Firewall Wizards mailing list archives

Re: Re: Ethics, morality and the industry


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Sun, 31 Oct 2004 19:53:54 +0530

On 31/10/04 01:09 -0500, Vin McLellan wrote:
<snip>
    Personally, I think guys like Abagnale and Mitnick reek of 
self-aggrandizement and cheap thrills, but someone like Randal Schwartz --  
who was praised by someone in this thread -- is far more dangerous because 
of his long campaign to cloak his egregious behavior as an Intel contractor 
with a patina of remorseless self-righteousness.  System admins who go bad 
worry me more than hackers.

As I have heard of it, Randal was convicted because he did not have the
authorization to run a password cracking program. It was never claimed
that he actually broke in, destroyed or accessed confidential data,
merely that he ran a program that would have enabled him to do so.

He also did it to point out a known weakness (and that is still the
biggest weakness to enforceable security that we have). IIRC, he also ran
the crack program after telling management about it, and finding them
lax about the issue because it wasn't shown to be sufficiently
dangerous.

IMO, full disclosure is analogous to this situation. Companies will not
react until exploits are published, hence the only way to get them to
act is to make a working exploit public. Announcing that a host has
weaknesses is bad. Making those weaknesses public and specifying the
host(s) concerned is criminal.
For example, consider the statements:

1. There is a bug in software foo which can lead to root.
2. The host bar is running software that can [possibly] be exploited.
3. The host bar is running software foo with the exploit baz <a>here</a>

The first is acceptable, within the guidelines of full disclosure.

The second, sent to the administrator(s) of the host bar, is acceptable.
Publishing it to the world /may/ be acceptable, if the site is large
enough and public enough to create a large risk (For example, the recent
XSS vulnerability in gmail).

Publishing the third is just criminal.

    Malware authors, the arsonists of cyberspace, are a special case, but I 
haven't seen anyone yet celebrating their own orgy of destruction on the 
conference circuit. Of course, without someone like Murray or Schmidt 
drawing a moral line -- and their peers endorsing their decision -- I 
suspect we would see them too on a CSI conference program before long.

That point is valid. The question, as always, is where the line should
be drawn, and the answer, as always, is "It depends on who is drawing
the line".

Mitnick and Abagnale exposed a hole in the security architecture. We
depend on the users to not violate protocol. There are no defenses
against user failure. There has been enough ranting about bad software
development techniques that most serious programmers understand the need 
for writing secure code.

The people who need to know about bad user practices are the management.
So if Mitnick is preaching to them about how he broke the unwritten
assumptions of security practices, and that is something that they have
not yet understood, then it is a good thing. If Mitnick is preaching to
the converted, it is a bad thing. 

Morality is generally contextual.

<extreme example>
Killing is bad. Killing those who are trying to kill you is not
necessarily bad. Killing for food is not necessarily bad, but
slaughtering animals for fun is.
If you are a Jain, then all killing is bad. If you are not, then killing 
may be bad depending on context. 
</extreme example>

All of us draw our own lines on where we stand on different issues. Some
may do so more publicly than others. In the grey area where actions may
be classified on either side of the line by different people, I prefer
to let everyone keep their own principles and stand by those. I stand by
mine. But whatever you choose to do, stand by your principles. That
stance will always have my applause.

    "Netsky, Blaster, and me: What I did during my summer vacation and why 
it is all the users/vendors/network's fault that Cyberspace burnt."

What is a vacation? <g, d & r>

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards