by puerto 4892 days ago
Unauthorized security testing == Malicious attack

The actions of Mr. Al-Khabaz were unlawful and unethical. If he had only accidentally found the flaw and reported it to the responsible person, things would be fine. But security testing without the permission of the system owner is the same as an unauthorized access attempt!

I have worked as a security professional for 7 years, and I recently gave a guest lecture at a college discussing an example like this. Most students were not aware of where the problem is. Maybe it would help to imagine how a story like this would look in the physical world: Let's suppose you come back home and find someone picking your door lock with a lock-picking tool. You ask him "what are you doing?" and he says "I'm just checking whether your lock is safe. I do it for your security." Would you believe him? Or would you call the police immediately, without asking him anything? Let's add to this that security testing tools can sometimes degrade the tested system's performance or sometimes even crash it. In this case, it's not just an unauthorized access attempt, but a successful denial-of-service attack!

Never, ever, do security testing of a system without the written permission of the system owner. If you get the permission, you will probably be asked to sign an NDA in return. You will also need to provide some information, like the source IP address you're using and emergency contacts that can be used to stop the testing in case of problems (like crashes, etc.). This is the only lawful and ethical way to do this kind of procedure on someone else's system.

I'm not discussing if the penalty is OK in this case. It really doesn't matter if most people here cannot tell what he did wrong in the first place.

8 comments

Malicious definition: "motivated by wrongful, vicious, or mischievous purposes", so it doesn't look like what he did was malicious. Also, unlawful? Please quote the Canadian law that he broke. Even in the US (IANAL) the law mentions a vague "unauthorized access"; has anyone ever been charged or convicted for running a vulnerability scanner like Nessus?

Not that I disagree with you: always ask for permission in writing from an authorized person before performing any kind of scan or security testing.

I explained my point below in more detail regarding the equation and why I think it should be remembered.

When someone is scanning your system and you haven't authorized it, you will definitely treat it as malicious. In a given moment, you don't care about the attacker's inner motives, because your system is under attack and you'd better act accordingly.

I know a story about a guy who lost his job because of unauthorized Nessus scanning in his company. Every story with a convicted hacker has some kind of scanning tool (at least nmap) that was used in the scanning phase, you can bet on it. Every scanning tool is an attack tool. In fact, scanners are the most useful tools for any kind of attack, because they minimize the amount of manual effort needed.

I don't know much about Canadian law, but most current laws forbid unauthorized access and _attempts_ at it.

I think what the GP meant was something along the lines of "Unauthorized security testing is indistinguishable from Malicious attack", in the sense that you cannot but expect that the administrators of the system in question will react in alignment with their own goals. And you really have no control over whether they perceive you as an ally or a threat.

Orthogonal to this fact is the question of what happens when an authority is brought in to solve the conflict. And something young hackers need to learn as early as possible is that you are not entitled to due process in every possible context. It would be unlawful if you were not given the chance of a just trial in the context of a criminal or civil lawsuit, but this does not translate well into private institutions.

In the particular case of a student's unauthorized access within a university, this problem is compounded by the fact that the University and its representatives play the roles of prosecution, judge, jury and (sometimes) defense. You also have to consider that the people doing this are not legal professionals but are pulled out of their real jobs to sort out some random mess, thus the only constraint is their common sense. I've even heard a first-hand report of a case in my university where the faculty member supposedly playing "defense" was the most gung-ho about giving the boot to the guy in question (who ended up getting a one-term suspension, but got to keep his scholarship, so it could have gone much worse).

This is probably not "fair", but it is the way it is and nobody seems interested enough to make it change. Education has a number of stakeholders with sometimes conflicting preferences and goals, so this is not a trivial problem.

But the point is that once your actions put you in harm's way, the abstract concepts of "fairness" and "proportionality of the punishment" are academic at best. My opinion is that legality is the bare minimum standard society imposes to keep barbarism at bay, but it is pretty rough itself. So it is in your best interest to conduct yourself in such a way that appeals to "the rules" happen as little as possible.

>"Unauthorized security testing is indistinguishable from Malicious attack"

Of course it's distinguishable. Testing comes before attacking, to provide information. The two are otherwise completely unrelated. It's dead easy to distinguish between someone poking your fence and someone stealing your jewellery, for example.

If your test to see if you can pick a lock is actually trying to pick the lock, then the test can of course be indistinguishable from attempted burglary. If you were caught in the act, any defense will be suspicious. However, if you confessed of your own free will, there is usually no reason to suspect criminal intent.

If you're caught in the act, sure. But they called him about it well after the actual actions. That's solid evidence then that he left after entering and logically did not use the entering to commit a crime.

You are willingly missing the point here. It is human nature to assume malicious intention, even if it is wrong. And if there's no strong motive to provide due process and investigate, malicious intention will be assumed.

If a random male servant is found to have gained unauthorized access to the princess' chamber, torture comes first and beheading comes last. In-between questioning regarding his intentions and the degree of fulfillment is optional.

You don't do that if you have video evidence of him entering, standing there for 15 seconds, and leaving.

There is a huge difference between catching someone in the act of breaking in, where it's reasonable to assume malicious intention, and noticing that someone entered and left, where you can see that they didn't do anything malicious.

>'Unauthorized security testing == Malicious attack'

I don't agree with that. I do think that unauthorized testing is unethical and you should get permission first, but treating it the same as a successful attack and punishing it the same is wrong. The main difference is intention. And Mr. Al-Khabaz notified the relevant authorities and did get thanks at first. If we compare this case to your example about locks, I'd say that Mr. Al-Khabaz walked around your house, saw the broken lock on your back door, then came to your front door, knocked and told you about it. Maybe you may wonder why he would walk around your house in the first place and accuse him of being weird, but can you accuse him of breaking in and stealing?

P.S. Since the author of the article is known for partnering with students defending organizations, the whole story can be one-sided, and it would be good to judge after hearing the other side. E.g. it could be not the first issue, or there are traces of something more than just a security inspection.

You missed my point. Like I said, I'm not commenting on the penalty. In my opinion, it's too hard. But this is only my opinion after hearing (just like you said) just one side of the story.

The main problem with unauthorized testing (putting aside technical problems) is that the person who performs it is in a _very_ difficult position explaining her intentions. She already did what is considered the _second_ stage in a hacker attack. Until she can prove her good intentions, this is rightfully treated as a malicious attack.

This is what my equation means. I think everybody on this forum should be aware of this. Don't get yourself in trouble for not knowing this.

> She already did what is considered the _second_ stage in a hacker attack

Considered by whom? There are companies which pay you money if you can find a bug in their software. And that's an open offer, they don't say 'wait, we'll get ready at 8 p.m. Friday and then you can check'. What do you think Google would do, if this student used a scanner (or something else) on Gmail, found a bug and then told Google about it?

I still think that intention is the key difference here. And as you said 'that person who performs it is in _very_ difficult position explaining her intentions'. That's why you shouldn't do any unauthorized checks, because even if you wanted to tell the relevant authorities about your findings, you can be caught before that and then you're screwed. But Mr. Al-Khabaz informed the university/company and was the initiator of that talk, so it kinda clears him. He was able to reasonably explain his intentions and his punishment could have been just a warning (of course, if there aren't any significant moments we don't know about). Also he didn't get any credit for the help he gave by finding the bug.

Scanning is the second phase of the standard hacker attack procedure. Phases of hacking:

Phase 1—Reconnaissance
Phase 2—Scanning
Phase 3—Gaining Access
Phase 4—Maintaining Access
Phase 5—Covering Tracks

Regarding this guy's intention, you're probably right. The main reason why I'm commenting here is so that guys with good intentions don't get themselves into trouble for not knowing what they're doing.

Finding vulnerabilities in software on your machine and hacking other people's systems are entirely different things. By testing software you're not violating anything (except maybe the EULA for some licences). By hacking other people's systems, you're committing a crime.

> What do you think Google would do, if this student used a scanner (or something else) on Gmail, found a bug and then told Google about it?

At first, they would treat it like an attack. Like almost any other company would do. I have no idea what would happen later.

But you wouldn't call reconnaissance hacking, would you? That's just vaguely looking at the site and information about the company. Step 2, pointed at something like a webserver, does not connect to any systems the person is not supposed to have access to. Only step 3 crosses the line.

Good point, I wouldn't call reconnaissance hacking, for two reasons: 1) it's a passive method, 2) it's not done on the attacked system.

Scanning is an active method and it's done on the attacked system. Web scanning is not the same as web crawling (downloading pages of the site). It includes all kinds of invasive tests, like SQL injection, XSS, command injection and other attack attempts. It can cause many kinds of problems, named here in this thread.

From a security perspective, scanning is an attack. Everyone who uses these tools should be aware of this.

Companies paying bounties for bugs are explicitly giving you the right to pen test their applications. This changes nothing in terms of unauthorized scanning = malicious attack.
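The distinction drawn above between crawling a site and actively scanning it is visible from the administrator's side in the access log: a crawler requests ordinary pages, a vulnerability scanner sends injection-style payloads in parameters. The script below is an added example for that point and is not code from this thread or from any scanner vendor. It parses a handful of constructed combined-format log lines (documentation-range IPs, invented paths and payloads) and tags each source address as "crawl", "suspicious" or "active scan" using a deliberately small signature set for the attack classes the comment names. The signatures, thresholds and log format are assumptions for illustration, not a complete detection rule base.

```python
"""Tell a benign crawl from an active web-vulnerability scan in access logs.

Added example (not from the thread). Log lines, addresses, paths and
payloads below are constructed; the signature set is illustrative only.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access log (combined-log style, shortened to the
# fields used here). 203.0.113.10 behaves like a crawler; 198.51.100.7
# behaves like an automated scanner probing several attack classes.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2013:10:00:01 +0000] "GET /news HTTP/1.1" 200 5123
203.0.113.10 - - [20/Jan/2013:10:00:02 +0000] "GET /news?page=2 HTTP/1.1" 200 4987
203.0.113.10 - - [20/Jan/2013:10:00:03 +0000] "GET /about HTTP/1.1" 200 2210
198.51.100.7 - - [20/Jan/2013:10:05:00 +0000] "GET /news?page=2%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312
198.51.100.7 - - [20/Jan/2013:10:05:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2011
198.51.100.7 - - [20/Jan/2013:10:05:01 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 198
198.51.100.7 - - [20/Jan/2013:10:05:01 +0000] "GET /ping?host=127.0.0.1%3Bid HTTP/1.1" 500 287
198.51.100.7 - - [20/Jan/2013:10:05:01 +0000] "GET /contact HTTP/1.1" 200 1876
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Small illustrative signatures for the attack classes named in the thread.
# Applied to the URL-decoded request target; a real rule set is far larger.
PROBE_PATTERNS = {
    "sqli": re.compile(r"(?i)['\"]\s*(?:or|and)\s+['\"]?\d|union\s+select"),
    "xss": re.compile(r"(?i)<script\b|javascript:|on(?:error|load|mouseover)\s*="),
    "traversal": re.compile(r"(?:\.\./){2,}"),
    "cmdi": re.compile(r"[;|`]\s*(?:id|whoami|uname|cat)\b"),
}


def classify_line(line):
    """Parse one log line; return its fields plus the probe classes it matches."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skipped by the caller
    target = unquote_plus(m["target"])  # decode %xx so signatures see the payload
    kinds = sorted(k for k, p in PROBE_PATTERNS.items() if p.search(target))
    return {"ip": m["ip"], "target": target, "status": int(m["status"]), "probes": kinds}


def summarize(log_text):
    """Aggregate per source IP and attach a verdict.

    Verdict thresholds are an assumption for the example: one signature hit
    may be a false positive, so a single hit is only "suspicious"; two or
    more distinct probe hits from one address are treated as an active scan.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "probes": 0, "kinds": set(), "server_errors": 0})
    for line in log_text.splitlines():
        rec = classify_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["probes"] += len(rec["probes"])
        s["kinds"].update(rec["probes"])
        if rec["status"] >= 500:  # probes that crash handlers show up as 5xx
            s["server_errors"] += 1
    for s in per_ip.values():
        s["kinds"] = sorted(s["kinds"])
        if s["probes"] >= 2:
            s["verdict"] = "active scan"
        elif s["probes"] == 1:
            s["verdict"] = "suspicious"
        else:
            s["verdict"] = "crawl"
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['requests']} requests, {s['probes']} probe hits "
              f"{s['kinds']}, {s['server_errors']} server errors -> {s['verdict']}")
```

The 5xx count is worth keeping alongside the signature hits: it is the log-side trace of the "performance degradation or crash" problem raised earlier in the thread, and it is what an on-call administrator would see first, before anyone explained intentions.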
http://www.acunetix.com/blog/web-security-zone/should-you-te...

What can happen when production Web applications are tested, including:

Email floods

Junk data inserted into databases

News feeds filling with random input

Log files filling up

Accounts getting locked out

Internet bandwidth consumption

Scans that take longer to complete

High server and database utilization

Incident response teams and managed security providers having to deal with alerts

Final cleanup needed after the fact

Still, all those things are caused by bugs in _your_ software. And all of that can be caused by regular users just hitting one of the bugs.

No, they are not bugs, in any way, shape or form. I think you are missing the technology and ethos of website design here.

Web scanners do massive offensive attacks. They basically DoS attack your site in many ways, trying millions of attack vectors.

Mitigating against vandalism is very hard. It hurts users the more you do. Generally you leave it as open as possible and it is ok, since it's not a security issue per se and most sites can live their lives never having been attacked this way.

There's no money in vandalism and unless you piss off skilled or determined people it won't be abused.

Someone could write a script to cause thousands of $ damage to Wikipedia without much trouble. But wiki chooses to leave itself open and take the risk. They don't have a bug. They are trying to do the right thing by users.

> No, they are not bugs, in any way, shape or form.

Maybe not all, but some of them are.

I think you mentioned a different issue here: puerto called an unauthorized check 'unethical' and you talk about performance. If Mr. Al-Khabaz had used some noninvasive scanner, which didn't bring any serious technical overhead, would it be ok by you?

> Someone could write a script to cause thousands of $ damage to Wikipedia without much trouble. But wiki chooses to leave itself open and take the risk. They don't have a bug.

I don't really understand what you mean when you say 'open', open to what? But I think wiki has some protection mechanisms, because at their scale if someone could easily bring them down, someone would.

As per my link to a direct article by the makers of the scanner he used, it is invasive. What more do you want?

Yes, passive scanning is fine with me, it's probably legal in most countries, but this is not certain (See Google and wifi). But I don't see the relevance to the conversation.

Passive automated scanning is fairly useless so it's not really used.

Fact is he broke the law at a criminal level and caused damage, if you can't see this, you really have no idea of the reality of the technology he was using.

But what should happen to him for it is a discussion for a different thread.

I agree. But _any_ kind of hacking exploits some kind of vulnerability in the system. The presence of the bug doesn't give you the right to exploit it.

Yeah, those things also.. ;)

You are probably correct that what he did is probably unlawful (Canadian law is usually fairly close to US law); I disagree that it was unethical.

In a general sense it's not difficult to find instances of behaviour that, while lawful, are far from ethical, so those two things don't necessarily travel together. Some examples: http://en.wikipedia.org/wiki/Sexual_Sterilization_Act_of_Alb... http://en.wikipedia.org/wiki/Canadian_Indian_residential_sch... Obviously this could be a long list...

In this specific instance it seems that his information was exposed by this flaw along with everyone else's. Wanting to verify the safety of your own information feels like a pretty reasonable and ethical thing.

I think I would rephrase your example a little: "Let's suppose you let someone store their stuff at your house. You come back home and find them picking your door lock with a lock-picking tool. You ask him "what are you doing?" and he says "I'm just checking whether your lock is safe. I do it for your security." Would you believe him?"

An analogy even more accurate to this case would be: "Let's suppose you let someone store their stuff at your house, and they have previously pointed out a problem with the lock. You come back home and find them picking your door lock with a lock-picking tool. You ask him "what are you doing?" and he says "I'm just checking whether the lock I said you should fix is safe. I do it for our security."

There are many standards of ethics. I am talking about professional ethics in information security. An example of this: https://www.isc2.org/ethics/default.aspx

If you are in the business of finding vulnerabilities in IT systems, you should be aware of it. If for nothing else, to save yourself from situations like this.

This guy is not a security professional (yet), but running vulnerability scanners on other people's systems definitely puts him in that context.

It's his own data in the system, which makes this completely different. In your lock picking example, it would be a landlord finding one of their tenants picking their flat's locks.

"It's his own data in the system, which makes this completely different. In your lock picking example, it would be a landlord finding one of their tenants picking their flat's locks"

More accurate would be catching your tenant picking every single apartment's lock to prove that their personal lock is vulnerable.

Assuming the vulnerability scanner tries some basic login attacks (for example, trying default usernames/passwords), then it would be analogous to a landlord finding one of their tenants trying to pick their neighbours' locks, and that of the building management office.

So you think you can do the testing of any system that contains your data without prior permission?

No, it's more analogous to him trying to break into a bank vault because it has his money.

If by breaking in you mean walking in through open, unsecured doors...

You are overlooking the fact that Al-Khabaz informed the system owner about the problem 2 days prior. Thus, you cannot claim the actions of Mr. Al-Khabaz were definitely unlawful and unethical; that remains to be seen. This is not a black and white issue.
"You are overlooking the fact that Al-Khabaz informed the system owner about the problem 2 days prior"

Warning the system owner doesn't give you the ability to run pen tests if they do not wish you to do so.

"True, but it makes the case quite different in legal and moral scope from one in which the system owner is not warned"

I would believe that it would really only make a difference if the systems administrator replied to your warning with acceptance and an invitation to do so.

Morals being subjective, how do you feel it would change the legal conditions?

"A warning removes malicious intent. Lack of warning leaves malicious intent in place."

The trespassing, using a system in nonstandard ways, could still be considered "malicious", even if the user's intent was not. (I'm not making judgments on the guy so much as imagining that prior warning is not sufficient.)

I don't see how a reasonable person would conclude Al-Khabaz's actions were malicious. People with malicious intent do not draw attention to themselves prior to the event, nor do they advertise the exact attack that they will use.

You're still stumbling through systems you are not explicitly invited into. I understand why you might feel that good intentions validate the act, but assuming that all administrators are so gracious would be dangerous :P

A warning removes malicious intent. Lack of warning leaves malicious intent in place.

True, but it makes the case quite different in legal and moral scope from one in which the system owner is not warned.

Sounds like he was using an automated scanner as well. That's a stupid thing to do and he should be in trouble.

I'm not sure he should be expelled, but definitely reprimanded.

I agree with this if you get rid of any references to morality. Can you explain how a vulnerability scan would be considered morally equivalent to a full scale attack?