
Ethical or not?


trojanman

IS-IT--Management
Jun 14, 2006
280
US
Let's say that you're at a convention with thousands of users, all of which are on laptops. You're pretty certain that you're the only one with IS knowledge. During the course of the day you decide to make a few pen tests. A few port scans here and there and you discover that many users can be breached because of a lack of a firewall.

Do you:

A) Place a text document on their desktop that reads "Turn on your firewall".

B) Upload a trojan and play games with their pc.

C) Reboot their computer several times and hope that they figure out what is happening.

D) Discontinue all activity and leave them alone.

Answer honestly.

 
D. I don't wear this white hat just for looks.

In the situation you describe, displaying my 733t h4><or ski77z could only jeopardize my employment. And what would it prove? When those users leave the conference they'll be talking about how somebody "hacked" the network, not about desktop security.
"Oh, you got hacked too? You know, they say you can't stop the really good ones..." with external references and validation aplenty. Most of them would leave with an exasperated sense of helplessness, which is exactly the opposite of the point you would be trying to prove.

My .02. "I am not a psychologist, nor do I play one on TV."
 
Ah, but who better to do a pen test than a white hat? I'm sure the helpless users would rather you break in than some German kiddie with a Metasploit kick.

I'm more on the grey side so I choose A.
 
I say D as well, most users don't have any idea what a firewall is much less how to turn it on.
Where I work we have an application that the users can click on which indicates they are going mobile. The app turns on the firewall and also performs other various tasks.

If the users at the conference were "unsecure", I look at it as a reflection of their IS dept.
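The post above describes a client-side app that switches the firewall on when a user goes mobile. As an added example (not the poster's tool, and not part of the original thread), the following PowerShell function audits every Windows Firewall profile on the local machine and, with the -Enable switch, turns on any profile that is off. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session for the remediation step.

```powershell
# Added example, not the poster's application: report the state of each
# Windows Firewall profile and optionally enable any profile found disabled.
# Assumes the NetSecurity module (Get-/Set-NetFirewallProfile) is available.
function Test-FirewallProfiles {
    [CmdletBinding()]
    param(
        # When set, enable disabled profiles instead of only reporting them.
        [switch]$Enable
    )

    $results = foreach ($fwProfile in Get-NetFirewallProfile) {
        # Enabled is a GpoBoolean (True / False / NotConfigured); treat
        # anything other than True as "firewall not on" for this profile.
        $wasEnabled = ($fwProfile.Enabled -eq 'True')

        if (-not $wasEnabled -and $Enable) {
            # Requires an elevated session; writes the local policy setting.
            Set-NetFirewallProfile -Name $fwProfile.Name -Enabled True
        }

        [pscustomobject]@{
            Profile        = $fwProfile.Name
            WasEnabled     = $wasEnabled
            DefaultInbound = $fwProfile.DefaultInboundAction
            Remediated     = (-not $wasEnabled -and $Enable)
        }
    }

    return $results
}

# Audit only: prints one row per profile (Domain, Private, Public).
Test-FirewallProfiles | Format-Table -AutoSize

# Audit and remediate (run from an elevated prompt):
# Test-FirewallProfiles -Enable | Format-Table -AutoSize
```

Running the audit form from a logon script or a scheduled task gives an IS department the same visibility the poster's "going mobile" app provides, without depending on the user remembering to click anything; the remediation form is the piece a GPO would normally enforce centrally.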
 
Sorry trojanman (worried about the tag now!) ;)

I am with D too. Just because I can doesn't mean I would.

It's like being in a beautiful rose garden: I can look at the flowers, smell the flowers, but I'd never pick the flowers....

And sorry I'd be more interested in the conference content than others' laptop security.

Iain
 
If the users at the conference were "unsecure", I look at it as a reflection of their IS dept.

Agreed, which is why we have the firewall enabled via GPO. My point is, we should educate the uneducated whenever possible. That's my humble opinion at least.

And for the record, I don't condone the use of trojans and/or malware for "malicious" intent.
 
But what if they don't have an IS / IT department and are a normal Joe / Jane Bloggs?

I totally agree that education is the only way in terms of PC security; all it takes is one user going to one dodgy website!

If I was to do anything and was THAT bored I'd have a look at what MP3's they've got and "borrow" any I fancy :)

I wonder how long it would take them to actually see the text document that says switch on your firewall!

 
I have to say D as well; in the situation you gave it's not really your place to do any of the other options. It would be a little different if you were giving a lecture on wireless security and penetration testing. Then I'd say take a peek around. I have some penetration and surveying tools. I will not use them to recon a system that I'm not in charge of securing, without permission of that company. If I'm using a wireless tool and I see an unsecured AP and I know the person, I would mention that they seem to be unsecured and they may want to secure it. My 2 cents.
 
I agree that education is key, but I don't think it can be accomplished by obtaining access without permission.

I was demonstrating a friend's lack of security to him a few months back. I consider this guy to be a fairly savvy user, but when I changed his desktop background he exclaimed "Dang! You got right through my antivirus!"

Hacking someone will not educate them. Talking to them will.
 
I am going to play the devil's advocate here. I think it's retarded to afford privacy and protection rights to any machine (user) that voluntarily puts itself in a public forum. This could be a public "private" network at a conference, an internet café, or on the internet. Would you walk around with your driver's license taped to your forehead and have an expectation of privacy or security? Of course not; you keep it in your wallet in your pocket, maybe even secured with a chain to your belt if you are one of those types. If you don't know a public network is not trustworthy and that you should take steps/measures to protect your hardware, then you are fair game. Now the attempt to defeat, or successful defeat of, firewalls or other protective means is a whole other ballgame. That moves into breaking and entering, and as far as the laws in my state, I could shoot you! :)

RoadKi11
 
Hacking someone will not educate them. Talking to them will

Not one entity, not even the Patriot Act or the Computer Fraud and Abuse Act has an absolute definition for "hacking".

That being said, what are you going to do, walk up to them and say "Hey, I nmap'd your box and found out that I can exploit IPC$ because you have no Administrator password and your firewall is turned off"? Granted you can find out who they are personally out of the thousands of people there.
 
Not one entity, not even the Patriot Act or the Computer Fraud and Abuse Act has an absolute definition for "hacking".
You asked a question about ethics, not law, so don't start dragging pseudo-legalese into this. Particularly when you, yourself, posted,
Legality aside, what would you do?

Although the two often overlap, ethics and law are not the same thing. And it also should be kept in mind at all times in an ethics discussion that the word ethics comes from the Greek ethos, meaning "character".


First, when you are given permission to use someone else's property, there are always explicitly- or implicitly-defined limits to what you can do with the property, and you have an ethical obligation to abide by those limits.

If I loan you my car to go to the supermarket, you would be behaving unethically to drag-race in my car. You have violated the implicit limits on the use of the car.

So your most ethically-correct behavior would have been:

E. to not have been screwing around on someone else's network in the first place.

Because when the organizers of the meeting granted you permission to use the network, I do not think it reasonable to expect that they intended that you would use the network to scan other participants' computers.



Second, it is unethical to use someone's property without his permission.

The fact that you might do less harm than a hostile hacker does not give you permission to use the property -- that's saying you somehow have permission to use my car any time you like simply because some less-responsible person who might have used it would have wrapped the car around a tree.

The fact that you have the best of intentions does not give you permission to use the property. That's saying you have permission to use my car any time you wish so long as you get the car a tune-up and leave it back with me with a full tank of gas.

So option A is unethical. And I don't think anyone would argue that B and C are unethical, too.



But what should one do? I would, understanding that the organizers would be reasonably expected to be disapproving of my scanning their network without permission, contact the organizers of the event and tell them what I found out and how. And I would accept with good grace whatever reasonable penalty they imposed. (And as an aside, getting banned from that network for the rest of the event is a reasonable penalty for scanning their network -- after all, it's their network and they can withdraw whatever use-permissions they have granted.)



Want the best answers? Ask the best questions! TANSTAAFL!
 
my personal ethics require D

for future business (fixing and telling them for the umpteenth time about firewalls, AV & adware programs, and just plain good computing sense) I get to clean up the boxes. [bigcheeks]

so, again D

 
You asked a question about ethics, not law, so don't start dragging pseudo-legalese into this. Particularly when you, yourself, posted,

I was just making a reference and a point in rebuttal to Lawnboy's reply. Everyone has a different opinion about what "hacking" really is.

You yourself have quoted the great ESR (your sig?) and to quote his very words:



There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ‘hacker’. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you're a hacker.

There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.

The basic difference is this: hackers build things, crackers break them.


And...


Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude.


 
You can quote esr all you want and it still won't touch on ethics.

And when LawnBoy states, "Hacking someone will not educate them. Talking to them will." and your rejoinder is to go off on a tangent about the lack of legal precedent for the definition of hacker, you're just trying to side-step his point rather than responding to it.



Want the best answers? Ask the best questions! TANSTAAFL!
 
Do you even read my replies in their entirety?
 
If someone broke into my house and left a note saying "you left your window open", or moved objects around until I noticed, then regardless of their burglary experience - I'm going to be angry.

D. is the only option, legally and ethically.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
But if you leave your keys in the door, would you want an honest person to ring the bell and tell you, or them to sit there until an unscrupulous person (with better spelling than me) comes along?

Iain
 