Ethical or not?


trojanman

IS-IT--Management
Jun 14, 2006
Let's say that you're at a convention with thousands of users, all of which are on laptops. You're pretty certain that you're the only one with IS knowledge. During the course of the day you decide to make a few pen tests. A few port scans here and there and you discover that many users can be breached because of a lack of a firewall.

Do you:

A) Place a text document on their desktop that reads "Turn on your firewall".

B) Upload a trojan and play games with their pc.

C) Reboot their computer several times and hope that they figure out what is happening.

D) Discontinue all activity and leave them alone.

Answer honestly.

 
True, and if you were to knock on my door and let me know, I would be grateful. I wouldn't be very happy if you opened my door, walked into the living room and handed them to me there.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
I have no intention of trying to define the word 'hacking'. I used the word, in the context of this discussion, to keep from having to type "obtaining access without permission" over and over. I assumed the people following this thread would understand that, an assumption I still hold.

So back to your rebuttal:
trojanman said:
what are you going to do, walk up to them and say "Hey, I nmap'd your box and found out that I can exploit IPC$ because you have no Administrator password and your firewall is turned off?
Nope. Nobody hired me to, and I'm not the poster child for Desktop security. It's really none of my business what some total stranger has running on his/her laptop. I only feel responsible for my users.

My direct question to you is: What do you think you would accomplish by leaving a note that said "Turn on your Firewall"? Remember, you've done this to a non-technical crowd in a non-technical setting, they're going to have a non-technical reaction. You're going to have at least one braggart claim that his laptop is "as secure as Fort Knox!" You're going to have this non-technical crowd come to a consensus about what happened, and that consensus will be chock full of misinformation and confusion.

All you could possibly hope to accomplish is to spread Fear, Uncertainty, and Doubt. I can't see that this educates anybody.
 
While I find A to be the funniest one, D is the only choice. If you really want to, go talk to them.
You can't do anything unless you've been asked to. That's part of the white hat.

"That time in Seattle... was a nightmare. I came out of it dead broke, without a house, without anything except a girlfriend and a knowledge of UNIX."
"Well, that's something," Avi says. "Normally those two are mutually exclusive."
-- Neal Stephenson, "Cryptonomicon"
 
Grenage said:
If someone broke into my house and left a note saying "you left your window open", or moved objects around until I noticed, then regardless of their burglary experience - I'm going to be angry.

I understand. Interesting that you put a house and a pc in the same context.
 
LawnBoy
My direct question to you is: What do you think you would accomplish by leaving a note that said "Turn on your Firewall"?

I'm a sysadmin, I like to help people. If I can get the word across [remotely or not] that someone is vulnerable to various threats, I feel that it is my unspoken duty to inform/educate them...even if it is just one sentence.



And I apologize for my bad html/xml tags.
 
Sounds like you're a nosy person, not a sysadmin..
I'm a sysadmin, and helping people is *not* putting them in trouble or scaring them (most of the time).

Technology is at a somewhat delicate spot, we're before the Asimov stuff but already at a level where most people have no idea what's going on. Gotta be nice. Make an announcement. Talk to people. Just don't be sneaky. That's not helping, that's making yourself feel good because you have knowledge and power that you used.

 
I'm a sysadmin, I like to help people

...whether they want your help or not, it would seem!

Breaking in to someone else's property (which is exactly what leaving a text document on a stranger's desktop is) is not ethical, and (I hope!!!) not legal either.

I suggest that these may be more appropriate ways of performing your "unspoken duty":

1. Ask every client/associate/friend/stranger you see with a computer if they have taken security measures on their computer (firewall, anti-virus, etc). If they say no, or look at you blankly, offer your assistance.

2. Put up a web page, or find an existing web page that details basic security "good practices", and point them to it.

The point here is direct communication. If they accept your help, they will be better off for it. If they say "go away", well it's their loss.

 
trojanman : I am both sorry and glad that you find it rude.
How rude would you find it, if someone left a text file on your computer that said, "Turn on your firewall" ?

 
Considering my passion for infosec, I wouldn't be offended at all. In my opinion, if someone were able to breach my box, that just shows a lack of responsibility/knowledge on my part.

I know that I can't help/protect everyone but it gives me a sense of accomplishment knowing that I tried.


For the record, the scenario in my very first post is hypothetical. The purpose of this thread was not to stir up drama, I just wanted to get people's perspectives on the matter.
 
if someone were able to breach my box, that just shows a lack of responsibility/knowledge on my part.

