Who is responsible when a software app is used for nefarious purposes?
8 Votes
+ -
The user.
SKDTech 30th Jan 2012
Although the gun analogy fits, I would rather use the kitchen knife analogy since even as a Second Amendment proponent I will admit that the basic purpose of a gun is to kill whereas knives (excluding those oddball specialty collector type things) are tools for anything from dressing a carcass to whittling a toy horse. The main purpose depends on the knife but while they are not primarily weapons, they can easily be used that way. Many of the tools used by security professionals and hackers were not originally intended to be digital weapons but they have been turned to that purpose.

We can never be sure that the tools we design will not be turned to nefarious purposes, but the vast majority of humanity are not bad people. Unfortunately the bad few spoil it for the rest of us.
1 Vote
+ -
Contributr
You make a good point. Do you see any possible answers? Do you think what Anonymous is doing is effective -- positive or negative?
2 Votes
+ -
Analogy
michaelstn@... 31st Jan 2012
I like the knife analogy. But have you killed a target lately? Most guns are never taken anywhere but to the range.
I will start by saying that I am not a programmer, I am an artist. But sometimes someone can look at a situation from another angle and be of help. I was wondering if there could be a way of closing an app from any changes. In some programs you can lock the document from any changes. If something like this could be done for all the code in a program, to lock the code from changes, (like putting a sandwich in a zip-lock and closing it), and, IF someone was able to unlock and get inside to the program's code itself, there was a tracker mechanism that would show the IP address of the one who broke the program's locked barrier. The IP address would be similar to that ink inside a bag of money stolen from a Brink's truck or a bank, and the ink would show who the thief is. Perhaps what I am saying does not make sense or could not be done. But just thought I would offer up the idea for consideration.
1 Vote
+ -
Contributr
You are providing information and ideas. That is what I had hoped for, particularly "outside the box" thinking.
0 Votes
+ -
Thank you
clk536@... 2nd Feb 2012
Thank you, Michael, for your kind words.
2 Votes
+ -
Moderator
IP Addresses have not proved very reliable in the past and are far more likely to be Spoofed or similar in the future particularly if the only Evidence Required is them.

Not something I would want to see adopted by anyone let alone the Legal System which already has enough problems. We don't need to make things worse.

As for Reengineering any Software it's not currently possible as even simple things like Dongles have been overcome for Copy Protection Purposes and that is by no means as necessarily Secure as some think it is.

While I adamantly Disagree with the Concept, Intellectual Property Theft is currently controlled to some extent by the Legal System which sort of works to some sort of Degree. The reality however is that anything can be reduced to Source Code reengineered and do what you like if there is someone motivated enough to do it. It's not restricted to Computers or Programming it's a Human Condition and there is currently no solution.

Of course if we were to do away with the Artificial Concept of Money and Power the need to do things like Reengineering Software for different purposes to what it was intended for, for nefarious Actions wouldn't exist as there would be nothing to gain from it but I honestly can not conceive of something like that happening any time in this society.

Many things are actually Improved or Created by altering Software and even M$ accepts this as they have made available Developer Editions of the Kinect Software to be altered and produce software that does things that they can not conceive of doing. wink

Col
1 Vote
+ -
Contributr
Would the switch to IPv6, where everything has its own IP addr change anything?
Good questions.

Look at art. How hard is it to alter a piece of work? One made by another?
It's probably not easy to do it non-destructively - but how about if you have skill and craftsmanship equal to or surpassing that of the creator?
The bad guys do have the skills. They can reverse-engineer anything we've got, if there's enough money to be made from it.
And bits and bytes are a lot more forgiving of the counterfeiter, the brush-strokes of the creator do not make it through the compiler.
0 Votes
+ -
And greetings to you as well! Your comments are very valid, regarding the comparison between altering a piece of artwork v.s. altering software. There is just more anonymity with altering software. That is the reason I was also talking about the thief being painted with paint who opens the stolen bag of money. I was hoping there was a way to do that digitally. That would pinpoint who the people are, who are doing the software altering.
We are all a little lazy (sometimes) and these guys are NO exception, IF the MAC address of the user who popped the lid on the software. The MAC address of the NIC they're using is unique to that NIC and while IP addresses can be dynamic MAC addresses are not and can be traced. If a black hat had to change their NIC each and every time they executed an exploit or communicated with the fellow conspirators they would either go broke in short order or they would help out the world economy by single-handedly keeping the likes of Cisco, Netgear, et al. in business, and as I said, we are all a little bit lazy, and if they don't change their hardware each and every time we will be able to track and catch them a lot easier than trying to find them via their IP.

