Announcement

Collapse
No announcement yet.

wireless & security ethics question

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • wireless & security ethics question

    (didn't know whether to post this under "got questions" or "wireless"... mods feel free to move accordingly)

    since this matter potentially treads on certain legal issues, i will frame this whole question as a hypothetical...

    suppose i was on a consulting job this morning and i fired up my laptop to pull some files from a utilities dir onto a USB flash drive for use at the client's facility. further suppose that i flipped the laptop's external Wi-Fi switch to the "on" position without realizing it... imagine the surprise i would have had upon returning to the desk a few minutes later to find that my Wi-Fi adapter (which almost always has the stumbling profile loaded) had received an SSID broadcast, autoconfigured, and connected to someone's network all by itself. what if through standard NetBIOS operations, the entire machine list of this other network was in view.

    would it have been unethical at that point if (in an attempt to figure out whose network this was and let them know that they are being brainless) i took a few educated guesses at what might be webservers, pulled the index pages, and read the company name from the information that displayed? (in this hypothetical, we'll just state that for sake of argument there were a whole litany of SQL-enabled web servers, all with the default install, along with a bunch of other workstations and print servers that looked hopelessly insecure.)

    if i hypothetically had at my disposal a yellowjacket or a shmoo bloodhound gun i could have strolled the floors and halls, trying to hone in on the signal of the open AP. instead of doing so, however, let's imagine i just took the simplest and safest route to finding the company name (web browsing) then looked them up on the building directory in the lobby.

    you could guess how in this hypothetical, if i were to have walked upstairs and knocked on the door of the appropriate suite, i would be met with disbelief and astonishment when i presented the employee at the front desk with a printed list of their network machines that had contacted me and a brief summary of their Wi-Fi security problems. hypotheticall leaving this material for their sysadmin, along with one of my email addresses, i could have then potentially proceeded back downstairs to finish what i was doing.

    while it's very clear that in an example such as this one, law enforcement and prosecutorial parties could go either way in their interpretation of my hypothetical actions. while there was no malicious criminal intent of which to speak, in this example i did knowingly and willfully connect to and view the default pages of a few web servers in an attempt to discern who the owner was of the network to which i connected automatically. (in this hypothetical, the SSID wasn't in any way revealing since their AP was set to all vendor defaults.)

    i am not all that interested in deep analysis of whether this was illegal but would rather hear people's opinions concerning whether you would consider the actions taken in this hypothetical example to be unethical?
    Last edited by Deviant Ollam; August 10, 2005, 11:52.
    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
    - Trent Reznor

  • #2
    Originally posted by Deviant Ollam
    i am not all that interested in deep analysis of whether this was illegal but would rather hear people's opinions concerning whether you would consider the actions taken in this hypothetical example to be unethical?
    I find this to be quite an odd question. You, for free and without any expectation of compensation, stumble upon a security risk and report the risk to the party in question in the most benign manner possible. Where would you find someone that would consider this behavior unethical?

    Let's try an analogy (since we all love those...). You see someone whose garage door doesn't close properly when they leave their house. Being a good citizen, you step onto their property to see their address plate (it's obscured by a tree), and then write a letter to the owners. Is this situation unethical, and would anyone fault you for it?
    Last edited by Voltage Spike; August 10, 2005, 15:43. Reason: Brain fart? Busy with work? I'm just bad with words?

    Comment


    • #3
      Seems to me that ethics have more to do with intent and how violations are resolved than action.

      Example:
      If you are looking through posters while carrying a binder, and walk out of the store not realizing you are carrying one poster under your arm, and then return it, that would not be unethical.
      However, if after discovering this, you intend to keep it, or you intentionally steal it, then that would be unethical.

      Only you know your intentions, and from those, you have an understanding on the ethics of this issue.

      Comment


      • #4
        Originally posted by Voltage Spike
        You see someone whose garage door doesn't close properly when they leave their house. Being a good citizen, you step onto their property to see their address plate (it's obscured by a tree), and then write a letter to the owners. Is this situation unethical, and would anyone fault you for it?
        i agree with you 100%. (and i love your analogy, by the way... i may have to use it in the future when describing the situation to others)

        i think that in the interest of doing a good deed and protecting someone, the matter of trespass and compromising of someone's personal space slightly is justified. i was just curious if anyone would blatantly disagree and take the "it's my property so stay the hell off it at all times" postition.
        "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
        - Trent Reznor

