Honeypots mailing list archives

RE: Hacker Research


From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 10 May 2004 11:51:41 +0200

Lance: this is a bit off-topic, but I would be much obliged if you'd let it
through.

Hi Jerry,

I actually went to your site to look at the questionnaire, with the intention
of filling it out. 

I ended up being so disappointed by the questions you were asking, that I
didn't bother.  

As for the constructive part:

1. Why do you focus on hacking web sites for all imaginable reasons? I do
not believe that anyone hacks web sites. Most people hack computers, or
really they convince programs running on those computers to do things they
were (often) not intended to do. 
1a. You also need to define hack. If I go to a poorly protected web site,
and it is faster for me to use "1' or '1=1" (without ") as a password than
it is for me to look for my actual password which is about 90 digits long,
is that a hack? or is that not a hack, because I have legitimate access to
the site? 
As far as the many hacking questions, a recommendation: define them more
exactly, and try to ask them more precisely. Hacking != Hacking

2. In your first 'moral test' (workers stealing tape transcripts) you seem
to lack any understanding of the (American? what about international?) legal
system(s). Admissibility of evidence is a complicated topic, but there are
certainly scenarios in which the evidence gathered would be admissible in
court. Did you consider that the workers may have evaluated risk, and chosen
to take that risk to achieve a goal? Etc. etc., this could go on. I see that
the test was not in fact written by you, but that does not excuse you from
needing to fine-tune the questions to fit a 'hacker mindset' (if there is
one) or from understanding how to ask questions to get the information you
need. That test may be fine for John Q. Public, but I would anticipate that
the average hacker has more understanding for the vagaries of legal and
moral systems, and needs more exact information. You are probably thinking
that I am showing loose moral character by focusing on that question,
however, it is not irrelevant --> Would your answers to the question change
if I added these two sentences at the end: 'The two workers then fax copies
of the transcripts to the union as well as to the police (without removing
them from the building, or sullying the evidence). They append a page to the
fax sent to the police saying 'We (our names here) have broken into the
offices of (our company here) in order to retrieve these transcripts, which
are proof of our management's illegal activity. Please come and arrest us,
we accept the consequences.' 

So anyway, what I'm trying to get at is that you need to ask better
questions. If you want good data, don't leave your questions vague and open.
Define them with surgical precision, like any experiment following the
scientific method would, so that only one variable is unknown. Then ask
people to respond to that variable. 

Otherwise, you end up with things like this:

n. Did this email help/annoy you?
1. Least 2. Little 3. Mittle 4. Much 5. More

Cheers, looking forward to Questionnaire v2.0

Chris Meidinger
IT Technology and Services

badenIT GmbH
Innovationstechnologie für Ihre Zukunft

Tel. +49 761 279 2280
Fax. +49 761 279 2200

Tullastrasse 70
79108 Freiburg
Deutschland 

-----Original Message-----
From: G Steube [mailto:mathguy () verizon net] 
Sent: Tuesday, April 27, 2004 8:53 PM
To: honeypots () securityfocus com
Subject: Hacker Research

Hi!

 

I am doing research about white hat hackers and ethics.  I 
would appreciate your help in completing a survey at 
http://www.whitehathackers.org/.  If you know of other people 
who might be interested in completing this questionnaire, 
please give them the web site address.  Thanks for your help.

 

Jerry

G. Steube



