Thread: Hacker Ethics Question

  1. #11
    Junior Member
    Join Date
    Jan 2003
    Posts
    10
    I don't care if the hacker is doing it to "show" me my weakness. I don't like other people poking through my stuff. What I say to do is to find out who he is and poke through his stuff...

    (then lock down my server, etc)
    hehe
    -MCali

  2. #12
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    First, let's change thief to intruder then.

    And second, in the real world, if you scan any mid to large size corporate network, and probably small ones as well, the Administrators are not going to be happy (assuming that they find out what you are doing), for a start how do you convince the Admin that you did nothing wrong?

    There could also be IDS which you will trigger, which creates alerts and wakes admins up at 2am and makes them unhappy as well.

    Also, many companies will have a corporate security policy drawn up by management which will likely state that any scanning conducted against their network must be authorised by them, so you are therefore in breach of that and get in trouble that way.

    So, I would tread carefully when thinking about any kind of white hat scanning; it's good in theory but you could well upset people and get yourself into trouble. Especially with everyone being as paranoid as they are right now about cyber terrorism and the like.
    Quis custodiet ipsos custodes

  3. #13
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Someone who finds a weakness in your home's security and uses that to enter your house, but does not steal anything, is STILL GUILTY of breaking and entering. Same goes with computer systems: if they gain unauthorized access to my systems by utilizing a security hole, they are breaking and entering.

    Scanning is a bit of a different matter. If you just port scan my network, it will annoy me, but you really have not done anything wrong. Although why would you be portscanning me, if not to find out what services I am running that you may be able to exploit.

    However, the vulnerability scanners, like those used to determine whether a webserver is vulnerable to a directory traversal exploit, actually attempt to break into the system, if only minimally.

    Bottom line is this: certain people and organizations have been given certain rights to data/services on my systems. Everyone has been given access to read a website for example, but only certain other people have access to do other things. If someone not on that list is attempting to access some service they have not been given permission to access, such as by trying to use a vulnerability in a webserver to execute commands on the server, they are without question guilty of attempting to break into my systems.

    Preventing these people access is what firewalls and security etc are all about, if I have done a good job, these people are kept out. If I have not done a good job or someone else does something really really stupid without my knowledge, they get in. In either case, they are breaking the law by attempting to break into my systems(IMHO).

    If I wanted your (white hat) help securing my system, I would ask for it, and pay you appropriately. I would also sign a contract stating that I had given you permission to conduct these activities. If anyone attempts to get in without that permission, with whatever intentions, they are going to get into a mess of trouble.

  4. #14
    Senior Member
    Join Date
    Jul 2001
    Posts
    343

    Computer Ethics

    Better Be Careful on that....
    It cost me 50 grand in lost sales and legal fees
    when I did something similar.....

    http://www10.brinkster.com/cecomet/

    Not all Admins are receptive to being told they
    do not have a secure system.
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  5. #15

    Well, it might be quite hard to be sure that the intruder didn't do anything. Ok, he/she said so, but would you believe? To be sure, you will need to do an extensive check (and costly), and very often, restore things from backup. Not destroying any data doesn't mean they didn't have access to it, and it may be quite sensible. Having CC numbers stolen is way worse than having a webpage defaced..
    Like it has been said, the person is already guilty for breaking into the computer. One could pay for a penetration test, but in this case, every party agrees with the terms. I think it would cost some thousands of dollars.
    Resuming: even if nothing has been changed, checking for it and being annoyed because of the incident is already enough to upset the admin or even cause damage/money loss. I wouldn't have a good time if I were the sysadmin.

    <sarcasm @ kiddiots>Wait! Defacers do it for free! (j/k). And if you notice the defaced pages, they always put their emails there, so that the administrator can get in touch with them... explain this to me: do they actually want a job? Lol.. (it's not intended to be taken seriously...)
    </sarcasm>

    Found in a diary:
    ".... and yes, since i am a l337 hax0r, i am also using vi to write this. ^[[D^[[B^ exit ^X^C quit :x :wq dang it :w:w:w :x ^C^C^Z^D"

  6. #16
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Er Frank...... I don't think what you did can be classed as hacking..... I believe that you need to have passed through some form of warning or security into an area that you would not normally be allowed into to have it considered hacking..... specifically you must have "broken into"......

    You were an authorized user of their system and had been given a username and password to authenticate yourself to their system. They, in turn, granted you access rights to portions of their system. It was they, not you, who granted you rights to areas that they did not wish you to see and therefore they granted you the right to see that data. They are the ones that control the ACLs and determine your access. You simply went where they had granted you rights on their system. It was their problem all along...... and their problem was incompetence, (the rights were improperly granted), negligence, (their system was clearly not tested by an independent security audit), which in turn led to the potential, (probable), disclosure of confidential client information, (which has a detrimental effect on their share prices when the info goes public).

    Question: Why did you not go on the offensive?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #17
    Junior Member
    Join Date
    Oct 2002
    Posts
    20
    Although this sounds benign, I am always skeptical of an intrusion whether or not the intruder claims his/her intent was not malicious. Why would they want into my system in the first place is the question I would have to ask myself and for the life of me I cannot come up with a benign answer....

  8. #18
    Junior Member
    Join Date
    Feb 2003
    Posts
    2
    I went home and really thought this all over. I think what this comes down to is that I personally would not mind knowing the flaws on my system. I understand that company policy may mean that I would have to prosecute and that is unfortunate. After really putting my mind to it, I think that the breaking in is where the line is crossed. I was just curious as to how real system admins feel. I am not good enough to be called a white hat and am not quite old enough to be a system admin but the world of computers is a world all its own.

  9. #19
    Senior Member
    Join Date
    Jul 2001
    Posts
    343

    Read Carefully

    No I did not HACK or CRACK into the server
    I had at the time, every right to access
    the server via my FTP access to my website
    at the time.

    Their system at the time was completely open..
    You could browse any part of the server via your
    personal FTP access and at the time were the only
    game in town.

    Please read what happened real carefully.


    Like I said also some ISP's may not be very bright
    when it comes to their own security

    I could not find a lawyer who would go after that ISP.
    I feel the lawyer who went after them would have cleaned house.
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  10. #20
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Frank: I didn't accuse you of either...... In fact, quite to the contrary, I thought I laid out the fact that by definition you only went where an, (albeit numbskull), sysadmin said quite clearly in his ACL's where he wanted to let you go as an authorized user of his public resource.

    What was it with the lawyers?????? Unlike them not to smell blood in the water......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
