About the Author

Chris Shiflett

Hi, I’m Chris, a web craftsman making things like Mapalong & Brooklyn Beta with my friends at Analog.


Ethics and Security

Paul Jones has published an entry on his blog discussing ethics and security. Although I don't have the time to properly respond, I do want to make a few points.

There is a tendency to view security research, in any form, as malicious, and this seems to be the primary reason people object to it. Without such research, though, those with malicious intentions gain the advantage: the flaws are still there, but only the attackers are looking for them. It is for this reason that I view attempts to narrow the ethical boundaries within which security research is permitted as counterproductive.

This is similar to the debate over the blood alcohol content thresholds written into drunk-driving laws: an overly strict threshold classifies more people as criminals, which makes severe penalties unjust in edge cases. Likewise, as more security researchers are labeled unethical, fewer people are willing to do such research, and we all lose.

Of course, there must be boundaries, but I believe more flexibility needs to be afforded to researchers than Paul asserts. I'm not suggesting that a Patriot Act approach is a good idea, but I think we need to be more forgiving rather than less when judging those with good intentions.

To those interested in this particular topic, the policies of the PHP Security Consortium are worth considering.

About this post

Ethics and Security was posted on Sun, 10 Jul 2005 at 19:55:21 GMT.

11 comments

1. Paul Jones said:

Hi Chris --

You say, "I think we need to be more forgiving rather than less when it comes to judging those with good intentions."

I completely agree. However, the only way to know if a tester's intentions are honorable is if that tester communicates those intentions to the target. Otherwise, the test may well look like an attack, from the target's point of view, which is why otherwise benign research would be seen as malicious.

What set of rules would **you** consider ethical when it comes to testing other people's public sites? (Note that I ask about "public sites" and not merely "open-source applications," which you can download and test on your own system.)

If you would, please let your reply take into consideration that it should be possible for the target to distinguish legitimate research behaviors from malicious penetration behaviors; if nobody else can tell, then the tester may be either good or bad, with no way to discern.

As long as there are published rules, and not merely "good intentions," we can start the basis of a more relaxed standard of ethics.

Sun, 10 Jul 2005 at 21:43:29 GMT


2. Paul Jones said:

Quick followup -- even by relaxed standards, the person who "researched" the Solar and Cortex sites has not proved himself an ethical tester; he has yet to notify me by any means of the vulnerabilities he discovered. (And no, me seeing the results of his "research" in my comments is not notification; that's me stumbling onto the scene.)

Sun, 10 Jul 2005 at 21:48:00 GMT


3. Chris Shiflett said:

The policies of the PHP Security Consortium reflect a subset of what I believe are ethical guidelines.

I am nearly convinced that prior notification is necessary. However, I don't think I'll ever be convinced that prior approval is necessary.

I'll provide a more thorough answer and response at a later date.

Sun, 10 Jul 2005 at 21:50:58 GMT


4. Paul Jones said:

"I am nearly convinced that prior notification is necessary."

Hey cool. :-)

"I'll provide a more thorough answer and response at a later date."

I look forward to it. :-)

Also, and not to keep going at it piecemeal, any set of guidelines should include what you are **not** allowed to do. If everything is allowed, or "the right to do anything else as necessary is reserved", then it's not really a set of ethics, it's notice that one gets to do what one wants, when one wants, for one's own reasons.

Sun, 10 Jul 2005 at 22:40:54 GMT


5. Ilia Alshanetsky said:

Mon, 11 Jul 2005 at 03:32:29 GMT


6. Paul Jones said:

Hi Ilia -- you say: "These included people who think that rather than solving problems, it is better to chase after people who find them."

Dude, nobody's chasing after you (at least not me). I like the idea of vuln testing, I just want (as a target) to be notified when you're doing it so I know I'm not being attacked.

You also say, "Back in the early days of net when the community mostly consisted of engineers and scientists and hackers things were a lot simpler." You're correct; when the network was primarily a tool for research, things were easier. But now the network is public, and "testers" need to behave in a more socially-friendly manner.

Finally, as far as people who test security, "most do it out of sheer curiosity and quest of understanding and helping people improve their systems." Wonderful! Ask me first before "helping" me to improve -- or at least tell me in advance that you're preparing a lesson for me.

Again, it's not hard, and I'm not trying to stop anyone -- I'm just saying that you need at the very least to communicate your intentions, and really ought to get approval before tooling through a site that is not yours. Is that such a hard task?

Mon, 11 Jul 2005 at 13:15:24 GMT


7. k1dd13 said:

Paul, next time when i r00t your server i will send u a msg frst

Mon, 11 Jul 2005 at 17:19:19 GMT


8. Derick Rethans said:

Although k1dd13 doesn't look very mature, he has a point. You should most of all do those security tests yourself! It's up to you, the programmer, how safe you are. And unfortunately it seems that programmers writing applications are just as mature as the people exploiting them...

Mon, 11 Jul 2005 at 17:22:26 GMT


9. Paul Jones said:

Hi, Derick,

I completely agree that security flaws are the fault of the programmer. I do what security testing I know how to; I don't know as much as Chris or Ilia or others about the various flaws, so I am an imperfect tester. I depend in some cases on others to point out where I have erred.

So my point is about how ethical persons go about testing for flaws. Certainly I would not expect an *un*ethical person to give me notice; that's part of what makes him an unethical bad guy.

But if a person is an ethical good-guy, I *do* expect him to give notice that he's testing my systems. Otherwise, I have no way of knowing if the "testing" is benign or malevolent. In addition, I expect an ethical person to tell me what he found. What better way to improve the state of security than to tell your target what you discovered?

Perhaps I am naive to think that professional programmers want to help other programmers improve their craft.

Mon, 11 Jul 2005 at 18:40:26 GMT


10. Paul Jones said:

Hi again --

The "Web Application Security Consortium" seems to agree with the "approval" framework, if primarily as a matter of law rather than ethics. (I think the two coincide in this case; law and ethics do not always match, as we know. ;-)

http://www.webappsec.org/lists/webs...6/msg00081.html

Mon, 11 Jul 2005 at 19:49:26 GMT


11. Paul Jones said:

Here's a much better one, from earlier in the thread (the entirety of which bears reading):

http://www.webappsec.org/lists/webs...6/msg00037.html

Mon, 11 Jul 2005 at 20:20:33 GMT