Thought this might help. L8R
2 Votes
+ -
> They believe that "hacking is cool" and they're "fighting the system."
> If we can figure out a way to change the current social perception of hacking, we'll have less of a problem with participatory botnets, DoS, and tools like LOIC.

Yeah, there is a way: To change the current social perception of system.

> To stick with your firearm analogy

Bad analogy. Software is far easier to (re)produce than firearms. Regulating it in the same way as firearms would require an unacceptable level of intrusive surveillance.
2 Votes
+ -
Contributr
I'd be curious to learn more about changing the perception.

I think my using firearms was more to raise awareness of a complicated problem.
Throwing a couple of Corzine-like people in jail usually helps. If they are too high above the law, tarring and feathering seems to be the next best alternative. I don't know about LOIC etc, but restoring the trust into the system would surely lower the number of participatory bots participants.

Firearms and ammo are fairly easy to regulate because ammunition is not easily produced. Necessary chemicals are difficult to obtain, and dangerous to handle. With computer & software development tools, this is obviously not the case. Any restrictions in this area would be like Ceausescu's infamous typewriter regulation.
1 Vote
+ -
don't allow the public to possess weapon-grade bits grin wink
2 Votes
+ -
It can also be used for knocking people in. You are never going to change that. Ever.
0 Votes
+ -
Contributr
I've used the word never a few times and lived to regret it each time.
0 Votes
+ -
Disagree
rm.squires@... 31st Jan 2012
The human race seems to have the remarkable ability to change and society along with it.

While this is more evident in more extreme situations, society generally changes at much slower paces, with the right guidance it can change for the better.
0 Votes
+ -
While America is a nice non-violent place (when compared to say Egypt, Africa, Syria, Iran, Iraq, etc.) it still has many hostile areas. How do you propose to change half a million people? And that's just here in America. What about those other areas that don't live like us? The utopian mentality kills me. I used to believe then I watched Nick Berg die the most gruesome death and thought long and hard about how anyone could change the mindset of those that killed him. I couldn't find a solution. They live and die by violence in that part of the world. It would take hundreds if not thousands of years to change, if it could at all. The mindset is very deeply seated (violence). Not sure what cave you're living in but the human race in the middle east doesn't want to change. Change can only happen when a majority wants that change. Otherwise you're wasting life time. Which leads to the issue - do most of the folks really want change?
They do want to change.
The fascist military regimes that oppress them (whether state, occupiers or tribal structures) are the ones propagating violence, and the ones resisting change.

Your failure to see a way, concerning the Nick Berg incident, is exactly that. Your failure.
You let yourself lose sight of the humans, focusing only on the beasts.
Then, failure complete, you let the humans be represented by, and obscured by the beasts.

Humans are not beasts. Even though we wear the same skin, we are not the same. Never forget it, or you'll be one of them, soon enough.

After all, it is by obscuring the humans behind the beasts that the military regimes succeed in propagating the violence. Only a fool would believe that "All Americans are the Devil" - yes - only a fool just like yourself - who loses track of humanity in the face of inhumanity.

Nothing personal.
Thanks AnsuGisalas.

Just think, several hundred years ago we were just like them, building armies, fighting each other etc. And yet here we are controlling our violent impulse (to some degree) or finding some other means of venting those feelings than just simply kicking someone's ass.
0 Votes
+ -
People change when they either want to change, or, if they have no other choice but to change. Best case would be to think of a way to make them want to change.
4 Votes
+ -
Contributr
I think the issue here is the presence of tools vs. the presence of intent. A rock can be used to kill your neighbor or build a house. Regulation will never work because the issue is human nature. Especially in America we have this notion that bad things occur elsewhere and such things like DoS attacks surprise us. The tools are the tools.

