Re: Netgate.net.nz/ORBS spam colusion
After all the bashing, I get to gloat a little. I see the guy in Russia took his model from ORBS, and did exactly the same thing: He apparently used a security exploit to get data, and published that data. So far, it doesn't sound like he made any credit card charges. Sounds like he didn't actually damage the compromised system. According to Derek Balling and a few others, he should be free and clear. According to those few people, the cracker hasn't done anything wrong. According to those same people, CD Universe accepted the consequences of having an insecure server. Anybody could access the data. So it must be publicly available information then. He just published some publicly available data. US law doesn't apply to Russians. The fault here is with CD Universe for operating an insecure server. There is no fault with the guy who published the credit cards. He is not responsible if other people misuse that data.
Wrong. If it wasn't already clear to reasonable people, it certainly is now. Those people who made those stupid assertions are clearly full of crap.
Now what happens to the Russian ISP that refuses to shut down the site? Yep. You guessed it.
--Dean
Around 05:37 PM 1/10/2000 -0800, rumor has it that Randy Bush said:
And if anything disparaging about the Chinese government were to appear on his web site, he could be extradited and put to death! Who gets his organs.....
warning, there may not be a full set
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc dean@av8.com
LAN/WAN/UNIX/NT/TCPIP http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
At 04:49 PM 1/11/00 -0500, Dean Anderson wrote:
I see the guy in Russia took his model from ORBS, and did exactly the same thing: He apparently used a security exploit to get data, and published that data. So far, it doesn't sound like he made any credit card charges. Sounds like he didn't actually damage the compromised system. According to Derek Balling and a few others, he should be free and clear.
Whoa whoa whoa... back up there. Don't even think that you get to put words in my mouth. What *I* have said is that a person is subject to the laws and regulations of the country they live in (plus those they are a citizen of, if those are not the same country), and not subject to the whims of other countries, so that's how I see it "from a legal standpoint". If the laws of his nation say that what he did, specifically, is a crime, then he can (and should) be held accountable to them. That's what sovereignty is all about. Philosophically, I disagree with "anti-cracking" laws, by and large, because (short of password theft or confidential information and NDA violation-style cracks) any information a cracker can access, ANYONE can access, if they know enough about the system. What, specifically, makes the cracker "bad"? YOU (the proverbial you, although your mail servers are a decent example) are making (the data|your servers) available, not the cracker. If you are stupid enough to do so, I see no moral obligation on any user who discovers this to feel it needs to stay quiet. If you bring it out into the light, it tends to get fixed and people realize how poor the security at that site is. If you cover it up and go quietly about it or (worst) tell NOBODY, then nobody knows how poor the security is, or how little that site should be trusted with data/money/services.
According to those few people, the cracker hasn't done anything wrong.
Never made that claim. Could you show me where I said that? I'll say it now, that I don't think he's done much of anything wrong, because (personally) I believe that crackers, by and large, are a good thing. They find the holes the rest of the world overlooks and misses. They bring them to our attention -- often in a flamboyant manner or one that some people might consider "reckless" -- because most of the time, reporting the problem to the people who lack security falls on deaf ears.
According to those same people, CD Universe accepted the consequences of having an insecure server. Anybody could access the data.
So long as the Russian Cracker was not using a password or such that he stole from someone (and using a default password is not stealing a password, since the password is public knowledge), I would concur with that. (I haven't read the details on how exactly the Russian cracked CD Universe, so I can't say that for certain, but I think this fairly well defines where I personally would draw the line).
So it must be publicly available information then. He just published some publicly available data. US law doesn't apply to Russians. The fault here is with CD Universe for operating an insecure server.
Yes, in fact, the ultimate fault does lie with CD Universe. CD Universe compromised their users' data, not a Russian hacker. The Russian Hacker merely publicized that compromise.
There is no fault with the guy who published the credit cards. He is not responsible if other people misuse that data.
Correct. In the same way that ancient Chinese scientists are not responsible if you buy an Uzi and kill someone just because they invented gunpowder. You are responsible for your own actions, just as the perpetrators of credit-card-fraud are responsible for THEIR own actions.
Wrong. If it wasn't already clear to reasonable people, it certainly is now. Those people who made those stupid assertions are clearly full of crap.
