Mailinglist Archive: opensuse-security (757 mails)

RE: [suse-security] sysadmin ethics after security breach
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Fri, 25 Jan 2002 10:48:28 +0100 (CET)
  • Message-id: <XFMail.020125104828.bolo@xxxxxxx>

On 24-Jan-02 Matt Hubbard wrote:
> List,
> Assuming you can positively identify the origin of a successful crack
> (and that's a big assumption considering drones, spoofing, etc.) what
> does the community of sysadmins think about vigilante justice? Should we
> just counter-strike if there is no legal recourse? As a young sysadmin,
> I am looking for a moral principle. Responding in a legal manner is what
> distinguishes us from the cracker, right? Still, I get very angry just
> thinking about the possibility of a successful attack on one of my
> systems. Any thoughts? Apologies if this seems off topic - but I am
> studying many of the popular attacks and as a result I am in the
> difficult position of knowing how to use them (as well as defend against
> them).

This has been discussed before, and it all boiled down to the conclusion that
active retaliation is not a very clever idea.

For an admin, it's first and foremost a question of legality vs. illegality. If
you whack a box or boxes of attackers, you basically descend to the same level
as your opponent. This makes you suable like the next 3l33t hAxx0r d00d, which
may be a problem if you're the admin of a commercial organisation/company.
Chances are good that you may disrupt your organisation's integrity, thus
damaging your public standing, which is always a reason to get burned. What's
more, you may be accused of the very same evil deeds as the guy you
counterstruck against, and may lose your credibility, and finally your job.

But this is a theoretical discussion only, since cases are rare where crackers
can be fully identified. Going the legal way against crackers may be a
dreadful, time-consuming process, and often leads to nothing, except for loss
of money and time.

The hardest thing I had to learn was not to rate attacks against networks
administered by me as attacks against myself. It's hard to keep cool, but it's
essential, since rage and aggression only lead to actions which you may regret
later on.

Tightly securing your system, building up and keeping a good relationship
between you and your upstream providers, and a constantly revised security
plan are pretty much all you can do to prevent loss of data/fraud/cracks. It's
also a good idea to talk with your legal department/company lawyer about this
topic, in order to set up legal strategies.

You may want to take a look at the book "Computer Crime - A Crimefighter's
Handbook" (O'Reilly, ISBN 1-56592-086-4, about $25), which covers many topics
discussed here, like security policies and plans, prosecuting computer crime,
types of attacks, legal backgrounds, etc.

Boris Lorenz <bolo@xxxxxxx>

> Matt Hubbard
