Slashdot Mirror


What Do You Think of Online Vigilantes?

gwoodrow asks: "I'm a member of the (primarily) Mac community Spymac. I originally joined for the 1 gb of email, but eventually found myself joining in on discussions in the forum. Today, I received an email from a supposedly anonymous Spymac member ("supposedly" because the smart guy didn't mask his IP). Basically, it said that he or she had harvested 10,000 member screen names/email addresses from Spymac's pages and that this, paired with the ability to view individual members' profiles, created a major problem because of the extent of information so readily available. The email this person sent out and the forum discussion that follows are available here. All cracks and personal opinion about Spymac aside, what do Slashdot members think of online 'vigilante' justice?" "Some viruses are released with little notes within that say things like - 'this is why you need to do X or Y to fix your software'. Some hackers have also gained infamy by hacking a major system allegedly to help. Do you support such actions and why? Are virus/trojan writers, hackers, and spammers doing a noble deed or going about things in the wrong way? If you don't agree generally, are there exceptions when online vigilantes are fully in the right? Is the accessibility of vulnerabilities a good excuse to partake in such actions, or should there be ethical bounds regardless?"

51 of 273 comments

  1. Vigilantes, I support you! by Anonymous Coward · · Score: 5, Funny

    Please don't hack my computer at 127.0.0.1. Thanks!

    1. Re:Vigilantes, I support you! by RLiegh · · Score: 5, Funny

      Damn; whoever that is has some GREAT porn!!!

    2. Re:Vigilantes, I support you! by jayhawk88 · · Score: 4, Funny

      The sun rises in the east and sets in the west.
      Spring follows Winter follows Fall follows Summer follows Spring.
      The moon follows its phases across the sky, the constellations move in the same patterns that they have for 10,000 years, and the planets dance the same waltz they have since the dinosaurs roamed the earth.

      Yet none of these things is as predictable as a "127.0.0.1" joke in a Slashdot article about hacking.

    3. Re:Vigilantes, I support you! by Anonymous Coed · · Score: 2, Interesting

      Actually, can you prove the earth was not created last Thursday?

  2. If you know who it is by John Harrison · · Score: 5, Interesting

    Report it to the authorities. Alternately, post the info here on /. and then don't worry about it. Somebody will do something, and it won't be you.

    1. Re:If you know who it is by philbert26 · · Score: 2
      Report it to the authorities. Alternately, post the info here on /. and then don't worry about it. Somebody will do something, and it won't be you.

      Report him for what? He doesn't seem to have committed any crime. His email isn't spam (under CAN-SPAM), because it's not commercial. He threatens to send spam, but while that may be in poor taste, it is pretty obviously not a serious threat. I know he tried to hide his identity, but that is probably to avoid the wrath of Spymac rather than his fellow users.

      I know some people consider any unsolicited email to be spam, but IMO, if you have a public profile that reveals your email address, you should expect to get email from people who read that profile. If you don't like that, then your profile shouldn't reveal your email address. QED.

  3. No damage... by bas148 · · Score: 3, Insightful

    no problem. They help by pointing out vulnerabilities as long as they don't actually exploit them to do harm to whoever.

  4. vigilantes should not do damage by slazar · · Score: 2, Insightful

    My take is that vigilantes should not do any damage. Poking around a system, finding a vulnerability and then reporting it to the responsible party (not immediately to the public) is ok in my book. Instead of mailbombing your enemy, use social tactics to discount/disprove your enemy's arguments. Oh, and first post! :)

    1. Re:vigilantes should not do damage by PrvtBurrito · · Score: 2, Insightful

      vigilantes cease to be useful when they become indistinguishable from the crackers. In this case, the author should have emailed the administrators and, if response wasn't forthcoming, the guy should have left the system.

      --
      Laboratree - Scientific collaboration based on OpenSocial.
  5. i'll just kick your door in by vena · · Score: 5, Interesting

    to show you how much you need a deadbolt.

    yeah, no, that sounds like a bad idea.

    1. Re:i'll just kick your door in by druhol · · Score: 2, Insightful
      While I agree with the rest of your points, this one;

      Secondly, you've intruded my house without my consent. You have violated my privacy in the real world. This is totally different from breaking into a computer, because you shouldn't have expected any privacy anyway, if you hooked it up to the outside world.

      just doesn't work. That's like saying "Well, you didn't build a ten-foot-high wall around your house, thus completely sealing it off from the outside world, so you forfeit your right to privacy."

