Slashdot Mirror


What Do You Think of Online Vigilantes?

gwoodrow asks: "I'm a member of the (primarily) Mac community Spymac. I originally joined for the 1 GB of email, but eventually found myself joining in on discussions in the forum. Today, I received an email from a supposedly anonymous Spymac member ("supposedly" because the smart guy didn't mask his IP). Basically, it said that he or she had harvested 10,000 member screen names/email addresses from Spymac's pages and that this, paired with the ability to view individual members' profiles, created a major problem because of the extent of information so readily available. The email this person sent out and the forum discussion that followed are available here. All cracks and personal opinion about Spymac aside, what do Slashdot members think of online 'vigilante' justice?" "Some viruses are released with little notes within that say things like - 'this is why you need to do X or Y to fix your software'. Some hackers have also gained infamy by hacking a major system allegedly to help. Do you support such actions and why? Are virus/trojan writers, hackers, and spammers doing a noble deed or going about things in the wrong way? If you don't agree generally, are there exceptions when online vigilantes are fully in the right? Is the accessibility of vulnerabilities a good excuse to partake in such actions, or should there be ethical bounds regardless?"

10 of 273 comments

  1. No damage... by bas148 · · Score: 3, Insightful

    no problem. They help by pointing out vulnerabilities as long as they don't actually exploit them to do harm to whoever.

  2. Yes and No by Cranx · · Score: 4, Insightful

    Discovering weaknesses is good. Exposing them publicly without giving the vulnerable company time to fix them is bad.

    1. Re:Yes and No by Dr. GeneMachine · · Score: 4, Insightful

      Quite right. Which leads to the question why this guy had to collect 10000 screen names + user data? It would have sufficed to show that it can be done and to report it to the company, and, if the company shrugs it off, to the user base. Finding and reporting weaknesses is one thing, exploiting them yourself for greater effect is at least questionable.

      --
      This comment does not exist.

  3. Stumbling is okay... by applef00 · · Score: 5, Insightful

    My opinion has always been that if you stumble across something, then you should absolutely tell those that need to know, and NOT the general public (at the very least, not until those responsible have had a reasonable chance to repair whatever the problem was). However, purposely breaking into private servers to show how much they need to beef up security (or similar such actions) is tantamount to breaking into someone's home to show how bad their door locks are; it's breaking and entering, and it's a crime. If you want to do penetration testing, you really need to get permission from the owner before they start tearing into their system.

  4. Re:vigilantes DO damage by quiranus · · Score: 3, Insightful

    NO - that's not ok. How is the victim (i.e. the one 'visited' by the vigilante) to know that the vigilante just poked around and didn't leave any nasty things behind? Who's to say it actually was a vigilante and not, say, a competitor faking to be one? General security best practices say: if a system is compromised, rebuild. Rebuilding systems costs time. Time is money. Vigilante actions result in monetary damage. It's not ok.

  5. Re:reportchildporn.com by julesh · · Score: 5, Insightful

    anyone who uses p2p apps should join up. they request that you only report websites and stuff, but ips and timestamps are probably fine. all the reports are forwarded to the appropriate law enforcement agency.

    Problem is, without downloading it, how do you tell what's child porn? Don't tell me you can tell by the filename, because you can't. There are people out there who label ordinary stuff as child porn. I don't know why, maybe because that makes more people download it (??).

    And if I had downloaded some, I'd delete it quick and not tell anyone, just in case. Call me paranoid, but too many people have got themselves in trouble by trying to help out lately.

  6. Re:vigilantes DO damage by Artifakt · · Score: 4, Insightful

    First, I agree with you, if you mean that it's better to hear the news from a typical vigilante than to only find out when your most sensitive information appears in the hands of a competitor or plastered all over the net.
    Second, that's part of a larger picture. If you get hacked by a script kiddie, and he only appears to get to your web server, the same questions apply. Are you lucky to get the wake up call from a mere website defacement instead of finding a trojan that's been sitting for months in accounts receivable? Possibly, but how do you know the intruder only got in as far as it first appears, and how do you know no one else better than him hasn't done more? It's all a spectrum, from a vigilante who really didn't screw up anything, to one who accidentally did some damage, to a web site defacement that's easy to fix and relatively harmless, to harvesting personnel information for head hunters, to harvesting customer information for spam lists, to the most serious crimes that can cost a company millions.
    Anybody who falls victim to one of the less serious sorts can breathe a sigh of relief that it wasn't one of the worse ones, and for their blood pressure's sake they probably should, but they still need to think about what it implies about their chances the next time will be successful, and for worse consequences.

    --
    Who is John Cabal?

  7. There is no centralized enforcement on the Net by DrDebug · · Score: 3, Insightful

    The internet is not centralized; there is no one central authority. It is like the Wild West. Good citizens keep to themselves and operate under common decency and common sense. But there are always some malcontents (spammers, virus creators etc) that feel they can do whatever they feel to whoever they want with small fear of retribution.

    Some governments are just now awakening to the threats of these malcontents, and have passed laws against them. Of course, these laws are next to useless, because the net transcends international geopolitical boundaries.

    So what is a decent net citizen to do? Nothing? Scream and cry until the lawmakers listen?

    Until there is a real sheriff on the net, vigilante groups may be the only answer. Small groups of net-aware individuals who can root out the bad guys and administer some well-deserved justice. Some may call them net terrorists, but if they leave the good people alone, I would call them patriots.

    Will the law go after these patriots? The law may turn a blind eye if these groups keep the peace. Besides, what can the law do to the net patriots that are trying to make things better when they can't even go after the malcontents?

    I'm all for vigilantes, until we get a real sheriff in town.

  8. More like turning the door knob by Secrity · · Score: 3, Insightful

    and finding it unlocked. Leaving the door unlocked is a bad thing. It is an even worse thing to leave a door open when the things that could get stolen belong to other people.

    1. Re:More like turning the door knob by Pharmboy · · Score: 3, Insightful

      Actually, I read about half the forum posts in that thread. Lots of "lets string him up" and "I am so offended, this is spam!". Now please, don't get me wrong, but it seems like a lot of people pissing and whining about ONE email from someone who was trying to WARN everyone of a security problem, in a way that is probably not good. So what?

      They seemed all freaked out and disturbed. The first thing I thought was that these guys won't make it in the real world, dealing with real problems, contracts, business deals and real life frustration. I understand not liking it, but if you read the actual forums, half the crowd is freaked out beyond all common sense.

      These can NOT possibly be nerds. Most nerds I know have had a box 0wned once or twice, or a site defaced, etc. *Real* problems that had to be dealt with. But so someone has a list of your email addresses. I can simply wget the forums, write about 40 lines of code to grep out the user names, and build the same damn list.

      Get over yourselves Mac/spy/wannabes.

      --
      Tequila: It's not just for breakfast anymore!