I was wondering why you think that finding a security hole in someone's system is ok. Even if you tell them about it and how to fix it.
well, it might be ok, it's actually good, because you're helping them, but just start readin some magz like 2600, especially the posts, then you will see that it is more complicated than you think. especially with large companies, first they will probably ignore you, and when you show them that there really is a security issue, they will probably accuse you of hackin into their system and bring you to court. i know it sounds strange, but that's the way it has happened lots of times, cuz when it comes to stuff like that, most of the admins are *******s, cuz they don't want to lose their job. just think about it, a company hires an admin for their security, pays him hella money, and then some kid from somewhere tells their admin, that there is a major security issue in their system. i mean, what would you do? prolly the same as they do. and then if you really "hacked" into their system, then you're busted. if you didn't and you tell them, it will still be hard to convince the court, that you didn't, cuz as soon as they name you a hacker, there is no way to make 'em believe, since they can't stand that stuff and are *******s anyway.
Well, it's hard to answer but usually, it's that someone who decides if it's ok or not. Some people can take criticism and some cannot. If you find a security hole on a system and that someone cannot accept the criticism, he's gonna be really mad at you and maybe try legal action on you. But if that someone can accept the criticism, he may reward you. In the end, it all depends on the personality of the person that owns the system.
Hope it helps.
well if it depends on the personality of the admin then we are all busted anyway :)
Well it really is a matter of what th3 hacker is doing if he is a blackhat and destroys the data or alters it. But if he is a white hat and only violates the systems because he wants to learn how the network is configured and the information contained within the system. That is ok I guess
the study of security flaws and exploits to the point where you can perform them not only gives you a greater knowledge of computers and networking. it increases one's awareness of security, putting it foremost in your mind when you're setting a network up.
As far as telling admins about flaws you find, there's even a procedure to cya there. Always use an anonymizer. if you email them from your own address they might get insulted and press charges against you.
let it be clear that there is a difference between finding a security hole and exploiting it. If everyone who finds a hole tells the admin of that insecure system about it, the entire internet would benefit, fewer zombies, virus disseminators, etc.
In my opinion "helping them" is wrong. It's just like going to someone's house and breaking in non-destructively then telling them how you got in there or just breaking in to learn about lock picking. Personally I would want someone to do that to me. Just because you want to help people by breaking in to their houses and telling them how to fix the problems doesn't mean you can do it. The only time you have the right to enter someone's machine is if they tell you you can. No matter how you look at it, being a white hat hacker or a Black hat doesn't matter. They both do things against the law. And both go to jail.
Am I correct?
Oh yea by the way 2600 is full of hacker ideology and propaganda. Just look at how they talk about Kevin Mitnick and everything as if he wasn't guilty. Read it with an open mind approach and you'll see it's all propaganda.
Why it is ok hmmm...tough question. I wouldn't say it was ok unless you have their permission to hack. But if you're going to hack the best thing to do would be to tell them. Finding a security hole is usually beneficial to the admin because sometimes they don't even know that a hole is there. Telling them about it increases security for a network and how could that not be good. It all depends on the hacker.
well since we are talkin bout security holes here anyway, there seems to be one in antionline.com. last time i wanted to log in using cookies (too lazy to type in username and password) i logged in as a different user. so i saved the cookie, closed my explorer and connected to antionline again. and again i was logged in as that same, but still different, user. so my question here is, how the hack did that cookie come to my computer? i couldn't figure it out yet, didn't have the time, but we will see. just tell me if you guys had the same problem someday, sometime?
well, and even if 2600 is all propaganda, as long as it is interesting, which it definitely is and as long as they fight for their rights, why not support it. i mean, you just gotta start readin some stuff like 1984, animal farm or brave new world, but you gotta really read it, so that you understand it. then listen to some music like rage against the machine and you will see what bullshit is really goin' on. and when you have done that, then you will just love 2600, because of their propaganda, because they fight against a system that totally sux. i can't really say that, cuz i'm german, but i've been here since 7 months now and since i read those books and listen to that music, i really start to see things a different way, a more mind-opened and real way, and that is the system sux. and as long as that is the system we live in, there won't be any chances to do what you want to do, without getting at least some problems with the law.
