Comments on Mid-Pacific ICT Center: Ethical Hacking and LIGATT Security
Mid-Pacific ICT Center (http://www.blogger.com/profile/08405988801150059842)
Updated: 2024-03-28T15:58:33.994-07:00
17 comments

Sam Bowne (https://www.blogger.com/profile/14190082233635609371), 2011-02-08T15:35:31.657-08:00:

th3j35t3r is wrong to take down sites he dislikes with DoS attacks. Anonymous is also wrong to take down sites with the ridiculous LOIC DDoS tool.

The principle is simple: you have no right to control someone else's server without their permission. And freedom of speech means that anyone is free to post almost anything on the Web. If someone has posted something that is actually illegal, the proper legal procedures must be followed to take it down.

However, I think Anonymous is more repugnant than th3j35t3r, because Anonymous lies to children to suck them into criminal schemes, converting naive kids into felons. Th3j35t3r commits his crimes alone.

Anonymous, 2011-02-07T19:29:59.713-08:00:

It is very interesting to know that there are lots of kinds of opinions about black/white hat. I personally think that black or white hat field should not be that difficult to identify. I mean if you act as an ethical hacker but most of the time you are doing bad things involving hacking, you are just a black hat hacker. No white hat hacker would do that.

Ryan Dewhurst (http://www.ethicalhack3r.co.uk), 2011-02-06T16:45:47.391-08:00:

Hi Sam,

As a fellow security student I applaud your condemnation of the hack/leak whatever anyone wants to call it and thank you for it.

The morals/ethics white/grey/blackness of it may all be a little blurred for some. However, no matter what shade your ethics/morals are, there is no debating that what happened was illegal.

This kind of behavior is exactly what we should be trying to stop. It is not up to us to be law makers or deciders of who is right or wrong.

I, like any other person who has witnessed Ligatt's exploits, know that they are a joke to the community. But just because we do not like someone does not mean we should break the law.

Ryan Dewhurst

Anonymous, 2011-02-06T13:45:57.280-08:00:

Well said. I'd be interested to hear your opinions on th3j35t3r and the use of his self-developed XerXes tool that he uses to temporarily take down sites known for terrorist activities.

albino (http://skeletonscribe.blogspot.com/), 2011-02-05T11:47:09.689-08:00:

From what I can see hijacking Evans's twitter feed has enlightened quite a few of his victims, while hardly hurting anyone. Releasing the emails, however, doesn't seem to have achieved much good (except exposing a couple of Evans's sympathisers) and done some serious harm. I don't buy the whole binary criminal/professional distinction since the law, while marvellous, is hardly perfect, especially with regard to IT.

'course I could be hopelessly wrong; I am new in the field and not a professional, ZDI/google/mozilla bounties aside.
I think you might violate 'profession recognition of or association with amateurs' if you reply ;)

Marcus J. Carey (https://www.blogger.com/profile/05450197855239196100), 2011-02-05T08:07:15.591-08:00:

Why are people jumping to conclusions saying LIGATT was "hacked"? The initial letter thanked a "brave soul" who made it possible. Today on Pastebin there is a file with all LIGATT passwords in it. If that file was compromised, it would have left the door wide open for .

We do not have any motive at this time. We have no clue who did this, probably never will. If it was an insider as it seems, maybe that person was acting as a whistle blower.

Sam Bowne (https://www.blogger.com/profile/14190082233635609371), 2011-02-05T07:22:59.895-08:00:

Marcus:

Thank you for participating in the discussion.

I understand that there are greater and lesser crimes, and exigent circumstances that sometimes justify extreme actions. So for clarity, let me focus on a specific situation:

Was it right to hack LIGATT?

What do you think?

Marcus J. Carey (https://www.blogger.com/profile/05450197855239196100), 2011-02-05T06:59:34.058-08:00:

Sam,

Ethics is something learned through various means. They derive from home, environments, cultures, religions, countries, etc...

You don't become ethical when you become a CISSP or CEH.

If I'm in Russia and I write malware to feed my family am I unethical? If I'm American and sell exploits to the highest bidder am I unethical? If I make guarantees that you are hacker proof after I scan your network for vulnerabilities. Does a PCI scan guarantee I won't get hacked? Does antivirus defend against APT?

All the questions above have fuzzy answers. They could be morally or ethically wrong to many people. The deeper you get into the community you'll see that there is no firm dividing line. Just to get things to work you may have to violate licensing agreements or void warranties. Does that make someone a grey/black hat?

The White Hat/Gray Hat/Black Hat analogies are just like the OSI Model. They are great for teaching purposes only. We can tell people what the law is and that is it. They make the decision on what they do with it.

There have been criminal cases involving stealing open WiFi. Does that make those people black hats? Most people that I know have jumped on an open WiFi hotspot (unethical??). Ever used bootleg music, software, movies, or anything else?? Most White Hats I know bootleg music, software and movies at the minimum. That's illegal and unethical right??

