WebWord.com



WebWord Weblog Posting

Posting Date: May 12, 2003
 

Design Management Journal -- Free! (peterme) -- "Now, you could fork over $5 an article, or get a subscription, to read the goodies within. But I believe I've found a backdoor that allows free access to the content (not in published form, but in raw text)." (Comments: Should people publish "back doors" to paid content? Information wants to be free? Legal issues and liability? Speak up!)

 

  

Reader Comments...
 

There is nothing wrong with telling people about security holes in systems. It is your responsibility as a site owner to make sure there aren't any.

A similar issue came up once before on Webword and I remarked that if it's on a public site, and people don't have to "hack" into your system to access it, there's no criminal liability. For instance, say Webword's MovableType was stored in the file www.webword.com/password.txt and that I could access it just by typing that URL in, I'm not doing anything wrong. I didn't make any special attempt to break into your site, did I?

However, if I changed the look of your home page using your password, there might be a case for legal action.

Posted by: MadMan on May 12, 2003 11:32 PM


 

I like MadMan's view of the world. The next time the ATM machine begins spitting out twenty dollar bills by mistake, I'll go tell everyone I know. As long as I don't take any money for myself, I'm OK.

Yeah, gotta love new age ethics. It's your own damn fault I'm exploiting you, you dummy!

Posted by: on May 13, 2003 01:08 AM


 

Publishing a back door is dodgy, but sometimes the only way to get security holes fixed is to publicise them. Several times I've pointed out an obvious hole to a site owner only for them to do absolutely nothing about it or blame me for spotting the problem (which is why I don't bother any more); if I named'n'shamed loudly enough I'm sure they'd get fixes done. Similarly, Microsoft tends to neglect many holes until people start openly spreading the information and exploiting them.

(if you know a bit about web applications it's shocking how many fairly large sites are wide open to abuse, most developers still haven't grasped the basics of input validation)

Posted by: Matt Round on May 13, 2003 02:34 AM


 

The joke's on us, if we believe that anyone actually pays to read this stuff.

If the "Design Management Institute" aren't able to build a site that actually works then maybe they should read their own article on "Writing the perfect design brief!"


Posted by: Mac on May 13, 2003 07:20 AM


 

If someone leaves their back door open, is it OK to rob them? Is it OK to have a look around and leave empty handed?

I'm surprised that Peter published this back-door, firstly because the content wasn't very interesting (I scan read a couple) and secondly reading them felt wrong (Is this a paid for journal?)

Posted by: Tom Smith on May 13, 2003 08:52 AM


 

I'm with Tom on all points. If someone puts a price on something, interesting or not, it's not free. Using it - or in this case viewing it - without payment is stealing.

If someone found a backdoor into the 37signals search report, would we feel the same way about viewing it? What makes it okay to steal in this situation? When do you decide that it's okay to lie, cheat and steal?

Posted by: Joshua Kaufman on May 13, 2003 09:13 AM


 

Nononononno, it's just like MP3s. It's OK for me to keep a library of 10,000 copyrighted MP3 songs because in the real world I'd never pay for so many. So it's not stealing. If it was wrong, there would be protections in place to stop me. Your door is wide open.

Oh wait, this web site had a security system, and you're telling me how to bypass it. Gee, uh, ummm.

No brainer. Entirely unethical. It saddens me to see today's moral compass pointing south.

Posted by: McGruff on May 13, 2003 09:36 AM


 

It doesn't look like a back door, but rather someone's subscription (I didn't click on the link to investigate further).

Nice going Peter! - NOT!

Posted by: Ron Zeno on May 13, 2003 09:50 AM


 

John asked about the legal issues. I didn't think there was anything legally wrong with it.

I didn't know it was a backdoor to someone else's subscription. In that case, I'm with Ron that it's not particularly responsible.

Let me ask you: what if there were a hole in Microsoft's software or web site (often the case) and you thought people's data could be compromised? What if Microsoft had done nothing despite repeated notifications? Do you still think it's wrong to publicise it?

The responsibility of securing something is the company's. If the ATM machine spits out, er, twenty dollar notes (I'm not American; why is that wrong?), the bank is at fault for not testing properly.

At the very least, it does nothing to inspire confidence in such an organisation. If they can't secure their authentication systems, how safe is my credit card number or personal information?

If you leave your front door wide open when you're gone and word gets around the neighbourhood, don't blame the neighbours.

Should sites like SecurityFocus and others like it be shut down?

I didn't read a single article from that link, incidentally.

Posted by: MadMan on May 13, 2003 03:28 PM


 

"Publicizing it" is obviously NOT the only way to call attention to a security hole. The ethical response is to send an e-mail directly to the site owner for their attention, not advertise the vulnerability to all and sundry and then sit back to watch the fireworks.

As for your ethical duty if you've tried to notify them (repeatedly) and gotten no response... your best choice at that point is to contact a business-watch organization (such as the Better Business Bureau, perhaps) and ask them to investigate. In the meantime, you can certainly publish announcements that Company X has a security leak and that people may not want to store their customer info there. But describing exactly what the leak is and how to exploit it is NEVER ethical.

Yes, the company is responsible for fixing the hole; you've done your duty by notifying them of it and warning the public so they don't lose or endanger their own info/money/whatever. But publishing instructions on how to take advantage of the weakness is morally the same as passing along safecracking instructions for bank vaults. It crosses the line between _warning_ about a vulnerability and _exploiting_ it.

Posted by: Calybos on May 14, 2003 08:31 AM


 

Why are people assuming that this is really a backdoor? While I'm no expert, and I'm not going to investigate beyond what Peter has written, it looks to me like nothing more than the use of someone's account. Yes, it's a security problem. Should it be published in a weblog? Absolutely not. The fact that Peter did post it says tons (all very bad) about him, his company, and the organizations he leads.

Posted by: Ron Zeno on May 14, 2003 11:50 AM


 

From Peter's own comments (now that the leak has been plugged):

"I'm still not sure how I feel about this... I don't think I should be held responsible for someone else's thoughtlessness. It's as if a box of Design Management Journals had been left, open, with no one around."

And if a coworker left money lying on their desk in plain sight, would that make it OK to steal it? Sorry, Peter; that fails the ethics test. It's not "holding you responsible for someone else's thoughtlessness." It's expecting a modicum of ethical behavior if you want anyone's respect. Just because you CAN do something doesn't mean you SHOULD. Principles, after all, are what drive your behavior when nobody's looking.

Posted by: Calybos on May 14, 2003 03:24 PM


 

Recently posted to peterme: Ceasing and Desisting.

"Peterme.com received its first-ever cease-and-desist letter today. The folks at Proquest were none too happy that I pointed out a backdoor to their database."

Posted by: Joshua Kaufman on May 14, 2003 04:04 PM


 


 


URL: http://webword.com/weblog/

©1998-2005 by WebWord.com. All rights reserved.