yes but it doesn't matter whether it helps the system or not or how helpful it is, it's still wrong in the eyes of the law.
well, then it is wrong in the eyes of the law. if people would have never done anything that is wrong in the eyes of the law, dude, we would still be in the freakin stoneage. just think about government. that stuff is wrong in the eyes of the law, i mean they have been lying to you since 4ever. corruption was the only thing there in the 1800's and 1900's and you think that wasn't wrong in the eyes of the law. the problem with all the people is, that most of them just don't realize, what the hell is goin' on on this f****n planet, cuz they don't care or they r too stupid to open their eyes. so don't tell me propaganda is bad, especially in the case of 2600, cuz propaganda is the only thing we have left to organize against the system. you should really read some stuff like 1984, your view of the world will be changed overnight, but only if you want to.
*SSJVegeta-Sei sees all of the n00bs with silly opinions and begins playing around with his lighter, mentally telling himself that he will NOT flame, but not really believing it, and waiting for the first comments about the overuse of 1984 to come in, and also wonders what branch of the government xifon works for*
SSJVegeta-Sei
*viperbite sees SSJVegeta-Sei acting gay because all he wants to do is flame. And thinks of how big of a LLAMA SSJVegeta-Sei is*
xactly, viperbite, give 'em **** to eat
xifon hates the government, loves 2600 and 1984 and if you have a problem with that, well, then it is YOUR problem. i only use 1984 to show some people how small viewed they are, especially when it comes to the government. i might as well list fight club, matrix, cube or your favorite movie. people like you still don't get it and will never so stop talkin **** bout other people who at least have an opinion.
Dear Mr. Viperbite -
I feel that now you have given me leave to actually make my points. I was going to keep my mouth shut, but since you seem to have quite a healthy mouth on you yourself...
1. First, I have to make a point about the "gay" comment. I am not gay, but despite that, in this 21st century, if you think that sexual orientation is a good source of insult, or that someone should be discriminated against due to sexual orientation, you need to grow up.
2. Llama?
3. We here at AntiOnline consider ourselves White Hat hackers - that is to say, we don't do anything that hurts other people in our hacking. Have you ever driven over the speed limit? Downloaded an MP3? Jaywalked? Let he who is guiltless cast the first stone.
4. "I was wondering why you think that finding a security hole in someone's system is ok. Even if you tell them about it and how to fix it."
I was wondering why you think that coming in here with your holier-than-thou attitude and telling us what to do is ok, but then that's just my opinion, and it's obviously not as important as yours.
5. "In my opinion "helping them" is wrong."
I'll keep that in mind in regards to you.
6. "Oh yea by the way 2600 is full of hacker ideology and propaganda. Just look at how they talk about Kevin Mitnick and everything as if he wasn't guilty. Read it with an open mind approach and you'll see it's all propaganda."
So is everything that you are saying, just on the other side of the street, so to speak.
p.s. you should spellcheck your rants.
I think that will do for now.
SSJVegeta-Sei
IMO,
In one sentence, it's okay when there is no intent AT ALL to be malicious or read not publicized information about or on the network, it is not okay when there is an intent to be malicious or read information on or about the network.
how about if you tried someone's door when they were not home, found it unlocked, but didn't enter. later you called them from a phone booth to tell them, without incriminating yourself. that is neither immoral nor illegal.
Quote:
In my opinion "helping them" is wrong. It's just like going to someone's house and breaking in non-destructively then telling them how you got in there or just breaking in to learn about lock picking.
not as much fun as computer security but the same principle.
we now live in a world where you can get sued for helping someone who's hurt. Does that mean you can no longer help anyone? No, you can help someone in spite of the law, not give your name and take off when it's over.
there are good hackers and bad hackers, the good ones tell whoever has the problem the problem and they fix it but black hackers take advantage of that and use it for blackmail or money which is wrong
Well let's consider the definition of wrong thanks to www.dictionary.org:
Quote:
1]Contrary to conscience, morality, or law; immoral or wicked.
2]Not required, intended, or wanted.
