zlacker

[return to "Kevin Mitnick has died"]
1. ChuckM+Jd[view] [source] 2023-07-20 01:56:07
>>thirty+(OP)
I was not aware he was ill. Always sad to hear people that are taken by cancer.

I didn't know Kevin, but am friends with Tsutomu Shimomura who worked with authorities to get him arrested. Tsutomu worked with me a bit when I was at Sun trying to get a cryptographically secure subsystem into the base system specification. It was fun to listen to his side of this story.

The 80's was a really weird time for computer enthusiasts, and it was the period of time when what was then considered the "hacker" community schismed into what today we might call "white hat" vs "black hat" hackers.

As a person who considered themselves to be part of that community I was personally offended by how the story of Kevin painted everyone who thought of themselves as a "hacker" as a criminal. It made for good story telling to make these folks "pirate" or perhaps more accurately "privateer" types in their swashbuckling ways of sticking it to the man. People would say, "Exposing security holes is like solving puzzles (which is fun) and important because if I don't do it, well somebody 'bad' will." And while I'm here, why not make it hurt for them a little bit to incentivize them to fix this problem quickly!"

I didn't disagree with the importance of pointing out security problems, but the flamboyant way it was done scared the crap out of people who were both clueless and in a position to do stupid things. As a result we got the CFAA and the DMCA which are both some of the most ridiculous pieces of legislation after the so called "patriot" act.

The damage that did to curious people growing up lost the US a significant fraction of their upcoming "innovation" talent. While not diminishing the folks who leaned in to the illegality of it.

◧◩
2. within+TS[view] [source] 2023-07-20 10:01:42
>>ChuckM+Jd
Pro-tip: CFAA only applies if you cross state lines between you and the server. Otherwise, state laws applies and there are/were some states that never passed any 'anti-hacking' laws.

Source: experience.

◧◩◪
3. marcus+lc1[view] [source] 2023-07-20 12:57:28
>>within+TS
Pro-er tip: if you are in the US and access a computer over any kind of service provider network (Internet, leased line, etc.) you should operate on the assumption your traffic is crossing state lines and the CFAA applies to your activities.

Tools like traceroute cannot show you where your traffic is physically being sent because: there may be no geographic information in the router reverse DNS records, that information might not be accurate if it is present, and layer 3 tools cannot show you the underlying layer 1/2 path (which might be wildly different than the layer 3 hops would suggest.)

◧◩◪◨
4. EMCyma+KI1[view] [source] 2023-07-20 15:19:01
>>marcus+lc1
How can the DNS records not be accurate?
◧◩◪◨⬒
5. marcus+qX1[view] [source] 2023-07-20 16:13:27
>>EMCyma+KI1
You can make a reverse DNS record (or any DNS record, for that matter,) say anything at all. There isn't a National Committee for the Verification of DNS Updates checking this stuff out and demanding in-person inspections and notarized affidavits swearing that 100% of all information in the DNS is accurate and means whatever the end-user might infer it to mean.

For instance, part of the tracroute from my house to Google looks like this:

6 be-33112-cs01.doraville.ga.ibone.comcast.net (96.110.43.81) 19.602 ms

7 be-33142-cs04.doraville.ga.ibone.comcast.net (96.110.43.93) 22.738 ms

8 be-302-cr13.56marietta.ga.ibone.comcast.net (96.110.39.49) 23.202 ms

You can see these hostnames are obviously meant to encode some geographic data -- strictly for the convenience of the provider, it doesn't mean anything else -- but you, as the user, cannot tell from these records that these routers are actually where you think they are, based on the host names.

Another issue is the server you're communicating with might take a completely different path to get back to you, and you'd have no real way of knowing that.

[go to top]