      The simple fact is, the data contained on someone's computer is their property. Someone else has no more right to access it without the owner's consent than our mythical do-gooding-door-kicker does to bash in someone's door.

      --
      WWD4D?
    2. Re:i'll just kick your door in by cynic10508 · · Score: 2, Insightful

      Two interesting analogies but they're twisted together. They should be: 1) damage/theft to physical objects is the same as to digital ones; and 2) a third party who stores your objects has a duty to protect them.

      So the first analogy says that breaking into my system really is the same as kicking down my door. You've done damage, tampered with my logs, broken executables, etc. Intent is irrelevant since the results are the same.

      The second analogy is like the doctors' office. They have a duty to keep your private (health) data locked up. Digital firms such as Spymac are under the same onus.

    3. Re:i'll just kick your door in by zcat_NZ · · Score: 2, Interesting

      Here's a better analogy; you pay '$fuckknows' per month to a storage company to keep your stuff safe in a storage locker. One day you turn up to check on it and there's a note about the storage company's lack of security from someone who has obviously had access to your storage locker. Would you prefer not to know, and wait until someone else comes along and takes stuff?

      --
      455fe10422ca29c4933f95052b792ab2
  6. What do I think? by pedantic bore · · Score: 4, Interesting
    They're criminals.

    This is like me punching someone in the nose and saying "Why didn't you take karate lessons, for crying out loud? It's your own fault it's so easy for me to punch you. You should consider this assault a personal favor."

    --
    Am I part of the core demographic for Swedish Fish?
    1. Re:What do I think? by Draconix · · Score: 2, Insightful

      Did you RTFA? In the legal sense, they are criminals, but it's not like punching someone in the nose at all. It doesn't do any harm to those they hack--except, perhaps, in some of the virus cases--and they're doing people a favor of showing them the security holes are there before someone less kind uses them to do actual damage. People get _paid_ by network owners to hack into the networks and find exploits. These people are doing it for free. Good for network owners, bad for paid hackers.

      --
      By reading this you acknowledge that you have read it.
    2. Re:What do I think? by Anonymous Coward · · Score: 2, Insightful

      I'm amazed that, in this day and age, people still find equivalents regarding meatspace. You'd think after so many years of online activity being somewhat commonplace, people would realize there are differences between computer transgressions and physical, in-person crimes.

      (This is more like having sex on your first floor forgetting to draw the blinds and you get seen by some peeping Tom. The Tom is in the wrong but you're an idiot for not checking some minimal level of security.)

      (Yes, if someone manages to punch you in the nose and you were unaware, he's in the wrong and if you pressed charges, I hope he gets his ass thrown in jail, but I also think you need to be aware of your surroundings.)

      Computer trespass or transgressions are not perfectly or even well-correlated to real world examples. In some cases, there is little to no damage. In others, there is huge damage.

      Punching someone in the face is a huge difference than hacking a system. I'm not saying hacking a system is not a crime, but if the system is set up improperly, the fault does not fully rest with some curious individual. It also plays on the community for not being aware of the system insecurities or from protecting their identities.

  7. Assumption of anonymity by Stubtify · · Score: 5, Informative

    Why is it people expect to be anonymous online still? If you want to interact with people and have them know your name, birthday, address, etc then that's up to you. However no one is stopping you from using a fake last name/address/bday and still interacting on the same level. Why is it people put personal data in obvious places, and then get mad when someone shows how easy it is to discover that data?

  8. Yes and No by Cranx · · Score: 4, Insightful

    Discovering weaknesses is good. Exposing them publicly without giving the vulnerable company time to fix them is bad.

    1. Re:Yes and No by Dr. GeneMachine · · Score: 4, Insightful

      Quite right. Which leads to the question why this guy had to collect 10000 screen names + user data? It would have sufficed to show that it can be done and to report it to the company, and, if the company shrugs it off, to the user base. Finding and reporting weaknesses is one thing, exploiting them yourself for greater effect is at least questionable.

      --
      This comment does not exist.
    2. Re:Yes and No by i love pineapples · · Score: 2, Interesting

      Which leads to the question why this guy had to collect 10000 screen names + user data?

      Although I don't suspect this to be the case, some people just don't get the fact that they are vulnerable until you slap them in the face with something big. I recently tried to show a client two exploits-- the bigger one was that I could sniff all the usernames and logins into his payroll DB, and the other was that I could crash the client app and bluescreen windows. He was more impressed by the flashy blue screen than the sniffed packets... probably because the BSoD was a lot "prettier" than the text output of my proof of concept program.