I guess I'm full of crap then. It wouldn't be the first time I've been told that before, but coming from you, I feel much better now, since it now very-effectively lowers the credibility of all the rest of the people who have said that by the very nature of being lumped together with the likes of you. :)
Now what happens to the Russian ISP that refuses to shut down the site? Yep. You guessed it.
OK, I'll bite,... what do you think happens? Do you think the FBI is going to go over there and ask the successors to the KGB (same uniform, different TLA) "pretty please can we arrest these people"? Are you really that ignorant? I'm suspecting the answer is "nothing" will happen to the ISP, but they might volunteer to take it down for PR reasons, but not because anyone has any authority or moral responsibility to make them shut it down. My $0.02 worth, I speak for nobody but myself. D
From: Derek J. Balling <dredd@megacity.org>
What *I* have said is that a person is subject to the laws and regulations of the country they live in (plus those they are a citizen of, if those are not the same country), and not subject to the whims of other countries, so that's how I see it "from a legal standpoint". If the laws of his nation say that what he did, specifically, is a crime, then he can (and should) be held accountable to them. That's what sovereignty is all about.
A person is subject to the laws and regulations of any country with the power to make him subject to those laws and regulations. See, for example, Manuel Noriega from Panama. He was neither a citizen nor a resident of the USoA when the USoA decided to make him subject to its drug laws. Since the USoA had more military capability than him, he was arrested.
On the other hand, if Germany decides to indict an American citizen living in the USoA for distributing neo-Nazi propaganda (and Germany did just that), the aforementioned citizen isn't really subject to that indictment, because the USoA won't extradite him (the first amendment, and probably also the terms of the extradition treaty, prevents them) and Germany doesn't have the ability to come and get him.
The USoA routinely indicts persons that are neither residents nor citizens of the USoA, although generally the indictment is for something they did in or to the USoA.
-- Brett
At 05:30 PM 1/11/00 -0600, Brett Frankenberger wrote:
A person is subject to the laws and regulations of any country with the power to make him subject to those laws and regulations. See, for example, Manuel Noriega from Panama. He was neither a citizen nor a resident of the USoA when the USoA decided to make him subject to its drug laws. Since the USoA had more military capability than him, he was arrested.
I would agree with that assessment (from a "realistic" standpoint, but certainly not from a moral standpoint, if that was the case, we could make China open to freedom simply by virtue of saying "If you don't, we'll nuke you").
On the other hand, if Germany decides to indict an American citizen living in the USoA for distributing neo-Nazi propaganda (and Germany did just that), the aforementioned citizen isn't really subject to that indictment, because the USoA won't extradite him (the first amendment, and probably also the terms of the extradition treaty, prevents them) and Germany doesn't have the ability to come and get him.
The USoA routinely indicts persons that are neither residents nor citizens of the USoA, although generally the indictment is for something they did in or to the USoA.
Correct. Indictments are easy to get. All that means is that the subject may never travel to a country who is a lackey for^W^W^W^Whas US-favorable extradition terms. D
Derek -- I agree with many of your points, but one thing you seem to overlook here is that the public distribution of credit card numbers belonging to CD Universe customers hurts more than just CD Universe. It can cause those customers financial harm and/or significant inconvenience. Are you suggesting that they deserve it because they chose to be CD Universe customers without having first probed CD Universe's systems to make sure no holes existed? I'm not sure I can agree with that.
First off, it's not unreasonable for a consumer to be allowed a certain basic level of trust in financial transactions, whether online or off. If a customer purchases over the Internet using a secured connection s/he is entitled to a reasonable expectation that their information will remain secure. Credit card companies recognize this by limiting the customer's liability in cases where a credit card number is stolen. They recognize that you can't background check every sales clerk you hand your credit card to in a store or restaurant, or monitor the trash behind every place you shop in to make sure nobody's fishing receipts out.
Second, a person's credit information is confidential. By your definition, the Russian Cracker did wrong to hack those files. And since aiding and abetting the commission of a crime is also a crime (in the US at least, I don't know about Russia), he should also bear blame if someone uses those credit card numbers to make fraudulent purchases.
CD Universe deserves to be slammed for letting their credit card files be hacked. But those credit card owners are not at fault, and that Russian hacker is not innocent.
