I find this to be quite an odd question. You, for free and without any expectation of compensation, stumble upon a security risk and report the risk to the party in question in the most benign manner possible. Where would you find someone that would consider this behavior unethical?

Let's try an analogy (since we all love those...). You see someone whose garage door doesn't close properly when they leave their house. Being a good citizen, you step onto their property to see their address plate (it's obscured by a tree), and then write a letter to the owners. Is this situation unethical, and would anyone fault you for it?

Seems to me that ethics have more to do with intent and how violations are resolved than action.

Example:
If you are looking through posters while carrying a binder, and walk out of the store not realizing you are carrying one poster under your arm, and then return it, that would not be unethical.
However, if after discovering this, you intend to keep it, or you intentionally steal it, then that would be unethical.

Only you know your intentions, and from those, you have an understanding on the ethics of this issue.

i agree with you 100%. (and i love your analogy, by the way... i may have to use it in the future when describing the situation to others)

i think that in the interest of doing a good deed and protecting someone, the matter of trespass and compromising of someone's personal space slightly is justified. i was just curious if anyone would blatantly disagree and take the "it's my property so stay the hell off it at all times" postition.

Your assumption is that how could any 'clued' person consider this unethical. I encountered a similar situation where this all went wrong a few years back. Screw being hypothetical, heres what happened:

IP address kept repeatedly scanning and attacking my home IP. The attempts were so regular and diliberate that it obviously wasnt some passing scan from a script kid, but rather a person who seemed pretty hell bent on getting into my firewall. I decided to do some recon of my own on the offending IP. I fired up nmap and mapped the hell out of it. Sure enough, it turned out to be a DNS server at some company that was running RedHat 5.2 in its default configuration. There were some high ports open. I connected to those high ports and found backdoors running on them. At this point I assumed (correctly in this case) that this box was put into production by someone who didnt know what they were doing and it had been compromised by an attacker. The attacker was then using their DNS server to attack other sites. I realized I had several avenues open to me

1. Hack the hacked box, kick out the attackers, secure it for the company, then kick myself out. Reason for doing this; its obvious they didnt have a clue about Linux so asking them to fix the problem on their own may not solve my issues. Ultimately decided that regardless of my intentions, I'd be breaking the law and that would be unethical

2. Block their IP at the firewall and be done with it. Reasoning for doing this; i have better things to spend my time on. However I decided not to go with this route because the attacker seemed very determined and if all I did was block him at the firewall he was attacking, it wouldnt stop him from continuing his attack.

3. Gather data and contact the admin at the company. Reason for doing this; if I were a network admin *I'd* want to know if one of my perimeter boxes was compromised, especially if it was compromised and being used as a staging area to attack other hosts outside of my company. I decided to go with this route

So, after gathering up logs of the attacks, nmap output, and screen captures of the telnet connections to the backdoors, I tried to reach the admin via email. Turns out the company contact information was out of date on the domain, so I called their main number and after a few grueling conversations finally got a network admin on the phone.

me: Hi, my name is __ and I need to talk to you about one of your servers
him: um...ok..what is this about
me: well your DNS server has been trying to break into my firewall over the last 2 weeks
him (defensive now): I dont know what you are talking about, we have better things to do than try to break into peoples firewalls..<rant starts>
me: easy there trigger, i didnt say *YOU* or *YOUR COMPANY* was trying to hack me, but rather your DNS server is. I did some probing around and it looks like someone has hacked your DNS server and is using it to stage attacks
him: you hacked our DNS server?
me: no, someone else did, and they are doing some damage right under your nose
him (agitated now): Well, I'm going to call the FBI on you and your friends, what was your name again, whats the name of your friend that hacked our server. I cant believe you had the balls to call me and tell me about this
me (irritated): no, sit down, take a deep breath, and FUCKING LISTEN. I did not hack your DNS server. Some random person did. They are attacking me via your DNS server. I am trying to help you fix your problem, because in doing so, it helps me fix my problem. I have log files of the activity, plus a scan of your box showing the backdoors where the attacker left himself a way back in
him: you're scanning our machines?
me: this is going nowhere, forget I called.

So, the moral to this story is never assume that the company you are doing a favor is going to react favorably to you bringing this information to their attention, or even understand what you are showing them. In fact, they may react badly and assume in their ignorance that you are the problem. To answer your hypothetical situation: fuck 'em.

Using a Toshiba, by any chance? ;)

Sounds fairly harmless so far.

Personally, I wouldn't call them unethical. The network was wide open and while you made a conscious decision to connect to it (that action having many potential ramifications, both ethical and legal), you had no intention - as demonstrated by your actions - of causing harm.

Skirting ethics for a moment (yeah, I know...), my only real concern would be the admin with the open AP feeling all butt-hurt that you showed his incompetence to the world and bringing in law enforcement. People dumb enough to do things like that in that sort of environment have probably either bluffed their way into the position (e.g., the interviewer was non-technical) or some nepotism is involved. Either way, they may want to cover their ass by hanging yours out to dry, and he probably knows that you both work in the same building by now.

Back to ethics: my personal view is that securing a wireless network is slightly different to securing a wired one, which means that by definition so is the act of connecting to one. Basically, I can't stand outside your office waving a piece of CAT5 in the general direction of the switch and attach myself to your network. However, unless you're big on Faraday Wallpaper and proper configuration, pretty much anyone is capable of connecting to your 802.11 network. Because of this, while individual users have a responsibility to not screw with the network (as was the case in your experience), the admin has no reasonable expectation of privacy should he choose to leave it open. If anything, he should be grateful to you for not fucking with it and pointing out what a drooling retard he actually is.

see... now this would be an example of something that, in my opinion, would have been illegal but not unethical.

yeah, i didn't give the person at the front desk my full name and i stopped in the middle of writing down my primary email, opting instead to give them an address that is a lot harder to trace back to me if someone decided to be an assface. uhm... i mean, i hypothetically did that.

Fair point, but it's important to remember that the two aren't mutually-exclusive in most cases.

Fujitsu LifeBook 7010D, actually.

ah, the beauty of consulting gigs. while i will likely be around the building again at some point in the future, it won't be for a while nor will it involve any regularity. i enjoy this life a whole lot more than my 9 to 5 past.

that's wicked awesome. frequency-selective absorption. badass.

Intentions vs. Perception

Beyond the question of ethics and law there is also the issue of your intentions versus the perception of your intentions. Just because you believe that you are acting with ethics and integrity, their perception of the situation may be totally different. Remember, they dont know you from Adam. To inject another life example:

I was driving from LA to Phoenix. I was in the middle of the desert around Indio when I saw a car on the side of the road with a flat and its hazards on. I slowed down and saw the single occupant was a teenage-ish looking girl. I had tools in my car and I do a fair ammount of mechanic work, I figured I'd do my good deed for the day (night, acutally) and offer some help. I pulled over and approached her car. As I approached she rolled her window up and was bug eyed with fear.

me: excuse me. I saw you had a flat. I'm a mechanic. Would you like me to fix your tire? Or use my cell phone to call AAA?

her (near tears): no, I'm fine. Please, leave me alone.

me: I understand, I look like a thug, but you dont even have to get out of your car, just pop your trunk and I'll get your spare on for you and get you back on the road.

her (near hysterics): Please...please..dont hurt me...just..leave me alone..please

She began sobbing at that point. I returned to my truck, drove till I saw the first call box, and radioed it in to the CHP.

So, what went wrong here? My intentions were honorable. I knew this. She however, had a different perception of the situation. She looked college age, was probably on her own for the first time driving to Phoenix, probably to attend ASU or something. Mom had probably told her 'if you break down in the middle of nowhere, anyone who stops to help you is probably a rapist. If you're lucky the cops will find your sodomized and mutilated body so we can give you a proper burial'. Couple this with the fact that I looked like your garden variety thug. So, I know I am a nice person. I know that my intentions were honorable. However, her perception of the situation was that she was about to die because some evil thuggish rapist had her cornered in her car out in the middle of the desert in the dead of night.

I know that notifying some dipshit admin of his inability to secure his wireless is a far less extreme case, but the same idea still applies. Regardless of your intentions, its really all about THEIR perception of the situation.

It seems that others have already covered this a bit, but I'd like to add that some people believe the best course of action is to expose the vulnerability (some as a first resort and some as a last (such as Feynman's famous antics)). The intention is still good (or at least those people like to believe so), but the execution is generally quite unethical.

Excellent analogy Voltage Spike! And I totally agree with Deviant Ollam.

I am still nervous about the randomness of current wireless legislation (at least in my country). From what I can tell, scanning radio freq's and discovering a device is no problem, but introducing another device that can talk to it is bordering on legal problems. Around here judges are misinformed, but I'm being paranoid perhaps.

Noid - to your first post I totally agree with option 3, but I thought about how I would react on the other end of the telephone. Not as hostile, admittedly, but far from coherent both purposely and confused at the same time! Your second post sums it up nicely, from both perspectives.

Edit: (Musings over legality) Over here there was a massive scrabble over how to prosecute freephone wardialers years ago (far from the root of the problem), and their ultimate answer was to make "abuse of reverse-charge services" illegal, effectively allowing arrest for dialing blocks. 6 months later they had payphones monitored for quick-response enforcement. Perhaps radio will go the same way...

It's actually fairly parallel to how things work here. Detecting a wireless network may not in and of itself be illegal depending on intent (this is already being debated in the courts), but connecting to it may be depending on the circumstances. If I use a fully-open AP, I have no way of knowing if it's open intentionally or due to ignorance - some people have no problem with sharing their wireless to the world; others do. But in neither case is there a 'No Trespassing' sign in evidence when the AP's open.

WRT introducing another device that can talk to the network: I can see this causing all sorts of legal hassle since the devices designed to detect the presence of the network are also the same ones used to connect to it. Granted, there are keyring 802.11 detectors and so forth, but for the most part people use computing devices to locate their networks.

This is something of a tangent, but I wonder what would happen if someone were to dial in a non-sequential order.

Many admins would no doubt be defensive in such a situation, though luckily the law is neither interpreted nor enforced by admins. That said, they at least understand the technology and ethical factors involved.

Hopefully some new attorneys will emerge from the nations many law schools to educate the rest of the legal community on such issues so that the laws may conform with society's wishes. As far as legislators go, they will forever be a lost cause to educate about any subject whatsoever.

I hope to have more information about the state of the law regarding this matter over the next few months.

The law isnt interpreted or enforced by admins, but its panicky idiots that call law enforcement, who can and do interpret/enforce law, and oft times are just as clueless as the panicky idiot that made the call.

Last year right before elk season someone near a school saw a guy in camoflage loading a gun into his pick up truck. Panicky idiot calls the police and basicaly says 'theres a man with a gun at the school. THERE IS A MAN WITH A GUN AT THE SCHOOL. Doodily-diddily'. Of course law enforcement rushed to the scene ready to do battle, only to find an Elk hunter getting ready head out across the mountains. At least in that case the law was easy to interpret. With computer stuff you're going to get a 'this guy says you hacked his computers. thats illegal dont you know!' and you're going to be on the defensive from minute one.

Frankly, your best bet isnt to get involved directly. Write em a nice little report and slide it under the door afterhours.