>David Binder wrote,
>I think Hacking is a very interesting topic but there is something I want
>to mention. I think Hacking and Hackers have a positive aspect too, if they
>don't want to harm you (otherwise they would be called crackers).
>If a Hacker broke into your system and shows you that your security system
>is not good, you will have to work on it. So you will have a better
>security system and this protects you from people who really want to harm you.
>Software engineers and producers of firewalls will also have to work on
>it. So the Internet will get more safe.
>I agree with you when you say that it is a vicious circle but that is the
>same in real life too.

Consider the following scenario, that takes place in a country without universal and unlimited health care. Someone walking on a public street is stopped by a wild-eyed, stethoscope-wielding person in a white coat. The white-coated one screams that he has observed that the passerby has yellow eyes, spider-shaped blood vessels under the skin, fluid retention in the legs, is trembling and seems to be itching intolerably.

"You have innumerable symptoms of advanced liver disease. That is not good. Your liver wishes to harm you and must immediately be replaced with a transplant."

And the innocent one says "I have no money for food. If I do not eat, the state of my liver will be irrelevant."

Let me try to put this into philosophical rather than metaphorical terms. The doctor, in my metaphor, regards the state of one's liver as an absolute good. Those hackers that claim they are doing a favor for individuals and organizations, by probing every aspect of their security, base their claims on that security against active probes is an absolute good, and that the target of their probe can guard against the attacks.

Assume that one of the targets of the probe is a community health center in a remote rural area. That center has limited funds. Due to its remote location, electrical power is not reliable. With finite resources, the center may make a decision that it is more important to buy a backup electrical generator than to allocate those resources to install a firewall.

In the clinic example, I will assume that its system administrator is infinitely knowledgeable in security and security tradeoffs, and has made a conscious decision that the risks of not having electricity are more severe than the risks of breakins. Does that administrator have an obligation to tell the hackers why he implemented a certain policy?

What responsibility do the hackers--and I will assume they are well intentioned--have to the system administrator? That administrator may have detected a breakin, and not know if it is malicious or not. Under such circumstances, a reasonable administrator is forced to spend resources to restore potentially damaged files. He cannot trust the word of the hacker, because they are anonymous and unsolicited. No relationship of trust exists between hacker and organization being hacked.

For sake of argument, the clinic administrator is assumed to be a security expert. In the real world, only larger enterprises will have in-house security staff. Properly supporting a firewall is not a trivial task--I've done it, and simply staying aware of published new threats and installing protections against them requires significant effort.

To me, there is a significant ethical difference between:

    a hacker that experiments on her own machines that run Microsoft software, finds a vulnerability, and notifies both Microsoft and independent organizations (i.e., http://www.cert.org) of the vulnerability and how to protect against it

    a hacker who invades a small business system and leaves a note saying "I am an Elite Hacker D00D who got in through your lousy security. Fix it. I could have left a bomb, but trust me, I didn't."