The "gun" analogy is apt. Regulation has largely failed to prevent crimes but in many cases has emboldened criminals who are now fairly certain that their victims are not reasonably armed. Intent is the key, intent cannot be regulated, only weighed. Software, code bugs, dev tools SDK's all fall within the same jurisdiction of intended use. At least in my way of thinking happy
1 Vote
+ -
Contributr
You mentioned, "intent cannot be regulated, only weighed." Can you go into what you mean by weighed a bit more? I am interested as to what you mean.
1 Vote
+ -
The real question is why? Why is it appealing to hurt your neighbor? Am "I" really more important than the next person? It all comes down to just because you can doesn't mean you should. I really don't like doing this, My religion is "my religion" and I don't like preaching but really, a "little white lie", a sin is a sin no matter what. Why do I drive 5 miles an hour over the speed limit? Why? why? why? All these little things add up. At what point am I willing to step out from behind all the little white lies I use everyday. There is not much difference is there?
1 Vote
+ -
Contributr
I suspect you have sized up why this is and will continue to be a significant problem.
To this close knit group getting into a site taking down a site manipulating software or even have P2P music and movie sites. It boils down to 2 things for them. 1. is Supply and demand. As long as people want first run music and movies someone will always try and supply it. And 2. To these guys it's like a game we played as kids called King Of The Mountain: whoever cracks a site or has the best is the King for that time until another comes along. The same analogy applies to those who write malware and viruses.
1 Vote
+ -
Contributr
You pointed out as a few other members that it is a human nature issue. Are you at all optimistic that some day it will resolve into a solution?
Face it, most of the underlying "stuff" the Internet runs on has been around since its inception.

The internet was built by people with good, honest intentions. They had no idea people could suck so much.

Fix the transports and protocols, fix the problems. Well, a lot of them anyway.
0 Votes
+ -
Contributr
I was at university at that time and working with some minuscule part of the expanded ARPA network connecting universities. And, you are right. Security was not a worry. Most times, just getting traffic through was quite a thrill.
Applications don't 'go rogue' on their own; users take them there.
0 Votes
+ -
Contributr
You sure have a way to simplify and say a great deal in a few words. Much appreciated.
2 Votes
+ -
Crime Is.
durocshark@... 31st Jan 2012
Crime has been around since the beginning of civilization. Taking something at the expense of someone else isn't new. Destroying something that belongs to someone else isn't new. Only the tools have changed.

In 100 years it'll be something else.

Restricting access to tools that are used by criminals will not end crime. Take away a criminal's gun, he'll use a knife. Take away the knife, he'll use a stick. Take away the stick, he'll use a rock. Take away the rock, he'll use his bare hands.

We should continue fighting the crime, and quit worrying about the tools.
0 Votes
+ -
Contributr
Do you consider the Internet and apps the same as your examples? Or can they be somehow altered to change the outcome?
4 Votes
+ -
Tools are tools. A hammer is no different than a port scanner.

Could we change things to protect the "innocent"? Sure, at the price of usability and privacy. Is that the price we want to pay? A crippled, restrictive, and intrusive internet? And it still wouldn't be 100% successful. Nothing can be.

No, we need to see it for what it is. Criminal behavior, not criminal tools.
0 Votes
+ -
Agreed.
AnsuGisalas Updated - 1st Feb 2012
On top of those very valid points, reverse engineering the tool, sans limitations, is easy.
And the criminal powers active on the net have both the manpower and the budget for it.
Limiting security testing tools is like saying that the border patrols should be issued rifles with shortened barrels as a gesture of peaceful intentions (it has happened!), all it means is that a would-be aggressor can be confident in superiority of arms, since the lawful users only have the limited apps.
The last thing we in the security community need are more laws making a difficult job more difficult. It's bad enough that the DMCA prohibitions on "circumvention" are driving U.S. security research offshore.

We have a problem in which there is a massive disparity of force and work factor biased in favor of the attackers. The software equivalent of "gun control" might stop a hobbyist but not a well-funded dedicated fraudster or attacker.

@flhtc is right in that there are architectural problems that need to be addressed, but it will take a long time to do that. I was on a panel last year with someone who drew the analogy that "The Navy doesn't design a ship with the assumption that water will never get inside the hull." Right now there is almost no intentional design on continuing to operate in degraded modes in the face of compromises.