        Comment


        • #5
          Your assumption is that how could any 'clued' person consider this unethical. I encountered a similar situation where this all went wrong a few years back. Screw being hypothetical, heres what happened:

          IP address kept repeatedly scanning and attacking my home IP. The attempts were so regular and diliberate that it obviously wasnt some passing scan from a script kid, but rather a person who seemed pretty hell bent on getting into my firewall. I decided to do some recon of my own on the offending IP. I fired up nmap and mapped the hell out of it. Sure enough, it turned out to be a DNS server at some company that was running RedHat 5.2 in its default configuration. There were some high ports open. I connected to those high ports and found backdoors running on them. At this point I assumed (correctly in this case) that this box was put into production by someone who didnt know what they were doing and it had been compromised by an attacker. The attacker was then using their DNS server to attack other sites. I realized I had several avenues open to me

          1. Hack the hacked box, kick out the attackers, secure it for the company, then kick myself out. Reason for doing this; its obvious they didnt have a clue about Linux so asking them to fix the problem on their own may not solve my issues. Ultimately decided that regardless of my intentions, I'd be breaking the law and that would be unethical

          2. Block their IP at the firewall and be done with it. Reasoning for doing this; i have better things to spend my time on. However I decided not to go with this route because the attacker seemed very determined and if all I did was block him at the firewall he was attacking, it wouldnt stop him from continuing his attack.

          3. Gather data and contact the admin at the company. Reason for doing this; if I were a network admin *I'd* want to know if one of my perimeter boxes was compromised, especially if it was compromised and being used as a staging area to attack other hosts outside of my company. I decided to go with this route

          So, after gathering up logs of the attacks, nmap output, and screen captures of the telnet connections to the backdoors, I tried to reach the admin via email. Turns out the company contact information was out of date on the domain, so I called their main number and after a few grueling conversations finally got a network admin on the phone.

          me: Hi, my name is __ and I need to talk to you about one of your servers
          him: um...ok..what is this about
          me: well your DNS server has been trying to break into my firewall over the last 2 weeks
          him (defensive now): I dont know what you are talking about, we have better things to do than try to break into peoples firewalls..<rant starts>
          me: easy there trigger, i didnt say *YOU* or *YOUR COMPANY* was trying to hack me, but rather your DNS server is. I did some probing around and it looks like someone has hacked your DNS server and is using it to stage attacks
          him: you hacked our DNS server?
          me: no, someone else did, and they are doing some damage right under your nose
          him (agitated now): Well, I'm going to call the FBI on you and your friends, what was your name again, whats the name of your friend that hacked our server. I cant believe you had the balls to call me and tell me about this
          me (irritated): no, sit down, take a deep breath, and FUCKING LISTEN. I did not hack your DNS server. Some random person did. They are attacking me via your DNS server. I am trying to help you fix your problem, because in doing so, it helps me fix my problem. I have log files of the activity, plus a scan of your box showing the backdoors where the attacker left himself a way back in
          him: you're scanning our machines?
          me: this is going nowhere, forget I called.

          So, the moral to this story is never assume that the company you are doing a favor is going to react favorably to you bringing this information to their attention, or even understand what you are showing them. In fact, they may react badly and assume in their ignorance that you are the problem. To answer your hypothetical situation: fuck 'em.

          I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me

          Comment


          • #6
            Originally posted by Deviant Ollam
            further suppose that i flipped the laptop's external Wi-Fi switch to the "on" position without realizing it...
            Using a Toshiba, by any chance? ;)

            Originally posted by Deviant Ollam
            what if through standard NetBIOS operations, the entire machine list of this other network was in view.
            would it have been unethical at that point if (in an attempt to figure out whose network this was and let them know that they are being brainless) i took a few educated guesses at what might be webservers, pulled the index pages, and read the company name from the information that displayed?
            let's imagine i just took the simplest and safest route to finding the company name (web browsing) then looked them up on the building directory in the lobby.
            hypotheticall leaving this material for their sysadmin, along with one of my email addresses, i could have then potentially proceeded back downstairs to finish what i was doing.
            Sounds fairly harmless so far.

            Originally posted by Deviant Ollam
            i am not all that interested in deep analysis of whether this was illegal but would rather hear people's opinions concerning whether you would consider the actions taken in this hypothetical example to be unethical?
            Personally, I wouldn't call them unethical. The network was wide open and while you made a conscious decision to connect to it (that action having many potential ramifications, both ethical and legal), you had no intention - as demonstrated by your actions - of causing harm.

