BreachExchange mailing list archives
Re: Details on AOL search log disclosure
From: security curmudgeon <jericho () attrition org>
Date: Tue, 8 Aug 2006 18:54:01 -0400 (EDT)
: Now that we all have the list -- how ethical are we being by using it, : for whatever purposes? : : Which ethical guidelines apply in this circumstance. : : (would type more but sliced hand opened a harddrive last night) Hopefully more will pipe up on this isssue, especially any lawyers lurking around. There are a couple issues that I see here. First, having the list in general can be debated. If I have such a list, is it unethical? It depends on how I obtained it really. If I hack a server or trick a person into giving it to me, no. If I get it from a popular torrent site and thousands of people are reading through it as I download it, i'd say no. Just possessing it in that circumstance isn't necessarily unethical but again, what am I doing with it? Another key point to think about when debating the "possession of such a list" angle, is if the victim knows about the disclosure. In the case of the AOL list, they know it was leaked out so I don't see myself (or anyone on this list) having an obligation to report it to them. If I was under the impression that AOL wasn't aware, it would be an ethical duty to report it to them or law enforcement. Moving on from that issue, once we have the list and resolve any ethical dilemna in possession.. what are we doing with it? Anyone doing analysis on the content of the list attempting to determine the extent of disclosure, I don't see a problem with that. Obviously if you are browsing it looking for sensitive information to use in a crime or questionable activity, sure it crosses the boundary of ethical use. _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 142 million compromised records in 296 incidents over 6 years.
Current thread:
- Details on AOL search log disclosure lyger (Aug 07)
- Re: Details on AOL search log disclosure Dennis Opacki (Aug 07)
- Re: Details on AOL search log disclosure Chris Walsh (Aug 07)
- Re: Details on AOL search log disclosure Joshua Reich (Aug 07)
- Re: Details on AOL search log disclosure lyger (Aug 07)
- Re: Details on AOL search log disclosure security curmudgeon (Aug 08)
- Re: Details on AOL search log disclosure Jon Passki (Aug 10)
- Re: Details on AOL search log disclosure Joshua Reich (Aug 07)