Computer Association of SIUE - Forums

CAOS Weekly Philosophy: How should I break the news to you?

Started by Brad Nunnally, 2005-03-15T17:32:06-06:00 (Tuesday)


Brad Nunnally

Inspired by Matt's little Wi-Fi dilemma, I think his problem raises a valid moral decision. I know certain companies which will go unnamed, :cough: Microsoft, pursue legal action against people who point out security flaws in their systems. So how should security leaks be reported? If you discover, or hear about, some security flaw in a program or system, should you report it, knowing you could get yourself into loads of trouble? If you do report, how would you go about it with your own security in mind: by reporting anonymously, or by writing some formal "I didn't mean to but ..." letter?

Better yet, should these companies punish us for finding their mistakes? It is not our fault they screwed up; they could at least thank us for pointing out a potential problem to them. Or is it just some big-headed exec trying to keep the little man down? I personally love the stories of ex-hackers getting hired by the very companies that they used to hack. So maybe instead of suing hackers, they should just offer them a job. Let me know what you all think.

Brad Ty Nunnally
CAOS Vice-Pres

 :roll:

"Never trust a computer you can't throw out a window. "
Steve Wozniak
Brad Ty Nunnally
Business & Usability Consultant at Perficent
Former CAOS Hooligan

Jerry

Matt's situation has an interesting analogy to the Good Samaritan issues that nurses and doctors face. If you are a doctor or a nurse and you come across someone in need of emergency medical aid, should you help?

The person or surviving relatives could sue you if they suspect malpractice. Even though you may have acted to your utmost ability to save someone's life, you may still get sued. Say you performed some procedure like an emergency tracheotomy that saves the person's life but causes an infection that places them in intensive care for a prolonged stay. They could argue that you should have waited for paramedics to arrive who could have used sterile equipment. Of course it is a judgement call.

So, should you help someone and risk exposing yourself to a civil suit or should you just look the other way?

Some states have enacted Good Samaritan laws that offer some protection, but not absolute protection. Some states have passed laws that make it criminal not to help.

So, should Matt be the Good Samaritan and risk exposing himself to potential charges, or should he look the other way?
"Make a Little Bird House in Your Soul" - TMBG...

Brad Nunnally

Dr. Weinberg brings up a good point. I know that under the Good Samaritan laws, if you see an act of violence or a robbery and do nothing about it, you can be charged as an accomplice. It is a shame when good people trying to do good things get punished for it.

Brad Ty Nunnally
CAOS Vice-Pres.

"No good deed goes unpunished." ?

Tyler

If the security hole was at OIT, they would fire you just for knowing, regardless of whether you tell someone or not.
Retired CAOS Officer/Overachiever
SIUE Alumni Class of 2005

Bryan

OIT's philosophy is "ignorance is bliss, sure you can steal all 13,000 identities in our system... just don't let us know, ok ;-)", and this is coming from someone that works there.
Bryan Grubaugh
Quickly aging alumni with too much time on his hands
Business Systems Analyst, Scripps Networks.

bill corcoran

while i usually hold my tongue on the subject, i'm kinda getting fed up hearing this stuff. yes, we all have our problems with OIT, even (or especially) those of us that are *privileged* enough to work there. however, slanderous comments on a messageboard are neither warranted nor productive.

speaking from experience, knowledge of security problems concerning OIT will not get you fired.  also, i am certain that the "ignorance is bliss" quote is not representative of OIT's philosophy.  if this is not the case, perhaps you'd like to cite your source?
-bill

Tyler

Sorry if I offended any of you OIT workers out there. I am only poking fun at that dude who stumbled upon an anonymous ftp server, and then got fired (and taken away by the FBI) for finding it and not telling someone until the next day. That's the story I heard; if it is not correct, again, I apologize.

bill corcoran

i'm certainly not offended, i had effectively nothing to do with it.  i'd just like to try and be fair here and keep things a little more objective.

it's not exactly my place to know (and i don't), but maybe he got fired for not reporting his roommate's findings immediately.  maybe OIT's philosophy is more like "you are responsible for reporting problems as soon as possible".

also, i think an important detail is that the anonymous ftp server was not "stumbled" upon.  it was found using eEye's network vulnerability scanner, "Retina".  use of such a tool constitutes an intrusion attempt, and violates every use policy i've ever seen (think your ISP is going to consent to you scanning their servers?  better go over that contract again).  anyway, such abusive activity is easily noticed, and certainly should be met with some sort of recourse.
-bill
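Bill's point that a vulnerability scanner's activity "is easily noticed" is worth showing concretely. The following detector is an added example, not code from the thread or from any of the tools named in it: it reads syslog-style firewall lines (the line format and the sample traffic below are constructed for illustration) and flags any source that hits more than a threshold of distinct ports on one host inside a sliding time window, which is exactly the burst pattern a scan such as Retina produces and a single misconfigured client does not.

```python
"""Flag scan-like bursts in firewall log lines (added example, assumed log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). 10.0.0.5 probes a dozen ports
# on one server within a few seconds, 10.0.0.9 touches one port every two
# minutes, and the remaining lines are ordinary single connections.
SAMPLE_LOG = """\
Mar 15 17:30:01 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40001 DPT=21
Mar 15 17:30:01 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40002 DPT=22
Mar 15 17:30:01 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40003 DPT=23
Mar 15 17:30:02 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40004 DPT=25
Mar 15 17:30:02 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40005 DPT=53
Mar 15 17:30:02 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40006 DPT=80
Mar 15 17:30:03 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40007 DPT=110
Mar 15 17:30:03 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40008 DPT=135
Mar 15 17:30:03 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40009 DPT=139
Mar 15 17:30:04 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40010 DPT=143
Mar 15 17:30:04 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40011 DPT=443
Mar 15 17:30:04 fw kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=40012 DPT=445
Mar 15 17:30:05 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=192.168.1.20 PROTO=TCP SPT=51000 DPT=80
Mar 15 17:30:06 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.8 DST=192.168.1.30 PROTO=TCP SPT=51001 DPT=443
Mar 15 17:32:00 fw kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.1.20 PROTO=TCP SPT=42000 DPT=21
Mar 15 17:34:00 fw kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.1.20 PROTO=TCP SPT=42001 DPT=22
Mar 15 17:36:00 fw kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.1.20 PROTO=TCP SPT=42002 DPT=23
Mar 15 17:38:00 fw kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.1.20 PROTO=TCP SPT=42003 DPT=25
Mar 15 17:40:00 fw kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.1.20 PROTO=TCP SPT=42004 DPT=80
Mar 15 17:41:13 fw kernel: some unrelated message without packet fields
"""

# Assumed field layout: syslog timestamp, host, "kernel:", then iptables-style
# KEY=VALUE pairs. Only SRC, DST and DPT are needed for the detection.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line, year=2005):
    """Return {'ts', 'src', 'dst', 'dport'} for a packet line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def detect_scans(lines, port_threshold=10, window=timedelta(seconds=60)):
    """Map each scanning source to (dst, peak distinct ports seen inside `window`).

    A source is reported when, for some destination, the number of distinct
    destination ports it touched within any `window`-long span exceeds
    `port_threshold`. The sliding window is what separates a burst scan from a
    host that legitimately uses many ports over a long period.
    """
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))

    alerts = {}
    for (src, dst), evs in events.items():
        evs.sort()
        counts = defaultdict(int)  # dport -> occurrences currently inside the window
        left, peak = 0, 0
        for ts, port in evs:
            counts[port] += 1
            # drop events that fell out of the window relative to the newest one
            while ts - evs[left][0] > window:
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak > port_threshold:
            alerts[src] = (dst, peak)
    return alerts


if __name__ == "__main__":
    for src, (dst, n) in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible scan: {src} touched {n} distinct ports on {dst} within 60s")
```

Run as a script it reports only 10.0.0.5; the slow source 10.0.0.9 never has more than one port inside any 60-second window, so it is not flagged even if the threshold is lowered, which is the usual trade-off between catching fast scanners and ignoring patient ones.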