==============================================
Rachel Luxemburg rslux@link-net.com
Visit SoundAmerica http://soundamerica.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Derek J. Balling
Sent: Tuesday, January 11, 2000 2:55 PM
To: Dean Anderson; Randy Bush; David Lesher
Cc: nanog list
Subject: Re: Netgate.net.nz/ORBS spam colusion
At 04:49 PM 1/11/00 -0500, Dean Anderson wrote:
I see the guy in Russia took his model from ORBS, and did exactly the same thing: He apparently used a security exploit to get data, and published that data. So far, it doesn't sound like he made any credit card charges. Sounds like he didn't actually damage the compromised system. According to Derek Balling and a few others, he should be free and clear.
Whoa whoa whoa... back up there. Don't even think that you get to put words in my mouth. What *I* have said is that a person is subject to the laws and regulations of the country they live in (plus those they are a citizen of, if those are not the same country), and not subject to the whims of other countries, so that's how I see it "from a legal standpoint". If the laws of his nation say that what he did, specifically, is a crime, then he can (and should) be held accountable to them. That's what sovereignty is all about. Philosophically, I disagree with "anti-cracking" laws, by and large, because (short of password theft or confidential information and NDA violation-style cracks) any information a cracker can access, ANYONE can access, if they know enough about the system. What, specifically, makes the cracker "bad"? YOU (the proverbial you, although your mail servers are a decent example) are making (the data|your servers) available, not the cracker. If you are stupid enough to do so, I see no moral obligation on any user who discovers this to feel it needs to stay quiet. If you bring it out into the light, it tends to get fixed and people realize how poor the security at that site is. If you cover it up and go quietly about it or (worst) tell NOBODY, then nobody knows how poor the security is, or how little that site should be trusted with data/money/services.
According to those few people, the cracker hasn't done anything wrong.
Never made that claim. Could you show me where I said that? I'll say it now, that I don't think he's done much of anything wrong, because (personally) I believe that crackers, by and large, are a good thing. They find the holes the rest of the world overlooks and misses. They bring them to our attention -- often in a flamboyant manner or one that some people might consider "reckless" -- because most of the time, reporting the problem to the people who lack security falls on deaf ears.
According to those same people, CD Universe accepted the consequences of having an insecure server. Anybody could access the data.
So long as the Russian Cracker was not using a password or such that he stole from someone (and using a default password is not stealing a password, since the password is public knowledge), I would concur with that. (I haven't read the details on how exactly the Russian cracked CD Universe, so I can't say that for certain, but I think this fairly well defines where I personally would draw the line).
So it must be publicly available information then. He just published some publicly available data. US law doesn't apply to Russians. The fault here is with CD Universe for operating an insecure server.
Yes, in fact, the ultimate fault does lie with CD Universe. CD Universe compromised their users' data, not a Russian hacker. The Russian Hacker merely publicized that compromise.
There is no fault with the guy who published the credit cards. He is not responsible if other people misuse that data.
Correct. In the same way that ancient Chinese scientists are not responsible if you buy an Uzi and kill someone just because they invented gunpowder. You are responsible for your own actions, just as the perpetrators of credit-card-fraud are responsible for THEIR own actions.
Wrong. If it wasn't already clear to reasonable people, it certainly is now. Those people who made those stupid assertions are clearly full of crap.
I guess I'm full of crap then. It wouldn't be the first time I've been told that before, but coming from you, I feel much better now, since it now very-effectively lowers the credibility of all the rest of the people who have said that by the very nature of being lumped together with the likes of you. :)
Now what happens to the Russian ISP that refuses to shut down the site? Yep. You guessed it.
OK, I'll bite,... what do you think happens? Do you think the FBI is going to go over there and ask the successors to the KGB (same uniform, different TLA) "pretty please can we arrest these people"? Are you really that ignorant? I'm suspecting the answer is "nothing" will happen to the ISP, but they might volunteer to take it down for PR reasons, but not because anyone has any authority or moral responsibility to make them shut it down. My $0.02 worth, I speak for nobody but myself. D
participants (4)
- Brett Frankenberger
- Dean Anderson
- Derek J. Balling
- Rachel Luxemburg