What Do You Think of Online Vigilantes?
gwoodrow asks: "I'm a member of the (primarily) Mac community Spymac. I originally joined for the 1 gb of email, but eventually found myself joining in on discussions in the forum. Today, I received an email from a supposedly anonymous Spymac member ("supposedly" because the smart guy didn't mask his IP). Basically, it said that he or she had harvested 10,000 member screen names/email addresses from Spymac's pages and that this, paired with the ability to view individual members' profiles, created a major problem because of the extent of information so readily available. The email this person sent out and the forum discussion that followed are available here. All cracks and personal opinion about Spymac aside, what do Slashdot members think of online 'vigilante' justice?"
"Some viruses are released with little notes within that say things like - 'this is why you need to do X or Y to fix your software'. Some hackers have also gained infamy by hacking a major system allegedly to help. Do you support such actions and why? Are virus/trojan writers, hackers, and spammers doing a noble deed or going about things in the wrong way? If you don't agree generally, are there exceptions when online vigilantes are fully in the right? Is the accessibility of vulnerabilities a good excuse to partake in such actions, or should there be ethical bounds regardless?"
no problem. They help by pointing out vulnerabilities as long as they don't actually exploit them to do harm to whoever.
My take is that vigilantes should not do any damage. Poking around a system, finding a vulnerability and then reporting it to the responsible party (not immediately to the public) is ok in my book. Instead of mailbombing your enemy, use social tactics to discount/disprove your enemy's arguments. Oh, and first post! :)
Discovering weaknesses is good. Exposing them publicly without giving the vulnerable company time to fix them is bad.
My opinion has always been that if you stumble across something, then you should absolutely tell those that need to know, and NOT the general public (at the very least, not until those responsible have had a reasonable chance to repair whatever the problem was). However, purposely breaking into private servers to show how much they need to beef up security (or similar such actions) is tantamount to breaking into someone's home to show how bad their door locks are; it's breaking and entering, and it's a crime. If you want to do penetration testing, you really need to get permission from the owner before they start tearing in to their system.
NO - that's not ok. How is the victim (i.e. the one 'visited' by the vigilante) to know that the vigilante just poked around and didn't leave any nasty things behind? Who's to say it actually was a vigilante and not, say, a competitor faking to be one? General security best practices say: if a system is compromised, rebuild. Rebuilding systems cost time. Time is money. Vigilante actions result in monetary damage. It's not ok.
Did you RTFA? In the legal sense, they are criminals, but it's not like punching someone in the nose at all. It doesn't do any harm to those they hack--except, perhaps, in some of the virus cases--and they're doing people a favor of showing them the security holes are there before someone less kind uses them to do actual damage. People get _paid_ by network owners to hack into the networks and find exploits. These people are doing it for free. Good for network owners, bad for paid hackers.
By reading this you acknowledge that you have read it.
How the fuck is this being a "vigilante"? Vigilantes run around beating up bad guys, often because of some tragic personal history. They work a bit outside the law themselves, but generally do not wish to harm innocents, only bad guys. Think "Batman" and you've got it.
This is just a guy who found a hole of sorts and decided to report it in a kind of stupid but not terribly harmful way. A mildly incompetent "white hat" hacker, perhaps, but no vigilante: he's not running around from website to website trying to "hack bad guys" or some bullshit like that.
anyone who uses p2p apps should join up. they request that you only report websites and stuff, but ips and timestamps are probably fine. all the reports are forwarded to the appropriate law enforcement agency.
Problem is, without downloading it, how do you tell what's child porn? Don't tell me you can tell by the filename, because you can't. There are people out there who label ordinary stuff as child porn. I don't know why, maybe because that makes more people download it (??).
And if I had downloaded some, I'd delete it quick and not tell anyone, just in case. Call me paranoid, but too many people have got themselves in trouble by trying to help out lately.
That's the point of the vigilante--if he or she can get in, that means someone else could have ALREADY gotten in and left things in there. If the vigilante can get in, then you already have to rebuild--it's just a question of whether you KNOW whether you have to rebuild. No point in killing the messenger.
