Slashdot Mirror


What Do You Think of Online Vigilantes?

gwoodrow asks: "I'm a member of the (primarily) Mac community Spymac. I originally joined for the 1 GB of email, but eventually found myself joining in on discussions in the forum. Today, I received an email from a supposedly anonymous Spymac member ("supposedly" because the smart guy didn't mask his IP). Basically, it said that he or she had harvested 10,000 member screen names/email addresses from Spymac's pages and that this, paired with the ability to view individual members' profiles, created a major problem because of the extent of information so readily available. The email this person sent out and the forum discussion that follows are available here. All cracks and personal opinion about Spymac aside, what do Slashdot members think of online 'vigilante' justice?" "Some viruses are released with little notes within that say things like 'this is why you need to do X or Y to fix your software.' Some hackers have also gained infamy by hacking a major system allegedly to help. Do you support such actions and why? Are virus/trojan writers, hackers, and spammers doing a noble deed or going about things in the wrong way? If you don't agree generally, are there exceptions when online vigilantes are fully in the right? Is the accessibility of vulnerabilities a good excuse to partake in such actions, or should there be ethical bounds regardless?"

15 of 273 comments

  1. If you know who it is by John Harrison · Score: 5, Interesting

    Report it to the authorities. Alternately, post the info here on /. and then don't worry about it. Somebody will do something, and it won't be you.

  2. i'll just kick your door in by vena · Score: 5, Interesting

    to show you how much you need a deadbolt.

    yeah, no, that sounds like a bad idea.

    1. Re:i'll just kick your door in by zcat_NZ · Score: 2, Interesting

      Here's a better analogy; you pay '$fuckknows' per month to a storage company to keep your stuff safe in a storage locker. One day you turn up to check on it and there's a note about the storage company's lack of security from someone who has obviously had access to your storage locker. Would you prefer not to know, and wait until someone else comes along and takes stuff?

      --
      455fe10422ca29c4933f95052b792ab2
  3. What do I think? by pedantic bore · Score: 4, Interesting

    They're criminals.

    This is like me punching someone in the nose and saying "Why didn't you take karate lessons, for crying out loud? It's your own fault it's so easy for me to punch you. You should consider this assault a personal favor."

    --
    Am I part of the core demographic for Swedish Fish?
  4. Speed of the Internet vs The speed of Justice by cluge · Score: 5, Interesting

    Considering the lack of speed and sometimes lack of ability when it comes to investigating cyber crimes, online vigilantes may be the only option. This type of behavior does 2 things.

    1. It provides some deterrent

    2. It forces law enforcement to step up to the plate.

    Example? There is an online porn site that has pictures of a girl, about the age of ten, having hard core sex with an adult. I found out because a domain I admin with a catch-all e-mail was receiving bounces from this site's spam. I reported it. Nothing happened for a few days so I traced the actual source of the pictures to a free server. The pictures were removed in minutes. I continued to follow the sites from free server to free server until it stopped working (I haven't checked in a while).

    I made that person's life more difficult and hopefully caused him to leave more "trails". Each free server admin I talked to said that they would save any logs that they had. Now why couldn't the police do what I did for the 2 weeks or so?

    cluge
    AngryPeopleRule

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
    1. Re:Speed of the Internet vs The speed of Justice by cluge · Score: 2, Interesting

      1) What do you do when some person tracks you down and shoots you because you were causing problems? If it had been a launderer of money for an organized crime outfit, they may very well have killed you.

      They had better be a better shot than I. I live in a state where it is legal to defend myself.

      2) It makes it harder for law enforcement to do their job.

      I call BOVINE FECES

      There is no reason law enforcement needed to keep you informed of what they were doing.

      I just asked them to do something, I don't want a blow by blow, or a window into their investigation. Hell, HOW ABOUT A REPORT NUMBER? Oh - it's a domain hosted in Russia? with false information? sorry - try again. That's why I did something.

      It could be irresponsible to do so, especially if they had to keep track of telling you the information. Once they caught someone, the lawyer would have demanded a look at how the case was handled, and if your name comes up, well then look at #1

      The truth is that law enforcement rarely does anything in cases like this (or so it seems). Logs are usually dead ends, proxy servers in Turkey through proxy servers in Costa Rica. I've been told that they give up pretty quick, especially if the primary domain is hosted in Russia or China.

