Comment by incrudible
4 years ago
> The kernel team literally already does this by the very nature of reviewing code submission. What do you think they do if not examining the incoming code to determine what, exactly, it does?
Maybe that's what they claim to do, but how do you know for sure? How do you test for it?
> This implies that this is the only or main way security is achieved.
It doesn't, there are many facets of security, social engineering being one of them. Maybe it's controversial to test something that requires misleading people, but realistically the only alternative is to ignore the problem. I prefer not to do that.
> Plenty of organizations agree to probing/intrusion attempts; there is no reason to secretly do this.
Yes there is: Suppose you use some company's service and they refuse to cooperate with regard to pentesting: The "goody two-shoes" type of person just gives up. The "hacker type" puts on their grey hat and plays some golf. Is that unethical? What if they expose some massive flaw that affects millions of unwitting people?
> I don't believe in the ends justify the means argument.
Not all ends justify all means, but some ends do justify some means. In fact, if it's a justification to some means, it's almost certainly an end.
> I do agree that the way the current laws regarding "hacking" are badly worded and very punitive, but crimes are crimes.
Tautologically speaking, crimes are indeed crimes, but what are you trying to say here? Just because it's a crime doesn't mean it is unethical. Sometimes, not performing a crime is unethical.
> You don't randomly walk up to your local business with a lock picking kit to "test their security".
Yes, but only because that's illegal, not because it is unethical.
> You don't randomly steal someone's wallet to "test their security".
Again, there's nothing morally wrong with "stealing" someone's wallet and then giving it back to them. Better I do it than some pickpocket. I have been tempted on numerous occasions to do exactly that, but it's rather hard explaining yourself in such a situation...
> Why is the digital space any different?
Because the risk of running into a physical altercation is quite low, as is the risk of getting arrested.
"Maybe that's what they claim to do,"
Our society is built on trust. Do you test the water from the city every time you drink it? Etc. Days like today show that, yes, the kernel team is doing their job.
How about -you- prove that they -aren't- doing their job?
"Suppose you use some company's service and they refuse to cooperate in regards to pentesting ... Is that unethical?"
Yes. You are doing it without their consent. It is unethical. Just because you think you are morally justified in doing something without someone's consent does not mean that it is not unethical. Just because you think the overall end result will be good does not mean that the current action is ethical.
"Yes, but only because that's illegal, not because it is unethical."
This is very pedantic. It's both illegal and unethical. How would you like it if you had a business and random people came by and picked locks, etc., in the "name of security"? That makes zero sense. It's not your prerogative to make other people more secure. If they are insecure and don't want to test it, then it's their own fault when a malicious actor comes in.
"Again, there's nothing morally wrong with "stealing" someone's wallet and then giving it back to them"
Yes, it is morally wrong. In that scenario, you -are- the pickpocket. This is a serious boundary that is being crossed. You are not their parent. You are not their caretaker or guardian. You are not considering their consent -at all-. You have no right to "teach people lessons" just because you feel like you are okay with doing that. If you did that to me I would not hang out with you ever again, and let people know that you might randomly take their stuff or cross boundaries for "ideological reasons".
"Because the risk of running into a physical altercation is quite low, as is the risk of getting arrested. "
This is an admission that you know what you're doing is wrong, and the only reason you do it digitally is because it's more difficult to receive consequences for it.
I strongly urge you to start considering the consent of other people before taking actions. You can voice your concerns, but things like taking a wallet or picking a lock are crossing the line. Either they will take the advice or not, but you cannot force it by doing things like that.
> Our society is built on trust.
Доверяй, но проверяй (trust, but verify)
> Do you test the water from the city every time you drink it?
Not every time, but on a regular basis.
> Days like today show that, yes, the kernel team is doing their job.
...and I am happy to report that my water test results did not raise concerns.
> Yes. You are doing it without their consent. It is unethical.
I disagree that it is unethical just because it lacks consent. Whistleblowing also implies that there is no consent, yet it is considered ethical. Suppose that Facebook leaves private data out in the open, then refuses to allow anyone to test their system for such vulnerabilities. It would be unethical not to ignore their consent in this regard.
> How would you like if it you had a business and random people came by and picked locks, etc, in the "name of security"? That makes zero sense.
I would find it annoying, of course. Computer hackers are annoying. It's not fun to be confronted with flaws.
The thing is, security is not about how I feel. We need to look at things in proportion. If my business was a random shoe store, then perhaps it doesn't matter that my locks aren't that great; perhaps these lockpickers are idiots. If my business houses critical files that absolutely must not be tampered with, then I cannot afford to have shitty locks and frankly I should be grateful that someone is testing them, for free.
> Yes, it is morally wrong. In that scenario, you -are- the pickpocket. This is a serious boundary that is being crossed. You are not their parent. You are not their caretaker or guardian...
Can we just agree to disagree on morals?
> This is admission that you know what you're doing is wrong, and the only reason you do it digitally is because it's more difficult to receive consequences for it.
Not at all, those are two entirely separate things. I wouldn't proclaim my atheism in public while visiting Saudi Arabia - not because I think there's anything morally wrong with that, but because I don't want the trouble.
> I strongly urge you to start considering consent of other people before taking actions.
You use "consent" as if it were some magical bane word in every context. In reality, there's always a debate to be had on what should and should not require consent. For example, you just assumed my consent when you quoted my words, yet I have never given it to you.