According to the first definition reporting a hole to an admin is not wrong, you are doing something that is totally un-selfish, and using your valuable time to do it! But, if you consider the second definition, you will see that your reporting the hole was not required, the hole was not intended to be there, and your help was not wanted from the admins so the fact that you are a whitehat who wants to help the computing community makes no difference. You're goin' to jail (maybe).
I believe that if you're going to search for an exploit in a system then you must either use it to your advantage or report it, if you do nothing then you do not exemplify what I believe a hacker or a security buff is. If you do report it tho, don't take credit for the find or...post it on a popular vulnerability website where the admin will eventually hear about it and then all those who read it will know that you "L33TgUy" found the exploit and then there is no case against you because it cannot be proven.
It depends also on WHAT kind of exploit we are dealing with here. If I am testing a company to see if I can do a buffer overflow or DDOS attack, and I start crashing systems. Then I have done damage, and even though I can tell them how to fix it...they will be intimidated and push the full extent of the law in my face.
However, IMHO, if I find an exploit that gives me some sort of user or (heavenly granted) administrator/root level access...but does no damage to the system, then I do believe you have done the company a good thing.
The problem with paralleling this to a house, is that no one will attack a house, or I should say put much effort into a house. Likewise I will not put much effort into hacking Joe-Blow's computer downstairs, but instead I would pool my resources to strike at ebay or something.
So if we change our metafor (or however you spell that) to that of breaking into a billion dollar holding bank...then instead of stealing you tell the security where they were lacking....I doubt they will harm you. You have indeed helped them, and shown your good and honest heart
First of all I’m sick of hearing the whole hacking is like breaking into someone’s house bit.
Second you tell me which is worse.
1. Hacker finds hole in system and tells system admin, no harm done right?
2. Hacker finds hole but does not tell system admin because he’s afraid he will get in trouble. Next day evil hacker number 2 comes along and finds same hole and causes lots of damage.
to make a parallel with a house is a good idea because ur computer is ur property and contains private info just like ur house...
It's illegal to use hacking techniques to penetrate an unknown system. Most times when security flaws are found it happens in one of two ways:
1. A smart guy sets up his computer and tests it for security flaws with another of his computers. He owns both machines and thus the law is intact.
2. A pro is hired by a firm to do a security check-up, he finds some new and voila he gets a bonus... a professional hacker...
I would have no right whatsoever to e.g go and see if someone's front door was left open. I do however have the right to leave my own front door open and use my own house to make a point or test something. In court there often isn't much doubt about computer crime. If you penetrate a system you don't have the right to be accessing then you break the law, where the big troubles start is when the judge has to figure out how big a sentence the computer criminal should have. And we all know that 5 years behind bars for defacing a website is insane but it happens.
Many of you AO users might think that trying to access someone's 'puter isn't illegal because, what's the big deal, right? And often it isn't a big deal but it can be and that's why it's illegal. So to hack legally simply make your breakin attempt the same way that you might make a physics experiment. that's the only professional way to do it, and oh yea, probably also the only 100% legal way :D
this is a typical problem for many hackers. but normally when a hole is this situation the hacker almost stumbled upon it. This means that the hacker didn't do anything out of the ordinary to find it. If that's the case then simply tell the admin and if he starts to make any trouble then don't worry because if the security flaw was that obvious then the admin will get his ass kicked in court.
Quote:
Originally posted here by cwk9
First of all I’m sick of hearing the whole hacking is like breaking into someone’s house bit.
Second you tell me which is worse.
1. Hacker finds hole in system and tells system admin, no harm done right?
2. Hacker finds hole but does not tell system admin because he’s afraid he will get in trouble. Next day evil hacker number 2 comes along and finds same hole and causes lots of damage.
