BreachExchange mailing list archives

Re: Details on AOL search log disclosure


From: security curmudgeon <jericho () attrition org>
Date: Tue, 8 Aug 2006 18:54:01 -0400 (EDT)


: Now that we all have the list -- how ethical are we being by using it, 
: for whatever purposes?
: 
: Which ethical guidelines apply in this circumstance?
: 
: (would type more but sliced hand opened a harddrive last night)

Hopefully more will pipe up on this issue, especially any lawyers 
lurking around.

There are a couple issues that I see here. First, having the list in 
general can be debated. If I have such a list, is it unethical? It depends 
on how I obtained it really. If I hack a server or trick a person into 
giving it to me, no. If I get it from a popular torrent site and thousands 
of people are reading through it as I download it, I'd say no. Just 
possessing it in that circumstance isn't necessarily unethical but again, 
what am I doing with it? Another key point to think about when debating 
the "possession of such a list" angle, is if the victim knows about the 
disclosure. In the case of the AOL list, they know it was leaked out so I 
don't see myself (or anyone on this list) having an obligation to report 
it to them. If I was under the impression that AOL wasn't aware, it would 
be an ethical duty to report it to them or law enforcement.

Moving on from that issue, once we have the list and resolve any ethical 
dilemma in possession.. what are we doing with it? Anyone doing analysis 
on the content of the list attempting to determine the extent of 
disclosure, I don't see a problem with that. Obviously if you are browsing 
it looking for sensitive information to use in a crime or questionable 
activity, sure it crosses the boundary of ethical use.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 296 incidents over 6 years.