Vulnerability Development mailing list archives
Re: Oracle (aiding and abetting)
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Tue, 1 Feb 2000 21:55:29 -0800
Shashi Dookhee wrote:
Um, why exactly was this message allowed to go through? Help someone not get caught entering a system without authorisation? C'mon, be serious... As a Systems Administrator, I take offence to this! :) I mean, this guy obviously doesnt even know much about computing since he dont even know what type of network he's on (for sure)... Sort it out, B-Boar ;)
I let a reply through from the original poster which was semi-inflamatory, but I've given him special permission to speak. I'm going to address my part, and then drop the subject about helping out bad guys (the Oracle thread can continue if there is more technical info to come.) First of all: Is the list going to help the "bad guys"? Sure. Is it going to do it overtly? Not always. Much of this list is dedicated to developing things that will aid in unauthorized access. I see protecting and attacking as two sides of the same coin. I need to be able to do one to do the other. The difference here is that we've got someone who appears to be admitting to unauthorized activity. There are several reason I may let such a post through: -He may be authorized, though not by the DBA. In my day job as corporate security guy, I would often break into systems. Sometimes, I would do so to prove a point, and purposely not tell the admin. I did this with several Lucent systems (the we owned), and they failed miserably at noticing/reacting. -He may be incriminating himself. Frankly, some folks may put me in a spot that may legally obligate me to turn them in (BTW, please don't do that.) I'm of the opinion that making such a post public is one way to help relieve myself of such a burden. There are a number of law enforcement and government subscribers to the list; they just don't post. -He may not be doing anything illegal where he's at, but perhaps the admin could be alerted. Some folks aren't aware that Hotmail logs your IP address when you use it. Others are painfully aware of that, and take measures to accommodate that. This guy gives every appearance of being outside the US. -He may be lying about how bad he's being, just for fun. So, folks shouldn't assume I let posts through regardless or without thought. While we're on the subject, what DON'T I let through? So far, I've denied posts regarding vulnerabilities at specific sites, and posts where the poster has stated or given the appearance they are trying to be anonymous, but the headers give them away. (For the latter case, it's nearly always for fear of repercussion at work, and nothing to do with breaking the law.) Should it come up that some poster out-and-out admits to a crime, I may have to turn them in, I may just let the post through so they can incriminate themselves, or I may just drop it. If you're not sure, send my a hypothetical note first. If you're looking for journalistic protection of source, I can point you at folks who can make a much better case at being journalists than I. BB
Current thread:
- Re: Oracle Shashi Dookhee (Jan 30)
- Re: Oracle (aiding and abetting) Blue Boar (Feb 01)
- <Possible follow-ups>
- Re: Oracle Lars Roeglin (Jan 31)