    3. Re:Yes and No by generationxyu · · Score: 2, Interesting
      An acquaintance of mine discovered some PHP vulnerabilities in my school's CS website. It was your usual $include from a GET variable crap. Horrible coding. So he published his results, not to the webmaster, whose email address is available on the website, not to the faculty, but to the CS Undergrad mailing list. He also mentioned his website, HackThisSite.org, which had recently been made an ACM project. As a result, he was kicked out of the ACM chapter and of the College of Engineering. He remains a student of the university, but he ruined his choice of major...

      I have to support the decision made by the administrative folks. Pointing out vulnerabilities and how to fix them is one thing. Pointing them out and showing how to exploit them to a large, relatively untrusted population is quite another. I mean, I ran his POC code that showed a directory listing... I imagine others did the same. I also imagine others probably wrote their own code and ran that. He had www access to the server.

      I'm all for finding vulnerabilities. I think if he had handled it better, he would have been touted as almost a hero and not some malicious kid. But he didn't.

      --
      I mod down pyramid schemes in sigs.
  9. Stumbling is okay... by applef00 · · Score: 5, Insightful

    My opinion has always been that if you stumble across something, then you should absolutely tell those that need to know, and NOT the general public (at the very least, not until those responsible have had a reasonable chance to repair whatever the problem was). However, purposely breaking in to private servers to show how much they need to beef up security (or similar such actions) is tantamount to breaking in to someone's home to show how bad their door locks are; it's breaking and entering, and it's a crime. If you want to do penetration testing, you really need to get permission from the owner before they start tearing in to their system.

    1. Re:Stumbling is okay... by Stalus · · Score: 2, Insightful

      I think a lot of people are missing what's happening here. This wasn't someone breaking into private servers - he just collected some data that was publicly available, used those usernames to make e-mail addresses, and pointed out that he could look up profiles that are also public and get a lot of information about people. There's nothing illegal here. Annoying, yes. Illegal, no.

      Some of the people in that thread said that they had mentioned this before and it was ignored, so it's also not a case that those that ran the system didn't know. Sometimes it takes public outcry to convince people to do anything about it.

      As far as the vigilante thing goes, I think that comes up because people want to attack this guy that e-mailed them. And, frankly, I think that's wrong. I have a bigger beef with all the paper ads I get in my postal mail - it's a waste of paper and a lot of trash.. but you don't see anyone threatening them.

  10. Re:vigilantes DO damage by quiranus · · Score: 3, Insightful

    NO - that's not ok. How is the victim (i.e. the one 'visited' by the vigilante) to know that the vigilante just poked around and didn't leave any nasty things behind? Who's to say it actually was a vigilante and not, say, a competitor faking to be one? General security best practices say: if a system is compromised, rebuild. Rebuilding systems cost time. Time is money. Vigilante actions result in monetary damage. It's not ok.

  11. Do you know what the word "Vigilante" means? by autopr0n · · Score: 4, Informative

    Because it seems like you don't. A vigilante is someone who tries to bring people to justice by working outside of the law. The key here is that they are doing something which they believe is morally right.

    From your description, it sounds like someone just... grabbed some published information and started threatening people with it. There's no indication in your writeup that this person was even trying to do something 'good'.

    --
    autopr0n is like, down and stuff.
  12. Re:reportchildporn.com by julesh · · Score: 5, Insightful

    anyone who uses p2p apps should join up. they request that you only report websites and stuff, but ips and timestamps are probably fine. all the reports are forwarded to the appropriate law enforcement agency.

    Problem is, without downloading it, how do you tell what's child porn? Don't tell me you can tell by the filename, because you can't. There are people out there who label ordinary stuff as child porn. I don't know why, maybe because that makes more people download it (??).

    And if I had downloaded some, I'd delete it quick and not tell anyone, just in case. Call me paranoid, but too many people have got themselves in trouble by trying to help out lately.

  13. Speed of the Internet vs The speed of Justice by cluge · · Score: 5, Interesting

    Considering the lack of speed and sometimes lack of ability when it comes to investigating cyber crimes, online vigilantes may be the only option. This type of behavior does 2 things.

