Jail time for Script kiddies.

Hobbes · 30-01-2001 7:08pm #1

that's what IMO they should have.

1st offense - Confiscate thier machine.
2nd offense - Jail time.

Lenny · 30-01-2001 7:19pm

heeh
I'm sure they'd die without their box,
it should also be a fine for first offence

SantaHoe · 30-01-2001 7:43pm

1st offense: 5-year ban from all ISPs except AOL

2nd offense: good hard kick in the billox

satchmo · 31-01-2001 1:47am

heheh I'd tend to go with Dead{o}Santa on this one.

koriordan · 01-02-2001 3:21am

This board is pure flamebait.

Other similarly useless boards which one of you losers may wish to open:

"Emacs sucks"
"I hate micro$oft"
"KDE is better than Gnome"
"All music should be free"

and so forth ...

logic1 · 01-02-2001 4:39am

I can't believe my name sake would post such a flame. Tut tut. (whats wrong wiv AOL santa u fooker hehe)

.NORiordan.

Snaga · 01-02-2001 5:20am

koriordan as in itt koriordan?????

ecksor · 01-02-2001 5:23pm

Originally posted by koriordan:

This board is pure flamebait.

I couldn't disagree more.

Other similarly useless boards which one of you losers may wish to open:

"Emacs sucks"

Emacs is the best editor in the world, you idiot.

"I hate micro$oft"

Micro$oft 0wns you, p30n.

"KDE is better than Gnome"

You must be stupid to even think that.

"All music should be free"

There's a music board for this tripe, you know.

koriordan · 02-02-2001 7:53pm

Actually I don't know about Emacs. Mebbe it's great. For the moment vi(m) is more than I need so I'll stick with it.

My machine ain't happy with KDE or Gnome, so its X with sapphire or aewm for mee ...

I use M$ when I have to.

And while I'm at it, blaming script kiddies for yr ills is usually the preserve of folk not wanting to take responsibility for protecting themselves. The "Love Bug" was probably the best example - it wasn't a virus, it was just some arbitrary code embedded in a document. If you found some code that you didn't know what it did, would you run it ? Would you write a program that did ?

yes, I'm itt koriordan ... snaga = ejoyce ? I don't know gamer aliases, and don't much go in for anonymity I guess.

Hobbes · 03-02-2001 4:28am

I protect myself...

If a person puts a brick through my car window and steals my Stereo. Is that my fault because I didn't install bullet proof glass?

My actual point is, that a lot of script kiddies don't realise the extent of damage they are doing. If you equated the cost in damages from hacking/DoS/etc to the same damage of real life property then a lot of these people would be in Jail.

koriordan · 04-02-2001 9:35pm

Correct me if I'm wrong, but by definition "script-kiddies" are the ones who just use known exploits to breach security. Right ?

Way I figger, if an exploit is known the admin's gotta either
a) fix the prob.
b) apply a patch that fixes the prob.
c) replace the existing service with an equivalent.
d) discontinue the affected service.
e) take the calculated risk that he will be successfully attacked.

Options 'a' & 'd' aren't always available or within the admins' capabilities.
If options 'b' & 'c' aren't usually available to you, perhaps the source code of yr software isn't open enough ?

Option 'e' is the one that leaves you vulnerable to script-kiddies. What about the previous alternatives ?

Hobbes · 05-02-2001 2:45pm

Your arguing the wrong point.

Lets say instead of Mr Admin, it's Mr Hacker.

Does he.

1) Fix the bug, post the fix to the owners.

2) Create a program to exploit the bug and release it for all the script kiddies.

Oh yea, and open source != secure system. Just because you have access to the source code doesn't make something magically secure.

But back to my original point. People who use the programs to hack into other peopels systems/DoS attacks should be held accountable with serious fines/jail time.

koriordan · 05-02-2001 4:36pm

When an exploit is released, it becomes 'known', hence a 'known exploit'.

If it's known to script-kiddies, it should be known to YOU, via bugtraq or whatever other lists yr on.

I never said open source automagically meant secure. However, for any open-source package, there's almost always an open-source alternative - which means you can replace your software (option 'c'). Also, patches tend to come out more regularly for open-source software than closed source software - often before an implementation of an exploit becomes available (option 'b').

But back to your original point. Why do script-kiddies bother you so much ? Are you choosing option 'e' too often ? If so, given that you should have alternatives, you can't really complain.

Canaboid · 05-02-2001 5:09pm

So everyone who uses a PC with an internet connection needs to keep track of all the latest exploits and secure against them ?
OK, I'll tell me oul fella but he'll probably just look confused and not use the PC anymore.
You seem to think that this only applies

oh I can't be arsed......................

koriordan · 05-02-2001 6:27pm

Canaboid: No. Only people who feel they might be vulnerable to script kiddies, which is _generally_ only admins of boxen that have fixed external IPs.

Draco · 05-02-2001 6:28pm

You seem to be assuming that the patches are avalible before/at the same time as the tools exploiting it are for the little kiddies to fvck around with. I don't have time or the know how to start patching up open sourced stuff before I get hit by some little primate with a downloaded tool. In my office I have four machines all running dofferent oses. If I were to keep them constantly patched up, I'd have bugger all time to do anything else. Script Kiddies are little punks who need a swift kick in the ar$e.