            Skirting ethics for a moment (yeah, I know...), my only real concern would be the admin with the open AP feeling all butt-hurt that you showed his incompetence to the world and bringing in law enforcement. People dumb enough to do things like that in that sort of environment have probably either bluffed their way into the position (e.g., the interviewer was non-technical) or some nepotism is involved. Either way, they may want to cover their ass by hanging yours out to dry, and he probably knows that you both work in the same building by now.

            Back to ethics: my personal view is that securing a wireless network is slightly different to securing a wired one, which means that by definition so is the act of connecting to one. Basically, I can't stand outside your office waving a piece of CAT5 in the general direction of the switch and attach myself to your network. However, unless you're big on Faraday Wallpaper and proper configuration, pretty much anyone is capable of connecting to your 802.11 network. Because of this, while individual users have a responsibility to not screw with the network (as was the case in your experience), the admin has no reasonable expectation of privacy should he choose to leave it open. If anything, he should be grateful to you for not fucking with it and pointing out what a drooling retard he actually is.
            Last edited by skroo; August 10, 2005, 12:29.

            Comment


            • #7
              Originally posted by noid
              regardless of my intentions, I'd be breaking the law and that would be unethical
              see... now this would be an example of something that, in my opinion, would have been illegal but not unethical.

              Originally posted by noid
              never assume that the company you are doing a favor is going to react favorably to you bringing this information to their attention, or even understand what you are showing them.
              yeah, i didn't give the person at the front desk my full name and i stopped in the middle of writing down my primary email, opting instead to give them an address that is a lot harder to trace back to me if someone decided to be an assface. uhm... i mean, i hypothetically did that.
              "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
              - Trent Reznor

              Comment


              • #8
                Originally posted by Deviant Ollam
                see... now this would be an example of something that, in my opinion, would have been illegal but not unethical.
                Fair point, but it's important to remember that the two aren't mutually-exclusive in most cases.

                Comment


                • #9
                  Originally posted by skroo
                  Using a Toshiba, by any chance?
                  Fujitsu LifeBook 7010D, actually.

                  Originally posted by skroo
                  and he probably knows that you both work in the same building by now.
                  ah, the beauty of consulting gigs. while i will likely be around the building again at some point in the future, it won't be for a while nor will it involve any regularity. i enjoy this life a whole lot more than my 9 to 5 past.

                  Originally posted by skroo
                  unless you're big on Faraday Wallpaper
                  that's wicked awesome. frequency-selective absorption. badass.
                  "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
                  - Trent Reznor

                  Comment


                  • #10
                    Intentions vs. Perception

                    Beyond the question of ethics and law there is also the issue of your intentions versus the perception of your intentions. Just because you believe that you are acting with ethics and integrity, their perception of the situation may be totally different. Remember, they dont know you from Adam. To inject another life example:

                    I was driving from LA to Phoenix. I was in the middle of the desert around Indio when I saw a car on the side of the road with a flat and its hazards on. I slowed down and saw the single occupant was a teenage-ish looking girl. I had tools in my car and I do a fair ammount of mechanic work, I figured I'd do my good deed for the day (night, acutally) and offer some help. I pulled over and approached her car. As I approached she rolled her window up and was bug eyed with fear.

                    me: excuse me. I saw you had a flat. I'm a mechanic. Would you like me to fix your tire? Or use my cell phone to call AAA?

                    her (near tears): no, I'm fine. Please, leave me alone.

                    me: I understand, I look like a thug, but you dont even have to get out of your car, just pop your trunk and I'll get your spare on for you and get you back on the road.

                    her (near hysterics): Please...please..dont hurt me...just..leave me alone..please

                    She began sobbing at that point. I returned to my truck, drove till I saw the first call box, and radioed it in to the CHP.

                    So, what went wrong here? My intentions were honorable. I knew this. She however, had a different perception of the situation. She looked college age, was probably on her own for the first time driving to Phoenix, probably to attend ASU or something. Mom had probably told her 'if you break down in the middle of nowhere, anyone who stops to help you is probably a rapist. If you're lucky the cops will find your sodomized and mutilated body so we can give you a proper burial'. Couple this with the fact that I looked like your garden variety thug. So, I know I am a nice person. I know that my intentions were honorable. However, her perception of the situation was that she was about to die because some evil thuggish rapist had her cornered in her car out in the middle of the desert in the dead of night.

