> > > So what do you guys think about part time hackers that
> > > attempt a breakin, post general results on a website,
> > > and then ask for payment to fix your problems?
...
> > Gee sounds like a classic mafia protection racket. Pay us or
> > your business will suddenly have some broken windows. Most
> > places call this extortion.
...
> It's only extortion if there's a threat implied.
>
> Think of it this way:
> 1) If there is an exploitable hole, your box is insecure.
> 2) Assuming I don't cause any damage[*], all I'm doing is
> alerting you to a security problem.
>
> It's not really ethical to do this, but it's not
> extortion either. It's more like a locksmith walking into
> your locked office at night, and leaving a note that says:
> "Your locks suck - I was able to pick them in under 30 seconds.
> Call me at <number> and we'll talk about getting you some real
> security".
>
> Yes he was trespassing, but it's not extortion. Some
> might call it "breaking and entering", but assuming the lock still
> functions (in what is now recognized as a limited capacity), I
> wouldn't agree with the "breaking" part.
Unfortunately, computer crime seems so harmless and unreal for the most
part, that we sometimes fail to see the obvious analogies between it and
"real" crime.

If someone hacks your site, puts the results on a website, and asks for
money to fix the problem, they have committed a crime. They have violated
the property and privacy of you or your business, made your business secrets
public, and have put you in a position where it is in your interest to pay
them money to prevent others from committing the same crime. That is
extortion, among other things.

Let's go back to your locksmith example. Someone defeats your security
mechanism by picking the lock, then they leave a note offering their
services to fix the weak lock. First of all, it's not an exact analogy; it
would be closer to the hacking example if the "locksmith" put a big sign on
your lawn instead. Leaving that aside, how should we interpret that note?
Did we ask the "locksmith" to do this for us? What else has he done, besides
leave a note? What will he do if I don't pay him to fix the lock? If nothing
else, I'm going to feel a bit violated. If what he's doing is really all
right, am I wrong to drop him with the 12-gauge when he comes in?

It's really quite simple. If it's not your server, then you are completely
in the wrong if you violate its security, even if you don't have malicious
intent. There are limitations to acceptable business solicitation practices.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444