I'm amazed that, in this day and age, people still find equivalents regarding meatspace. You'd think after so many years of online activity being somewhat commonplace, people would realize there are differences between computer transgressions and physical, in-person crimes.
(This is more like having sex on your first floor forgetting to draw the blinds and you get seen by some peeping Tom. The Tom is in the wrong but you're an idiot for not checking some minimal level of security.)
(Yes, if someone manages to punch you in the nose and you were unaware, he's in the wrong and if you pressed charges, I hope he gets his ass thrown in jail, but I also think you need to be aware of your surroundings.)
Computer trespass or transgressions are not perfectly or even well-correlated to real world examples. In some cases, there is little to no damage. In others, there is huge damage.
Punching someone in the face is hugely different from hacking a system. I'm not saying hacking a system is not a crime, but if the system is set up improperly, the fault does not fully rest with some curious individual. It also plays on the community for not being aware of the system insecurities or from protecting their identities.
Back in The Old West, when the law was too weak or too thinly spread out to control outlaws and bandits, various towns set up secret societies known as "Vigilance Committees." They took the law into their own hands, arrested felons and, when they had to, they executed them. Their members were known as vigilantes, and that's where the term came from. Today, mailbombing or otherwise DOSing spammers is a form of vigilante activity. Finding the electronic equivalent of a broken lock on a door and shouting out to the world, "Here's where you can get in for free!" is just plain stupid.
Generally speaking, if there's not an overt threat of violence or massive infrastructure damage, and no money is stolen, you just can't get anyone in law enforcement to listen. This is why I don't have a huge problem with SYN flooding someone who's mailbombing your server until the mailbombing stops. That's just self-defense. If you keep SYN flooding after the mailbombing stops, then you're just attacking an arbitrary IP address that could now belong to someone else, or could have belonged to a (now fixed) zombie, or whatever else. That's reckless.
Law enforcement is trying to get a better handle on internet fraud, but there's so much of it going on and they have so few resources to attack it that vigilante efforts to stop or mitigate the attacks are about our only options in many cases.
If I shoot a gun at a guy who's robbing a bank at gunpoint, I'm probably okay with the law. If I pull out my gun, close my eyes, wave it around, and pull the trigger several times at random, I'm not okay with the law.
If I get a guy in a headlock to break up a fight, I'm probably okay with the law. If he walks away from the fight and I put him in a headlock then, I'm not okay with the law.
You're generally allowed to do things to people you wouldn't otherwise be allowed to do if they weren't committing a crime, but you have to be certain that you're not doing these things to innocent people as well. The internet makes that quite difficult at times. You also have to restrain your response to be proportional to what you're trying to prevent. "Imperfect self-defense" can often get murder reduced to manslaughter, but you still do time for it.
WARNING: there is a trojan on your
First, I agree with you, if you mean that it's better to hear the news from a typical vigilante than to only find out when your most sensitive information appears in the hands of a competitor or plastered all over the net.
Second, that's part of a larger picture. If you get hacked by a script kiddie, and he only appears to get to your web server, the same questions apply. Are you lucky to get the wake up call from a mere website defacement instead of finding a trojan that's been sitting for months in accounts receivable? Possibly, but how do you know the intruder only got in as far as it first appears, and how do you know no one else better than him hasn't done more? It's all a spectrum, from a vigilante who really didn't screw up anything, to one who accidentally did some damage, to a web site defacement that's easy to fix and relatively harmless, to harvesting personnel information for head hunters, to harvesting customer information for spam lists, to the most serious crimes that can cost a company millions.
Anybody who falls victim to one of the less serious sorts can breathe a sigh of relief that it wasn't one of the worse ones, and for their blood pressure's sake they probably should, but they still need to think about what it implies about their chances the next time will be successful, and for worse consequences.
Who is John Cabal?