Also we have the right to observe. Hackers (any1 actually but it's mostly hackers who know howto) may drag all the info out of a system that the system leaves open to the public. But if this info shows a security hole then the admin must be contacted at this stage and not after the hacker has broken into the system. If the hacker breaks in, he/she breaks the law. it's ok to find errors but if the hacker wants to test his theory he must do it on a system he has the right to mess with...
about the "sick of the house bit". yea it's used often but it makes everything so very clear. of course u can't fully compare a 'puter with a house but it has to be compared with something. how else will we know if something is wrong? to know if something is good we must know when something is bad. we judge by comparing things... :) but maybe we can find some alternative to the house parallel...
i'm sure that somebody might come with "dude, don't be so pessimistic" but sometimes you just have to be. the problem with all those laws is just the past. i mean if there wouldn't have been any "accidents" with computer security, we wouldn't have all those laws about it. and our society would certainly have another view of us and wouldn't get its picture from movies like swordfish or all the other bullshit that's going around. i mean, we are freakin humans, and a part of that is that we are more likely to remember bad things than good things. nearly nobody around us knows, that hackers were the ones who made the internet accessible to the public (which is actually not true, cuz porn did it, but hackers were the ones who built the first network, if you can call those guys hackers, cuz today's definition of a so called "hacker" has been totally changed by mass media and government), hackers still are the ones who make internet safer every day by exploiting. exploiting isn't bad, it can't be, you just try to figure out the world round you and what the hack is bad in that? what made it bad is false media reports on hackers that illegally "hack" into something to steal information or enrich themselves. but there we are already at another human weakness, egoism. personal enrichment, abuse of information and so on.
but this post wasn't designed to talk bout the weaknesses of humans (although i kinda did), it was designed to talk bout some major issues. we can't change the past (not yet :) ), so we gotta live with the present. and if we have some stupid ass laws bout that stuff, well, then we gotta deal with it and find ways to get around it, and to say something to the person to start the thread: just try it anonymously, you might not get the credit, but you also might not get the problems. at least you get the experience, that one is priceless and nobody can take it away from you.
I agree. It's mainly a matter of: Are you after the credit or possibly a job with them? or Are you after problems and wanna avoid it. I think that you need to look at the goals of what you're doing and base it from there.
today's cybercrime laws suck... big time! and innocent hackers get their asses in trouble way too often. And even when it's the real cyber criminals who get caught they get way too big sentences. this is a serious problem. And remember, hackers don't break the law because they don't abuse their knowledge.
but it's like I posted it earlier... We are legally allowed to grab all the info open for the public we can find. So we query ports etc. without breaking the law. or so we thought... hehe
Big firms might actually sue someone just because they see your IP in their log-files way too many places and because it pops up in their IDS. They don't really have any proper proof (because, hey the law wasn't really broken) but they do have money and a big bunch of extremely good lawyers..
the ugliest about this is that their own webserver probably automatically does all the same things against all their customers that the hacker did to them but they got pissed. this is where the law fails. and this is just one of many examples... a whole new law is needed.. a law made by hackers and computer experts in cooperation with government. the problem today is that it's just a bunch of dumb win98 using politicians who are sitting and accepting all new cybercrime bills... they don't know **** about 'puters! (most of 'em don't)
they seriously see any hacker as a potential terrorist...
Anything written is propaganda. The menu at your local favorite restaurant is propaganda. It entices you to BUY MORE. They have an agenda. The local daily newspaper has their own agenda. I have an agenda. By writing this reply, I want to sway your opinion. Same as the message originally asked of this group.
Quote:
Originally posted here by Viperbite
In my opinion "helping them" is wrong. It's just like going to someone's house and breaking in non-destructively then telling them how you got in there or just breaking in to learn about lock picking.
Actually, it's more like finding the door to your neighbor's house standing wide open, with the keys still in the lock. I don't have to break into other people's computers to learn, but I will never own as many systems as are available on the internet. Does this mean that I launch attacks against random hosts with wild abandon? Absolutely not! But if I notice that my ISP is running an unpatched copy of ProFTPD, I'll tell them about it.
And tell them. And tell them again.
The problem here involves tape monkeys and SysAdmins who have a plateful of issues before I dragged my sorry-ass along with this eensy teensy vulnerability in a service that has worked quite well for the past 2 years, Thank-You-Very-Much. The last thing the IT department needs is some project to get done before midnight. Now I could shrug my shoulders and say "Oh well, not my problem." But I'd be wrong. It's my ISP, and it's a service I use, and it damn well IS my problem. Could I complain? Yes, but that's just pointing fingers and not getting the job done. I could fix the problem myself, but loading new software on a system would invariably cause more havoc when it's discovered that some script will not run, or the host keeps crashing, and honestly, I just don't know enough about the network to be able to make that kind of decision.
