January 30th, 2003, 01:19 AM
How to Not Get Wrongly Arrested
First of all...I say all of this under the assumption that you're not doing anything illegal. Otherwise, you probably should get arrested. (There are exceptions, but this is not the place to discuss them. Cosmos!)
It occured to me after some recent experiences of mine to post a tutorial on how to avoid trouble for doing innocent things, because there are many people who don't understand how things work, and punish people by default, because they don't know any better.
Step One: Don't do anything illegal/stupid.
If you do, you will inevitably be caught or arrested, if not for on thing, then for another. If you do something illegal or stupid, I can't help you much. I don't think even most of the people here at AO would help you get out of this. You're on your own here.
Step Two: Information is power. A lack of it is too.
If you find some way into or out of a system, then don't go ahead and tell everyone, bragging about it. That's just plain stupid. If something happens, everyone will think it was you, even if it wasn't. A lot of people will also have you arrested just for thinking you WILL do something.
If you need to tell someone what happened, for advice on what to do next, then be careful who/how you tell. Don't go telling your three year old neighbour, who will inevitably go and tell his parents, who will call the police. Tell someone who understands these things, and who you trust.
If you need to post the information in an open forum, do it on message boards or e-mailing lists, always annonymously. It will make your life much easier.
Step Tree: Just because you can...
If you can do something, that's not a reason to do it. Everytime you find a way to root, or someone else's files, walk away. Don't go looking at things you shouldn't, because that is stupid, and can easily get you put in jail.
Remember, if you do one small thing, and something else big happens, if they can pin the smaller thing on you, its a short step to the big thing, easily quadrupling any fines/sentences.
Step Four: Burn everything.
Don't keep records of what you've found. If you later get caught for something, these will link you to a lot of other possible crimes, and can be used as collaborating evidence. Plus, a friend can always look on your computer, and find password and username lists, DNS and IP Addresses. Its just plain stupid.
Step Five: Anonymity.
If you are going to report what you found, as many honorable people will do, make sure you do it anonymously. Some Admins will feel vengeful, or just not understand, and have you arrested. Its just annoying. "No good deed goes unpunished..." Its best to be the Anonymous Vigilante.
Step Six: Change nothing
If you find your way into some system, even if its just to look around, don't change anything. If you find some way to fix a problem with some network or computer you find yourself in, don't patch it yourself. If you make a mistake, or another one appears, it will be blamed on you. Instead, report it to the Admin, and tell them how to fix it. (Read Step Five.)
Step Seven: Silence is Golden
If you never tell anyone you know anything, no one will want to blame you. You appear as innocent as you are.
Step Eight: Credit Ain't Always Good
Never take credit for anything, whether you did it or not. You can always be blamed, and that's never good. Remember, fame from cracking is fleeting. But fame from honor and intelligence, earned over time, lasts forever.
Step Nine: Never assume
Even if you don't look around networks, aren't even a White Hat Hacker, or a security guru, you can always be blamed for something. I know people who have been suspended from their schools/universities for accidentally going to a "hacker" website, and these people know next to nothing. So if you actually know things, you are at a much higher risk of getting in trouble, even if its for nothing.
"The truth doesn't matter. It only matters what they think is the truth. Our job...our job is to make them see our truth."
Step Ten: If You Report...Don't.
Even if you report a problem in a network, deny doing so afterwards. The deed is done, but you don't have to take the "fall" for it.
There is no such thing as total security, but if you follow these steps, you're a LOT less likely to be wrongly accused, or punished for trying to help.
And, if you ever maliciously break the law or do something royally stupid, you deserve to get caught and punished, I will not help you here.
I don't want this tutorial to make everyone so paranoid they never report the flaws they find. By all means, do so. Just be careful how you do it, and who you tell.
One perfect way to do it...is send a "general" warning to the administrator of the network you feel is at risk. "Do YOU have any usernames with the password the same as the username, or the person's name? If so, change it!" This sort of thing will almost always work.
"If the deed is true, and the heart pure, despite any punishment, the person will come out the better for it, and so will those he helped."
I hope this will help people figure out how to do things when they report problems, which they should always do.