Rather than spending time worrying whether someone will download a tool, those resources would better be spent on hardening our architectures and learning how to operate in a real world where systems get hacked and people have to continue to run a business.
0 Votes
+ -
Wild West
blueberry606 31st Jan 2012
Since the internet is the last final frontier, the wild west if I may, maybe it's time to send in a new sheriff. We founded the internet on the premise of the wild west, where everyone was free and allowed to wander about at will. Maybe it's time to hand out everyone social security cards, or permanent I.D.'s to every man woman and child who gains access to the internet. Maybe we could set up check points so users would show their papers before proceeding. Maybe we could use biometrics or DNA imprints into MAC addresses... Maybe we could implant RFID tags into everyone that could be read by bluetooth scanners on hardware that accesses the internet. Since internet access is not in the constitution we can regulate it any way we want. Oh, but we are working towards all these measures, aren't we?

As with real weapons, shall we take the ability of the people to fight tyranny and injustice out of the hands of the people? Before you decide to only make the guns (software tools) available to a certain privileged few, maybe you better ask why they are the only ones who should have access to them.
0 Votes
+ -
Contributr
I grew up on western movies and see many similarities. Life was a tad simpler then.
0 Votes
+ -
Contributr
You mention:

"There is a massive disparity of force and work factor biased in favor of the attackers."

Are you referring to how attackers only need one way in, whereas defenders have to protect all possible avenues?
0 Votes
+ -
Color laser printers print a few tiny dots of yellow to help the Secret Service identify printers used to make counterfeit money. One of your experts mentioned "finger printing" at the same time saying that it can be easily defeated. What might help is to embed the MAC address into certain tools that are being used to create distributed denial of service. When a legitimate app tool for checking security is used to attack, the attack would leave bits of information about the originating computer.

I read about producers putting microchips in their oil so that if a shipment gets hijacked that the microchips could be used to prove who has the rights to trade the oil. This is a bit behind the idea of embedding unique information that can be used to find the source of control. The microchip idea works fairly well with lost pets, the hitch is the type of microchip, whether the animal is registered in the owner's name and also if the shelters have the time to check the chips.
0 Votes
+ -
Contributr
I had not heard that about microchips in oil. That is something. I suppose they could be RFID and read as the oil flows through a pipe. Thanks for sharing.
0 Votes
+ -
Holy Moly!
AnsuGisalas Updated - 1st Feb 2012
I think you have a well-rounded set of go-to experts, Michael.
If one of them fails the test, that's OK.

It's good to know what the opposition is thinking, after all.

I've expressed elsewhere* that I do not believe Anonymous to be angels, but that the Establishment in opposition to them inspires even less faith in me. As such, I think it's a very good idea to resist the ideas of that opposition. If Anonymous can goad them into fielding their suggestions, and if the public can be mobilized to tear those suggestions apart - then, overall, we progress.

Your question is also very useful. It is inevitable that the pro-control powers will suggest all sorts of back-doors and remotely triggered obsolescence devices. So it is very very useful to collect the testimonies in advance, that this will not work, that it is a hare-brained notion that cannot serve its stated purpose (but which can be abused for unstated purposes, oh yes).

Thanks!

* http://www.techrepublic.com/forum/discussions/102-374984-3592839
Funny, but tools being used by hackers to detect vulnerabilities are being used in the manner for which they were intended; to find vulnerabilities. It is the responsibility of the companies, or "victims" to fix those vulnerabilities. If you find your system can't handle the load of a stress test, then I suggest it's you and your second (or third) rate system that's the problem, not the stressers.

If you find people breaking into your house through your windows using a pry bar, you don't outlaw pry bars; you reinforce your window.
0 Votes
+ -
Contributr
I guess I am not opposed to testing for vulnerabilities. It's what they do after they're found that hurts us.
0 Votes
+ -
Contributr
I am fortunate to know lots of really smart people who are excited and more than willing to share their expertise.
You don't reinforce the windows -- you take out the guy who's breaking them. Until the human race becomes rational and civilized, we will be forced to defend ourselves against the barbarians, both external and home-grown. Eliminating the threat is always the best defense.
Now all we need is the wisdom, intelligence, and perspicacity to determine where the threat lies....
1 Vote
+ -
glad to see...
pgit 1st Feb 2012
I'm glad to see the general consensus is to NOT restrict availability of software. Just like guns: "if you outlaw guns, only outlaws will have guns."

The heavy-handed solution is near universally the worst in the long run, yet it's the first thing governments and corporations reach for in most instances. That leads me to believe the agenda is usually something quite different from the stated one.