Let's start with a variation on the topic that spawned the idea for this blog.
You work as a mid-level analyst for a small information security consulting firm. One of the senior analysts (Bob) is on a week-long 'unplugged' vacation. Bob hates out-of-office messages and forwards the calls from his desk phone to yours while he is away so you can take care of his clients if they have a problem.
While Bob is away, someone calls and, not realizing he is not talking to Bob, says in a hurried and excited voice, "You know that thing I was working on? Well, it worked, but this thing is bigger than I imagined and the way I see it most systems on the internet are wide open to this and can easily be compromised remotely. I posted the vulnerability and exploit to hxxp://someadress/private/sploit.tar.gz, username 'Bob' and password 'I0wnyou!'. Pull it down and validate it for me, would you? I need to run, but download it fast as I'm only leaving it up for 15 minutes." and hangs up without you ever speaking a word.
No number is shown on caller ID and *69 (in the United States this is a method of automatically calling the last person who called you) doesn't work.
In short, you are suddenly given a way, for a very short period of time, to access something that you find very interesting, almost exciting, that is not intended for you, and you cannot contact the person who is making it available.
Q1: Is it acceptable for you to connect to the website and retrieve the vulnerability and exploit? Why?
Q2: If you do pull it down, assume you validate the vulnerability and confirm the exploit works. What do you do? Why?
Welcome!
I wish I could say that this is something as noble as 'giving back' to the information security community but the simple fact is it will be a forum to discuss ethical issues in a calm, rational manner that need to be brought out into the open.
Information security (or the lack thereof) is becoming more a part of people's lives, and affects more people each day whether they use a computer themselves or not, as banking, utilities, transportation, medical care and other critical industries are all heavily computerized.
We have all seen the effects and impact on individual people and businesses when breaches occur, and it does not take much imagination to speculate about the impact to economies when large enough attacks are realized.
Given the variety of laws around the world, or the lack thereof, a large 'gray space' exists between the 'white' of the defenders and the 'black' of the attackers, legality aside. Because of that variety, discussions here will set the legality of an action to one side. What may be a serious crime where you live may be perfectly legal where the next blog reader lives.
When you remove the legal aspect of the issue, right and wrong in the traditional sense become a function of the individual's beliefs. Of course there are lines that should not be crossed and actions that are clearly wrong to all but the most criminal, but with information security, again eliminating the varied legalities around the world, those are few and far between, and even those become gray at some point.
This forum will look into that wide gray space and discuss what is found so that readers can make up their own mind and determine their own ethical compass.
There are a few things to keep in mind when reading from or posting to the blog:
1. There is no 'right' or 'wrong' answer. Different people may arrive at the same conclusion but by taking very different paths. The journey is just as important as the destination.
2. Some of the scenarios presented here will seem a bit unusual, almost perfect. This is done intentionally, as I am trying to make all the variables black and white to simplify the problem and isolate the specific ethical issue in question.
3. It was mentioned previously but it bears repeating: remove the legality of the issue from your thinking. Laws vary widely around the globe, so again, to isolate the specific ethical issue at hand, assume that your reasonable response would be legal.
4. Ethical issues can become emotional. Avoid being judgmental. It is our hope that you will encounter views very different from your own. Attacking people with differing views is not the way to get your point across. Clear, concise writing wins over flames every day of the week.
5. Don't assume or try to read between the lines. In the scenarios, there is no hidden information. All the information that you have in order to make your decision is presented. The 'in short' section is a straightforward explanation of the scenario with all the detail removed.
6. During testing of several of the scenarios with friends and associates, one trend became crystal clear. Their initial answer was usually different, sometimes significantly, from their answer after thinking about it or, better yet, discussing it for even 15 minutes. These scenarios are designed to be thought provoking. Take some time, think about it, talk to your friends and associates, read the responses already posted, and when you're sure, let us know.
All times listed are GMT. Let's keep this as light and enjoyable as we can for a topic of this nature.
Monday, June 11, 2007
Message Destined for Someone Else
Posted by Scrambled3ggs at 15:43 3 comments
Labels: confidentiality, disclosure, exploit