What are your thoughts on security ethics?

Posted: Thu Aug 11, 2011 1:59 am
by flying_circus
Suppose you're sitting around drinking beer one evening and perusing craigslist looking for a quick and easy web development contract. You find an interesting listing and the company name is listed, so you google them and start reading about the company and what they do. As you're reading, you notice a login box. Out of sheer boredom and perhaps a little curiosity of the company's current level of security, you enter the first thing that comes to mind. Next thing you know, you're looking at a screen that says "You are logged in as *' OR 1='1".


Suppose, someday, that you find yourself in this position... Would you notify the company? It would seem like the right thing to do. Would you take an anonymous approach by registering a fake email or just walk right in the front door and say "we need to talk". Obviously, either method has pros and cons...

Comments welcome and encouraged. :drunk:

Re: What are your thoughts on security ethics?

Posted: Thu Aug 11, 2011 10:21 am
by Jonah Bron
How about tell them and offer to do it? :)

Re: What are your thoughts on security ethics?

Posted: Thu Aug 11, 2011 11:08 am
by pickle
The appeal is to tell them about it & take credit for finding it. Unfortunately there's precedent where the company then sues the "hacker" - usually those companies are really stupid & led by fear. I guess it would depend on the company, but I would imagine in most cases, a simple email that says: "Hey - you have a security hole here, and the result can be XYZ", will be met with a "thanks" and possibly a "wanna help?".

Re: What are your thoughts on security ethics?

Posted: Thu Aug 11, 2011 2:44 pm
by greyhoundcode
I accidentally stumbled across something like this - simply by using an apostrophe in a textarea, I seem to remember. I did indeed let that organisation know and offered my services. The reply was a polite, "Thanks - but we'll let our developer know." Fair enough.

From an ethical standpoint of course that is slightly different to deliberately testing their security and, ethically speaking, I'm not sure where I stand on this one: so long as there is no intention to cause damage or steal information ... after all, doesn't criminality rest largely upon intent? Hmm, quite a tough question.

Anyway, replacing my professor-of-ethics hat with my business one, these days it would be a clear decision not to do anything that could be construed as hacking, regardless of the intention - or at the very least I would not draw attention to the fact.

Re: What are your thoughts on security ethics?

Posted: Thu Aug 11, 2011 3:02 pm
by John Cartwright
I would love to see an organization try to sue me for hacking based on the fact I triggered a simple SQL injection. It just won't happen. Nor will you be liable if their system cannot defend accidental and plausible scenarios.

Yours,
(Not a lawyer) Jcart

Re: What are your thoughts on security ethics?

Posted: Thu Aug 11, 2011 3:07 pm
by pickle
We're Canadian though ~Jcart, what doesn't fly up here may have wings in the States.

Re: What are your thoughts on security ethics?

Posted: Thu Aug 11, 2011 3:40 pm
by social_experiment
I'd go for the anonymous route, my reasoning is similar to what pickle mentioned. Few website owners care to find out about how their site measures up in the security department and there are constant buzzes about 'hacker this' and 'hacker that' so paranoia amounts among un-educated users are at an all time high imo. Maybe your email reaches them just as they spill their coffee and suddenly it's your fault :/

Re: What are your thoughts on security ethics?

Posted: Thu Aug 11, 2011 3:40 pm
by John Cartwright
Agreed, I should have been more clear on that. Again, I'm not a lawyer and I do not fully understand laws outside of Canada.

Re: What are your thoughts on security ethics?

Posted: Thu Aug 11, 2011 3:57 pm
by social_experiment
In the European Union cyber crime law is primarily based on the Council of Europe’s Convention on cyber crime (November 2001). South Africa has signed but did not ratify the Convention. Under the convention, member states are obliged to criminalize:
1. Illegal access to computer system,
2. Illegal interception of data to a computer system,
3. Interfering with computer system without right, intentional interference with computer data without right,
4. The use of inauthentic data with intent to put it across as authentic (data forgery),
5. Infringement of copyright related rights online,
6. Interference with data or functioning of computer system,
7. Child pornography related offences (possession/distribution/procuring/producing of child pornography).
I did a quick search of cyberlaws in South Africa and it looks, to me, that entrance gained, even accidentally (yet still illegally by common sense standards) will be a bit of a bother for you. To my reasoning, (or in defence of said accidental entry) the onus would be on the person / company who owns the site / server to prove that it was an intentional attempt at breaking / entering / violating data. But like John Cartwright, I'm not a lawyer and this is pure speculation.

Re: What are your thoughts on security ethics?

Posted: Thu Aug 11, 2011 4:14 pm
by flying_circus
It's interesting to see the variety of responses here.

You know... I had typed a reply to this thread but I just deleted it all. I thought about the crazy world we live in, driven by fear of the unknown and the bliss of ignorance. I like to think I am a well intentioned person, I'm honest, and I certainly don't wish harm or damage upon anyone. More than anything, I just like to help.

Outside my development world, I love wings and parachutes. I have come to terms that when I want to jump off a building or other restricted object, I need to research the object, and likely circumvent security, but I'm not willing to cause damage in the process. In almost all cases, I would think the object owner would say no, and then heighten security, so I don't notify them. Lastly I don't spread the details of the site, leave a trace, or make a move where I can be seen.

Damn, those kids were right, BASE jumping has touched my life in ways I never imagined...

For me this choice should be simple. I haven't caused any damage or left any trace, and there is no reward for jumping it again. If they fix the lock and someone in the future finds another way in, at least my conscience won't be eating at me.

I'm going to tell them, but do so anonymously.