    1. It provides some deterrent

    2. It forces law enforcement to step up to the plate.

    Example? There is an on line porn site that has pictures of a girl, about the ago of ten having hard core sex with an adult. I found out because a domain I admin with a catch all e-mail was recieving bounces from this sites spam. I reported it. Nothing happened for a few days so I traced the actual source of the pictures to a freeserver. The pictures were removed in minutes, I continued to follow the sites from free server to free server until it stopped working (I haven't checked in a while).

    I made that person's life more difficult and hopefully caused him to leave more "trails". Each free server admin I talked to said that they would save any logs that they had. Now why couldn't the police do what I did for the 2 weeks or so?

    cluge
    AngryPeopleRule

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
    1. Re:Speed of the Internet vs The speed of Justice by cluge · · Score: 2, Interesting

      1) What do you do when some person tracks you down and shoots you because you were causing problems? If it had been a launder of money for an organized crime outfit, they may very well have killed you.

      They had better be a better shot than I. I live in a state where it is legal to defend myself.

      2) It makes it harder for law enforcement to do their job.

      I call BOVINE FECES

      There is no reason law enforcement needed to keep you informed of what they were doing.

      I just asked them to do something, I don't want a blow by blow, or a window into their investigation. Hell HOW ABOUT A REPORT NUMBER? Oh - it's a domain hosted in Russia? with false information? sorry - try again. That's why I did something.

      It could be irresponsible to do so, especially if they had to keep track of telling you the information. Once that caught someone, the lawyer would have demanded a look of how the case was handled, and if your name comes up, well then look at #1

      The truth is that law enforcement rarely does anything in cases like this (or so it seems). Logs are usually dead ends, proxy servers in Turkey through proxy servers in Costa Rica. I've been told that they give up pretty quick, especially if the primary domain is hosted in Russia or China.

      3) Who is to determine what justice is? If I found out it was my missing daughter, and that law enforcement was working on it, and you caused the site organizer to flee before that could be arrested, I would show you what vigilante justice means...for days.

      If it was your daughter you would be damn glad that I got those pictures taken down, and that I forced the culprit to leave many, many, more trails. If the police had REALLY wanted to keep a site up to try and track someone, they would have contacted the free server admins. Once contacted, then my request would be ignored.

      How do I know this? At my job at 3 different ISPs I've worked with both the FDLE (Florida Department of Law Enforcement), the RCMP in Canada, and the FBI. They send you a subpoena for logs, or send you a court order for a tap, you send them the information. You are asked to make no changes to the account, and to even keep an account open that is past due. Let's be totally honest, my efforts would have never interfered with legitimate police work. What my efforts did was get the horrible pictures of a little girl taken down. I reported the site to law enforcement, and I reported the site to the missing and abused children online site.

      I guess at the end of the day there are 3 types of people.

      1. The people that throw garbage into our world

      2. The people that drive by the garbage and bitch about it being there. "TSK TSK", they say, "Someone should do something".

      3. The people that do something.

      Put me in the last category, put you in category 2. If you're not part of the solution, then you're part of the problem, so in truth, you go right back to category 1. Perhaps if you joined me in category 3 the world would be a better place.

      cluge
      AngryPeopleRule

      --
      "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  14. As long as they wear...... by ericdano · · Score: 4, Funny
    As long as they wear tight fitting clothes, have whips, and basically look like Catwoman or Sandra Bullock all will be well.

    Maybe I'll misbehave a little to get some "punishment" ;-)

    --
    It's either on the beat or off the beat, it's that easy.
    I moderate therefore I rule!
  15. Slashdotting by maximilln · · Score: 2, Funny

    Isn't being slashdotted a form of vigilante justice?

    --
    +++ATHZ 99:5:80
  16. Re:vigilantes DO damage by TRACK-YOUR-POSITION · · Score: 2, Insightful
    How is the victim (i.e. the one 'visited' by the vigilante) to know that the vigilante just poked around and didn't leave any nasty things behind?

    That's the point of the vigilante--if he or she can get in, that means someone else could have ALREADY gotten in and left things in there. If the vigilante can get in, then you already have to rebuild--it's just a question of whether you KNOW whether you have to rebuild. No point in killing the messenger.

