Security Incidents mailing list archives
Helping or hacking (Was: Re: R: Re: Korea (was RE: ?))
From: robmccau () RADONC DUKE EDU (Rob McCauley)
Date: Sat, 5 Feb 2000 15:44:18 -0500
I wrote a long reply to a couple recent posts, but will send this, what I see as the critical points of the discussion, then withdraw. It's becoming clear to me that there are simply two schools of thought, and no discussion on this list is going to resolve it.

* Well intentioned or not, you're an untrusted third party to me. Any "fix" you might apply would be just another problem to fix.

* The fixes you apply *will* destroy evidence. It may be of critical importance for me to prosecute, and you will make that more difficult or impossible. For those of you who think you could remotely secure a cracked box without compromising the evidence, let me respectfully suggest that you don't properly understand the scope of what I would want to preserve. You can't touch the system without modifying its state. I want everything. Please Don't Touch. Please do tell me if you have reason to believe one of my boxes has been compromised.

* There are consequences to your fixes. You may spur the original attacker to attempt to conceal their activities by rm -rf / the system. The system may be performing a critical role (medical diagnostics, for example), and your "fix" (especially the poster who suggested rebooting a system he/she knows little or nothing about) may cause real harm to people or property.

* There is a simple ethical issue involved. Don't modify that which isn't yours, especially if no effort has been made prior to request permission. IMO there's a clear "Don't Touch" sign unless you've made repeated efforts to acquire permission and have some critical need in your organization to fix someone else's systems, and even then you're deep in grey area. Proving that critical need might be an interesting exercise, and one I'm not anxious to engage in.

* Liability. There may be records of you accessing the system. Sure, the box is compromised, but is it a honeypot with all traffic logged on a firewall in between? You may claim good intentions, but depending on jurisdictional issues, you may need to convince the SA, site owner, law enforcement personnel, and a judge. Some organizations will happily let law enforcement decide if you're really a bad guy or not. Don't put yourself in this situation lightly.

Rob