What is Ethical Hacking to you??

Thread: What is Ethical Hacking to you??

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    11

    What is Ethical Hacking to you??

    hi, i'm not sure if what i'm asking here has been asked before.
    i got into a discussion with a friend (programmer) recently.
    we were playing a new game incorporated into a forum both of us were in and was put into beta testing.
    as with any new games, there's bound to be bugs and he managed to find them.
    he was happily playing with the game using the bug till confronted by the other members of the forum who were unhappy with his actions. he claimed that he was merely testing out the exploits to confirm them before reporting to the owner of the game.
    if he were to just spawn 1 or 2 items, cash and increase the stat by a little for testing purposes, i'd take it that he is just trying to confirm the bugs but he went as far as gaining the maximum amount of items, cash and increasing his character till near invincible status.

    is that still considered ethical?? even if he did report the bug later on to the owner??

    sorry if everything is too confusing. my english isn't really that good.

  2. #2
    Banned
    Join Date
    Apr 2004
    Posts
    843
    Well, let's take this into consideration... whatever you call yourself, be it hacker/cracker or as I like to call myself just an average guy who is sick of little children naming everything they see online... I'd just like to go online for once without being surrounded by people who want to be a part of a big scene. But whatever you call what you are or what you do with the time you have... be it the ability to program or just the enjoyment of computers. A phrase comes to mind "who cares".

    And with that said, if you need someone to tell you what is right and wrong then find a priest or something. I know it sounds sarcastic but seriously dude.

    Before we judge what's right and wrong FOR YOU... you never said how he was testing this. For all we know it could have been over a small LAN, over the localhost through loopback addressing if possible, & (etc.). As for the way he handled this... so he bragged a bit, so what? I turn on my computer and 99.9% of the dumb kids out there are usually looking for a way to appear to have know-how in front of others & to make a name for themselves. But either way the information is out there.

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Shouldn't this be in Cosmos? It's nothing to do with SEC as far as I am concerned...

    "right" and "wrong", such big words. Is it right to break hearts? Is it wrong to relieve somebody of funds or items? I don't know, but priests don't come within 9 metres of me, and mental help is poorly organized around here. So I don't have my answers...
    /\\

  4. #4
    Well, let's take this into consideration... whatever you call yourself, be it hacker/cracker or as I like to call myself just an average guy who is sick of little children naming everything they see online
    As humans, it is our nature to place a label upon things, so that we may better understand them, and recognize them apart from other things.

    And with that said, if you need someone to tell you what is right and wrong then find a priest or seek out for some mental help or something. I know it sounds sarcastic but seriously dude.
    There is no need for insults here. People sometimes must question actions as wrong and right, as those lines can be blurry to even the most devout priest. To ask, to be informed, and to seek others to help you understand is no different than a child learning to apologize. We must each have a time to learn the rights and wrongs of everything, even if our heart speaks it, and may thus need the backing of others.

    Shouldn't this be in Cosmos? It's nothing to do with SEC as far as I am concerned...
    AO isn't just about system security alone, nor is Cosmos just for debates. The question they have is a true honest newbie question, in which they are curious about the ethics of someone else. To know right from wrong helps them plan their path better.


    To the parent poster, I offer my thoughts:

    - The moment he found the bug and had basic information, he should have reported it. Even without basic information, even the knowledge of such a bug should have been reported ASAP.

    Why? Because if he honestly was there to help, he would not have continued using it. I do not feel his heart was set on help, rather than "Taking advantage" until he was caught. He was in the wrong, but that is merely my opinion.

  5. #5
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    first off, thanks for both replies.
    just to clarify something, i am no hacker nor expert in computers.
    i'm just a regular computer user.
    i'm not exactly sure where this thread should go to, if it is the Cosmos, then i hope the moderator will help me move it there.

    i don't mean for this to be a right or wrong discussion.
    what i want to know is,

    should an ethical hacker exploit the bugs he/she discovered and report it later on
    or
    report the suspected exploit the moment it is discovered whether or not it is confirmed that the exploit really works. tests can be carried out later after reporting it, right??

  6. #6
    In response to your new post, I say this:


    An exploit should be announced the moment it is discovered, but make sure to have an example. One example, two if the problem allows more than two things. However, you do not CONTINUE to test it to every aspect. You are only there to help them find the existence of bugs and with support to prove it does exist. Leave in-depth testing and exploitation testing up to them, or until they give you permission to further explore.

    Even then, you should never do what your friend did. As it would be similar to finding a hole in a bank's servers, exploiting it and stealing all the money, and then letting them find out for themselves.

  7. #7
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Originally posted here by pooh sun tzu
    In response to your new post, I say this:


    An exploit should be announced the moment it is discovered, but make sure to have an example. One example, two if the problem allows more than two things. However, you do not CONTINUE to test it to every aspect. You are only there to help them find the existence of bugs and with support to prove it does exist. Leave in-depth testing and exploitation testing up to them, or until they give you permission to further explore.

    Even then, you should never do what your friend did. As it would be similar to finding a hole in a bank's servers, exploiting it and stealing all the money, and then letting them find out for themselves.
    yup, i did quote the example of finding a bug in the bank servers and exploiting it but he kept arguing that he was just merely testing and meant no harm.
    i needed some expert views on this because he kept saying that we do not have the mentality of a tester to understand his point of view.

    thanks a lot. i welcome all views on this.

  8. #8
    So he feels that if he breaks into a bank, steals the money, that he can merely tell the police/fbi that he was "merely testing, and meant no harm"?

    Point in case, it went beyond "wow, look what I found by accident" into a crime. As for mentality of a tester, I'm a beta tester for Vendetta, many Opensource projects, Microsoft, Ragnarok Online (years ago), and many Ragnarok Online emulators. Many of us are beta testers and understand the limits, so we understand how to test from a beta tester's point of view.

    Your friend turned it into a crime the moment he realised what he was doing, and decided to continue doing it instead of reporting it.

  9. #9
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    I did not mean to sound... like I know everything. I do not. Just a thought.

    I agree with pooh sun tzu on this one, going more than just finding the exploit goes into something else than beta-testing. In the case of the game it was cheating, in the case of applications and programs it is considered illegal [well, in France it is illegal altogether to even say you found an exploit, as per Bug-traq newsletter and posted by MsMittens on AO]. Was it "wrong" or "unethical"? In your friend's case I just think it's unfair given that it was known the server was still in development. In general I refrain from formulating a universal recipe, I acknowledge that certain circumstances might call for certain variance in the way this problem is tackled.

    [edit]
    If some of this seems redundant with the above post, it should be known I was posting at the same time with pooh
    [/edit]
    /\\

  10. #10
    Banned
    Join Date
    Apr 2004
    Posts
    843
    Yes pooh sun tzu... since it is in the beta version, companies I believe under certain promises you are forced to make and under the law I also believe that you are not even supposed to talk about the game when it's still in its beta stages. And yes he could have told the company about this. But if that were not the case here you'd make that sound as if talking to guys on a board or whatever about it before any official reports are made and sent out to people is somehow "less ethical" than posting it all over sites just like bugtraq and securityfocus where thousands if not millions will see it and start a war over who can produce the best exploits and patches in the fastest amount of time.