  17. Ebay Vigilantes by stibles · · Score: 3, Informative

    Ebay has a problem with fraud. Especially in electronics/computer auctions. They do, in fairness to them, attempt to monitor and control fraudulent auctions, but clearly they are losing the battle. There has been an individual lately trying to sell the new Motorola V710 on eBay. (It is as yet unreleased.) A number of people have determined that beyond using the regular channels, such as registering a complaint with eBay, they (or one person in particular) need to take more aggressive action and have managed to "guess" the password to the AOL account that the auctioneer is requesting correspondence to. He made it clear a couple of times that he "guessed" the password, but didn't "hack" the account. Despite what I may think about auction scammers, taking the law into your own hands is foolish. You are opening yourself to civil and possibly criminal liability. Is it worth it? Doubtful. In today's paranoid security landscape, regardless of your intent, you could easily wind up being the scapegoat. Last I checked, any attempt to access a service which you are not licensed to use is a crime. ie, You can "scan" whatever you want, but as soon as you connect... BLAMO! Off to the slammer you go!!! A word to the wise.

  18. What you need is some real vigilantes. by techno-vampire · · Score: 2, Insightful
    You people need to set up a vigilance committee to bring the spammers and phishers preying on your site to justice. The twit that stole those addresses would be a good place to start. As others have posted, whoever did that isn't a vigilante, he's a target for them. I don't really think he meant any harm by what he did, but by making his exploit public, he's not only exposed a vulnerability in a very irresponsible fashion, he's exposed himself to retaliation.

    Back in The Old West, when the law was too weak or too thinly spread out to control outlaws and bandits, various towns set up secret societies known as "Vigilance Committees." They took the law into their own hands, arrested felons and, when they had to, they executed them. Their members were known as vigilantes, and that's where the term came from. Today, mailbombing or otherwise DOSing spammers is a form of vigilante activity. Finding the electronic equivalent of a broken lock on a door and shouting out to the world, "Here's where you can get in for free!" is just plain stupid.

    --
    Good, inexpensive web hosting
  19. Vigilance != "vigilante" by Doc Ruby · · Score: 5, Interesting

    Vigilance, watching for problems that affect our community, and then telling the community about noticed problems is what is known as "civic duty". Using authorized access to community resources, then notifying the community that such access creates risks greater than they accepted, or expected, is a community service. Especially when that access, authorized by the community itself (eg. via a webserver), has subtler implications than are discernable to most members of the community (eg. non-techs). If we see something going wrong, it's our responsibility to tell people about it. That makes everyone safer.

    Vigilantes do more than just find problems. They act on their information, using their judgement to change the problem, supposedly into a solution. But justice is a specialized process, like science. When unqualified people engage in risky acts with dangerous consequences, they expose the rest of the community to unacceptable danger. Looking for problems, and telling us about them, protects us. Acting on one's own, especially without telling the rest of us, creates risks as severe as, or worse than, the "problem" being "solved".

    Eternal vigilance is no vice.
    (with no apologies to Barry Goldwater)

    --
    make install -not war

  20. Where does that stop? by nurb432 · · Score: 2, Interesting

    While stopping child porn is a 'noble cause', how far do you take this? Do you report everyone that you see anywhere that does anything you don't approve of, today?

    Do you go out LOOKING for violations of your morals so you can feel good about turning them in?

    Hate to tell you but you also do things that others disapprove of, and are illegal somewhere.. Do you want to be next?

    Unless you directly are confronted with a violation of the law, in your face, I say keep your nose out of others' business.. Lest it be cut off your face ..

    "but it's for the children", ya right.. you just want to be nosy and can't mind your own business. You get what you deserve...

    --
    ---- Booth was a patriot ----
    1. Re:Where does that stop? by lavar78 · · Score: 2, Funny
      no, i was molested by the babysitter's brother when i was like 6. fuck the children, it's about revenge.
      But if you fuck the children, you're just continuing the vicious cycle.
      --
      "Dave, I stand still--the conclusions jump to me!" - Bill McNeal, NewsRadio
  21. Police response by ca1v1n · · Score: 2, Insightful

    Generally speaking, if there's not an overt threat of violence or massive infrastructure damage, and no money is stolen, you just can't get anyone in law enforcement to listen. This is why I don't have a huge problem with SYN flooding someone who's mailbombing your server until the mailbombing stops. That's just self-defense. If you keep SYN flooding after the mailbombing stops, then you're just attacking an arbitrary IP address that could now belong to someone else, or could have belonged to a (now fixed) zombie, or whatever else. That's reckless.

    Law enforcement is trying to get a better handle on internet fraud, but there's so much of it going on and they have so few resources to attack it that vigilante efforts to stop or mitigate the attacks are about our only options in many cases.

