White hat hacking & Adobe

Subject: White hat hacking & Adobe
From: Andrew Plato <intrepid_es -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Thu, 16 Aug 2001 11:40:19 -0700 (PDT)

Good points, Bruce. I want to drill into one point in particular. You
mentioned white hat hacking, which has limited relevance to tech pubs.
(Fearing Eric's impending squash of this topic.)

"Bruce Byfield" wrote...

> First, the programmer who was arrested was not directly involved with
> the development of the de-encryption software. This is a point that the
> FBI has deliberately obscured, and the mainstream press has not bothered
> to probe enough to find out what was actually happening.
>
> Second, the programmer's speech and research work are in the tradition
> of "white hat" cracking. In other words, neither he nor his company were
> actually using the software for illegal purposes; they were pointing out
> the flaws, and thereby opening the way for improvements. The company was
> not even selling the software to all comers. But it's worth noting that
> one of the major clients of the company he works for is the FBI.

I know a lot about "white hat" hackers. We deal with them a lot in
security.

I hold the philosophy that ANY unauthorized hacking - be it for noble or
illicit ends - is wrong. If you break into my car and then publish how
everybody can break into my kind of car, sparking a rash of car thefts -
that is wrong. You committed an unauthorized break-in and then tried to
backtrack on your illegal deeds by "disclosure." Disclosure does not
release you from liability.

White hat hacking has become the de facto excuse these days for hackers to
get around their illegal and destructive activities. Punk kids hack into
networks, locate all the security holes, then publish those holes under
the guise of "oh aren't I a wonderful person, I am helping to make things
more secure."

No, that's a criminal act. Trying to pass it off as a noble act of charity
is total crap.

There is this one guy, I won't name names, but he did exactly this to the
US military. Under the guise of helping them with security problems, he
planted Trojans (actually worms) in their systems. When they caught him,
he instantly yelled "Open source! I am only trying to make things better!"

Yeah right. Well, if he wanted to help - he wouldn't have put the hacks
there in the first place. What if the Chinese, Russians, or other
"potential enemies" had gotten a hold of these hacks and used them to
weaken our national defenses or steal our technologies?

Hence the problem - it's all fun and cool when it's somebody else's money or
lives.

Hey everybody, have a free copy of Win2k - it's just Microsoft - they make
billions.
Hey everybody, have a big gas swilling SUV - who cares if the global
temperature is going up.
Hey everybody, here are the codes to launch Russia's ICBMs - who cares if 3
billion people are incinerated.
Hey everybody, let's crack Adobe PDF - who cares if some writers don't get
their royalties - they're just WRITERS, not real people.

It's really an issue of authorization. If Sklyarov approached Adobe PRIVATELY
and said "hey guys, I found a bug in your software, you might want to fix
it." That's cool. But he got up in front of thousands of people and openly
publicized this problem to the entire world. That's unfair. He didn't give
Adobe a chance to fix it on their own. He just blabbed to the world how to
do it. That's like yelling fire in a crowded theater. His disclosure is
synonymous with yelling "FIRE" in a crowded theater. It's wrong.

Now, Adobe's response was a little extreme. They could have handled it
better. But - I don't blame them. I think they should acknowledge the
weakness and go on record saying they will improve it. In the meantime,
Sklyarov should be punished as a message to other hackers - just because you
disclose, does not release you from liability.

Andrew Plato
