-
No, they shouldn't. Hackers are of two types: 1. for their enjoyment, 2. for others' enjoyment
1 -> they do just for fun
2 -> they do for revenge
2nd grade hackers must be punished
Actually a hacker's worth is priceless. Think once how much he must have known to hack others; first hats off for his knowledge, then others come into consideration...
-
IMNHO -
Just because someone is stupid and leaves a gaping hole in their site doesn't mean you are allowed to explore it. If you do, that forces them to examine and then fix it, and that costs money. That is cost, and that is why you can go to jail or get sued. Why? Cause you took an affirmative action by intruding into that system...hence you are culpable for those damages!
Here's the problem, just because you didn't mean to cost the company money doesn't mean you didn't. That kinda cost can cripple a small or starting biz (which may be why they have crappy security). Should those people and their investors be penalized because you want to check out their security uninvited?
Just playing devil's advocate to the normal "If I didn't make money then what's the harm" view that we normally find on AO...
-
jcmcb, so what you are trying to say is if you notify a company about a security flaw with their site, and since it costs the company money to pay whoever to fix the flaw, YOU are then costing the company money? I guess theoretically, that is true.
In that case, I think it is a sad, no scratch that, GREEDY world where some company would take you to court for that.
-
jcmb, I think you're missing the bigger picture...if you find a hole and without doing any destruction notify them, you SAVE them money. Think about what would happen if somebody found it and exploited the hole for their own gain. Then the company not only has to fix the hole, but they have to fix whatever damage was caused by the malicious guy who got in. Then, they might have to deal with a loss of business because other people don't want to deal with them because they got hacked...all of which could have been stopped by you simply finding a hole and telling them...
If you see a hole, I say it is your duty to check it out and inform the owners of the box. If you don't, that is when I say you are responsible, because you could have stopped all that extra damage from occurring by just sending a little email.
-
jared_c - I am with you about the greedy bit, but (with all respect to James Brown) this is a Capitalist world, and thanks to the US (and Prez Reagan, curse him) Greed is now a virtue...
8*B@LL - I think you are missing the bigger picture. It doesn't matter why a person finds a flaw, it still costs that company real money to fix it, and they are going to blame you for the cost of repair, especially if you are going to announce the flaw. Now I think that finding flaws and reporting them is a good thing, but not if you're not invited/asked. I think if you (not you specifically 8, but you the general hacking community) were to offer their services for free to small companies, I think you would find a receptive audience, who might even pay you to fix it. But I object (and as a small biz owner I think I can speak for some of us) to unwelcome persons telling me about my vulnerabilities. Why? Because I don't know who you are! For all I know you're some guy who is going to blackmail me for the security of my data. Paranoid? Maybe, but these small biz are the life's work/dream/goal for people, and they take them seriously.
I don't want anyone to think I am saying that altruistic hacking is a bad thing, just that it can and will be perceived as a bad thing, and possibly get you in trouble...
-
jcmcb, I too am a small business owner. If someone found a security vulnerability on one of my web servers, whether I asked them to or not, I would be very happy if they notified me about it. If intentions were good, and no damage was done, I would definitely thank them for letting me know about the problem.
I think the problem is that a lot of companies would be embarrassed if put in that position. I remember a client sent me a virus. It was one of those viruses that forward to everyone in your address book. I called up the client and told them that they were infected and that they sent it out to everyone in their address book. The person was quite rude about it and didn't even say thank you. My guess is it was because he was embarrassed that he was foolish enough to get the virus.
Now my question is: Since I called this person and notified them that they had a virus, am I now responsible for the time it takes for them to fix their system? According to your theory I would be.
The fact is if the vulnerability is there, it is there whether I tell him about it or not. If I notify the person about it, it is their decision whether or not to fix it. Not my decision. I shouldn't be held responsible for the cost of their decision to secure their server.
jcmcb, just so you know this post isn't meant in any way to offend you. I'm just saying how I would handle the situation, and what I think.
-
Well if you're hacking and causing problems, then yes, there needs to be punishment. And as was previously said, depending on how much damage or how many problems you cause should depend on whether or not you get jail time. As for finding security holes...if you come across them on accident that's one thing. If you are trying to hack and finally get in, I can see how companies would get mad. If people didn't try then they wouldn't need to worry. Once a hole is found it can be exploited and then a new security system needs to go into place, which does indeed cost a lot of money. If you want to hack legally, get a job working for securing a company's network. If you find a hole, you might get a promotion instead of a fine. Just my two cents.
-
Exactly as I said. If you don't do anything wrong, and do something good by telling them, why be punished?
-
I don't know how putting a hacker in jail helps stop hacking. If the government thinks that arresting a hacker for 1s and 0s will make fear in the hacker community they are so *****ing wrong. Although I think if the hacker was a script kid then he should be banned from using a computer for a reasonable amount of time. (reasonable being less than a month)
As far as deleting files goes, I know if a real hacker hacked into micros0ft.com he will tend to crash the system. While on the other hand if any of you hacked into linux.com you probably won't because you know that *nixes have helped hackers spread, and you will most likely report the flaw, unless you have a beef against Linus T.
-
Erm...that is so wrong...a "real" hacker wouldn't crash ANY system they got into, just explore it. Ever heard of ethics?