Comments on: Ethics and Security

By: pmjones

pmjones — Wed, 13 Jul 2005 13:33:00 +0000

Hi, Hatem –

Were you attempting to discover a vulnerability? Then no. :-) If you stumble across it in the normal course of using the site, then you’re clear.

By: Hatem

Hatem — Wed, 13 Jul 2005 08:20:28 +0000

Since its talking about ethics i was wondering

Consider that I visit a website and click somewhere on their pages then see a security bug, it could be sources or anything, Am I considered as an innoncent visitor or an evil hacker ?

By: pmjones

pmjones — Tue, 12 Jul 2005 15:09:16 +0000

Hi Ilia — “I guess this is something we donâ€™t see eye to eye on.” I guess so. Reasonable people can agree to disagree (and you at least are a reasonable person, there may be some debate about me ;-).

“Some companies, developers and admins often are more intent on sweeping security issues under the rug rather then fixing them.” Which drives me nuts; ultimately, it’s self-destructive behavior, and takes more effort than just fixing the problem.

However, that’s their call, and outside the control of testers; my point is that a tester’s behavior is his own to control, and he should behave ethically as described above. That way you avoid the entire problem of being pursued for discovering flaws.

By: Ilia Alshanetsky

Ilia Alshanetsky — Tue, 12 Jul 2005 14:45:48 +0000

I guess this is something we don’t see eye to eye on. Some companies, developers and admins often are more intent on sweeping security issues under the rug rather then fixing them. So, their “approach” to security is to persue people who try to help them identify those problems rather then fixing them. Thus reporting problems becomes a rather risky proposition. A few Google searches will find you plenty of evidence to this affect…

By: pmjones

pmjones — Tue, 12 Jul 2005 03:13:55 +0000

And regarding your comment, “…if the tester does not feel comfortable telling the site operator about a problem, they are by no means obligated to do so.” — I’m calling bull on that one. If a tester is “comfortable” testing without approval, he should feel “comfortable” enough to report his findings to the system operator/owner.

By: pmjones

pmjones — Tue, 12 Jul 2005 03:07:06 +0000

Hi, Ilia –

“Periodic security audits and code reviews are the way to keep security holes from appearing.”

I completely agree; developers should regularly request and approve audits and reviews. However, you are not operating ethically when you take it on yourself to perform one on someone else’s site or system without notification and approval. Certainly you may suggest it to the site owner, but to follow through without approval, or at the very least notification and full disclosure, is outside the bounds of ethical conduct.

By: ilia alshanetsky

ilia alshanetsky — Tue, 12 Jul 2005 02:21:57 +0000

I am not saying tester should keep their findinds to themselves, and not tell the site being testing about the found problems. However it is not a MUST, so if the tester does not feel comfortable telling the site operator about a problem, they are by no means obligated to do so.

Developers should not rely on kind hearted users to find and report bugs for them. Periodic security audits and code reviews are the way to keep security holes from appearing.

By: pmjones

pmjones — Mon, 11 Jul 2005 20:52:11 +0000

Hi Ilia — regarding my take on your earlier statement with respect to responsibility: my mistake, and thanks for clarifying. :-)

However, if testers keep their findings secret from the target, how is the problem to be resolved? I say if you find it, you have an ethical obligation to tell them. Other than for reasons of personal inconvenience, why would you not?

By: ilia alshanetsky

ilia alshanetsky — Mon, 11 Jul 2005 20:44:53 +0000

I do not say that the tester has no responsibility to the owners of the sites being tested, that is simply incorrect. The tester has the responsibility (unless testing with explicit permission) to ensure that the tested site and it’s visitors are not harmed in any way by the test. They also have the responsibility to keep the results on their findings secret until the time that the problem is resolved or if the tested party is notified and fails to act upon it within a reasonable time (I believe the industry standard is 1 month).

What I am saying is that the tester has no obligation to inform the site being tested of their findings.

By: pmjones

pmjones — Mon, 11 Jul 2005 19:59:37 +0000

I updated the article to include a link to the Web Application Security Consortium mailing list thread about this very issue. They seem to agree with the “approval” framework.

http://www.webappsec.org/lists/websecurity/archive/2005-06/msg00037.html

The whole thread is very enlightening; at least one guy got sent to jail for testing without approval.