      3) Who is to determine what justice is? If I found out it was my missing daughter, and that law enforcement was working on it, and you caused the site organizer to flee before they could be arrested, I would show you what vigilante justice means...for days.

      If it was your daughter you would be damn glad that I got those pictures taken down, and that I forced the culprit to leave many, many, more trails. If the police had REALLY wanted to keep a site up to try and track someone, they would have contacted the free server admins. Once contacted, then my request would be ignored.

      How do I know this? At my job at 3 different ISPs I've worked with both the FDLE (Florida Department of Law Enforcement), the RCMP in Canada, and the FBI. They send you a subpoena for logs, or send you a court order for a tap, you send them the information. You are asked to make no changes to the account, and to even keep an account open that is past due. Let's be totally honest, my efforts would have never interfered with legitimate police work. What my efforts did was get the horrible pictures of a little girl taken down. I reported the site to law enforcement, and I reported the site to the missing and abused children online site.

      I guess at the end of the day there are 3 types of people.

      1. The people that throw garbage into our world

      2. The people that drive by the garbage and bitch about it being there. "TSK TSK", they say, "Someone should do something".

      3. The people that do something.

      Put me in the last category, put you in category 2. If you're not part of the solution, then you're part of the problem, so in truth, you go right back to category 1. Perhaps if you joined me in category 3 the world would be a better place.

      cluge
      AngryPeopleRule

      --
      "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  5. Vigilance != "vigilante" by Doc Ruby · Score: 5, Interesting

    Vigilance, watching for problems that affect our community, and then telling the community about noticed problems, is what is known as "civic duty". Using authorized access to community resources, then notifying the community that such access creates risks greater than they accepted, or expected, is a community service. Especially when that access, authorized by the community itself (e.g. via a webserver), has subtler implications than are discernible to most members of the community (e.g. non-techs). If we see something going wrong, it's our responsibility to tell people about it. That makes everyone safer.

    Vigilantes do more than just find problems. They act on their information, using their judgement to change the problem, supposedly into a solution. But justice is a specialized process, like science. When unqualified people engage in risky acts with dangerous consequences, they expose the rest of the community to unacceptable danger. Looking for problems, and telling us about them, protects us. Acting on one's own, especially without telling the rest of us, creates risks as severe as, or worse than, the "problem" being "solved".

    Eternal vigilance is no vice.
    (with no apologies to Barry Goldwater)

    --
    make install -not war

  6. Where does that stop? by nurb432 · Score: 2, Interesting

    While stopping child porn is a 'noble cause', how far do you take this? Do you report everyone that you see anywhere that does anything you don't approve of, today?

    Do you go out LOOKING for violations of your morals so you can feel good about turning them in?

    Hate to tell you but you also do things that others disapprove of, and are illegal somewhere. Do you want to be next?

    Unless you are directly confronted with a violation of the law, in your face, I say keep your nose out of others' business. Lest it be cut off your face.

    "But it's for the children", yeah right. You just want to be nosy and can't mind your own business. You get what you deserve...

    --
    ---- Booth was a patriot ----
  7. Re:Stumbling is okay... by wassy121 · Score: 4, Interesting

    I completely agree. I have been both the stumblee, and the stumbler. When I accidentally found all the social security numbers of everyone in my school, I emailed the teacher that posted the datafile to a public portion of our shared server (retard). He promptly fixed the problem, and never said anything else about it besides a humble 'thanks'.

    I also have done white-hat work. It is kind of polite to find those 'nice' hackers that will get in through a known hole and just put a HACKER_README in /root. Says how he got in, and that I should close the hole. No rootkit, no security compromise (trust me, I looked for quite some time). This was quite possibly the best kind of vigilante. Saw the problem, exploited it to show that (s)he could, and left.

    I say this guy went a little far with 10k emails. I think 100 would have proven his point, but who am I to judge?

    --
    --If I said something interesting it probably wasn't correct
  8. Re:Yes and No by i love pineapples · Score: 2, Interesting

    Which leads to the question of why this guy had to collect 10,000 screen names + user data?

    Although I don't suspect this to be the case, some people just don't get the fact that they are vulnerable until you slap them in the face with something big. I recently tried to show a client two exploits -- the bigger one was that I could sniff all the usernames and logins into his payroll DB, and the other was that I could crash the client app and bluescreen Windows. He was more impressed by the flashy blue screen than the sniffed packets... probably because the BSoD was a lot "prettier" than the text output of my proof of concept program.