    If I shoot a gun at a guy who's robbing a bank at gunpoint, I'm probably okay with the law. If I pull out my gun, close my eyes, wave it around, and pull the trigger several times at random, I'm not okay with the law.

    If I get a guy in a headlock to break up a fight, I'm probably okay with the law. If he walks away from the fight and I put him in a headlock then, I'm not okay with the law.

    You're generally allowed to do things to people you wouldn't otherwise be allowed to do if they weren't committing a crime, but you have to be certain that you're not doing these things to innocent people as well. The internet makes that quite difficult at times. You also have to restrain your response to be proportional to what you're trying to prevent. "Imperfect self-defense" can often get murder reduced to manslaughter, but you still do time for it.

  22. Re:vigilantes DO damage by Artifakt · · Score: 4, Insightful

    First, I agree with you, if you mean that it's better to hear the news from a typical vigilante than to only find out when your most sensitive information appears in the hands of a competitor or plastered all over the net.
    Second, that's part of a larger picture. If you get hacked by a script kiddie, and he only appears to get to your web server, the same questions apply. Are you lucky to get the wake up call from a mere website defacement instead of finding a trojan that's been sitting for months in accounts receivable? Possibly, but how do you know the intruder only got in as far as it first appears, and how do you know no one else better than him hasn't done more? It's all a spectrum, from a vigilante who really didn't screw up anything, to one who accidentally did some damage, to a web site defacement that's easy to fix and relatively harmless, to harvesting personnel information for head hunters, to harvesting customer information for spam lists, to the most serious crimes that can cost a company millions.
    Anybody who falls victim to one of the less serious sorts can breathe a sigh of relief that it wasn't one of the worse ones, and for their blood pressure's sake they probably should, but they still need to think about what it implies about their chances the next time will be successful, and for worse consequences.

    --
    Who is John Cabal?
  23. Two types of online vigilante by tehanu · · Score: 2, Insightful

    Vigilantes are common where there is no effective law enforcement. This is not just on the web. In real-life, if there is no effective police force, people will grab a gun and use it to defend their home, work and friends and damn the law. People obey the law when they think it protects them and is fair. This is known as true anarchy. You could see this happening in the post-war looting in Iraq (and still today) where you had surgeons in hospitals wearing scrubs and toting guns. But it is generally true of any society. In crime-ridden areas where there is little effective law enforcement, people form gangs that enforce their own law outside of the proper legal system. People seek protection and order and if the law does not give this to them then they will take matters into their own hands. Hence vigilante actions on the web such as hunting people down are going to continue as long as there is no effective legal recourse that is easily and quickly available to everyone (such as dialing the police).

    OTOH "vigilante" actions like writing viruses are a different matter. It's akin to street protests or graffitiing public places with slogans. The first type of vigilante action is a matter of personal protection. The second type is to do with making a statement. Perhaps we should use as a yardstick the comfort level we have with street protests? When does a protest or making a statement go too far?

  24. There is no centralized enforcement on the Net by DrDebug · · Score: 3, Insightful

    The internet is not centralized; there is no one central authority. It is like the Wild West. Good citizens keep to themselves and operate under common decency and common sense. But there are always some malcontents (spammers, virus creators etc) that feel they can do whatever they feel to whoever they want with small fear of retribution.

    Some governments are just now awakening to the threats of these malcontents, and have passed laws against them. Of course, these laws are next to useless, because the net transcends international geopolitical boundaries.

    So what is a decent net citizen to do? Nothing? Scream and cry until the lawmakers listen?

    Until there is a real sheriff on the net, vigilante groups may be the only answer. Small groups of net-aware individuals who can root out the bad guys and administer some well-deserved justice. Some may call them net terrorists, but if they leave the good people alone, I would call them patriots.

    Will the law go after these patriots? The law may turn a blind eye if these groups keep the peace. Besides, what can the law do to the net patriots that are trying to make things better when they can't even go after the malcontents?

    I'm all for vigilantes, until we get a real sheriff in town.

    1. Re:There is no centralized enforcement on the Net by burns210 · · Score: 2, Interesting

      "Until there is a real sheriff on the net"

      OK, so who should be the sheriff?

      USA? Well, we invented the damn thing, but no. A single sovereign nation should not be censored by another (America) nation. No country should be given control.

      Each nation does their part? Well how should Censorasia (a hypothetical nation) censor out information from a non-Censorasia based website?

      UN: F* that. Who gets to decide what is 'censored' or what is 'illegal'? A bunch of politicians in a completely non-militaristic group? That is like appointing a six-year-old girl to guard a keg of beer in the middle of a major university, with her only defense being 'hey, that isn't yours, stop it!'...

      answer: There is, and should be no censorship, governing body, or central point on the internet. Period.

  25. More like turning the door knob by Secrity · · Score: 3, Insightful

    and finding it unlocked. Leaving the door unlocked is a bad thing. It is an even worse thing to leave a door open when the things that could get stolen belong to other people.

    1. Re:More like turning the door knob by Pharmboy · · Score: 3, Insightful

      Actually, I read about half the forum posts in that thread. Lots of "let's string him up" and "I am so offended, this is spam!". Now please, don't get me wrong, but it seems like a lot of people pissing and whining about ONE email from someone who was trying to WARN everyone of a security problem, in a way that is probably not good. So what?

      They seemed all freaked out and disturbed. The first thing I thought was that these guys won't make it in the real world, dealing with real problems, contracts, business deals and real life frustration. I understand not liking it, but if you read the actual forums, half the crowd is freaked out beyond all common sense.

      These can NOT possibly be nerds. Most nerds I know have had a box 0wned once or twice, or a site defaced, etc. *Real* problems that had to be dealt with. But so someone has a list of your email addresses. I can simply wget the forums, write about 40 lines of code to grep out the user names, and build the same damn list.

      Get over yourselves Mac/spy/wannabes.

      --
      Tequila: It's not just for breakfast anymore!
  26. Jeez! by ProudClod · · Score: 2, Insightful

    19 pages in that thread and nobody has come up with the obvious solution.

    In a forum the size of spymac, members viewing this thread/online is useless - needle in a haystack style.

    To get a gauge of popularity, why not have "number of members viewing this page" rather than the whole list?

    If users want to know when their friends are online, then they could implement a vBulletin style "buddy list" in the member's control panel.

    --
    Gamers Europe - Gaming News. Reviews.
  27. Re:vigilantes DO damage by TRACK-YOUR-POSITION · · Score: 2, Insightful
    That's the responsibility of law enforcement and only within certain boundaries.

    Have you ever heard of the government doing that? They may investigate break-ins that admins report, but they don't seem to do anything to confirm the security of the user's data that admins are trusted with.

    No one likes a gadfly--but that's just how life works. Customers have a right to know if admins refuse to run secure systems.

  28. Good Samaritan or Civil Disobedience, Not Vig. by Anonymous Coward · · Score: 2, Informative

    Doing what was described here is not being a "vigilante"--A vigilante is a private citizen (lacking official authorization--not a police officer or other governmental authority) who catches and/or punishes criminals for crimes outside of the established legal system. What this guy did was identify a security weakness and used it to make a point about it. That sounds either like civil disobedience, a technical infraction done to prove a point more than to cause actual damage or harm, or being a "good samaritan" in that he identified a problem and offers to help solve it even though he has no obligation to do so. Since (at this point) no law has been broken, there is nobody to catch, and no opportunity for a "vigilante" to act. If someone bad did get the list of members and sold it to a spammer, and I found out who did it and gave him a black eye in retribution, I'd be the vigilante.

  29. Re:Stumbling is okay... by wassy121 · · Score: 4, Interesting

    I completely agree. I have been both the stumblee, and the stumbler. When I accidentally found all the social security numbers of everyone in my school, I emailed the teacher that posted the datafile to a public portion of our shared server (retard). He promptly fixed the problem, and never said anything else about it besides a humble 'thanks'.

    I also have done white-hat work. It is kind of polite to find those 'nice' hackers that will get in through a known hole and just put a HACKER_README in /root. Says how he got in, and that I should close the hole. No rootkit, no security compromise (trust me, I looked for quite some time). This was quite possibly the best kind of vigilante. Saw the problem, exploited it to show that (s)he could, and left.

    I say this guy went a little far with 10k emails. I think 100 would have proven his point, but who am I to judge?

    --
    --If I said something interesting it probably wasn't correct
  30. He doesn't deserve vigilantism; He needs guidance by ezraekman · · Score: 2, Interesting

    It seems to me that you're missing an important point of the guy's e-mail to you:

    He sent you a warning.

    And not only that; he probably sent it to everyone on his list of "thousands of member names". Don't you wonder why YOU of all people received it, having no previously existing relationship with him? It's because you *weren't* the only one who received it. At least two people who replied to your Spymac post had also received it, so you're obviously not the only one.

    The guy was clearly concerned with a vulnerability at Spymac, not trying to take advantage of it. Don't you detect the mild sarcasm he used? The guy isn't recruiting accomplices; he's making a statement to members.

    The guy says (paraphrased) that he just got hold of all this info. Coupled with [public member info] and [specific techniques], he could compile a very complete list of member data. Now, he says he could do [evil thing1], [evil thing 2] or [evil thing 3]... or, "or simply ask Spymac to GET THEIR ACT TOGETHER and FIX EXISTING PROBLEMS like this gaping security hole before they introduce ever new functions?? I should never have been able to get my hands on this!"

    Uh, hello? That was a direct quote, with his emphasis, not mine. He's not a criminal (yet, anyway), and he doesn't deserve any kind of justice, vigilante or otherwise. He's simply made it blatantly obvious to at least one user (you) of a service that their data is not secure.

    Now, maybe it would be appropriate for you to contact the Spymac folks to make them aware of the issue. (If they aren't already, based on the fact that many of their employees probably have their own accounts, and that he's probably e-mailed quite a few people, if my assumption is not off.) It might also be appropriate to contact him directly (if possible) and make sure he's... "guided" to the proper methods for disclosure of the data to the applicable folks and deleting it. But to go after him for doing nothing more than producing an effective proof-of-concept... he doesn't deserve what you're asking about.

    Of course, it's possible that he hacked their server... but it doesn't sound like it. He said "Played around the other day with Spymac and suddenly... I couldn't believe my eyes: A list with thousands of member names right there in front of me!" That *could* be hacking (perhaps some vigilante reconnaissance would be appropriate), but something makes me doubt it.

  31. Re:cover all yer bases by Doomdark · · Score: 4, Informative
    And if good old Noah's flood did happen it might have screwed up the climate something rotten so there goes the basis for carbon dating (carbon ratios in the atmosphere).

    Doh. "might have screwed up"? I'll counter with "no it wouldn't". Care to explain why exactly that would have made it invalid, or skew results significantly enough to produce multiple magnitudes of order discrepancies? And your "Adam and Eve" angle was truly bizarre: are you claiming they lived in there for eons before that supposed 6000 year period started? Or that unlike the bible says, there was a specific, gasp, l Granted, similar excuses are rather common with fundamentals, but I'd expect more from someone who truly tries to convince crowd (Slashdot readers) that supposedly has stronger natural science background than the average US population.

    Your comment is either a fundamentalist's sly take on abusing the (too) common relativist attitude of too many people (even educated ones have), or part of that apathetic relativist agenda. "In fairness' sake, let's consider unfounded claims of one non-open minded party, no matter how easily debunkable they are" (as in trying to claim evolution a "controversial" subject when it's not one at all). That's not fairness, that's being gullible and letting fanatic minority abuse the good nature of people (well, plus bad self esteem less educated folks have WRT anything smelling of "science").

    The debates between fundamentalists with their cemented views (having painted themselves in corner with fundamentalist interpretation of their holy book, be it bible, quran or whatever) and scientists (or people with strong natural science background) are uneven battles of wits, one side generally being unarmed. The end result is that "intelligent design" proponents end up pointing ostensible contradictions in tiny details, and trying to convince those completely derail whatever theory are railing against.

    Finally, note that while I do consider fundamentalist believers bunch of ignorant cuckoos, I have no problem with normal pragmatic religious people. Most christians do NOT believe in literal interpretation of the bible; only the vocal minority in US of A tries to present different picture.

    --
    I like paying taxes. With them I buy civilization -- Oliver Wendell Holmes
  32. #startrekpl and script kiddies. by SharpFang · · Score: 2, Interesting

    Some script kiddie kept taking over the Polish Star Trek fan channel on IRC. Admins ignored complaints. ISP ignored complaints. Police ignored complaints. So guys tracked down his IP, found his home address, paid him a visit, broke a few bones and left.
    Police ignored complaints.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  33. Re:They're worse than the crimals themselves by sik+puppy · · Score: 2, Insightful

    One of the big reasons for vigilantes is the lack of response from authorities.

    I'd love to see a little justice done to the big spammers, and to the 419 people. The law won't do anything unless enough money is involved to get the bureaucrats off their butts.

    --
    The first thing we do, let's kill all the lawyers. Shakespeare, Henry VI, Part 2, Act 4, Scene 2