What Do You Think of Online Vigilantes?
gwoodrow asks: "I'm a member of the (primarily) Mac community Spymac. I originally joined for the 1 gb of email, but eventually found myself joining in on discussions in the forum. Today, I received an email from a supposedly anonymous Spymac member ("supposedly" because the smart guy didn't mask his IP). Basically, it said that he or she had harvested 10,000 member screen names/email addresses from Spymac's pages and that this, paired with the ability to view individual member's profiles, created a major problem because of the extent of information so readily available. The email this person sent out and the forum discussion that follow are available here. All cracks and personal opinion about Spymac aside, what do Slashdot members think of online 'vigilante' justice?"
"Some viruses are released with little notes within that say things like - 'this is why you need to do X or Y to fix your software' Some hackers have also gained infamy by hacking a major system allegedly to help. Do you support such actions and why? Are virus/trojan writers, hackers, and spammers doing a noble deed or going about things in the wrong way? If you don't agree generally, are there exceptions when online vigilantes are fully in the right? Is the accessibility of vulnerabilities a good excuse to partake in such actions, or should there be ethical bounds regardless?"
no problem. They help by pointing out vulnerabilities as long as they don't actually exploit them to do harm to whoever.
wannabe mafiosos always click this link
Discovering weaknesses is good. Exposing them publicly without giving the vulnerable company time to fix them is bad.
My opinion has always been that if you stumble across somthing, then you should absolutely tell those that need to know, and NOT the general public (at the very least, not until those responsible have had a reasonable chance to repair whatever the problem was). However, purposely breaking in to private servers to show how much they need to beef up security (or similar such actions) is tantamount to breaking in to someone's home to show how bad their door locks are; it's breaking and entering, and it's a crime. If you want to do penetration testing, you really need to get permission from the owner before they start tearing in to their system.
NO - that's not ok. How is the victim (i.e. the one 'visited' by the vigilante) to know that the vigilante just poked around and didn't leave any nasty things behind? Who's to say it actually was a vigilante and not, say, a competitor faking to be one? General security best practices say: if a system is compromised, rebuild. Rebuilding systems cost time. Time is money. Vigilante actions result in monetary damage. It's not ok.
anyone who uses p2p apps should join up. they request that you only report websites and stuff, but ips and timestamps are probably fine. all the reports are forwarded to the appropriate law enforcement agency.
Problem is, without downloading it, how do you tell what's child porn? Don't tell me you can tell by the filename, because you can't. There are people out there who label ordinary stuff as child porn. I don't know why, maybe because that makes more people download it (??).
And if I had downloaded some, I'd delete it quick and not tell anyone, just in case. Call me paranoid, but too many people have got themselves in trouble by trying to help out lately.
First, I agree with you, if you mean that it's better to hear the news from a typical vigilante that to only find out when your most sensitive information appears in the hands of a competitor or plastered all over the net.
Second, that's part of a larger picture. If you get hacked by a script kiddee, and he only appears to get to your web server, the same questions apply. Are you lucky to get the wake up call from a mere website defacement insead of finding a trojan that's been sitting for months in accounts recievable? Possibly, but how do you know the intruder only got in as far as it first appears, and how do you know no one else better than him hasn't done more? I'ts all a spectrum, from a vigilante who really didn't screw up anything, to one who accidentally did some damage, to a web site defacement that's easy to fix and relatively harmless, to harvesting personnel information for head hunters, to harvesting customer information for spam lists, to the most serious crimes that can cost a company millions.
Anybody who falls victim to one of the less serious sorts can breathe a sigh of relief that it wasn't one of the worse ones, and for their blood pressure's sake they probably should, but they still need to think about what it implies about their chances the next time will be successful, and for worse consequences.
Who is John Cabal?
The internet is not centralized; there is no one central authority. It is like the Wild West. Good citizens keep to themselves and operate under common decency and common sense. But there are always some malcontents (spammers, virus creators etc) that feel they can do whatever they feel to whoever they want with small fear of retribution.
Some governments are just now awakening to the threats of these malcontents, and have passed laws against them. Of course, these laws are next to useless, because the net transcends international geopolitical boundaries.
So what is a decent net citizen to do? Nothing? Scream and cry until the lawmakers listen?
Until there is a real sheriff on the net, vigilante groups may be the only answer. Small groups of net-aware individuals who can root out the bad guys and administer some well-deserved justice. Some may call them net terrorists, but if they leave the good people alone, I would call them patriots.
Will the law go after these patriots? The law may turn a blind eye if these groups keep the peace. Besides, what can the law do to the net patriots that are trying to make things better when they can't even go after the malcontents?
I'm all for vigilantes, until we get a real sheriff in town.
and finding it unlocked. Leaving the door unlocked is a bad thing. It is an even worse thing to leave a door open when the things that could get stolen belong to other people.