The question here is, how do I make it apparent to the people who need to know that there is a problem. I've found that the quickest way to do this is send a message from root to root, stating the problem, and also giving information on a solution. This is white hat. This is what I practice. Any system, service, or network I use needs to be secure. I want to be able to trust this ISP, or that email server. And honestly, when my DSL router gets shipped to me without a login or password set, I get anxious.
Quote:
Oh yea by the way 2600 is full of hacker ideology and propaganda. Just look at how they talk about Kevin Mitnick and everything as if he wasn't guilty. Read it with an open mind approach and you'll see it's all propaganda.
Don't decry propaganda until you understand how it works and permeates our society.
xactly, propaganda is the only thing we got left as i said before, and if you don't understand it then just keep it for yourself, cuz it's a shame. everybody knows that you can't trust the media. cuz the media is run by big companies and controlled by government (think bout that), so everybody who believes the media might as well believe in ET or the happy future your government says you're gonna live, **** that ****, seriously.
and i don't think too that those idiots up there have any idea bout 'puters, otherwise they wouldn't make that big bullshit out of it.
I'm a little late in replying to this one, but just thought I'd put in my $0.02 on the "house/security flaw" issue. Almost anyone can walk up to a house to test the lock...but how many people even know HOW to find the 'house' when it comes to locating flaws in server/network security? I would like to think that most people that CAN perform such feats would enjoy notifying the proper people upon finding such holes. Kind of that warm and fuzzy 'I'm actually helping people' feeling. Laws be damned, eventually people will drop their pride and celebrate being notified of a hole that could have been a major disaster for their particular entity(company, VPN, home gaming system, whatever...) Hell, some people get paid mega-$ to do exactly that...but just because someone on the outside does it, it becomes illegal, even if no malice was intended? That's f***ed up. The laws that govern the exchange of digital information are outdated, and are based mainly in fear and a kind of 'cyber'xenophobia.
Hackers = good, and I'm forever impressed by their skills and what they use them for; Crackers=bad, and while I'm still impressed by their technical skills, their sense of morality and justice are severely flawed.
The powers that be need only recognize the difference and adjust the laws accordingly...it must be possible by now, don't you think?
Ouroboros
Isn't it funny how some kiddies come here not knowing a damn thing about hacking and try to run us into the ground. If you don't agree with this web-site and others like it....then stay the **** away and quit wasting our time with your ignorance.
yes the laws need to be changed... but the problem is to get past the money issue... big corporations have money, most hackers don't.. which means that hackers lose in court and big corporations buy power from the politicians and use that power to make more money so they once again can buy more power... u follow me, hehe... if there's power to take, they'll take it... not for any special reason, they just feel they need it... (ok, money is always a reason to them)
Quote:
Originally posted here by Ouroboros
I'm a little late in replying to this one, but just thought I'd put in my $0.02 on the "house/security flaw" issue. Almost anyone can walk up to a house to test the lock...but how many people even know HOW to find the 'house' when it comes to locating flaws in server/network security? I would like to think that most people that CAN perform such feats would enjoy notifying the proper people upon finding such holes. Kind of that warm and fuzzy 'I'm actually helping people' feeling. Laws be damned, eventually people will drop their pride and celebrate being notified of a hole that could have been a major disaster for their particular entity(company, VPN, home gaming system, whatever...) Hell, some people get paid mega-$ to do exactly that...but just because someone on the outside does it, it becomes illegal, even if no malice was intended? That's f***ed up. The laws that govern the exchange of digital information are outdated, and are based mainly in fear and a kind of 'cyber'xenophobia.
Hackers = good, and I'm forever impressed by their skills and what they use them for; Crackers=bad, and while I'm still impressed by their technical skills, their sense of morality and justice are severely flawed.
The powers that be need only recognize the difference and adjust the laws accordingly...it must be possible by now, don't you think?
Ouroboros
that's the way it is. money is nearly always the issue. so why don't we just take all our money and burn it. would be hell of a fire. and we would do somethin against inflation too. :)
Besides the obvious answer, the destruction of hard currency is illegal in most countries ;).
