Hacking, Cracking and Exploiting.

  • SpooF
  • ٩๏̯͡๏۶
  • Bronze Member
  • Posts: 3423
  • Loc: Richland, WA

Post 3+ Months Ago

What's illegal and what isn't?

A lot of people say that when it comes to the web anything and everything is free. If you put it on the web you're putting yourself at risk to have it get stolen.

A lot of "Hacking" is really just exploiting bugs in applications. If we were to define hacking as "Gaining access to/altering information in a way it was not intended to be accessed or without permission" a lot of things start to be considered hacking. The most common way to "Hack" into a website is to exploit poor programming with SQL injections. Doing so can grant you access to a lot of information.

Let's say, for example, John has a website, where he uses some simple PHP to protect a section of his site with a simple username and password. The usernames and passwords are stored in a file publicly available called passwords.txt (Above the root of his web server, but not linked to by anything). It's very simple to gain access to this sensitive information, all it really takes is calling up a file in your web browser. Is this considered hacking? Using the definition I stated above, this would be hacking because you're gaining access to information without permission.

John figures out that this isn't a very safe way to protect his site so he does some research and learns about storing information in a database. He updates his website so it now goes to a database to check for the username and passwords.

John makes two big mistakes here. First he doesn't check to see if the user exists, so a NULL username with a NULL password will return true in his programming (This is an exploit), also he doesn't take into consideration SQL injections.

The bad programming allows a user to easily login to his site without "permission" although his website clearly granted the user access. The SQL injection opens a gateway into his database, allowing a knowledgeable user access to all his information, much like with the publicly stored passwords file in his first website.

Now, the first scenario most people wouldn't call that "Hacking" just because the information is publicly available because you can easily see it in your browser. If that argument is made, I can state that in the second scenario the information is also publicly displayed in my browser, it just takes a little knowledge, much like knowing about the password file in the first scenario.

So when it comes to hacking, cracking and exploiting, what's illegal and what isn't? You can say that both scenarios are hacking if you gain access to the information, but are both illegal?
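
The two mistakes described in the post above, next to a corrected check. This is an added example, not part of the original post and not John's code: Python with sqlite3 stands in for his PHP, and the table layout, function names, sample account and the exact way the missing-user check fails are assumptions.

```python
import hashlib, hmac, os, sqlite3

def kdf(password, salt):
    # Salted, slow hash so the database never needs the plain password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users "
               "(name TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("john", "correct-horse", salt, kdf("correct-horse", salt)))
    return db

def login_flawed(db, name, password):
    # Mistake 2: user input is pasted into the SQL text, so a stray quote
    # in the name is parsed as SQL instead of being treated as data.
    sql = "SELECT password FROM users WHERE name = '%s'" % name
    row = db.execute(sql).fetchone()
    stored = row[0] if row else None  # Mistake 1: a missing user is not rejected
    return stored == password         # None == None, so an empty login passes

def login_hardened(db, name, password):
    # Reject missing or empty credentials before touching the database.
    if not isinstance(name, str) or not isinstance(password, str) or not name:
        return False
    # Placeholders keep the input as data, never as SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:                   # the user must exist
        return False
    salt, pw_hash = row
    # Constant-time comparison of the derived hash.
    return hmac.compare_digest(kdf(password, salt), pw_hash)
```

With the flawed check, a name containing an apostrophe makes sqlite3 raise a syntax error, which is the visible sign that input is reaching the SQL parser; the hardened check simply returns False for it.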
  • joebert
  • Genius
  • Posts: 13511
  • Loc: Florida

Post 3+ Months Ago

I don't like the term "bad programming", I like the term "bad people" better.

We need to quit wasting everyone's time with making applications more "secure" and start dishing out stiffer penalties for computer crimes.

Going into your neighbor's mailbox and seeing what is in there is a Federal offense in the USA and can get you into serious trouble. I don't see why looking in someone's email box shouldn't be the same.
  • mk27
  • Proficient
  • Posts: 334

Post 3+ Months Ago

SpooF wrote:
So when it comes to hacking, cracking and exploiting, what's illegal and what isn't?

Good question. I know that actually mounting a DoS attack is illegal in the US, since some kid in New Jersey went down about a month ago because he did it to some Scientology site, and the Scientologists tracked him down and had him arrested by the FBI. Of course, if you do not have those kinds of resources, AFAIK there is not some kind of police or agency that will do the work for you, which basically means (non-stupid) small time newbie crackers will practice attack a server where they know the owner will probably not be able to catch them, e.g., your small private server.

As for anything else, I have no idea what laws exist but I agree with joebert.

Here's something I ran across a week or so ago:
Basically, this person was using "trojan" free gtk themes and screensavers (which don't work, so many people, after installing and realizing it doesn't work, will just forget about) to install what (I and others believe) are the nodes in a DoS network (don't know what the term is, but you get the idea) on unsuspecting Linux boxes. It was done very simply with a shell script that pings another server (probably to pass on the IP) and then replaces itself using wget. The ones we found were not doing anything else at the time, but could be replaced at any time (and possibly had, then re-replaced).

I don't really know if that was very effective, ever used, or if anyone tried to track this person, but it was pretty amazing the number of people that showed up within hours of the first post saying they too had installed this screensaver, or something that did the same thing -- so that is potentially quite a list of IPs someone had access to for the purposes of DoS'ing!

I know commercial software vendors have been sued for including stuff that amounts to malware or spyware, but I don't know if this is actually illegal, or if the people who distributed the screensavers could be held accountable -- I would guess not.

You would think if a DoS is illegal, software for creating a network for that purpose would be too, although you'd have to prove that was the purpose, I suppose.
