funsec mailing list archives

Re: So, did the BBC cross the line?


From: Gadi Evron <ge () linuxbox org>
Date: Sat, 14 Mar 2009 15:41:51 -0500 (CDT)

On Sat, 14 Mar 2009, nick hatch wrote:

> I'm honestly curious: you sound very passionate that there is a clear
> ethical line here somewhere, and I'd hate to miss exactly where you believe
> it is.

Who does it is clear: we can't stop anyone from doing anything online (or 
at least, pretty much~).
We prefer for it to be people who "know what they are doing".
It must be people who are "authorized to do so".

The question of this discussion, though, is WHAT you are allowed to do; the 
who is easy to answer.

I have done every single one of these things in the past 15 years, mainly 
in the late 90s, while developing my idea of what's right and what's 
wrong with botnets.

So, let's examine our main options.

Are you allowed to connect to a botnet and passively listen in?

Passive:
Conceivably you can be breaking the law by connecting to, say, an IRC 
server on a compromised machine. It's pretty white.

Passively using botnet resources:
Sending passive commands to the bots via use of their natural control 
mechanism, i.e., typing a command into an IRC channel where the bots 
respond. Gray.

Actively using botnet resources:
Sending a passive command via the use of their natural control mechanism 
to perform an action on the network or the machine itself. Example: remove 
bot.

Mostly a useless action as the machine has not been secured, and it is 
quite possible the user would get reinfected by repeating past activity 
regardless.

The point here, though, is that you cause an action on the remote machine 
which is more than providing with simple data.

Gray to black, depending on circumstance. In an emergency during an 
attack, I can conceive of doing something of the sort.

Accessing botnet machines:
Uploading a new executable (for whatever purpose, even for "removal") is 
as black as they come. Even if you weren't doing it on a machine (or many 
machines) you do not own, you can be collapsing the remote machine for 
reasons as simple as lack of RAM.

It's executing code and nobody gave you permission to do so.

Black, black.

Connecting via network rather than C&C:
This can be done for any reason, from controlling the bot to nmapping the 
compromised host. Refer to the list above, making every step one level 
darker than it was when done via C&C.

These, of course, are just my opinion. Further, while my ethical 
convictions on this issue are strong, I am unsure how long they will 
remain practical.

        Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

