RE: Vulnerabilities in new laws on computer hacking
From: Bigby Findrake (bigbyephemeron.org)
Date: Mon Feb 20 2006 - 15:39:11 CST
On Wed, 15 Feb 2006, Anthony Cicalla wrote:
> I would have to say that I agree with you in what you have said. I am a
> young security professional with a CISSP, but growing up I did not have
> the $ to be able to purchase VMware and all the software to set up a test
> environment. I also bet that most of you between ages 12 - 16 had the
> minimum 500.00 for a PC and another 300.00 for VMware and the list goes
> on and on. To learn computer / network security is expensive and the
> materials are costly in a lot of situations.
Perhaps this is beating a dead horse, but could someone explain to me why
the addition of a $50 computer found at a garage sale, a $10 NIC, and a
$20 switch or hub to any would-be-infosec's arsenal wouldn't suffice for
this purpose? We're not trying to brute force 4 kilobit PGP keys, we're
trying to present a host to attack. FreeBSD, NetBSD, OpenBSD, Linux...
all free operating systems. Isn't there an x86 version of Solaris that's
free? $500 computers aren't needed for this testing. I suggest that the
necessity for more expensive hardware is the exception, and not the rule.
Bochs may not be speedy, but it works.
I would also suggest that anyone who finds that money is an obstacle is
looking for excuses. I have often found ways to make outdated hardware
useful in a variety of situations.
> If we are going to make stricter laws why do we not have something set up
> for more positive learning. Maybe a sponsored couple of sites to teach
> this and be legal targets for script kiddies. Just some of my thoughts
> on the matter. After saying this I don't support illegal activities but
> if we want the kids to learn and not go to jail for being curious then
> we as a community need to look at this and provide a positive outlet for
> this type of activity.
> -----Original Message-----
> From: self-destructionitsbest.com [mailto:self-destructionitsbest.com]
> Sent: Saturday, February 11, 2006 8:35 AM
> To: bugtraqsecurityfocus.com
> Subject: Vulnerabilities in new laws on computer hacking
> It'd be interesting to see if this post gets approved by the moderators of
> As all of you know, this forum (bugtraq) is constantly monitored not only by
> crackers and infosec professionals, but also by government and
> law-enforcement agencies.
> The reason why I'm posting this message is because I'd like to bring
> attention to the new laws on hacking.
> As everyone knows, laws on computer hacking are getting tougher. There are
> however, some negative consequences.
> "Advanced societies" are updating computer crime laws faster than the rest
> of the world. This means that new generations of these more "advanced
> societies" will have no clue about how remote computer attacks are carried
> out. Future generations of security "experts" will be among the most
> ignorant in the history of computer security.
> New generations of teenagers will be scared of doing online exploration. I'm
> not talking about damaging other companies' computer systems. I'm talking
> about accessing them illegally *without* revealing private information to
> the public or harming any data that has been accessed. To me, there is a big
> difference between these two types of attacks but I don't think that judges
> feel the same way. Furthermore, I don't even think that judges understand
> the difference.
> Now, I'm not saying that I support accessing computer systems illegally. All
> I'm saying is that by implementing very strict laws on "hacking", we will
> create a generation of ignorant security professionals. I think to myself,
> how the hell will these "more advanced societies" protect themselves against
> cyber attacks in the future?
> These new tougher computer laws will, in my opinion, have a tremendous
> negative impact in the defense of these "advanced societies". It almost
> feels to me like we're destroying ourselves.
> I know what you're thinking. You can learn about security attacks by setting
> up your own controlled environment and attacking it yourself. Well, what I
> say is that this approach *does* certainly make you a better attacker, but
> nothing can be compared to attacking systems in real world scenarios.
> Now, I personally know many pentesters and I can say that most of them *do*
> cross the line sometimes when doing online exploration in their own free
> time. However, these guys would *never* harm anything or leak any sensitive
> information to the public. That's because they love what they do, and have
> very strong ethical values when it comes to privacy.
> I would say that most pentesters are "grey hats", rather than "white hats".
> In fact, I believe that the terms white and black hat are completely
> artificial because we all have different sides. The human mind is not
> binary, like black or white, it's something fuzzy instead, with many layers.
> The terms white and black hat were, in my opinion, created by business
> people to point out who the "good guys" and "bad guys" are.
> If I was the technical director of a computer security testing company I
> would try to find pentesters that are not malicious, but that do cross the
> line sometimes but at the same time, know when it's a good time to stop.
> If you hire someone that has never broken into a system, this guy will not
> be able to produce valuable reports for customers because he will not be
> able to find vulnerabilities that can't be found running a scanner.
> In summary, I'd like governments of the world to rethink their strategy when
> fighting computer crime. Extremism never worked and never will.
> Remember, many of today's script kiddies will be the infosec professionals
> of tomorrow.
"I've tried to install this linux crap about nearly five times, but everytime
it stops with the error message: 'login:'
Fix that immediately or I'll go public with that." -- some random moron