On Fri, Sep 13, 2002 at 09:42:26AM +1000, Geoff Crompton wrote:
> I can see that sending an email is an appropriate legal, and
> responsible course of action.
> However to make his servers beep, you still need to perform an illegal
> act of cracking into his box. Regardless of what you intend to do when
> you get in there, it is still unauthorized access to the computer. If
> it is legal to crack a box for 'good' reasons, what do you think the
> real crackers will say they were doing if they get caught?

Nobody's catching "real crackers". As long as the Internet remains like the wild west, following good morals, even if you are technically in violation of the law, is ok. Let me explain why I think this is morally OK:

Cracking a machine in the first place is a Bad Thing. Once the admin finds out about it, they basically have no choice but to re-install everything from trusted sources. However, if a box has already been cracked, further crackings don't increase the work of re-installing, or anything (assuming the further crackings don't delete or damage other files). Thus, I don't see exploiting an already-cracked box to try to get someone to patch it, as long as you don't actually do any damage.

It's possible that you might mistakenly think a box was Nimdaing you when it wasn't actually cracked. It's not important what makes you think that: The point is that if you exploit the standard hole that Nimda exploits, but the machine had never actually been cracked, you are the first one to crack the machine, and cause a headache for the admin. But if the machine was vulnerable to the Nimda exploit, and had been in this state for a while, the admin should not trust the machine anyway. It's probably already been cracked. Since cracking a machine without doing any damage or copying any information just makes the admin worry, and the chance of actually causing harm with this is extremely low (since you would have to mistakenly apply this alert-of-cracking tool to a machine that had just been set up (otherwise it would already be untrustworthy)). Given the very small harm of mistakenly applying this, combined with the very small probability of mistakenly applying it, the total harm done is small enough that it is acceptable in comparison with the benefits. Besides, if the machine was vulnerable to the exploit, it would be infected with a worm in the near future anyway, so warning the admin and doing no harm is not very bad.

(It is important to remember that the harm is only wasted admin time. Nobody will be killed or permanently injured or anything seriously bad. Even small amounts of some kinds of harm should not be acceptable as side effects, but this is not one of those kinds of harm.)

Another important part of this is that you would only get into the machine using the same exploit that the worm used in the first place. (Most IIS worms don't patch the hole they used, do they?) I think trying other exploits is a lot less morally acceptable, especially because if you use newer ones that aren't flooded by worms. If you used uncommon attacks, my argument that mistakenly applying it to an uncracked machine was not too bad wouldn't apply. (The machine probably wasn't already cracked, and isn't guaranteed to be cracked by a worm in the near future.) If you were going to respond to probes from worms by using different exploits, you would have to be very certain that the machine was actually infected.

If people pooled information on which machines were attacking them, you could see if a machine was making lots of attacks, which would indicate a worm (or maybe a cracker using the machine to launch attacks, in which case alerting the admin is good too).

That's another thing: what about attacks that look the same as those used by a worm, but are due to people trying to crack boxes? (They'd have to be pretty dumb to try it against a web server whose server string said it was non-IIS running on a non-MS OS, since it's safe to assume that people who would change the server header would also keep up with security updates.) If the attacks are coming from the cracker's own computer, mailing them about their cracked machine won't do much good. If a cracker is using someone else's computer to make attacks, warning the admins of the machine is a Good Thing. (Smart crackers usually secure the machine against holes they exploited, at least on Unix, though.)

I don't think that anything in this paragraph is a reason not to crack boxes that attack you and warn their owners.

> Unless we could popularise running an 'alert-me-if-my-box-is-screwy'
> daemon [...]

A standard way of finding the webmaster's email addr would serve the same purpose. Probably would collect a lot of spam, though. Maybe if you only accepted mails that mentioned a URL that you have responsibility for, that would help. That way, spammers would have to go to more trouble than they want to bother with to mention the right URL in the subject of every email they send to one of these addresses.

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BC
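
The subject-URL filter suggested in the message above, sketched in Python as an added example (it is not part of the original message). The host names and sample mails are constructed, and matching on exact hostnames is an assumption about how "a URL that you have responsibility for" would be decided.

```python
import email
import email.policy
import re
from urllib.parse import urlsplit

# Hypothetical hosts this webmaster is responsible for (constructed values).
RESPONSIBLE_HOSTS = {"www.example.org", "ftp.example.org"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample mails: a genuine report, plain spam, and spam that
# hides a foreign host behind a userinfo part that looks like our host.
REPORT = ("From: admin@example.net\n"
          "Subject: Nimda probes from http://WWW.Example.ORG/scripts/root.exe.\n"
          "\nYour web server keeps probing mine.\n")
SPAM = ("From: x@example.com\n"
        "Subject: Great deals at http://spam.example.net/buy\n\nhi\n")
SPOOF = ("From: x@example.com\n"
         "Subject: offer http://www.example.org@spam.example.net/deal\n\nhi\n")


def subject_hosts(raw_message):
    """Return the hostnames of all URLs found in the Subject header."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    subject = str(msg["Subject"] or "")
    hosts = set()
    for match in URL_RE.findall(subject):
        try:
            # .hostname drops any "user@" prefix and port, and lowercases.
            host = urlsplit(match.rstrip(".,;:!?)")).hostname
        except ValueError:
            continue  # malformed URL, e.g. a broken IPv6 literal
        if host:
            hosts.add(host.rstrip("."))
    return hosts


def accept_report(raw_message, responsible=RESPONSIBLE_HOSTS):
    """Accept the mail only if its subject names a URL on one of our hosts."""
    return bool(subject_hosts(raw_message) & set(responsible))


if __name__ == "__main__":
    for name, raw in (("report", REPORT), ("spam", SPAM), ("spoof", SPOOF)):
        print(name, "accepted" if accept_report(raw) else "rejected")
```
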