Vigilantes are common where there is no effective law enforcement. This is not just on the web. In real-life, if there is no effective police force, people will grab a gun and use it to defend their home, work and friends and damn the law. People obey the law when they think it protects them and is fair. This is known as true anarchy. You could see this happening in the post-war looting in Iraq (and still today) where you had surgeons in hospitals wearing scrubs and toting guns. But it is generally true of any society. In crime-ridden areas where there is little effective law enforcement, people form gangs that enforce their own law outside of the proper legal system. People seek protection and order and if the law does not give this to them then they will take matters into their own hands. Hence vigilante actions on the web such as hunting people down are going to continue as long as there is no effective legal recourse that is easily and quickly available to everyone (such as dialing the police).
OTOH "vigilante" actions like writing viruses are a different matter. It's akin to street protests or graffitiing public places with slogans. The first type of vigilante action is a matter of personal protection. The second type is to do with making a statement. Perhaps we should use as a yardstick the comfort level we have with street protests? When does a protest or making a statement go too far?
The internet is not centralized; there is no one central authority. It is like the Wild West. Good citizens keep to themselves and operate under common decency and common sense. But there are always some malcontents (spammers, virus creators etc) that feel they can do whatever they feel to whoever they want with small fear of retribution.
Some governments are just now awakening to the threats of these malcontents, and have passed laws against them. Of course, these laws are next to useless, because the net transcends international geopolitical boundaries.
So what is a decent net citizen to do? Nothing? Scream and cry until the lawmakers listen?
Until there is a real sheriff on the net, vigilante groups may be the only answer. Small groups of net-aware individuals who can root out the bad guys and administer some well-deserved justice. Some may call them net terrorists, but if they leave the good people alone, I would call them patriots.
Will the law go after these patriots? The law may turn a blind eye if these groups keep the peace. Besides, what can the law do to the net patriots that are trying to make things better when they can't even go after the malcontents?
I'm all for vigilantes, until we get a real sheriff in town.
Secondly, you've intruded my house without my consent. You have violated my privacy in the real world. This is totally different from breaking into a computer, because you shouldn't have expected any privacy anyway, if you hooked it up to the outside world.
just doesn't work. That's like saying "Well, you didn't build a ten-foot-high wall around your house, thus completely sealing it off from the outside world, so you forfeit your right to privacy."
The simple fact is, the data contained on someone's computer is their property. Someone else has no more right to access it without the owner's consent than our mythical do-gooding-door-kicker does to bash in someone's door.
WWD4D?
and finding it unlocked. Leaving the door unlocked is a bad thing. It is an even worse thing to leave a door open when the things that could get stolen belong to other people.
19 pages in that thread and nobody has come up with the obvious solution.
In a forum the size of spymac, members viewing this thread/online is useless - needle in a haystack style.
To get a gauge of popularity, why not have "number of members viewing this page" rather than the whole list?
If users want to know when their friends are online, then they could implement a vBulletin style "buddy list" in the member's control panel.
Two interesting analogies but they're twisted together. They should be: 1) damage/theft to physical objects is the same as to digital ones; and 2) a third party who stores your objects has a duty to protect them.
So the first analogy says that breaking into my system really is the same as kicking down my door. You've done damage, tampered with my logs, broken executables, etc. Intent is irrelevant since the results are the same.
The second analogy is like the doctors' office. They have a duty to keep your private (health) data locked up. Digital firms such as Spymac are under the same onus.
Have you ever heard of the government doing that? They may investigate breakins that admins report, but they don't seem to do anything to confirm the security of the user's data that admins are trusted with.
No one likes a gadfly--but that's just how life works. Customers have a right to know if admins refuse to run secure systems.
One of the big reasons for vigilantes is the lack of response from authorities.
I'd love to see a little justice done to the big spammers, and to the 419 people. The law won't do anything unless enough money is involved to get the bureaucrats off their butts.
The first thing we do, let's kill all the lawyers. Shakespeare, Henry VI, Part 2, Act 4, Scene 2