I run into an average of 3 or 4 serious security holes a day just
surfing the internet and checking a few things like anonymous ftp, nfs,
and bad CGI scripts.  I have yet to contact someone about a security
hole who has tried to mark me as a criminal for helping them out.  This
doesn't only apply to small low-budget companies who can't afford
firewalls; I have run across lapses in security at some extremely large
corporations, including everything from jps.net, Microsoft, and Yahoo.
My personal take on it is that if you discover a hole in someone's system
that is obvious enough to find without any special scanning tools and
you let the administrator know, no harm was done.  If you beat on
someone's network for hours trying to find a security hole, you are not
only stealing their resources but making a deliberate attempt at
infiltration and should be responsible for the consequences.  Any other
opinions?


 
Bill Stackpole wrote:
> 
> Just curious what others think about the rattling door knobs question.  Is it
> wrong to probe a system for security flaws if you have no evil intent?  I
> check my neighbor's doors when they are on vacation to make sure no one has
> broken in, look in the windows to make sure everything is normal.  Does that
> make me a criminal?  I doubt it.
> 
> Over the years, I've called many a company to inform them of potential
> security risks I have observed.  Some have come to me in the mail, some as
> extraneous packets on my Internet connection and others as the result of my
> testing the effectiveness of certain security tools.
> 
> I do such things to help people build more secure systems.  I'm interested
> in what others think about the ethics or criminality of such conduct.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