                    I know that notifying some dipshit admin of his inability to secure his wireless is a far less extreme case, but the same idea still applies. Regardless of your intentions, its really all about THEIR perception of the situation.

                    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me

                    Comment


                    • #11
                      Originally posted by TheCotMan
                      Seems to me that ethics have more to do with intent and how violations are resolved than action.
                      It seems that others have already covered this a bit, but I'd like to add that some people believe the best course of action is to expose the vulnerability (some as a first resort and some as a last (such as Feynman's famous antics)). The intention is still good (or at least those people like to believe so), but the execution is generally quite unethical.

                      Comment


                      • #12
                        Excellent analogy Voltage Spike! And I totally agree with Deviant Ollam.

                        I am still nervous about the randomness of current wireless legislation (at least in my country). From what I can tell, scanning radio freq's and discovering a device is no problem, but introducing another device that can talk to it is bordering on legal problems. Around here judges are misinformed, but I'm being paranoid perhaps.

                        Noid - to your first post I totally agree with option 3, but I thought about how I would react on the other end of the telephone. Not as hostile, admittedly, but far from coherent both purposely and confused at the same time! Your second post sums it up nicely, from both perspectives.

                        Edit: (Musings over legality) Over here there was a massive scrabble over how to prosecute freephone wardialers years ago (far from the root of the problem), and their ultimate answer was to make "abuse of reverse-charge services" illegal, effectively allowing arrest for dialing blocks. 6 months later they had payphones monitored for quick-response enforcement. Perhaps radio will go the same way...
                        Last edited by Spanners; August 10, 2005, 15:37.
                        "There are those who do the work and those who take the credit. I try to be in the first group, there is less competition there." -- Gandhi

                        Comment


                        • #13
                          Originally posted by Spanners
                          I am still nervous about the randomness of current wireless legislation (at least in my country). From what I can tell, scanning radio freq's and discovering a device is no problem, but introducing another device that can talk to it is bordering on legal problems. Around here judges are misinformed, but I'm being paranoid perhaps.
                          It's actually fairly parallel to how things work here. Detecting a wireless network may not in and of itself be illegal depending on intent (this is already being debated in the courts), but connecting to it may be depending on the circumstances. If I use a fully-open AP, I have no way of knowing if it's open intentionally or due to ignorance - some people have no problem with sharing their wireless to the world; others do. But in neither case is there a 'No Trespassing' sign in evidence when the AP's open.

                          WRT introducing another device that can talk to the network: I can see this causing all sorts of legal hassle since the devices designed to detect the presence of the network are also the same ones used to connect to it. Granted, there are keyring 802.11 detectors and so forth, but for the most part people use computing devices to locate their networks.

                          Edit: (Musings over legality) Over here there was a massive scrabble over how to prosecute freephone wardialers years ago (far from the root of the problem), and their ultimate answer was to make "abuse of reverse-charge services" illegal, effectively allowing arrest for dialing blocks. 6 months later they had payphones monitored for quick-response enforcement. Perhaps radio will go the same way...
                          This is something of a tangent, but I wonder what would happen if someone were to dial in a non-sequential order.

                          Comment


                          • #14
                            Many admins would no doubt be defensive in such a situation, though luckily the law is neither interpreted nor enforced by admins. That said, they at least understand the technology and ethical factors involved.

                            Hopefully some new attorneys will emerge from the nations many law schools to educate the rest of the legal community on such issues so that the laws may conform with society's wishes. As far as legislators go, they will forever be a lost cause to educate about any subject whatsoever.

                            I hope to have more information about the state of the law regarding this matter over the next few months.
                            jur1st, esq.

                            Comment


                            • #15
                              The law isnt interpreted or enforced by admins, but its panicky idiots that call law enforcement, who can and do interpret/enforce law, and oft times are just as clueless as the panicky idiot that made the call.

                              Last year right before elk season someone near a school saw a guy in camoflage loading a gun into his pick up truck. Panicky idiot calls the police and basicaly says 'theres a man with a gun at the school. THERE IS A MAN WITH A GUN AT THE SCHOOL. Doodily-diddily'. Of course law enforcement rushed to the scene ready to do battle, only to find an Elk hunter getting ready head out across the mountains. At least in that case the law was easy to interpret. With computer stuff you're going to get a 'this guy says you hacked his computers. thats illegal dont you know!' and you're going to be on the defensive from minute one.

                              Frankly, your best bet isnt to get involved directly. Write em a nice little report and slide it under the door afterhours.

                              I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me

                              Comment

                              Working...
                              X