I'm rambling, but hopefully you'll get the point. Feel free to contact me for a more in-depth discussion.

-MJC

Sam Bowne (https://www.blogger.com/profile/14190082233635609371), 2011-02-05T06:29:59.868-08:00:

Leigh:

I certainly agree with you that merely claiming to be a professional does not mean someone is ethical. Those who claim to be ethical and are not are frauds. A student entering this profession must agree to abide by professional ethics, just like doctors and lawyers. If they fail to live up to those standards, they have failed to be professionals.

Sam Bowne (https://www.blogger.com/profile/14190082233635609371), 2011-02-05T06:25:23.791-08:00:

Jericho:

I know there are people who break laws for what they see as a high good, like the Jester and AnonOps. And I think they are in very dangerous territory.

The best way to defy authority is the way Socrates, Jesus, Gandhi, and Martin Luther King did--openly, publicly, with your real name, and accepting the consequences. If you hide and refuse to accept society's sanctions for your deeds, how can anyone trust you? And who will stop you when you are wrong?

Sam Bowne (https://www.blogger.com/profile/14190082233635609371), 2011-02-05T06:17:22.714-08:00:

Jericho and Leigh:

Thanks for presenting your views here. You are both luminaries in the ethics of hacking, and I respect your opinions highly.

It would help me if you could answer these questions:

1. Was it right to hack LIGATT?

2. Is the (ISC)^2 Code of Ethics a good guide to proper conduct?

My answers are:

1. Absolutely not.

2. Yes, although I dispute the requirement to "not associate with criminals". I go to Defcon and other conventions, and I am willing to talk to anyone and learn from them. My CISSP exam approval was delayed for a week or two because of my unexpected answer to this qualifying question.

Unknown (https://www.blogger.com/profile/14127768641278137489), 2011-02-04T21:51:54.680-08:00:

@Sam: it's more complicated than who calls themselves a professional or a whitehat or whatever because identification does not always correlate with what people actually do.

In the workplace your students will see people who identify loudly and publicly as whitehats/professionals behaving in an unethical and even illegal manner. It does happen. They will see conflict between those professed identities and how people actually behave. They will need to respond responsibly to the unethical or illegal actions of others. Just saying "whitehat/professional" == "only does legal/ethical things" is insufficient. I hope that makes my point clearer, hooray for more than 140 characters :)

There's a whole other discussion to be had about what to do when ethics and the law disagree. As I said on Twitter, what's happening in Egypt is the perfect illustration of that.
But civil disobedience is not really the subject of my argument here, so I'll leave that for another time.

Jericho, 2011-02-04T21:47:42.845-08:00:

Probably because I know people that walk the line. Infosec pros by day protecting networks and doing a great job, occasional "black hats" by night if the cause is worth it in their eyes. They weigh the greater good and act. If you know some of these people, you will start to see that away from paper, it is a lot more complicated.

Our founding fathers broke the law for the greater good, are they only criminals? Does a soldier in Iraq that violates an order or law to save a civilian get pegged as a criminal?

Sam Bowne (https://www.blogger.com/profile/14190082233635609371), 2011-02-04T21:40:23.141-08:00:

Here are some comments that came in via Twitter:

“@sambowne: RT @MJCdotMe: @sambowne You are in fantasy land trying to differentiate black hats/white hats/"real infosec pros"/unicorns, etc...”

“@hypatiadotca: @sambowne feels like fussing over terminology. Not everyone who abides by the law identifies as wearing a particular hat.”

“@attritionorg: @sambowne @MJCdotMe on paper yes, clear cut difference. real world? much more colorful and shades of gray.”

I have heard these statements before, but somehow I have never understood them. I still don't.

My students face real temptations to become criminals, and I want them to resist them. And I regard it as an essential job skill to understand what the legal rules are, and know which side you are on. I do not understand how it is more complicated for you.

Sam Bowne (https://www.blogger.com/profile/14190082233635609371), 2011-02-04T21:25:52.340-08:00:

Jericho:

I don't know that a white hat hacker did this. But there are those who applaud these tactics, and I want to make the ethical point clear to my students, and anyone else who cares about my opinion. Which, I suppose, means white hats.

Jericho (http://attrition.org/errata/), 2011-02-04T18:57:45.531-08:00:

Why do you point out the difference like that? All you do is imply that an ethical hacker(s) went rogue and hacked Evans, when there is no public basis for that. The fact you and others write this suggests that the person(s) who did this are otherwise the same as you or I. This is baffling to me.

thelightcosine (https://www.blogger.com/profile/03060233785644761709), 2011-02-04T15:41:40.341-08:00:

Sam Bowne: Well put. I think it shows true character to stand up and call this out for what it is. I have to admit that I initially let myself be pleased with this turn of events in a moment of human weakness. As a security professional I cannot possibly condone this type of behaviour though. Fortunately, I have the luxury of nobody particularly caring who I am, you have a bit more spotlight on you, so I say kudos to you sir.