funsec mailing list archives

Re: So, did the BBC cross the line?


From: nick hatch <nicholas.hatch () gmail com>
Date: Sat, 14 Mar 2009 14:36:34 -0700

On Sat, Mar 14, 2009 at 1:41 PM, Gadi Evron <ge () linuxbox org> wrote:


> These, of course, are just my opinion. Further, while my ethical convictions
> on this issue are strong, I am unsure how long they will remain practical.


Indeed. IRC serves as a good metaphor to conceptualize the C&C structure of
botnets, but it seems clear that passive observation via an accessible
channel (whitest of white) is not often a feasible option anymore. At this
point, you're going to /need/ to execute code on clients for even the most
basic of research, which could be conceivably illegal.

If one assumes that the bot itself is unwanted by the owner, one could view
the communications of the bot as tainted and wholly outside the concerns of
the owner. (I've heard similar arguments used to justify IDS/remediation on
campus networks when privacy concerns are raised.) From this view,
interacting with the network for passive-ish surveillance would be fair
game: you're not causing their computer to do anything different from what
it was doing before. Cautious poisoning of the C&C could arguably be on the
light side of grey, because you're disrupting the communications which were
never authorized in the first place.

Sending spam (even to an endpoint under your control), playing with your new
bot-cat, uninstalling the bot, etc. are all actions which are fundamentally
different from what the bot was doing at idle, are unauthorized, and could
affect the OS or network of the client. Seems that everyone agrees that
things are pitch black by this point.

Gadi's examples make a lot of sense to me.

-Nick