Do you think rehabilitation through positive application of their skills is a realistic goal for dealing with cybercriminals? Is a malicious security cracker recoverable at all if he or she is a professional criminal, rather than just a malicious security cracker hobbyist?

Can you think of any improvements to my idea -- or good reasons to scrap it entirely?
But I'd scrap it.

The scriptkiddies that they mentioned in the original article don't really know what they're doing, they buy "hacking" tools and such and try them out. They get easily caught because of their lack of skills.

Having them do community service will be like sending them on a free training course on how to do it properly. I agree that the majority of them would enjoy the course, learn the error of their ways, and go straight. But you'll be giving these criminals the skills to do their crimes better.

What next? Sending muggers on an unarmed combat training course? Or security systems installation courses for failed burglars?
We could always put the "script kiddies" to work in tech support, cleaning the worms, trojans, viruses, etc. off of infected computers. That would potentially keep them from simply learning how to perform their criminal acts more effectively.

The more knowledgeable hackers could be put to work as per the original plan, since they already know what they're doing. They could also be put to work training end users how to protect themselves against malicious code. Who better than a hacker to teach someone how to avoid being hacked? There was a show on cable (dunno if it's still on) where a reformed thief would break into a willing person's home, then they'd show the person how to protect their home, and then the thief would try again, almost always unsuccessfully.
I don't know if Tiger Team is still on but I caught one episode and would have the season on DVD tomorrow if it was available at HMV. Same idea, a "reality tv" film crew follows a team of security testers through a contract per week. The one I caught was them breaking into a high end car dealership.

I'll have to have a look around for the show you mention. Have a name off hand?
Tiger Team
apotheon 28th Apr 2008
There were two episodes of that shown in December to premiere the series. One of them was the car dealership episode. I don't believe there have been any more since then, though.

Maybe the ratings weren't high enough -- or maybe the show fell victim to CourtTV's changing format around the same time.
From the lack of all advertising since, I think your second theory may be correct. Booo! Three "bachelor" spinoffs, two "top model" spinoffs, two cooking shows, a driving show... finally a "reality tv" that didn't leave me feeling dimmer and 60 minutes older and it gets tossed.

But this from an industry that canned Firefly after seven episodes but continues to run Raymond.

I'll have to do some proper research and see what happened to the show or if I can at least track down that second episode.
Name
brian.mills@... 28th Apr 2008
I think the name was "It Takes A Thief." It's been a while since I've seen it, but that could just be because I'm not flipping channels when it's on.
it's on
Jaqui 28th Apr 2008
on Saturday nights.
I think on MSNBC
I like that idea
Bizzo 28th Apr 2008
Get the kids to clean up the same kind of mess they create.
This technical support is what is truly needed also...

I just wonder if people (who they are trying to help clean the machines) would trust them.

Dan
Trust
brian.mills@... 28th Apr 2008
Well, you'd have to have oversight to make sure they're doing what they're supposed to. Can't just turn them loose without someone making sure they're doing their job and not adding to the problem.
Even with oversight... I am not sure if the burned public, even with oversight, would have enough trust to allow the help from these individuals.

Dan
Ah
brian.mills@... 28th Apr 2008
I figured if they can keep trusting Geek Squad, they can keep trusting these kids :)
...is judicial jurisdiction. Besides the script kiddies, most real crackers and hackers come from outside North America. Such camps, although a possible punishment alternative, will be deserted.



TCB
Not so fast.
$$$$$$$$$$ 28th Apr 2008
Both our nations extradite "terror suspects" to God-knows-where. We can't just rule out justice to foreign users of my country's computer network. Once they're extradited, we would have the option to offer this deal to foreign perpetrators of crimes committed via computer.
I like that you mentioned "payment of the offender's 'debt to society.'" If I saw a referendum for your proposal, which included an absolute requirement of full restitution of all direct and consequential damages, I'd vote "Yes." Anything short of that, "No."

Also, it would be helpful to require a televised Q&A, to which the likes of Bruce Schneier and yourself are invited, to inquire about the crackers' development process. Presumably in some cases at least, knowing how the crackers find exploits will help software architects design fewer.
I've gotta say . . .
apotheon Updated - 28th Apr 2008
I like being mentioned in the same sentence as Bruce Schneier.

(edit: . . . in a positive light like this.)

I also think your idea may have merit, completely aside from your inclusion of me in the panel.
So many interesting ideas, so little time per day to implement them.
one little flaw
Jaqui 28th Apr 2008
most open source projects are struggling to get good coders, they don't have the manpower to implement a security audit process on their code base to verify the code supplied by the miscreants.

This would limit it to only those projects with the member base to put a security audit process in place. That would tend to kill off smaller projects fairly quickly.
That's why there's a "probation officer" type to oversee everything -- someone to keep a close watch on the doings of his charges with regard to the development process and the safety of the submitted code. Read up on the Google Summer of Code process to get a better idea of what I'm thinking -- the "probation officer" would be like a much more directly involved, strict "mentor" in the GSoC process.
but, for true
Jaqui 28th Apr 2008
strict mentoring you would be needing a 1 to 1 ratio in far too many cases.
I'm sure the smaller projects would love to get 5 offenders, if they also got 5 "mentors"
even then, they would need to have at least one project member verify code.
[ since the mentors are human and can make a mistake / miss some code ]

The security audit of the code base is a good idea anyway, for all projects, it's just a significant time eater before a release or a constant time eater.

maybe the whole idea would need to have the offenders' code put in for review by a team of mentors before it gets submitted to the project(s) to really be implementable.

The larger projects, which have the members, wouldn't benefit as much from getting these extra bodies as the smaller projects would. A plan that focuses on making it work for the smaller projects will benefit all open source.
nah
apotheon 28th Apr 2008
All you'd really need is a probation officer who can spend a few hours a day, a couple days a week, on each of them -- and knows his/her way around things like a debugger, a test harness, and the codebase for the project in question.

"maybe the whole idea would need to have the offenders' code put in for review by a team of mentors before it gets submitted to the project(s) to really be implementable."

I certainly wouldn't suggest adding it to the distributed codebase before review by someone.