  9. Re:Yes and No by generationxyu · Score: 2, Interesting

    An acquaintance of mine discovered some PHP vulnerabilities in my school's CS website. It was your usual $include from a GET variable crap. Horrible coding. So he published his results, not to the webmaster, whose email address is available on the website, not to the faculty, but to the CS Undergrad mailing list. He also mentioned his website, HackThisSite.org, which had recently been made an ACM project. As a result, he was kicked out of the ACM chapter and of the College of Engineering. He remains a student of the university, but he ruined his choice of major...

    I have to support the decision made by the administrative folks. Pointing out vulnerabilities and how to fix them is one thing. Pointing them out and showing how to exploit them to a large, relatively untrusted population is quite another. I mean, I ran his POC code that showed a directory listing... I imagine others did the same. I also imagine others probably wrote their own code and ran that. He had www access to the server.

    I'm all for finding vulnerabilities. I think if he had handled it better, he would have been touted as almost a hero and not some malicious kid. But he didn't.

    --
    I mod down pyramid schemes in sigs.
  10. He doesn't deserve vigilantism; He needs guidance by ezraekman · Score: 2, Interesting

    It seems to me that you're missing an important point of the guy's e-mail to you:

    He sent you a warning.

    And not only that; he probably sent it to everyone on his list of "thousands of member names". Don't you wonder why YOU of all people received it, having no previously existing relationship with him? It's because you *weren't* the only one who received it. At least two people who replied to your Spymac post had also received it, so you're obviously not the only one.

    The guy was clearly concerned with a vulnerability at Spymac, not trying to take advantage of it. Don't you detect the mild sarcasm he used? The guy isn't recruiting accomplices; he's making a statement to members.

    The guy says (paraphrased) that he just got hold of all this info. Coupled with [public member info] and [specific techniques], he could compile a very complete list of member data. Now, he says he could do [evil thing1], [evil thing 2] or [evil thing 3]... or, "or simply ask Spymac to GET THEIR ACT TOGETHER and FIX EXISTING PROBLEMS like this gaping security hole before they introduce ever new functions?? I should never have been able to get my hands on this!"

    Uh, hello? That was a direct quote, with his emphasis, not mine. He's not a criminal (yet, anyway), and he doesn't deserve any kind of justice, vigilante or otherwise. He's simply made it blatantly obvious to at least one user (you) of a service that their data is not secure.

    Now, maybe it would be appropriate for you to contact the Spymac folks to make them aware of the issue. (If they aren't already, based on the fact that many of their employees probably have their own accounts, and that he's probably e-mailed quite a few people, if my assumption is not off.) It might also be appropriate to contact him directly (if possible) and make sure he's... "guided" to the proper methods for disclosure of the data to the applicable folks and deleting it. But to go after him for doing nothing more than producing an effective proof-of-concept... he doesn't deserve what you're asking about.

    Of course, it's possible that he hacked their server... but it doesn't sound like it. He said "Played around the other day with Spymac and suddenly... I couldn't believe my eyes: A list with thousands of member names right there in front of me! " That *could* be hacking (perhaps some vigilante reconnaissance would be appropriate), but something makes me doubt it.

  11. #startrekpl and script kiddies. by SharpFang · Score: 2, Interesting

    Some script kiddie kept taking over the Polish Star Trek fan channel on IRC. Admins ignored complaints. ISP ignored complaints. Police ignored complaints. So guys tracked down his IP, found his home address, paid him a visit, broke a few bones and left.
    Police ignored complaints.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  12. Re:There is no centralized enforcement on the Net by burns210 · Score: 2, Interesting

    "Until there is a real sheriff on the net"

    OK, so who should be the sheriff?

    USA? Well, we invented the damn thing, but no. A single sovereign nation should not be censored by another (American) nation. No country should be given control.

    Each nation does their part? Well how should Censorasia (a hypothetical nation) censor out information from a non-Censorasia based website?

    UN: F* that. Who gets to decide what is 'censored' or what is 'illegal'? A bunch of politicians in a completely non-militaristic group? That is like appointing a six-year-old girl to guard a keg of beer in the middle of a major university, with her only defense being 'hey, that isn't yours, stop it!'...

    Answer: There is, and should be, no censorship, governing body, or central point on the internet. Period.

  13. Re:Vigilantes, I support you! by Anonymous Coed · Score: 2, Interesting

    Actually, can you prove the earth was not created last Thursday?