To use the house analogy again, that's very much like someone going into your house just because you left the door open. True, you'd be responsible for leaving it open, but that doesn't mean it's OK for someone to enter.


 
In other words -- you have the very high and utopian ideal that computers are an open, free-for-all field where knowledge and skill are rewarded more than anything else. Congratulations, you've got the prerequisite to be either a hacker or a cracker.
You're also 30 years late. Now we have the backlash and everyone is scared crapless of people with more skill than them, which is why they are hired, found companies or go to jail. You need to comply with the law.
A more personal analogy is, sure, your pants are down, but that's no excuse to.. Well, you can guess the rest.

 
lol, Trevoke. I like your analogy a lot more than mine.


 
In other words -- you have the very high and utopian ideal that computers are an open, free-for-all field where knowledge and skill are rewarded more than anything else.

No, I don't. There are too many variables involved to explain what I feel.

30 years late to what? Thompson and Ritchie revolutionizing humanity? We are at our peak of infosec, since 9/11 at least. There are councils, consortiums, and professional organizations whose sole purpose is to drive and support this movement. Why? Because bad people do bad things to innocent users.

Don't tell me what I "need" to do, I already see the big picture.
 
trojanman, I'm sure that we all know where you're coming from here, and it's decent of you to want to help people who are not as well informed on matters of computer security.

In a perfect world there would be no problem with what you propose, they would be grateful of your help. Unfortunately the world is not perfect, and your unexpected assistance in the form of a text document on their desktop would lead to thoughts such as "what else did they access, I don't know this person, maybe they stole my internet banking details".

The road to hell is paved with good intentions, as they say.


 
If he doesn't understand by now, I don't think changing the logic is going to make him get it. Just the name 'trojanman' ... :)

"We" are not at the peak of IS. We are at a peak of paranoia. There is a difference. And that is how the user understands it.
Bad people, also, do bad things to not-so-innocent companies. Users are mostly victims of scams. Phishing. If you want to educate people in not falling victim to phishing, it is commendable and please do it.
Please allow me one last small thing, and I promise I'll shut up and stop offending you and your sensibility...

Let's say that you're at a convention with thousands of users, all of which are on laptops. You're pretty certain that you're the only one with IS knowledge. During the course of the day you decide to make a few pen tests.

Oh look mommy -- the sentence in bold is raw, basic social engineering, and what it means to me is "HEEEEY I CAN DO STUFF AND NOT GET NOTICED OR PUNISHED YEAAAAA"

How about...
You are at a convention with thousands of users, all on laptops. All of them have IS knowledge. You decide to make a few pen tests. You find that many of them have open ports and vulnerabilities.
Do you:
a) assume they're waiting for someone to fall into the honeypot?
b) take a chance and hope it's not a honeypot?
c) have no idea what a honeypot is?
d) leave well enough alone?
e) realize you simply can't educate people who don't want to be taught, and feel as frustrated as I do when I come across that problem?


 
Oops -- I forgot to say one thing.
I am not accusing you of having evil intentions, or accusing you of being stupid. My intentions are remote from both of these. I am trying to get you to understand what other people can feel about these theoretical actions, in the theoretical setting given, with the theoretical pattern of behavior given, and why it may be best to not do anything.

 
Trevoke,
Lol, I pick 'A'. Which brings up a good point, you never know what knowledge might be in a crowd. Assuming that you're safe when performing an illegal act is equivalent to the user thinking they're safe without a firewall. It's naive.
 
~'98 I had a similar experience which can be compared unfavorably to the OP's doctrine.

I inherited a K12 network, with personally marginal Unix skills, that was utilizing ancient RH installations for a potpourri of services: FTP, mail, DNS, etc.

The students that had put the network together were personally oblivious and unconcerned about securing the school's network for posterity, which is somewhat understandable as they were not being compensated.

After working there for about 3 months, putting out fires, etc., and getting up to speed, one server using WU-FTPD was compromised and the login banner was changed to display a security company's logo and a come-on for the company's services. Though they claimed not to have performed any 'major' intrusion, they were soon out of business.

Performing stupidities is best done with a dark beret on and multiple layers of indiscretion between. No one likes being rooted and takes it as a cautionary lesson.
 
In the event of discovering your actions, I would take any legal action against you that was possible - option E as proposed by sleipnir214 is the ONLY ethical option.
