes standard with Windows, UNIX, Linux, etc. along with a handful of other tools useful for surveys.

"Normally this software is written by very very talented (and rare) people and distributed to script kiddies who use this software to break into systems."

Don't kid yourself. There are books and books of stuff written on this that a young kid can use to write their own tools. Yeah, script kiddies grab stuff off of websites and run it but those who wrote it don't have to be that bright.

"You talk like people can just accidentally stumble into a system and read/copy or whatever."

Nope ... but almost that easy for some sites. And if someone has a grudge against a company they can systematically (and very easily) survey a business' internet access and do stuff that may never be noticed.

Evan
10-13-2016, 03:07 PM
so it would be interesting to see if the technique could be duplicated on an LCD monitor.

No. The CRT has powerful electrostatic fields used to direct the electron beam. Not known by many, the electron beam is moving at around 1/10 light speed, which is why it needs such powerful fields. Without the scanning signal timing the other collected signals are worthless.

An LCD or similar uses very low current and low voltage signals with a readable distance of centimetres if at all since most of the hardware and cables are shielded to prevent interaction with cables centimetres away.

I have always wondered just how good those CRT transmitted signals can be mirrored. There is (was) an awful lot of noise around including who knows how many other monitors in the vicinity. I have a feeling that the ability to really get a signal clean enough to actually reveal what was on the screen would be extremely rare in the real world.

As for the internet and my data available on same I make the assumption that anything I post on line in any way will be seen by anyone and is available to anyone even with the security I have in place for some things. All I care about is that my system continues to operate correctly. If I want to post something such as the thousands of pictures I have on this forum I will post it with the assumption that they will all be taken by anyone that wants them. In the case of pictures that may have some value I only post them at low resolutions compared to the original. I never post anything that can be of value in a way such as identity theft. For example, I have a Facebook account. I do not post my real birthdate there. I also have a page with images of my MRI scans but all possible info that identifies me is removed from those pics and there is no text content on that page in a text format, only graphical and that is obscured in certain ways to prevent screen reading. That prevents Google from logging it. The page is not hidden other than by obscurity.

If somebody creates a website where certain information should be hidden by law and that information can be accessed by accident then that is the fault of the web designer. However, there are still laws in place that directly prevent anyone from distributing or otherwise using such information.

I try to follow the law as best I can even when the law deserves to be changed. I even fully stop at stop signs. I haven't had a driving ticket in nearly 40 years and have never had a road accident. I don't speed either. It pays off too. My driving record has saved me something like $15,000 in car insurance over the years compared to the average driver and far more compared to a bad driver. I have never even had a parking ticket in 30 years.

pgmrdan
10-13-2016, 03:33 PM
My opinion is that anyone who stores personal or company data that they consider private "in the cloud" is just plain stupid. If you put it "in the cloud" you have to assume that it will be hacked. If it is company data, then you should assume that your competition will get it and use it, probably against you and your company.

Also anyone who uses a "free" e-mail service, like G-mail or others, is likewise giving it away at least to the company, like Google, which is providing that "free" e-mail service. Google and others who provide these "free" e-mail services are actually advertising companies who mine those e-mails to get data on you and your interests and spending habits. Then you wonder why you get so many ads for things that you have already purchased. Or things that you only mentioned in a conversation with a friend. There is no such thing as "free". You pay the price in a lack of privacy.

I store all my data on a hard drive that is sitting on my desk. It is within an arm's reach. For backups, I use additional hard drives. For protection against loss by fire or flood, one such backup drive can be stored in a separate building, like a bank box. Tip: if you live in a flood prone area like me, ask the bank if their boxes are waterproof. Most are NOT. Get one at the top. And I pay for my e-mail service: I do not use a free one.

Paul,

I like the way you think!!! :)

All,

And then there's good old facebook. That tool the NSA likes. It creates huge databases on people about their interests, activities, friends, relatives, etc. and guess what. The NSA doesn't even need a warrant to get the information in the facebook databases. Facebook and the NSA cooperate. And talk about a bonanza of information. All those selfies and other photos that people put on facebook that get scanned by facial recognition software. Wow! What more could the NSA ask for?

And the sheeple just keep feeding information into facebook all day long, every day.

Mike Amick
10-13-2016, 03:36 PM
The fact is that your statement is fiction. You made that up. Are you saying using ping is illegal??? It can be used to survey IP address for multiple pieces of information about a target. It comes standard with Windows, UNIX, Linux, etc. along with a handful of other tools useful for surveys.


Whoa Dan .. I'm not an IT guy .. you obviously are .. (although one with a flabbergasting opinion) :rolleyes:

But my head is in a different place. Many serious hacks come in the form of a virus that infects the system and opens access for the hacker.

And I still believe that the most "notorious" "Viruses" are written by pretty smart guys. Now you may be able to do that, and good for you if so.

But I'll even add that as far as reported authors .. it seems that the Europeans are well represented.

I am not talking about network tools as you are implying. Ping away.

As far as stumbling into a system ... thanks to many for giving me examples of how that actually can happen.

pinstripe
10-13-2016, 03:43 PM
Are you saying using ping is illegal??? It can be used to survey IP address for multiple pieces of information about a target. It comes standard with Windows, UNIX, Linux, etc. along with a handful of other tools useful for surveys.

Like most tools (software and otherwise), it can be used legally or illegally. Yes, it is illegal to use ping to flood a network that you have not been given permission to flood. He did say that having the tool is not illegal, only using it [for naughty things]. Yes, I added the bit in brackets, but I think it was pretty obvious considering that's what this discussion is about.

With regards to CRT/LCD. Not the same as what was discussed above, but there is a YT video where the guy shows how you can analyse power consumption to determine which TV channel the people inside are watching. I think it's a Defcon talk, but I couldn't find it. I'm pretty sure he was doing it with modern TVs.

pgmrdan
10-13-2016, 04:00 PM
Like most tools (software and otherwise), it can be used legally or illegally. Yes, it is illegal to use ping to flood a network that you have not been given permission to flood. He did say that having the tool is not illegal, only using it [for naughty things]. Yes, I added the bit in brackets, but I think it was pretty obvious considering that's what this discussion is about.

Unless you coordinate a Denial of Service attack against a target among your 1,000 closest friends it's unlikely you're going to use ping for that. But if one looks up the ranges of IP addresses a potential target uses, then ping can be quite useful for gathering lots of information such as banners, active IPs, operating systems (from the banner information), etc.

The High Orbit Ion Cannon seemed to work well for the Anonymous group when used against the Church of Scientology and against that Christian church full of bashers of alternative lifestyles in DDoS attacks.

pgmrdan
10-13-2016, 04:15 PM
And I still believe that the most "notorious" "Viruses" are written by pretty smart guys. Now you may be able to do that, and good for you if so.

Although I'm an old coder with quite a bit of experience in business applications, just for the record, I don't know if I could write a virus or not because I've never tried and I never will try.

Most of what I've read is from the viewpoint of defending myself from such mischief. If you realize that these hackers are primarily curious and seeking a challenge then you might be better able to protect yourself. And most of the time they seem to be innocently doing this type of stuff to impress themselves and their buddies and for no other reason. Hardly cause to lock them in a cell.

I just think that the Web Masters (???) should better learn their trade and take responsibility for their incompetence when it allows access by a hacker.

But of course nothing is foolproof, so you need to be defensive like some of the guys here have stated they are.

J Tiers
10-13-2016, 04:19 PM
There is virtually no 'net analog to "putting your keycard into the wrong door", because you would need BOTH to be at the wrong place entirely, AND have the password. Fat-fingering is pretty dubious as an explanation for why you got BOTH correct.

Even if it IS on the cloud, that STILL does not make it fair game. People have an "expectation" of at least basic privacy when they need a password to access their data. Valid or not, that "expectation" is enough to convert innocent fooling around into "hacking" in violation of law.

Taken your way, you are saying that it's OK to view anything that is openly displayed on the internet. Thank you Captain Obvious. We didn't know that :rolleyes:

The hidden agenda in your statements is that if you CAN get access, it STILL is fair game to look through it, and that is a dangerous assumption. As if you randomly typed a password, and were let in where you should not be. Or even if you were accessing YOUR data, and mistyped something..... Although I think that is rather unlikely to happen, and unlikely to be accepted as your excuse.

pinstripe
10-13-2016, 04:23 PM
Nothing wrong with using ping to scan IPs and collect the returned information. It can be legitimate research, and you are not harming any system. If a system is harmed because it cannot handle a valid ping request, then it's not your fault.

Start poking around the systems trying to find a way in, and you might find yourself on the wrong side of the law. At what point is the law broken? I don't know, but you will have a pretty good idea when the adrenaline hits you :)

Evan
10-13-2016, 04:43 PM
I suggest you look up "ping storm".

dan s
10-13-2016, 04:43 PM
I'm A web application developer/architect, and hackers deserve a bullet in the head as far as I'm concerned.


DoS attacks/hacks are a real problem. I routinely work with the IT department to temporarily block (DNS firewall level) large regions from accessing our company websites. A while back we blocked ~3/4 of China for 48 hours.

XSS attacks are constantly something I have to remind/reprimand junior developers about. These are the ones that really hurt blissfully ignorant users.


I could go on and on about this ad nauseam.
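The XSS reminder above is the one that bites junior developers most often: user-supplied text is dropped straight into a page and the browser treats it as markup. As an added example (not code from this thread or from the poster's company), here is the unsafe rendering beside the escaped version, plus the attribute case that escaping alone does not cover. The comment strings are constructed test input, and `html.escape` and `urllib.parse` are the Python standard library.

```python
# Added example, not code from the forum thread. Sample comment text is
# constructed to show what escaping does and does not neutralise.
import html
import urllib.parse


def render_comment_unsafe(author, body):
    """Interpolates user input straight into HTML: the XSS mistake."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    """html.escape turns <, >, &, ' and " into entities, so the browser
    displays the text instead of interpreting it as markup."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def render_link_safe(url, label):
    """Attribute context needs escaping *and* a scheme allow-list: entity
    escaping keeps the quotes intact but does nothing about a non-http
    scheme in href, so anything else is replaced with a harmless anchor."""
    scheme = urllib.parse.urlparse(url).scheme
    if scheme not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    body = "<script>alert('x')</script>"      # constructed test input
    print(render_comment_unsafe("guest", body))  # script tag survives
    print(render_comment_safe("guest", body))    # rendered as literal text
    print(render_link_safe("https://example.com/?a=1&b=2", "site"))
```

Escaping on output is the rule that holds regardless of where the data came from; a template engine that escapes by default plus a Content-Security-Policy header that forbids inline scripts give two more layers for the cases a developer forgets.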

pinstripe
10-13-2016, 04:50 PM
Although I'm an old coder with quite a bit of experience ... Most of what I've read ... these hackers are primarily curious and seeking a challenge then you might be better able to protect yourself. And most of the time they seem to be innocently doing this type of stuff to impress themselves and their buddies and for no other reason. Hardly cause to lock them in a cell.

It's not 1990 any more. The penalties are too severe for most people who want to have a bit of fun. There is plenty of money to be made from unethical hacking, malware, etc. Infrastructure has been destroyed, and people may have already been killed by Stuxnet. Nations are attacking each other, and it will only increase when a war breaks out.
I just think that the Web Masters (???) should better learn their trade and take responsibility for their incompetence when it allows access by a hacker.

I don't think you realize just how difficult it is. Incompetence is sometimes a factor, but it's not always. The operating system may (does?) have thousands of undisclosed bugs. How do you protect yourself against that? Anyone who understands security will tell you that nothing is secure. It's about having layers of protection, and hoping that you have enough layers to keep the bad guys out. If the bad guys are well funded and motivated, then that may prove impossible.

pgmrdan
10-13-2016, 05:12 PM
I don't think you realize just how difficult it is. Incompetence is sometimes a factor, but it's not always. The operating system may (does?) have thousands of undisclosed bugs. How do you protect yourself against that? Anyone who understands security will tell you that nothing is secure. It's about having layers of protection, and hoping that you have enough layers to keep the bad guys out. If the bad guys are well funded and motivated, then that may prove impossible.

Actually I do realize, at least somewhat, how difficult it is. It's a very complex issue and you are supporting my point. Valuable information should not be accessible on the internet without realizing that you're running a risk of someone accessing that information that you don't expect.

Quite a few years ago I remember an article in Datamation where several large companies had made the decision NOT to use servers. One of the reasons was security. I'd like to find that article again and see how many of those companies still don't have server farms.

Anyway, in the old days I worked for a company that had its own private network of dedicated leased lines connecting mainframe computers, terminals, printers, controllers, front end processors, terminal control units, etc. together. Unless someone spliced a T-connection into some cabling the network was fairly bullet-proof.

Moving to today we have all sorts of potential points of failure. I don't know who sold these managers on these ideas but companies may as well be playing Russian roulette with their futures.

"Oh, no Mr. Bill. We've been hacked!"

Well duh!

Managers have been lulled into a false sense of security and now they're beginning to realize they've created a cornucopia free for the picking.

dan s
10-13-2016, 05:23 PM
Managers have been lulled into a false sense of security and now they're beginning to realize they've created a cornucopia free for the picking.

What are you talking about? It has nothing to do with managers. Most stuff is stored in systems that are accessible via the web because the end users/customers are lazy, ignorant, or a combination of both.

Dlane
10-13-2016, 05:45 PM
X2 Bullet between the eyes for hackers,

danlb
10-13-2016, 05:51 PM
There is virtually no 'net analog to "putting your keycard into the wrong door", because you would need BOTH to be at the wrong place entirely, AND have the password. Fat-fingering is pretty dubious as an explanation for why you got BOTH correct.

[ snip snip snip ]
The hidden agenda in your statements is that if you CAN get access, it STILL is fair game to look through it, and that is a dangerous assumption. As if you randomly typed a password, and were let in where you should not be. Or even if you were accessing YOUR data, and mistyped something..... Although I think that is rather unlikely to happen, and unlikely to be accepted as your excuse.

Sigh.

I took the time to give you real life examples and all you can do is make statements of disbelief. Then you have the audacity to invent a hidden agenda and assert that it is mine. Are you really as bored as I am? It would seem so if you put this much effort into trying to start an argument.

Try re-reading it with the mindset that someone with years of experience and training in computer and network security is trying to pass on information. Try assuming that there is no hidden agenda. Then use the proffered information when you are trying to decide whether hackers should be shot or simply imprisoned for life.


Dan :)

danlb
10-13-2016, 06:54 PM
It becomes even more nebulous when you post that file on a web server, then state that anyone can look at it but no one is allowed to use it. (that's an actual example I've seen)

That's not nebulous at all. Take Mickey Mouse- you can watch the videos all day long, you can wear the clothes, even wear the mouse ears hat if you like. But paint him on the walls of your daycare or use the logo for your pet store? Can't do that.

It's called copyright.

Doc.

I'd say that's a special case. Don't you find it odd that you can watch a Mickey Mouse video all day on YouTube for free, but are subject to prosecution if you download it to your hard drive and send it to your buddy? Copyright laws are quite strange. But enough said about that.

I was thinking more about the javascript code that is pushed to your computer (and therefore resides in memory and probably the hard drive) that has a copyright notice that prohibits copying or use. Of course you don't see that notice unless you are reading the script, but it's fairly common.

A more personal example is when I read a popular comic monday through friday at http://www.the-whiteboard.com/ . The content there is specifically to entertain people. By design, the owner wants me to look at it, and do it frequently. And it's quite appreciated.

BUT

At the bottom is the following disclaimer. The problem is that it prohibits unauthorized use of the text as well as the image. But I've no way to obtain authorization until after I access the page. And accessing it copies it to my machine. And reading the disclaimer before I'm authorized is a violation of the copyright! Oh NO! What is one to do! I'm probably in violation of the wishes of the creator by copying the following disclaimer too.

So it is somewhat nebulous. On the one hand anyone who accesses the page does so without express permission. On the other hand the creator wants us to see it.



All images, text, graphics and characters are Copyright 2002 - 2015, Doc's Machine & Airsmith Services. All rights reserved. Unauthorized use, duplication, off-site posting or publication strictly prohibited.
If you would like to share the strip with others, please send them the URL and do not copy the strip itself, thanks. Any resemblance to persons living or dead would be an incredible, if not impossible, coincidence.
If you would like to use this strip in any non or for-profit publication, please contact us at docsmachine.com

Doc Nickel
10-13-2016, 07:05 PM
So it is somewhat nebulous. On the one hand anyone who accesses the page does so with without express permission. On the other hand the creator wants us to see it.

-While I appreciate the enjoyment of the comic, that entire statement almost sounds willfully obtuse.

The quoted copyright of course has nothing to do with the reading of the strip or the text involved. To believe or assume otherwise- let alone to state otherwise- almost has to be intentional ignorance or the desire to start or continue an argument. (Also known as "trolling".)

Copyrights are SPECIFICALLY intended so that a person (or corporation) can, in fact, distribute a work for other people to enjoy, and yet that work is still protected against other people copying it and making money with it. That's the entire point of a copyright.

Using the example of my comic, yes, clearly I want people to read and enjoy it, but also clearly I'd rather they not collect it all together, print it up as a book, and start selling copies. Or in the case of the text and graphics, to put up a "mirror" site with my text, artwork and strips, but, say, their own banner ads, and thus be making money off my works.

Doc.

danlb
10-13-2016, 07:17 PM
What are you talking about, it has nothing to do with managers. Most stuff is stored in systems that are accessible via the web because the end users/customers are lazy, ignorant, or a combination of both.


Well, my experience is different than yours. I left the security field after spending too many years trying to convince managers that security is more than a checklist of things to ignore. Security has a cost that is easy to see and count, and benefits that are invisible on the balance sheet. It was actually easier to implement security as a system administrator than it was as a security specialist. As a sysadm I could insist on properly installed, patched and configured software. I was even able to influence the choice of software in most cases. :)

Dan

J Tiers
10-13-2016, 07:22 PM
Sigh....Sigh....Sigh....

Try being clearer about exactly what you mean.

If all you mean is the Captain Obvious comment, we didn't need you to do anything but keep quiet. We know that.

So, the rest of your obfuscatory comments presumably mean something else.

The only logical conclusion is that you intend to justify poking around somewhere you should not have gained access to, using the justification that you got there by accident.

Frankly, that's bat**** crazy.

Getting in there by accident is not presumably a crime, as there was no intent to commit one, and the error was rectified as soon as noticed. Records of accesses would show your access was short and did not include prowling around. Depending on what entity you accessed, you may have some explaining to do, but clearly you had no intent to use the access you obtained.

STAYING there, and prowling around, is obviously within the definition of gaining unauthorized access to secured files. The files were secured and your access, although it perhaps was accidental through some means undetermined in this discussion, was not incidental and soon terminated, but prolonged, with considerable "snooping".

In general, there is no gradation of the crime depending on how secure the lock was. If premises are locked, even by a cheap flat key lock, then locked they are.... i.e. they are "secured". As with doors, so with files and passwords.

Your arguments and those of "prgrmrdan" seem somewhat connected, so whichever "dan" gets hit by the stone can be "the dog that yelps".




Sigh.

I took the time to give you real life examples and all you can do is make statements of disbelief. Then you have the audacity to invent a hidden agenda and assert that it is mine. Are you really as bored as I am? It would seem so if you put this much effort into trying to start an argument.

Try re-reading it with the mindset that someone with years of experience and training in computer and network security is trying to pass on information. Try assuming that there is no hidden agenda. Then use the proffered information when you are trying to decide whether hackers should be shot or simply imprisoned for life.


Dan :)

Yes, you DO seem to have some sort of undercurrent going on here.... if you can't just say that prowling where you are not authorized is wrong, then we have every right to assume you are smudging the gray areas.

DO you say that access, accidental or not, that results in prowling through data is wrong?

Even if it were not illegal, although I believe it is in fact illegal in the US, it is rude and not done by gentlemen.

danlb
10-13-2016, 07:38 PM
Yeah Doc, I understand exactly what copyright is for. It was developed in an age where an artist spent huge amounts of time to make and distribute his work, and the lack of a mass production and sales channel limited their ability to make a living at it.

Copyright was implemented centuries ago to give artists a monopoly so that they would create more art and that was deemed to be in the public interest.

Yeah, It's a pet peeve of mine that copyright law now provides a perpetual monopoly to corporations, long after they have stopped making the art available for public consumption. The original artist often gets very little of the proceeds.

But it is the law and I respect it. I just wish that the law actually matched the digital reality. The idea that this post is copyright is kind of silly, but it is just because I typed it. If you copy it in its entirety, I suspect that you are in violation of the copyright. Silly, right?

Dan
Copyright 2016. Quoting this text in part or whole is prohibited.

oldtiffie
10-13-2016, 07:48 PM
So far there has been a lot of discussion about "hacking" - just the software? - but you/they can do a lot of damage at the computer level by just putting a "viral" (???) on a USB drive that someone could just wander in and insert into a running computer, then remove the USB drive, put it into their pocket or brief-case and just seemingly innocently "walk away" and out of the building.

Comments please???

https://www.google.com.au/search?q=destroying+a+computer+with+a+usb+insert&rls=com.microsoft:en-AU:IE-SearchBox&rlz=1I7IRFC_enAU360&biw=1280&bih=585&source=lnms&sa=X&ved=0ahUKEwiy9IKL_NjPAhVY6GMKHZ_NDxEQ_AUIBygA&dpr=1.5

https://www.google.com.au/search?q=destroying+a+computer+with+a+usb+insert&rls=com.microsoft:en-AU:IE-SearchBox&rlz=1I7IRFC_enAU360&biw=1280&bih=585&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiwu4Sc_NjPAhVN7GMKHS1IDQ0Q_AUICSgC

lakeside53
10-13-2016, 07:53 PM
Doc I know what you're saying but if a server is accessible from the internet it's fair game.

... But that's like saying my house is fair game because it's on a public road.

danlb
10-13-2016, 07:57 PM
Yes, Tiffie, that happens.

A common method of industrial espionage is to drop an infected thumb drive near the entrance of the targeted building. People plug it into their PC and more often than not end up being infected. Since the "virus" is usually an autorun program and since it is custom created for that particular company, it often is not detected by virus scanners.

Dan

danlb
10-13-2016, 08:10 PM
... But that's like saying my house is fair game because its on a public road.

I had to think about that.

No, your house is not necessarily fair game. But a system on the internet with a web server is expected to be available to the public. It invites people to look around. It's like having a fruit stand in the front yard. Wouldn't you expect people to stop and look around?

But that's for normal people like you and me. The hacker is more likely to be the guy who stops and picks up an apple that's fallen from your tree, or maybe he picks them from your tree. To him your system is "fair game" just because he can reach it.

BTW, I dislike hackers in general. Even if they do no harm, once I detect any success at all in their probes I have to take action. That's a pain in the butt.

Dan

dan s
10-13-2016, 08:27 PM
Even if they do no harm, once I detect any success at all in their probes I have to take action. That's a pain in the butt.


They all do harm. Every request to a server consumes bandwidth, CPU time, RAM, disk space, etc., and thus $$$.

J Tiers
10-13-2016, 09:15 PM
I had to think about that.

No, your house is not necessarily fair game. But a system on the internet with a web server is expected to be available to the public. It invites people to look around. It's like having a fruit stand in the front yard. Wouldn't you expect people to stop and look around?

But that's for normal people like you and me. The hacker is more likely to be the guy who stops and picks up an apple that's fallen from your tree, or maybe he picks them from your tree. To him your system is "fair game" just because he can reach it.

BTW, I dislike hackers in general. Even if they do no harm, once I detect any success at all in their probes I have to take action. That's a pain in the butt.

Dan



OK, NOW with your latest statements, it has become clear that you DO NOT agree that any system on the net is fair game.

Or, you SORT OF don't agree.

It seems to be natural and maybe OK and expected for regular people to look around, but not for hackers? That seems to be a strange distinction, as regular people in general do not know HOW to do that if there is the slightest obstacle......

Looks like you STILL have a strange conflict of opinion.... Or have not made yourself clear.

oldtiffie
10-13-2016, 09:16 PM
Yes, Tiffe, that happens.

A common method of industrial espionage is to drop an infected thumb drive near the entrance of the targeted building. People plug it into their PC and more often than not end up being infected. Since the "virus" is usually an auto run program and since it is custom created for that particular company, they often are not detected by virus scanners.

Dan



Thanks Dan.

And what of the kids bringing home "good" and "must have/try stuff" on a thumb (USB) drive and inserting it into a USB port on other computers in the house - and what if all the computers in the house are networked?

Some adults are possibly as bad as the kids in that regard too.

And with thumb (USB) drives - who formats them before loading/un-loading stuff to or from the USB drive?

lakeside53
10-13-2016, 09:33 PM
That's really bad. We have a lot of Surface Pro's in retail environments on our heavily protected internal networks. They need to access our order entry and other core systems. The presence of the USB port is an issue. Unfortunately it's not as simple as "disabling" them in Windows or plugging with epoxy as they are required for other uses, and when the Laptop needs to be on the wired networks. We're experimenting with USB locks.. a physical device that plugs in and needs a key to remove.

Bottom line - don't let anyone plug anything into your usb ports, and know exactly what you are doing when you do it yourself.

J Tiers
10-13-2016, 09:38 PM
...

And what of the kids bringing home "good" and "must have/try stuff" on a thumb (USB) drive and inserting it into a USB port on other computers in the house - and what if all the computers in the house are networked?

Some adults are possibly as bad as the kids in that regard too.

And with thumb (USB) drives - who formats them before loading/un-loading stuff to or from the USB drive?

MOST adults are just as bad, and some are worse; they turn off the AV stuff "because it slows everything down".

Nobody formats USBs if they want something OFF of them.

USBs are the work of the devil for sure, since they all come with software on them when new..... Anything with software can have bad software.

danlb
10-13-2016, 10:54 PM
Looks like you STILL have a strange conflict of opinion.... Or have not made yourself clear.

Don't let it bother you. If you ask a yes/no question and get a multiple choice answer, maybe the question needs to be reconsidered, or the assumptions need to be reviewed.

It's really my fault. I'm analytical by nature, and have decades of experience in this particular subject. That leads me to think of way too many ways to look at every question and every answer.

Morally, you should be able to secure your server with a simple "keep out" notice.

Rationally, a person who follows all of the links on your web site is committing no damage, as that's what your system is designed for. (1)

Ethically, a person who tries to access information that you have tried to hide is wrong, and expecting hidden information to remain that way is naive on your part.

Legally, any particular action may or may not be a crime depending on where you are, where the systems are and what the jury feels like that day.

And then there is the question of "hackers". The term hacker has several different definitions and connotations. There are official definitions, and then there are the scholarly definition and the muddled definitions used by hackers themselves.

A hacker can be a bad guy, bent on doing harm.

It can be a curious person who just wants to see what he can do.

It can be a good guy who is checking for unpatched code so he can report it to the company... and on and on.

You can see why a yes/no question is not always answered the way you'd like?

Dan

(1) If you think that a person accessing your web site is damaging it by using cpu cycles, you don't really understand what a cpu does when idle.

J Tiers
10-14-2016, 11:51 AM
....
And then there is the question of "hackers". The term hacker has several different definitions and connotations. There are official definitions, and then there are the scholarly definition and the muddled definitions used by hackers themselves.

A hacker can be a bad guy, bent on doing harm.

It can be a curious person who just wants to see what he can do.

It can be a good guy who is checking for unpatched code so he can report it to the company... and on and on.

You can see why a yes/no question is not always answered the way you'd like?

Dan

(1) If you think that a person accessing your web site is damaging it by using cpu cycles, you don't really understand what a cpu does when idle.

A "Hacker" depends on context.

In this context, we obviously mean a person deliberately seeking access to your secured information without authorization, period. Motivations do not matter.

That disposes of the casual person who blunders in without intent. It also disposes of the "black hat crew", as they are authorized to attempt a break-in.

The remaining people, "trying to see what they can do", or attempting to get information, tie up the site, hold data for ransom, etc, are committing a crime in the US.

Someone DID mention CPU cycles, dunno who, don't care.

Their point DID have some validity. What is a DDOS attack? It is an attempt to use ALL the CPU cycles and deny them to legitimate users, blocking access to a site or file system. That has little to do with what a CPU does when idle, which is whatever it is programmed to do, often file system cleanup, maintenance, etc.

The fact that it is busy with maintenance when not otherwise occupied is irrelevant, since one or many "hackers" entering the system will in fact displace legitimate users to some degree, not to mention displacing maintenance activity. Perhaps more than usual, as they often, in pursuit of their goals, will search through files and so provide a large number of retrieval requests.

That's not a big point, however, since the act of gaining unauthorized access is itself the crime in the US.

No, I don't really see that there is any doubt about what is meant, nor should the "question" (if there was one) be answered with another question. Seems quite clear and easy to grasp.

pgmrdan
10-14-2016, 12:09 PM
... But that's like saying my house is fair game because it's on a public road.

I clarified this once. I should have said that it is fair game as far as a hacker is concerned.

pinstripe
10-14-2016, 12:24 PM
Yeah Doc, I understand exactly what copyright is for. It was developed in an age where an artist spent huge amounts of time to make and distribute his work, and the lack of a mass production and sales channel limited their ability to make a living at it.

The amount of time is irrelevant. One might write a song or paint a painting in a few hours. Some software has millions of man hours invested into it. Doesn't make any difference from an ownership/copyright perspective.



Yeah, It's a pet peeve of mine that copyright law now provides a perpetual monopoly to corporations, long after they have stopped making the art available for public consumption. The original artist often gets very little of the proceeds.

Yet you mocked Doc for putting a copyright notice on his work. Is he a corporation taking advantage of a poor starving artist? Plenty of independent artists and small businesses rely on copyright law to protect their investment.



Copyright 2016. Quoting this text in part or whole is prohibited.

Sue me :)

dan s
10-14-2016, 12:34 PM
Dan

(1) If you think that a person accessing your web site is damaging it by using cpu cycles, you don't really understand what a cpu does when idle.


You assume that where I work lets machines sit idle. We do not, because that's a waste of $$$. Low CPU utilization is around 7-8%, average is low 20s and high is between 70-80%.


I get the feeling you don't know much about web attacks. A lot of attacks start out by looking for known open source software that could potentially be exploited. An actual user fat-fingering and getting a 404, or a development mistake, is one thing. Hackers writing scripts to probe a system 10s, 100s or even 1000s of times a second is something completely different.

For example I routinely see access logs full of requests like this. The domain I just looked at has never had WordPress installed on it, but the logs contained lots of lines like this.


GET /wordpress/wp-admin/ HTTP/1.1" 404
GET /blog/wp-admin/ HTTP/1.1" 404
GET /wp/wp-admin/
GET /wp-admin/css/colors-classic.css
GET /wp-login.php HTTP/1.1" 404

pinstripe
10-14-2016, 12:47 PM
I clarified this once. I should have said that it is fair game as far as a hacker is concerned.

Fair game for what? Sending a few properly formed pings? Yes. Sending malformed data to gain access or take the site down? No.

If you doubt this is the case, then try taking down a .gov or .mil site and see how you fare in court. The law is clear. You might not like or understand it, but it is what it is. Someone else's server, data, network, etc. are not fair game, even if they are insecure for whatever reason.

danlb
10-14-2016, 02:38 PM
Fair game for what? Sending a few properly formed pings? Yes. Sending malformed data to gain access or take the site down? No.

If you doubt this is the case, then try taking down a .gov or .mil site and see how you fare in court. The law is clear. You might not like or understand it, but it is what it is. Someone else's server, data, network, etc. are not fair game, even if they are insecure for whatever reason.

You are misinterpreting the remark. When pgmrdan said "it is fair game as far as a hacker is concerned" it should have been interpreted as:

A hacker will feel that there is nothing wrong with what he is doing. If you leave your site open to exploits, then the "bad hackers" feel there is nothing wrong with exploiting it. That is how "as far as the hacker is concerned" should be interpreted.

pinstripe
10-14-2016, 02:43 PM
Ok, got it. Thanks for clarifying.

danlb
10-14-2016, 03:30 PM
You assume that where I work lets machines sit idle. We do not, because that's a waste of $$$. Low CPU utilization is around 7-8%, average is low 20s and high is between 70-80%.

I get the feeling you don't know much about web attacks.

First, the last remark. I've worked in networks and systems for decades. Managing probes and attacks are part and parcel of the job. I'm curious, what did you do about that probe? Did you at least block the ip address that the probe came from? I'm not sure what software you use, but the /wp/wp-admin request did not return a 404, suggesting that WordPress might be installed.

Second, a person who does not fall into the "malicious hacker" category does no damage to your computer simply by accessing a URL that is "hidden". If you have "spare cycles" then the cpu is doing a "no operation" operation for that 1/16000000000 of a second that each cycle lasts (on a 1.6 GHz CPU), just waiting for something to do. CPUs don't get "used up". I grant you that you have to pay more for faster, more powerful systems to handle your anticipated load, and if 30% of your load is hackers, then that's an impact.

The DOS (Denial Of Service) attacks are a whole other mess. Since the idea is to overload your resources, the attack is limited by whatever router, switch, concentrator or firewall that gets maxed out first.

Dan

danlb
10-14-2016, 04:31 PM
The amount of time is irrelevant. One might write a song or paint a painting in a few hours. Some software has millions of man hours invested into it. Doesn't make any difference from an ownership/copyright perspective.


Yet you mocked Doc for putting a copyright notice on his work. Is he a corporation taking advantage of a poor starving artist? Plenty of independent artists and small businesses rely on copyright law to protect their investment.

Sue me :)

You are 100% correct on the first point. That's what the current law says. It's not what the original law was supposed to do. The original law was to encourage creation of art that would eventually fall into the public domain. It was to enable people to invest time and effort in their creations. If it takes you 10 minutes to write a poem, chances are that you will even if there is no way to monetize it.

The second point was way off target. I did not intentionally mock Doc in any way. I used his site as a reference in a (feeble) attempt to get more people to check it out. The fact that it has an example of a self canceling copyright notice was just coincidence.

The third point was expected. People generally ignore copyright and license when it suits them, as shown in your post. I do my best to follow the law, and to follow the spirit of the law when the law is badly written.

dan s
10-14-2016, 05:18 PM
I'm curious, what did you do about that probe? Did you at least block the ip address that the probe came from?
We routinely block entire octets at the firewall. We have gone as far as contacting ISPs and having stuff cut off. We don't routinely do anything until we see a performance issue. If we went after every script kiddie, we would need a large dedicated team.



I'm not sure what software you use, but the /wp/wp-admin request did not return a 404, suggesting that WordPress might be installed.


That was me fat-fingering the copy & paste; they all 404ed.




I grant you that you have to pay more for faster, more powerful systems to handle your anticipated load, and if 30% of your load is hackers, then that's an impact.

That's what I'm talking about, the systems I work on handle about 15 billion requests a month, so the costs become a lot more apparent to the non technical people.

J Tiers
10-14-2016, 05:53 PM
....

People generally ignore copyright and license when it suits them, as shown in your post. I do my best to follow the law, and to follow the spirit of the law when the law is badly written.

False, really. Not the same thing at all.

You posted to an open site, and claiming copyright on your post is not going to fly, as I am pretty sure that there is an implied waiver of copyright inherent to posting here. Read your agreement again. If it is NOT there, it should be, and would be if the legal eagles spot that.

Linked images, linked text, etc, is not covered by that waiver, partly because you may not have standing TO waive the copyright. You are directing folks to a site where there is copyrighted material, which was posted by a third party to be looked at, or perhaps a license purchased, but not simply copied.

So, Doc CAN copyright material that is posted on his site. You CANNOT copyright your posts to THIS site. You CAN copyright posts to your OWN site, certainly. There is no obligation on the part of copyright holders to keep the material secret and locked up.

danlb
10-14-2016, 09:32 PM
We routinely block entire octets at the firewall. We have gone as far as contacting ISPs and having stuff cut off. We don't routinely do anything until we see a performance issue. If we went after every script kiddie, we would need a large dedicated team.


I understand what you mean about large sites. The last company I retired from was running well over a billion pages served per day. But even for big installations there are ways to automate the process at the web server, the load balancer or the firewall. One of the exercises in the F5 load balancer training classes was to create a rule that would block all traffic from an IP address that sends http requests that are signs of automated probes. You can create dynamic firewall rules at the web server itself with the right OS.

Ask your security experts to look into it. Blocking large network blocks always runs the risk of banning valid business users.

Dan
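
Pulling together dan s's WordPress-probe log lines and danlb's point about automating the block at the web server or firewall instead of banning whole network blocks, here is an added Python example; it is not code from anyone in the thread. It parses a few constructed combined-format access log lines, flags an IP only once it has sent several 404s for WordPress paths inside a short window (so a single fat-fingered URL from a real user is not flagged), and renders per-IP, time-limited ipset rules. The set name probe_block, the probe-path list, the threshold and the window length are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (combined format), not from the thread's real server.
# 203.0.113.7 is a scanner hunting for WordPress on a site that never had it;
# 198.51.100.20 is a normal visitor who mistyped one URL; 192.0.2.55 sends
# two probes far apart in time.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2016:12:30:01 +0000] "GET /wordpress/wp-admin/ HTTP/1.1" 404 169
203.0.113.7 - - [14/Oct/2016:12:30:01 +0000] "GET /blog/wp-admin/ HTTP/1.1" 404 169
203.0.113.7 - - [14/Oct/2016:12:30:02 +0000] "GET /wp/wp-admin/ HTTP/1.1" 404 169
203.0.113.7 - - [14/Oct/2016:12:30:02 +0000] "GET /wp-admin/css/colors-classic.css HTTP/1.1" 404 169
203.0.113.7 - - [14/Oct/2016:12:30:03 +0000] "GET /wp-login.php HTTP/1.1" 404 169
198.51.100.20 - - [14/Oct/2016:12:30:05 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.20 - - [14/Oct/2016:12:30:09 +0000] "GET /prodcuts.html HTTP/1.1" 404 169
198.51.100.20 - - [14/Oct/2016:12:30:12 +0000] "GET /products.html HTTP/1.1" 200 8040
192.0.2.55 - - [14/Oct/2016:12:45:00 +0000] "GET /wp-login.php HTTP/1.1" 404 169
192.0.2.55 - - [14/Oct/2016:13:20:00 +0000] "GET /wp-login.php HTTP/1.1" 404 169
"""

# Client IP, timestamp, request line (protocol optional), status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed probe list: paths that only exist if WordPress/phpMyAdmin is installed.
# On a host that never ran them, a 404 here is a strong sign of a scanner.
PROBE_PATHS = re.compile(
    r'/(wp-admin|wp-login\.php|wp-includes|xmlrpc\.php|phpmyadmin)',
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_probe(rec):
    """A 404 on a known scanner path; ordinary 404s from typos do not count."""
    return rec["status"] == 404 and PROBE_PATHS.search(rec["path"]) is not None


def find_scanners(log_text, threshold=3, window_minutes=5):
    """Map IP -> total probe hits, for IPs with >= threshold probes in any window."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def block_rules(flagged, ttl_minutes=60):
    """Per-IP ipset entries that expire on their own, so a shared or reassigned
    address is not banned forever and no whole network block is touched."""
    return [f"ipset add probe_block {ip} timeout {ttl_minutes * 60}"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG)
    for ip, count in scanners.items():
        print(f"{ip}: {count} probe hits")
    for rule in block_rules(scanners):
        print(rule)
```

The rules assume an ipset named probe_block already exists and is referenced by a DROP rule in iptables; the same detection output could just as well feed a load balancer rule or a web-server deny list. Keeping the threshold above one and the window short is what separates a scanner from a legitimate visitor who mistypes a URL.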

danlb
10-14-2016, 09:36 PM
People generally ignore copyright and license when it suits them, as shown in your post. I do my best to follow the law, and to follow the spirit of the law when the law is badly written.

False, really. Not the same thing at all.

You posted to an open site, and claiming copyright on your post is not going to fly, as I am pretty sure that there is an implied waiver of copyright inherent to posting here.

Please post the portion of the copyright laws (or DMCA) that says that there is an implied waiver of copyright. It's been a few years since I read it, but I don't recall a clause that says that copyright is void for people communicating electronically.

Dan

danlb
10-14-2016, 09:42 PM
So, Doc CAN copyright material that is posted on his site. You CANNOT copyright your posts to THIS site. You CAN copyright posts to your OWN site, certainly. There is no obligation on the part of copyright holders to keep the material secret and locked up.

Of course he can. Copyright is automatic, even without a notice. That's the law.

Dan

J Tiers
10-14-2016, 10:51 PM
Please post the portion of the copyright laws (or DMCA) that says that there is an implied waiver of copyright. It's been a few years since I read it, but I don't recall a clause that says that copyright is void for people communicating electronically.

Dan

It would be in the agreement when you signed up HERE. Not one thing to do with the DMCA.

If there is no such, there should be, as it is technically inherent to a BBS that copies are made on a local computer. And it is good protection for the site owner anyway.

danlb
10-14-2016, 11:04 PM
It would be in the agreement when you signed up HERE. Not one thing to do with the DMCA.

If there is no such, there should be, as it is technically inherent to a BBS that copies are made on a local computer. And it is good protection for the site owner anyway.

OK. Where does it say that?

Dan
P.S. It's technically inherent in all http based services like web sites that copies are made on a local computer. That was my point earlier, but thanks for re-affirming it.

oldtiffie
10-15-2016, 12:15 AM
There are some interesting reads re. "hacking" here:

https://www.google.com.au/search?q=google&rls=com.microsoft:en-AU:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7IRFC_enAU360&gfe_rd=cr&ei=f6sBWPfPFqru8weUqbi4Bg&gws_rd=ssl#q=hacking

JRouche
10-15-2016, 04:46 PM
It would be in the agreement when you signed up HERE.

Problem with that? You don't HAVE to sign up or agree to any terms to use this site.. JR

J Tiers
10-15-2016, 09:29 PM
Problem with that? You don't HAVE to sign up or agree to any terms to use this site.. JR

So I saw when I looked for the "terms of use" yesterday. There do not seem to BE any, unless they appear only at sign-up, which might make them moot and unenforceable. That is not common, but if the legal folks at VP are satisfied, I suppose we can be also.

Most sites have some terms of use. The Hobby Machinist site has a stack of them, but that is to be expected as Mr Timken appears to be a lawyer. Other sites have at least some that "your use of the site constitutes agreement to".

I believe it is shortsighted and even dangerous not to have any such, but VP must please itself in that matter.

One common term of use is that posts are automatically put into the public domain, which is a good reason to post links and not actual pictures, if you have any intent to retain copyright.

dave_r
10-16-2016, 04:00 AM
So I saw when I looked for the "terms of use" yesterday. There do not seem to BE any, unless they appear only at sign-up, which might make them moot and unenforceable. That is not common, but if the legal folks at VP are satisfied, I suppose we can be also.

Most sites have some terms of use. The Hobby Machinist site has a stack of them, but that is to be expected as Mr Timken appears to be a lawyer. Other sites have at least some that "your use of the site constitutes agreement to".

I believe it is shortsighted and even dangerous not to have any such, but VP must please itself in that matter.

One common term of use is that posts are automatically put into the public domain, which is a good reason to post links and not actual pictures, if you have any intent to retain copyright.

There was a TOS that you agree to when you sign up. Most recent TOS that I've read, the poster retains copyright to the material they post, both pictures and text, but grants the website permission to republish it. Sometimes a site will try to make it so anything you post, you assign the copyright to the site, but people notice, a small sh!tstorm happens, and then it goes back to the first one.

JRouche
10-16-2016, 05:04 AM
Awe chit. You guys can be dense. There is a TOS. Problem? You do not need to read or agree to the TOS. Internet, rules need not apply, evidently (sad face),,,

PStechPaul
10-16-2016, 05:56 AM
Just caught up on this thread. One thing JTiers posted:


One common term of use is that posts are automatically put into the public domain, which is a good reason to post links and not actual pictures, if you have any intent to retain copyright.

There is really little difference between posting a link and an actual picture, as that just uses [ img ] tags to cause the browser to render the image in the web page, while clicking a link opens a new tab or window with the image. It may be a bit different if you upload your image to the site, as then you have lost control of it. You may still technically or legally have an implicit copyright on the image (and whatever text you write), but I think precedents have been set that draw the line of criminality when someone passes off someone else's work as their own and tries to profit from it. Such profit may be not only monetary, but also could include popularity or numbers of hits.