Firewall Wizards mailing list archives
Re: Re: Ethics, morality and the industry
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Sun, 31 Oct 2004 19:53:54 +0530
On 31/10/04 01:09 -0500, Vin McLellan wrote:
> <snip>
> Personally, I think guys like Abagnale and Mitnick reek of self-aggrandizement and cheap thrills, but someone like Randall Schwartz -- who was praised by someone in this thread -- is far more dangerous because of his long campaign to cloak his egregious behavior as an Intel contractor with a patina of remorseless self-righteousness. System admins who go bad worry me more than hackers.
As I have heard of it, Randall was convicted because he did not have the authorization to run a password cracking program. It was never claimed that he actually broke in, destroyed or accessed confidential data, merely that he ran a program that would have enabled him to do so. He also did it to point out a known weakness (and that is still the biggest weakness to enforceable security that we have). IIRC, he also ran the crack program after telling management about it, and finding them lax about the issue because it wasn't shown to be sufficiently dangerous.

IMO, full disclosure is analogous to this situation. Companies will not react until exploits are published, hence the only way to get them to act is to make a working exploit public. Announcing that a host has weaknesses is bad. Making those weaknesses public and specifying the host(s) concerned is criminal.

For example, consider the statements:

  There is a bug in software foo which can lead to root.
  The host bar is running software that can [possibly] be exploited.
  The host bar is running software foo with the exploit baz <a>here</a>

The first is acceptable, within the guidelines of full disclosure. The second, sent to the administrator(s) of the host bar, is acceptable. Publishing it to the world /may/ be acceptable, if the site is large enough and public enough to create a large risk (for example, the recent XSS vulnerability in gmail). Publishing the third is just criminal.
> Malware authors, the arsonists of cyberspace, are a special case, but I haven't seen anyone yet celebrating their own orgy of destruction on the conference circuit. Of course, without someone like Murray or Schmidt drawing a moral line -- and their peers endorsing their decision -- I suspect we would see them too on a CSI conference program before long.
That point is valid. The question, as always, is where the line should be drawn, and the answer, as always, is "It depends on who is drawing the line".

Mitnick and Abagnale exposed a hole in the security architecture. We depend on the users to not violate protocol. There are no defenses against user failure. There has been enough ranting about bad software development techniques that most serious programmers understand the need for writing secure code. The people who need to know about bad user practices are the management. So if Mitnick is preaching to them about how he broke the unwritten assumptions of security practices, and that is something that they have not yet understood, then it is a good thing. If Mitnick is preaching to the converted, it is a bad thing.

Morality is generally contextual.

<extreme example>
Killing is bad. Killing those who are trying to kill you is not necessarily bad. Killing for food is not necessarily bad, but slaughtering animals for fun is. If you are a Jain, then all killing is bad. If you are not, then killing may be bad depending on context.
</extreme example>

All of us draw our own lines of where we stand on different issues. Some may do so more publicly than others. In the grey area where actions may be classified on either side of the line by different people, I prefer to let everyone keep their own principles and stand by those. I stand by mine. But whatever you choose to do, stand by your principles. That stance will always have my applause.
> "Netsky, Blaster, and me: What I did during my summer vacation and why it is all the users/vendors/network's fault that Cyberspace burnt."
What is a vacation? <g, d & r>

Devdas Bhagat

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards