North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: spam colusion

  • From: Rachel Luxemburg
  • Date: Tue Jan 11 20:03:49 2000

Derek -- I agree with many of your points, but one thing you seem to
overlook here is that the public distribution of credit card numbers
belonging to CD Universe customers hurts more than just CD Universe. It can
cause those customers financial harm and/or significant inconvenience.

Are you suggesting that they deserve it because they chose to be CD Universe
customers without having first probed CD Universe's systems to make sure no
holes existed? I'm not sure I can agree with that.

First off, it's not unreasonable for a consumer to be allowed a certain
basic level of trust in financial transactions, whether online or off. If a
customer purchases over the Internet using a secured connection s/he is
entitled to a reasonable expectation that their information will remain

Credit card companies recognize this by limiting the customer's liability in
cases where a credit card number is stolen. They recognize that you can't
background check every sales clerk you hand your credit card to in a store
or restaurant, or monitor the trash behind every place you shop in to make
sure nobody's fishing receipts out.

Second, a person's credit information is confidential. By your definition,
the Russian Cracker did wrong to hack those files. And since aiding and
abetting the commission of a crime is also a crime (in the US at least, I
don't know about Russia), he should also bear blame if someone uses those
credit card numbers to make fraudulent purchases.

CD Universe deserves to be slammed for letting their credit card files be
hacked. But those credit card owners are not at fault, and that Russian
hacker is not innocent.

Rachel Luxemburg            [email protected]
Visit SoundAmerica

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of
Derek J. Balling
Sent: Tuesday, January 11, 2000 2:55 PM
To: Dean Anderson; Randy Bush; David Lesher
Cc: nanog list
Subject: Re: spam colusion

At 04:49 PM 1/11/00 -0500, Dean Anderson wrote:
>I see the guy in Russia took his model from ORBS, and did exactly the same
>thing:  He apparently used a security exploit to get data, and published
>that data. So far, it doesn't sound like he made any credit card charges.
>Sounds like he didn't actually damage the compromised system.  According to
>Derek Balling and a few others, he should be free and clear.

Whoa whoa whoa... back up there. Don't even think that you get to put words
in my mouth.

What *I* have said is that a person is subject to the laws and regulations
of the country they live in (plus those they are a citizen of, if those are
not the same country), and not subject to the whims of other countries, so
that's how I see it "from a legal standpoint". If the laws of his nation
say that what he did, specifically, is a crime, then he can (and should) be
held accountable to them. That's what sovereignty is all about.

Philosophically, I disagree with "anti-cracking" laws, by and large,
because (short of password theft or confidential information and NDA
violation-style cracks) any information a cracker can access, ANYONE can
access, if they know enough about the system. What, specifically, makes the
cracker "bad"? YOU (the proverbial you, although your mail servers are a
decent example) are making (the data|your servers) available, not the
cracker. If you are stupid enough to do so, I see no moral obligation on
any user who discovers this to feel it needs to stay quiet. If you bring it
out into the light, it tends to get fixed and people realize how poor the
security at that site is. If you cover it up and go quietly about it or
(worst) tell NOBODY, then nobody knows how poor the security is, or how
little that site should be trusted with data/money/services.

>According to those few people, the cracker hasn't done anything wrong.

Never made that claim. Could you show me where I said that? I'll say it
now, that I don't think he's done much of anything wrong, because
(personally) I believe that crackers, by and large, are a good thing. They
find the holes the rest of the world overlooks and misses. They bring them
to our attention -- often in a flamboyant manner or one that some people
might consider "reckless" -- because most of the time, reporting the
problem to the people who lack security falls on deaf ears.

>According to those same people, CD Universe accepted the consequences of
>having an insecure server. Anybody could accessed the data.

So long as the Russian Cracker was not using a password or such that he
stole from someone (and using a default password is not stealing a
password, since the password is public knowledge), I would concur with
that. (I haven't read the details on how exactly the Russian cracked CD
Universe, so I can't say that for certain, but I think this fairly well
defines where I personally would draw the line).

>So it must be
>publicly available information then. He just published some publicly
>available data.  US law doesn't apply to Russians.  The fault here is with
>CD Universe for operating an insecure server.

Yes, in fact, the ultimate fault does lie with CD Universe. CD Universe
compromised their users' data, not a Russian hacker. The Russian Hacker
merely publicized that compromise.

>There is no fault with the
>guy who published the credit cards.  He is not responsible if other people
>misuse that data.

Correct. In the same way that ancient Chinese scientists are not
responsible if you buy an Uzi and kill someone just because they invented
gunpowder. You are responsible for your own actions, just as the
perpetrators of credit-card-fraud are responsible for THEIR own actions.

>Wrong.  If it wasn't already clear to reasonable people, it certainly is
>now.  Those people who made those stupid assertions are clearly full of

I guess I'm full of crap then. It wouldn't be the first time I've been told
that before, but coming from you, I feel much better now, since it now
very-effectively lowers the credibility of all the rest of the people who
have said that by the very nature of being lumped together with the likes
of you. :)

>Now what happens to the Russian ISP that refuses to shut down the site?
>Yep. You guessed it.

OK, I'll bite,... what do you think happens? Do you think the FBI is going
to go over there and ask the successors to the KGB (same uniform, different
TLA) "pretty please can we arrest these people"? Are you really that

I'm suspecting the answer is "nothing" will happen to the ISP, but they
might volunteer to take it down for PR reasons, but not because anyone has
any authority or moral responsibility to make them shut it down.

My $0.02 worth, I speak for nobody but myself.