Chris Shiflett

Ethics and Security

Paul Jones has published an entry on his blog discussing ethics and security. Although I don't have the time to properly respond, I do want to make a few points.

There is a tendency to view security research (in any form) as malicious. This seems to be the primary reason that people object to it. Of course, without such research, those with malicious intentions would gain an advantage. It is for this reason that I view attempts to curtail the ethical boundaries confining security research as counterproductive.

This is very similar to the issues surrounding the blood alcohol content levels used in certain laws. An overzealous restriction causes more people to be considered criminals. This makes the enforcement of severe penalties unjust in edge cases. In terms of security research, as soon as more researchers are viewed as unethical, fewer people are willing to engage in such research, and we all lose.

Of course, there must be boundaries, but I believe more flexibility needs to be afforded researchers than Paul asserts. I'm not suggesting that a Patriot Act approach is a good idea, but I think we need to be more forgiving rather than less when it comes to judging those with good intentions.

To those interested in this particular topic, the policies of the PHP Security Consortium are worth considering.

Ethics and Security was posted on Sun, 10 Jul 2005 at 19:55:21 GMT.

11 Comments

1. Paul M. Jones said:

Hi Chris --

You say, "I think we need to be more forgiving rather than less when it comes to judging those with good intentions."

I completely agree. However, the only way to know if a tester's intentions are honorable is if that tester communicates those intentions to the target. Otherwise, the test may well look like an attack, from the target's point of view, which is why otherwise benign research would be seen as malicious.

What set of rules would **you** consider ethical when it comes to testing other people's public sites? (Note that I ask about "public sites" and not merely "open-source applications," which you can download and test on your own system.)

If you would, please let your reply take into consideration that it should be possible for the target to distinguish legitimate research behaviors from malicious penetration behaviors; if nobody else can tell, then the tester may be either good or bad, with no way to discern.

As long as there are published rules, and not merely "good intentions," we can start the basis of a more relaxed standard of ethics.

Sun, 10 Jul 2005 at 21:43:29 GMT


2. Paul M. Jones said:

Quick followup -- even by relaxed standards, the person who "researched" the Solar and Cortex sites has not proved himself an ethical tester; he has yet to notify me by any means of the vulnerabilities he discovered. (And no, me seeing the results of his "research" in my comments is not notification; that's me stumbling onto the scene.)

Sun, 10 Jul 2005 at 21:48:00 GMT


3. Chris Shiflett said:

The policies of the PHP Security Consortium reflect a subset of what I believe are ethical guidelines.

I am nearly convinced that prior notification is necessary. However, I don't think I'll ever be convinced that prior approval is necessary.

I'll provide a more thorough answer and response at a later date.

Sun, 10 Jul 2005 at 21:50:58 GMT


4. Paul M. Jones said:

"I am nearly convinced that prior notification is necessary."

Hey cool. :-)

"I'll provide a more thorough answer and response at a later date."

I look forward to it. :-)

Also, and not to keep going at it piecemeal, any set of guidelines should include what you are **not** allowed to do. If everything is allowed, or "the right to do anything else as necessary is reserved", then it's not really a set of ethics, it's notice that one gets to do what one wants, when one wants, for one's own reasons.

Sun, 10 Jul 2005 at 22:40:54 GMT


5. Ilia Alshanetsky said:

Mon, 11 Jul 2005 at 03:32:29 GMT


6. Paul M. Jones said:

Hi Ilia -- you say: "These included people who think that rather then solving problems, it is better to chase after people who find them."

Dude, nobody's chasing after you (at least not me). I like the idea of vuln testing, I just want (as a target) to be notified when you're doing it so I know I'm not being attacked.

You also say, "Back in the early days of net when the community mostly consisted for engineers and scientists and hackers this were a lot simpler." You're correct; when the network was primarily a tool for research, things were easier. But now the network is public, and "testers" need to behave in a more socially-friendly manner.

Finally, as far as people who test security, "most do it out of shear curiosity of and quest of understanding and helping people improve their systems." Wonderful! Ask me first before "helping" me to improve -- or at least tell me in advance that you're preparing a lesson for me.

Again, it's not hard, and I'm not trying to stop anyone -- I'm just saying that you need at the very least to communicate your intentions, and really ought to get approval before tooling through a site that is not yours. Is that such a hard task?

Mon, 11 Jul 2005 at 13:15:24 GMT


7. k1dd13 said:

Paul, next time when i r00t your server i will send u a msg frst

Mon, 11 Jul 2005 at 17:19:19 GMT


8. Derick said:

Although k1dd13 doesn't look very mature, he has a point. You should most of all do those security tests yourself! It's up to you, the programmer, how safe you are. And unfortunately it seems that programmers writing applications are just as mature as the people exploiting them...

Mon, 11 Jul 2005 at 17:22:26 GMT


9. Paul M. Jones said:

Hi, Derick,

I completely agree that security flaws are the fault of the programmer. I do what security testing I know how to; I don't know as much as Chris or Ilia or others about the various flaws, so I am an imperfect tester. I depend in some cases for others to point out where I have erred.

So my point is about how ethical persons go about testing for flaws. Certainly I would not expect an *un*ethical person to give me notice; that's part of what makes him an unethical bad guy.

But if a person is an ethical good-guy, I *do* expect him to give notice that he's testing my systems. Otherwise, I have no way of knowing if the "testing" is benign or malevolent. In addition, I expect an ethical person to tell me what he found. What better way to improve the state of security than to tell your target what you discovered?

Perhaps I am naive to think that professional programmers want to help other programmers improve their craft.

Mon, 11 Jul 2005 at 18:40:26 GMT


10. Paul M. Jones said:

Hi again --

The "Web Application Security Consortium" seems to agree with the "approval" framework, if primarily as a matter of law rather than ethics. (I think the two coincide in this case; law and ethics do not always match, as we know. ;-)

http://www.webappsec.org/lists/webs...6/msg00081.html

Mon, 11 Jul 2005 at 19:49:26 GMT


11. Paul M. Jones said:

Here's a much better one, from earlier in the thread (the entirety of which bears reading):

http://www.webappsec.org/lists/webs...6/msg00037.html

Mon, 11 Jul 2005 at 20:20:33 GMT