Hobbes · 05-02-2001 7:40pm

I seem to be going around in circles. My point isn't that the admin should or shouldn't keep an eye on thier system. It's the admin's job.

My point was trying to get across was that it's time the script kiddies got a rude awakening to the criminal damage they are doing. It has nothing to do with what OS I run.

Some people still think the internet is still the wild west it was a few years ago.

koriordan · 05-02-2001 7:48pm

Draco: do all four, or any of these boxes have fixed external IPs ? When was the last time any of them was attacked by a script-kiddie ?

Hobbes: yeah, it's the admins jobs to keep an eye on the systems. If the admin is doing this, ye olde script kiddies shouldn't be able to cause criminal damage, no ?

ecksor · 06-02-2001 1:11am

Originally posted by koriordan:
Hobbes: yeah, it's the admins jobs to keep an eye on the systems. If the admin is doing this, ye olde script kiddies shouldn't be able to cause criminal damage, no ?

Kee-ryste. koriordan, you are completely missing the point of what is being said to you. Sure, system administrators should be patching their systems, and obvious holes shouldn't be left open on systems, but holes do appear in systems nonetheless. I don't leave my door unlocked when I leave my gaffe to go to work in the morning, but if I did, that wouldn't make it right for the local yob to come in and nick my telly. Leaving the door open might cost me my insurance, but the cops would still put the guy who nicked it in jail (if they could catch them). Use of the internet and computers has increased at a much faster rate than awareness of computer security issues over the last few years, which is going to give opportunistic attackers plenty of "low hanging fruit" to aim at for many years to come.

Are you honestly suggesting that kids who deface sites should just get a pat on the head and get sent on their way and the admins should get the blame for an intrusion? Remember, you are talking about criminal offenses.

Btw, if you couldn't see the attempt at humour I was making in my previous post, then I think you need to go outside and get some fresh air.

koriordan · 06-02-2001 1:58am

Ok, I'm getting a bit worked up, and a bit OT too. Sorry 'bout that. What I've been trying to get across is this:

Why do script-kiddies bother you so much ? Are you choosing option 'e' too often ? If so, given that you should have alternatives, you can't really complain.

To use the door analogy , if everyone (script kiddies et al.) had a key (exploit)for my lock (server ?), would I be justified in giving out if I get robbed (defaced) ? I don't think so.

It's much easier to assign blame to others, script-kiddies in this case, than to yourself, ie. to admit that you screwed up.

It's also much easier to ***** about script-kiddies than it is to do the correct thing, which is to keep up-to-date with exploits, and apply the patches as they come out (which is the hard option). As I said earlier, for open-source software, patches often come out before exploits are implemented.

Everyone screws up ! A good example would be the defacement of www.apache.org last year - the exploit was a well-known mysql one. In fact, there was even a warning, and solution, in the mysql setup docs about itwhich the guys at apache didn't follow. Luckily it was a bunch of good-natured folk who defaced em. They could've done much worse - it was a root exploit, so they could've stuck trojans into the apache downloads (imagine it: backdoors in the web servers of thousands of sites).

Closer-to-home: a friend of mine was the network security admin for a Dublin site of a medium-sized corporation. When the lovebug hit, he was truly lost. Even a simple solution, such as blocking all in/outbound mails with "I love you" as the subject, was beyond him - instead his solution was to join the other angry incompetents in calling for the write of the macro to be shot/hanged/eaten.

I'm not calling anyone here incompetent, I'm just commenting on human nature I guess - we don't like to take responsibility for our screw-ups. As a question, how many people here have had their boxen exploited ? Of these incidents, how many times was it (honestly now !) because the person responsible hadn't applied an existing patch for a known exploit ? (Not knowing about a patch release isn't an excuse ...)

Okay, that was a long one, and hopefully my last. X_OR, I had a feeling your prev post was humour, that's why in my reply to that one I also gave out about

people blaming script kiddies for [their] ills

. I was looking for some sort of a reaction ! Ok, so I was trolling, but it wasn't just pointless - I do believe in what I've said !

ecksor · 06-02-2001 7:25am

Originally posted by koriordan:
To use the door analogy , if everyone (script kiddies et al.) had a key (exploit)for my lock (server ?), would I be justified in giving out if I get robbed (defaced) ? I don't think so.

Your analogy is inaccurate. Exploits are more along the lines of someone picking or forcing a lock rather than having a legitimate key to it. Picking or forcing a lock is illegal, and stealing whatever is being protected by the lock is also illegal.
If someone breaks the law, then they run the risk of being punished for this, and it is not unreasonable for the parties harmed as a result of such activities to want justice to take it's course.

It's much easier to assign blame to others, script-kiddies in this case, than to yourself, ie. to admit that you screwed up.

This is just ridiculous. Sites should be well secured, but many sys-admins lack the necessary skill to do this properly. At any rate, poor security at a site is not an open invitation for someone to just come along and interfere with that machine. It is not justifiable behaviour.