Quote:
that's the way it is. money is nearly always the issue. so why don't we just take all our money and burn it. would be hell of a fire. and we would do somethin against inflation too.
Firstly I know I go on about this analogy but hacking skills are like a martial art, they are skills; it is the INDIVIDUAL who decides how to use those skills. Just because you can kill someone with a single strike does not mean you will, but an individual might. The laws on cyber crime are too excessive in my opinion; it's like saying that every martial artist should never use or practice their skills. The law for martial arts tends in most cases (though there are exceptions) to be that if martial artists use their skills responsibly and practice them with the consent of those with whom they are practicing, with no harm, then it's all legal. Now moving this into the “hacking” discussion, entering a system through a hole and altering the network of this hole is a good thing in theory though as many have stated this can be risky. Moving back to martial arts for a second, for a long time on a specific move I dropped my left hand opening my chin for a good belt to it, it was not until this was pointed out to me that I sorted it, this could have been dangerous in the fact the technique was used against a knife attack, if a REAL attacker saw this they could have put me down and well I would have been ****ed. This is the same as computer security, if you have a weakness it can be used, if the person using it has no intent of causing harm and informs the network/company of this fault then yes they have done a service and yes the company should be grateful. If the person causes damage in any way to the company through either the access or by publishing information that leads to the company being harmed that is wrong and should be legislated against, at the moment this is not the case, the laws are too tough and have a serious lack of understanding, this needs to change. On a lighter note if you really want to have a laugh at some of the laws still in power have a look at this site.
Kindred69
It's not ok, unless they request your help.
Quote:
Originally posted here by Viperbite
I was wondering why you think that finding a security hole in someone's system is ok. Even if you tell them about it and how to fix it.
Regards,
T6286
Everyone has the right to their opinion, you don't have to like it or agree with it.
Like the saying goes, "opinions are like *******s, everyone has one".
Crimina1
And some of us have two!
Quote:
opinions are like *******s,everyone has one
Something similar to this thread happened to a relative of mine. My uncle (The one responsible for my addiction to computers) is the administrator at Revenue Canada in Toronto. He was surfing the net one day and found instructions on how to "hack" your system/network. He gave it a try and it worked. He went and told his boss who was ecstatic about the find and thanked my uncle. However, when his boss to his boss, he did not see it the same way and put both my uncle and his boss on suspension, pending an investigation. The investigation lasted 5 weeks (no pay) and the end result found my uncle was in good intentions. Then, my uncle had to take legal actions towards his employer to receive his backpay. (Which he did)
Basically, it all boils down to the perception of the person... or the eye of the beholder.
Don't ask. Don't tell.
-Bill Clinton-
:cool:
Well, here is my 0.02 part. First a reality check, most systems employ a firewall of some sort now so budding white hats even have a problem because even if you get past the wall and onto a server are you so sure the logs reside upon that server? Yeah the script kiddies abound mostly. My point is what is the motivation to explore a network that does not belong to you nor do you pay for? To find out how it works. Sorry I'm a butt head Admin person, those systems you pound away at are usually small business as in under 500 employees. My own system has about 50 users, between them and the script kiddies I have to filter out so much noise. Would I appreciate a person breaking into my system, the answer is NO, why, cause while the info is great you may not have any knowledge of the business, their services and the employees and if they even have the way to pay for or assure that some outside geek consultant is securing the network or setting up the next visit. Forget the rattle the door analogy, you find one open, fine, a phone call gets more attention than an email. It's a simple concept called respect. You find an open door on the block, do you knock, see if anyone is home, if not close and lock the door? Will I be ok, thanks perhaps if I have an open door, hard to say, you mess with my 5 boxes and about 38 million a year of business that resides on them, expect me to get pissy, LOL just like the company that stole our entire web site and I watched them change stuff live on-line! Yeah oh butt puckers it got a Federal Copyright Complaint, they stole about 50k worth of stuff they did not develop..Money is always an issue especially when you pay for it and someone else just takes it. Respect but the knowledge you have and all those small business that have to hire a rent a geek to fix their systems and also set them up for the next visit :-) Who is really screwing who? Act with ethics and respect that is what you get :-)