|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: Netgate.net.nz/ORBS spam colusion
Derek -- I agree with many of your points, but one thing you seem to overlook here is that the public distribution of credit card numbers belonging to CD Universe customers hurts more than just CD Universe. It can cause those customers financial harm and/or significant inconvenience. Are you suggesting that they deserve it because they chose to be CD Universe customers without having first probed CD Universe's systems to make sure no holes existed? I'm not sure I can agree with that. First off, it's not unreasonable for a consumer to be allowed a certain basic level of trust in financial transactions, whether online or off. If a customer purchases over the Internet using a secured connection s/he is entitled to a reasonable expectation that their information will remain secure. Credit card companies recognize this by limiting the customer's liability in cases where a credit card number is stolen. They recognize that you can't background check every sales clerk you hand your credit card to in a store or restaurant, or monitor the trash behind every place you shop in to make sure nobody's fishing receipts out. Second, a person's credit information is confidential. By your definition, the Russian Cracker did wrong to hack those files. And since aiding and abetting the commission of a crime is also a crime (in the US at least, I don't know about Russia), he should also bear blame if someone uses those credit card numbers to make fraudulent purchases. CD Universe deserves to be slammed for letting their credit card files be hacked. But those credit card owners are not at fault, and that Russian hacker is not innocent. ============================================== Rachel Luxemburg [email protected] Visit SoundAmerica http://soundamerica.com -----Original Message----- From: [email protected] [mailto:[email protected]]On Behalf Of Derek J. Balling Sent: Tuesday, January 11, 2000 2:55 PM To: Dean Anderson; Randy Bush; David Lesher Cc: nanog list Subject: Re: Netgate.net.nz/ORBS spam colusion At 04:49 PM 1/11/00 -0500, Dean Anderson wrote: >I see the guy in Russia took his model from ORBS, and did exactly the same >thing: He apparently used a security exploit to get data, and published >that data. So far, it doesn't sound like he made any credit card charges. >Sounds like he didn't actually damage the compromised system. According to >Derek Balling and a few others, he should be free and clear. Whoa whoa whoa... back up there. Don't even think that you get to put words in my mouth. What *I* have said is that a person is subject to the laws and regulations of the country they live in (plus those they are a citizen of, if those are not the same country), and not subject to the whims of other countries, so that's how I see it "from a legal standpoint". If the laws of his nation say that what he did, specifically, is a crime, then he can (and should) be held accountable to them. That's what sovereignty is all about. Philosophically, I disagree with "anti-cracking" laws, by and large, because (short of password theft or confidential information and NDA violation-style cracks) any information a cracker can access, ANYONE can access, if they know enough about the system. What, specifically, makes the cracker "bad"? YOU (the proverbial you, although your mail servers are a decent example) are making (the data|your servers) available, not the cracker. If you are stupid enough to do so, I see no moral obligation on any user who discovers this to feel it needs to stay quiet. If you bring it out into the light, it tends to get fixed and people realize how poor the security at that site is. If you cover it up and go quietly about it or (worst) tell NOBODY, then nobody knows how poor the security is, or how little that site should be trusted with data/money/services. >According to those few people, the cracker hasn't done anything wrong. Never made that claim. Could you show me where I said that? I'll say it now, that I don't think he's done much of anything wrong, because (personally) I believe that crackers, by and large, are a good thing. They find the holes the rest of the world overlooks and misses. They bring them to our attention -- often in a flamboyant manner or one that some people might consider "reckless" -- because most of the time, reporting the problem to the people who lack security falls on deaf ears. >According to those same people, CD Universe accepted the consequences of >having an insecure server. Anybody could accessed the data. So long as the Russian Cracker was not using a password or such that he stole from someone (and using a default password is not stealing a password, since the password is public knowledge), I would concur with that. (I haven't read the details on how exactly the Russian cracked CD Universe, so I can't say that for certain, but I think this fairly well defines where I personally would draw the line). >So it must be >publicly available information then. He just published some publicly >available data. US law doesn't apply to Russians. The fault here is with >CD Universe for operating an insecure server. Yes, in fact, the ultimate fault does lie with CD Universe. CD Universe compromised their users' data, not a Russian hacker. The Russian Hacker merely publicized that compromise. >There is no fault with the >guy who published the credit cards. He is not responsible if other people >misuse that data. Correct. In the same way that ancient Chinese scientists are not responsible if you buy an Uzi and kill someone just because they invented gunpowder. You are responsible for your own actions, just as the perpetrators of credit-card-fraud are responsible for THEIR own actions. >Wrong. If it wasn't already clear to reasonable people, it certainly is >now. Those people who made those stupid assertions are clearly full of crap. I guess I'm full of crap then. It wouldn't be the first time I've been told that before, but coming from you, I feel much better now, since it now very-effectively lowers the credibility of all the rest of the people who have said that by the very nature of being lumped together with the likes of you. :) >Now what happens to the Russian ISP that refuses to shut down the site? >Yep. You guessed it. OK, I'll bite,... what do you think happens? Do you think the FBI is going to go over there and ask the successors to the KGB (same uniform, different TLA) "pretty please can we arrest these people"? Are you really that ignorant? I'm suspecting the answer is "nothing" will happen to the ISP, but they might volunteer to take it down for PR reasons, but not because anyone has any authority or moral responsibility to make them shut it down. My $0.02 worth, I speak for nobody but myself. D
|