On Mon, 28 Apr 1997, Chris Inskeep wrote:
> Let's take this a little further and, hopefully, take the decimal level
Let's not just take it further ... let's take it to an entirely different
subject to `prove' our point...
> down a bit. There has been a discussion for years that a group of real
> security people should launch a highly damaging attack against several
> very high visibility targets -- electic utilities, telcos, etc. as a
> wake up call for the non-believers. Seems a bit unethical to most,
It is not unethical ... it is criminal. If l0pht did indeed scan the
aforementioned ports, that's all they did - scan them. Big deal. Now,
imagine that they (or any other party) found a security hole and gained
access to your system. This is something to take note of. You have two
choices: You can determine that you don't care and leave things be, or you
can determine that you do, and take the appropriate (does that word mean
anything anymore?) actions, eg, shut down the hole. What you suggest is
entirely different: "...a highly damaging attack...".
Now, just in case there is any misunderstanding here, here is an example
that is actually relevant: handguns. Like "hacking knwoledge", you may
posess a hundgun. Like "port probing", you may make it known that you
have a handgun. Like waving your gun around, you may not actively break
into a system (though it in and of itself does no damage and makes the
surrounding people take notice). Like instanciating "...a highly damaging
attack..." you will go to jail if you shoot someone/something.
Do you understand the difference?
> Seems that most professionals believe that ethical research is one
> thing. Playing cowboy on the Internet is something else. Now you can
> tell me to piss off....
Seems to me that you just said that one thing is one thing, but another
thing is something else. I have no idea what you mean by that ... shall I
contact the FBI or the patent office? Either way, I'll oblige you by
telling you to "piss off....".