Security Incidents mailing list archives

Helping or hacking (Was: Re: R: Re: Korea (was RE: ?))


From: robmccau () RADONC DUKE EDU (Rob McCauley)
Date: Sat, 5 Feb 2000 15:44:18 -0500


I wrote a long reply to a couple recent posts, but will send this, what I
see as the critical points of the discussion, then withdraw.  It's
becoming clear to me that there are simply two schools of thought, and no
discussion on this list is going to resolve it.

* Well-intentioned or not, you're an untrusted third party to me.  Any
  "fix" you might apply would be just another problem to fix.

* The fixes you apply *will* destroy evidence.  It may be of critical
  importance for me to prosecute, and you will make that more difficult or
  impossible.  For those of you who think you could remotely secure a
  cracked box without compromising the evidence, let me respectfully
  suggest that you don't properly understand the scope of what I would
  want to preserve.  You can't touch the system without modifying its
  state.  I want everything.  Please Don't Touch.  Please do tell me if
  you have reason to believe one of my boxes has been compromised.

* There are consequences to your fixes.  You may spur the original
  attacker to attempt to conceal their activities by rm -rf / the
  system.  The system may be performing a critical role (medical
  diagnostics, for example), and your "fix" (especially the poster who
  suggested rebooting a system he/she knows little or nothing about) may
  cause real harm to people or property.

* There is a simple ethical issue involved.  Don't modify that which isn't
  yours, especially if no effort has been made prior to request
  permission.  IMO there's a clear "Don't Touch" sign unless you've made
  repeated efforts to acquire permission and have some critical need in
  your organization to fix someone else's systems, and even then
  you're deep in grey area.  Proving that critical need might be an
  interesting exercise, and one I'm not anxious to engage in.

* Liability.  There may be records of you accessing the system.  Sure, the
  box is compromised, but is it a honeypot with all traffic logged on a
  firewall in between?  You may claim good intentions, but depending on
  jurisdictional issues, you may need to convince the SA, site owner, law
  enforcement personnel, and a judge.  Some organizations will happily let
  law enforcement decide if you're really a bad guy or not.  Don't put
  yourself in this situation lightly.

Rob
