I have been thinking about this for some time, now finally putting fingers to keyboard. I would be interested to know what others think.

In no way do I want to encourage anyone to break any law or do anything illegal. My purpose isn't to give anyone ideas or specific direction but merely to open a dialog that I don't think I have seen discussed before.

I don't want to discuss the technical side of how to hack but rather should we hack? Here are my thoughts...

I see news stories all the time where websites, corporations, and even countries get hacked. Often, it's suggested these attacks come from poorly set up and infected computers in foreign countries. Do we enable this to continue by allowing these computers to remain online? Would taking these poorly secured computers offline be a bigger wrong than the damage that these bot armies can cause?

Or has the problem already grown to large to be controlled? With the ability to spawn machines as needed virtually, would those with malicious intent just re-spawn new machines as fast as you could shut them down?

Thoughts?

While I see what you are trying to get at. Its kind of like asking "Is it ever ok to spray paint (tag?) the front of someones house if they leave the gate open?".

No its never OK, but we live in a less than ideal world thankfully and that means that it will happen. Which keeps things interesting.

1 members found this post helpful.

"I object to violence because when it appears to do good, the good is only temporary; the evil it does is permanent." Mahatma Gandhi

1 members found this post helpful.

Well, attacks came from poorly secured computers, used as a surrogates you say, but what is the difference between those and the ones that got hacked.

They are used, so the real attackers are harder to trace, there are attacks on EU that come from US (and vice versa), there are attacks that came from your computer. So shall we take you down then?

1 members found this post helpful.

The poorley secured boxes are more often than not used for DDoS attacks, or sale to people who want to perform DDoS attacks. DDoS attacks are hardley hacking/cracking, there just flat out extortion (same idea as a protection racket). These machines are also used for email based crime (scams, phishing, spam etc..). The correct way to deal with the email crime is education, just like you need to train people not to participate in real world scams, or give there bank detail to anyone with a name badge.

The DDoS problem is more difficult, the people who suffer generally have a lot to lose from the downtime, so do they pay to make the problem go away, this will just encourage the criminals to continue their actions.

The real solution is to educate people how not to be low hanging fruit, there are to many people browsing dodgey websites with un-patched, unsecured, warez copies of XP. If we could get people to switch from XP to Linux for these machines it would be a real boon.

As for people people being hacked and having there personal information stolen. That is not our responsibility. If we as geeks help our neighbours we can reduce the attack vector, but this this a responsibility for law enforcement.

If you are going to hack machines that pose a security risk, taking them offline is not the way to go. You could put a .txt file on there desktop then open up notepad, force them to acknowledge the risk. Note this is still Illegal in most if not all jurisdictions. but certainly more ethical than taking the machine offline.

The text file should include the exploit you used, suggestions how to fix, and I'm not evil but an evil person may have been here message. Don't do anything other than place this file, dont identify yourself, don't leave a trace.

1 members found this post helpful.

Hello

I'm of the opinion that it's only okay to attack your own machines or the machines of others where they are actually requesting they be attacked. Taking advantage of anyone else simply because you can is never okay.

1 members found this post helpful.

Mother thinks acceptable to go into the room of her daughter and look for interesting things...

2 members found this post helpful.

If you have to ask, you know the answer.

1 members found this post helpful.

I'd think a mother has a very appropriate obligation both legally and morally to be sure of their children within their home.


I'd have to say it isn't right to somehow damage a computer that isn't your own. If what you say is a case where an unwitting computer has been hacked and obfuscating the real criminal then no. That computer can't be remotely formatted or data lost or even a denial of service. That computer might be needed for phone service to call a doctor, fire or such. That computer may have the person's life saving drug information on it. Any number or things would be vital to life or even just vital to the user.

The real criminals deserve to die.

1 members found this post helpful.

I would like to thank everyone for their comments.

from ukiuki:
If Gandhi had remained a lawyer and let the problems his country faced be "Someone else's problem" where would we be?

from Nikosis:
Ignorance is the lack of knowledge. I am ignorant of many things. Stupid is when you have the opportunity to learn and choose not to. If I have decided to be stupid and pose a risk to others, do I deserve to continue the risky behavior?

from archShade:
I really wish some of the big Linux distros would put together a marketing campaign to accomplish this!

from jefro:
Amen Brother!

HTH
Dave

A secure system obviously has to live within the actual environment in which it exists. In the case of the Internet, it must be that every other computer but me is not trustworthy, nor is it trusted.

1 members found this post helpful.

Ask Randal L Schwartz how much fun it is to hack someone; even when your intentions are good.
Point being, if the law isn't on your side [and the law isn't always ethical] being "right" may not be enough.

1 members found this post helpful.

I think the Asatru way here.

Read:

Shooting people could be considered wrong in general, but shooting and active terrorist who is carrying a bombing out should be not.

Just use common sense.

If you are in an office network, and the administrator is a really lame one and has no QoS set, and you have to send an important report which could save the life of somebody, and you can't because your workmates are using P2P and hogging the bandwith, and they will refuse to turn it down (I have lived a similar situation, it is really pathetic) then, please use some dirty trick so you can take the P2P out and send your report.

Attacking computers you know nothing about seems not pretty right to me, if you ask...

1 members found this post helpful.

an eye for an eye leaves the whole world blind.

1 members found this post helpful.

I believe that is Gandhi's too.