Honeypots mailing list archives

Re: what to do with a script kiddie


From: Dave Dittrich <dittrich () u washington edu>
Date: Sun, 5 Jun 2005 16:18:33 -0700 (PDT)

(I'm going to weigh in on this quickly, while the discussion is still
fresh.)

Lance Spitzner wrote:

On Jun 4, 2005, at 11:05, Stejerean, Cosmin wrote:

You should join his IRC channels and try to have a conversation
with the guy, see where it goes.

First off, in my opinion, no, you shouldn't!

<snip>

- Ethical: The second issue is one of ethics.  The Honeynet Research
 Alliance is in the process of reviewing and better documenting these
 issues in their charter, which you can find online now at
http://www.honeynet.org/alliance/charter.txt.  The suggestion above
would most likely violate current ethical guidelines.

Hmmm. It's by no means obvious to me why it might be considered
"unethical" to engage a wrong-doer in discourse, or to join an IRC
channel that he had set up. There's no intrinsic harm to anyone in doing
either.

You can't say there is no harm in engaging in conversation with someone
who obviously doesn't care about breaking the law through computer
intrusion.  They may try to retaliate against you, in any of a number
of ways (DDoS comes to mind, for some strange reason... ;)  They
may choose to destroy evidence on all systems they control by deleting
everything, causing significantly more damage than they otherwise
would consider if they didn't know they had been discovered. There
are many reasons why it is a Bad Idea to engage with an attacker,
to try to take over their systems, disable them, etc.  This is a
complex area of ethics and the law that is not well understood
by the general public, and can cause great harm if not done by
people who are well versed in the risks and perceived benefits.

The default should be "don't do anything that lets the attacker know
about the fact you have discovered their actions," and "don't do
anything that affects (alters, disables, etc.) other computers you do
not own."

Perhaps "ethics" is the wrong term; aren't we really talking about
how to snoop on snoopers without putting oneself in peril of legal
action?

Snooping on snoopers *itself* puts one in peril of legal action.

 From a truly ethical POV, it seems to me that passive observation
 of potentially criminal acts is more unethical than intervention.

This is a matter of both laws and ethics.  Those are not exclusive
(regardless of lawyer jokes to the contrary. ;)

"Passive observation" for no purpose other than watching someone
commit crimes can be a violation of electronic communication privacy
laws (i.e., "wiretapping").  Laws like the Wiretap Act (in the U.S. -
it's not clear to me what jurisdictions apply here) have exceptions
for things like protection, fraud investigation, and for law
enforcement purposes with warrants and court orders, but otherwise
make a private citizen just monitoring for the fun of it a crime.
There was a case in Washington State (which has one of the most
restrictive communication privacy laws in the country) where evidence
of drug dealing obtained by a neighbor overhearing a conversation on a
cordless phone was excluded by the court because the interception by
the neighbor was deemed illegal.  In the case of the cell phone
interception of Newt Gingrich discussing questionable political
issues, I believe the House Rep who *received* the tape (coincidentally
also from Washington State) was being investigated for violations of
the Wiretap Act.

--
Dave Dittrich                           Information Assurance Researcher,
dittrich () u washington edu               The iSchool
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5