It's also much easier to ***** about script-kiddies than it is to do the correct thing, which is to keep up-to-date with exploits, and apply the patches as they come out (which is the hard option). As I said earlier, for open-source software, patches often come out before exploits are implemented.

Ah, an open source advocate. I hope that's going well for you. Once again, you are dodging the issue. Stuff slips through the cracks, sys admins don't update their machines for whatever reason, point still stands that people should not be running scripts against servers. The issue (I can see why hobbes felt he was going in circles) is that offenders are not being appropriately punished. Do you agree or disagree?

Everyone screws up ! A good example would be the defacement of www.apache.org last year - the exploit was a well-known mysql one. In fact, there was even a warning, _and solution_, in the mysql setup docs about itwhich the guys at apache didn't follow. Luckily it was a bunch of good-natured folk who defaced em. They could've done much worse - it was a root exploit, so they could've stuck trojans into the apache downloads (imagine it: backdoors in the web servers of thousands of sites).

Well, golly, that's an interesting one. I remember that incident, and if you re-read it and look a bit closer, you'll find that it was compromised as a result of configuration errors. Not something you can patch, which has been your magical solution to repelling attackers up to now. Security is not so cut and dry as you are implying. In fact, I'd go so far as to say that we need a complete rethink of the technologies we use if we're ever to achieve a reasonably safe environment on the Internet. Most of the Operating Systems we use have primitive at best mechanisms for enforcing security policy, and privileged applications are written much of the time in loosely typed, imperative languages which are not easily verified for correctness, have primitive mechanisms for passing information between components that tend to be very prone to subversion, and in the cases of most of the services you seem to be talking about, in a language with no built-in memory management. This is a recipe for the state of security becoming worse, not better, in my opinion.

As for the piece I cut about "Who here has had a site compromised because they didn't apply a patch, honestly now lads, own up, c'mon, don't be embarrassed" (I'm paraphrasing), I know of a site that was compromised a couple of years ago that was allegedly the result of a buggy ftpd (proftpd iirc). The sys-admin didn't apply the patch in time, and an attacker gained root on the machine. Time between the patch being released and the patch being applied? Approximately 6 hours.

Ok, so I was trolling, but it wasn't just pointless - I do believe in what I've said !

Well, good for you. You believe that it's ok to break the law, that it's up to people to defend themselves, and if you get successfully attacked, then it was your own fault for not being more like you. If you came across an old lady who had just been mugged, would you tell her that it was her own fault?

[This message has been edited by X_OR (edited 06-02-2001).]

ecksor · 07-02-2001 3:44pm

Originally posted by koriordan:
Are offenders being punished appropriately ? I don't know. What offenders have been punished in Ireland so far ?
People probably shouldn't be running scripts against servers. However, the damage caused is exacerbated by the negligence of many. I'm still thinking about what would be appropriate punishment, but I'd go closer to a slap-on-the-wrist than jail-time ...
Would I like to see jail time for script-kiddies ? No !

Right, so you've finally addressed the point that was raised on this thread. If you wish to veer off topic and troll like that in future, start a new thread.

I would suggest that you lack the experience to start preaching to people on here. On three occasions you admitted that you were unaware of the current trends of security incidents wrt types of attacks and their punishments. Quite simply, punishment of offenders of this type is generally less than satisfactory. Poor security does not excuse breaking the law.

koriordan · 08-02-2001 1:52am

Your analogy is inaccurate.

Analogies invariably are, so are probably best avoided altogether - I used that one there becuase you had used a similar one.

Sites should be well secured, but many sys-admins lack the necessary skill to do this properly

sys admins don't update their machines for whatever reason

Agreed on both points. I would then say that these are the two factors that allow most of the damage script-kiddies do.

Ah, an open source advocate. I hope that's going well for you

I speak specifically about security for open-source software because I don't know about security for closed source software. Regardless, my advocacy is _certainly_ not the issue.

that incident, and if you re-read it and look a bit closer, you'll find that it was compromised as a result of configuration errors. Not something you can patch

If you re-read my last post and look a bit closer, you'll find that I said: "there was even a warning, and solution, in the mysql setup docs about it which the guys at apache didn't follow". A configuration error. Not something which could've been patched, but something which could've been avoided had the apache guys read the docs.

a buggy ftpd (proftpd iirc). The sys-admin didn't apply the patch in time, and an attacker gained root on the machine. Time between the patch being released and the patch being applied? Approximately 6 hours.

Seems genuine ... no one can work 24/7; patches will be missed, logs will go unchecked. I would say, however, that genuine cases are the in the minority, and that most successful attacks are only permitted by the negligence of those who are responsible for security.

point still stands that people should not be running scripts against servers ... offenders are not being appropriately punished. Do you agree or disagree?

Are offenders being punished appropriately ? I don't know. What offenders have been punished in Ireland so far ?
People probably shouldn't be running scripts against servers. However, the damage caused is exacerbated by the negligence of many. I'm still thinking about what would be appropriate punishment, but I'd go closer to a slap-on-the-wrist than jail-time ...
Would I like to see jail time for script-kiddies ? No !

Jail time for Script kiddies.

Comments