[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Prosecution of Cracking Security Systems



At 9:42 PM 9/20/95, Brian Davis wrote:

>Certainly, Cypherpunks has gotten press lately, and what I've seen has
>been good press.  Capitalize on it.
>
>Finally, I've got to say that, as someone new to the concepts discussed
>here, I found it extremely cool to read about the latest break here and
>then see it in the news a day or two later.


Indeed, it gives you a day's head start in preparing a prosecution!

(Just kidding, of course. Brian may be a DA, but he's showing signs of
being "one of us.")

And on a serious note, the cracks of these various systems are helpful to
the overall community. Better locks.

To pick up on a point Brian made several days ago about whether or not
hackers who break into systems should be applauded, criticized, prosecuted,
whatever, this is how I see things, in direct parallel with the recent
Netscape cracks:

* Situation 1: A person who enters my home by bypassing locks cannot claim
to be "just testing security" and should be prosecuted for trespass, if
nothing else.

* Situation 2: However, a person who publically demonstrates that a
well-known type of lock is weak and can be easily bypassed is well within
his rights and is, I think, doing the community a favor. I mean that he
demonstrates this on a lock, or system, and not by breaking into a system.
(It may be true that some number of potential thieves use the knowledge
that a given lock is weak to commit crimes, but that's not the
responsibility of the person demonstrating the weakness.)

(Sidebar: There are some subtleties. What about someone who breaks into a
computer system and leaves a harmless message announcing his intrusion?
What about someone who enters my house while I'm asleep and leaves a
message saying "Get better locks!"? What about Randall Schwartz and his
security checks of his employer, Intel?)

It seems clear to me that the breaking of Netscape's security is an example
of Situation 2. And many cracker break-ins are Situation 1, though in many
cases the crackers are not full-fledge criminals and may think they are
just testing security. (This goes to motive, I'm sure Brian would agree,
and may be why a 16-year-old cracker gets a suspended sentence instead of
hard time.)

(A more problematic case is what about systems with very weak or no
security? This is somewhat like a yard with no clearly marked boundary, no
fence, etc., or like a beach towell with valuables left on it. We've
debated issues like this several times on the Cyberia list, so I won't
here.)

One thing that worries me is that some of the proposed laws about
intellectual property and enforcment of copyrights may make it illegal to
try to break the cryptographic protections of systems, even systems one has
control over. (Some similarities to the "no reverse engineering"
shrink-wrap licenses.)

It's conceivable that Netscape Communications could, under these
"anti-hacking" laws, seek a prosecution of some future Goldberg and Wagner.

My guiding principles about locks and security are these:

* Theft is theft, even if a bicycle is left unlocked or a house door is
left ajar.

* However, the first line of defense is for a property owner to lock his
property up, to place fences around property, etc. Cops cannot protect in
all situations, which is why security services and tools exist.

* Since enforcement resources are limited, I can understand why the
investigation of a theft involving unlocked, unsecured property is given
low priority. This doesn't make the theft "right," and if the thief is
somehow caught he cannot use the "But it was unlocked!" defense.

(These problems are lessened in a system where people pay for protection,
as with insurance systems, and of course as with anarcho-capitalism of the
sort discussed by Benson, Friedman, and others.)

--Tim May




Notice: With 1000 people on the Cypherpunks list, and many on other lists I
am on, nearly every article I write generates at least one question,
request for more information, dispute with my choice of words, etc. I have
been trying to respond to these, usually privately, but the burden has
become too much, and I no longer plan to respond to trivial or ephemeral
points. If you don't hear from me, this is why. Some requests for pointers
to information will still be handled, but I advise people to learn how to
use the archives and/or search tools.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."