On Sat, 14 Mar 2009, nick hatch wrote:
>
> I'm honestly curious: you sound very passionate that there is a clear
> ethical line here somewhere, and I'd hate to miss exactly where you believe
> it is.
Who does it is clear: we can't stop anyone from doing anything online (or
at least, pretty much).
We prefer for it to be people who "know what they are doing".
It must be people who are "authorized to do so".
The question of this discussion though, is WHAT are you allowed to do, the
who is easy to answer.
I have done every single one of these things in the past 15 years, mainly
in the late 90s, while developing my idea of what's right and what's
wrong with botnets.
So, let's examine our main options.
Are you allowed to connect to a botnet and passively listen in?
Passive:
Conceivably you can be breaking the law by connecting to, say, an IRC
server on a compromised machine. It's pretty white.
Passively using botnet resources:
Sending passive commands to the bots via use of their natural control
mechanism, i.e., type in a command to an IRC channel where the bots
respond. Gray.
Actively using botnet resources:
Sending a passive command via the use of their natural control mechanism
to perform an action on the network or the machine itself. Example: remove
bot.
Mostly a useless action as the machine has not been secured, and it is
quite possible the user would get reinfected by repeating past activity
regardless.
The point here, though, is that you cause an action on the remote machine
which is more than providing with simple data.
Gray to black, depending on circumstance. In an emergency during an
attack, I can conceive of doing something of the sort.
Accessing botnet machines:
Uploading a new executable (for whatever purpose, even for "removal") is
black as they come. Even if you weren't doing it on a machine (or many
machines) you do not own, you can be collapsing the remote machine due to
simplistic reasons such as lack of RAM.
It's executing code and nobody gave you permission to do so.
Black, black.
Connecting via network rather than C&C:
This can be done for any reason, from controlling the bot to nmaping the
compromised host. Should be referenced to list above while making every
step one level darker than it was when doing via C&C.
These of course, are just my opinion. Further, while my ethical
convictions on this issue are strong, I am unsure how long they will
remain practical.
Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.