Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number
 
PerlMonks  

Information sharing

by dragonchild (Archbishop)
on Jun 04, 2004 at 17:51 UTC ( #361013=perlmeditation: print w/replies, xml ) Need Help??

In 'freak' and recent threads, merlyn implies, and others agree, that before one answers a question, one should somehow divine the intention of the questioner and only answer if the intent is pure (for some relative value of pure). I think that this goal is not only impossible, but ethically wrong.

The obvious scenario is blackhat vs. whitehat in security. If you want to protect against an exploit, you have to know inside and out how that exploit works. Ideally, you'd be able to reproduce it at will. But, the information needed is still the same.

TimToady brought up another possibility - that the illegal activity, should there be any, might be to secure freedoms that Westerners would expect to have. For example, the ability to visit any website and write whatever you want while in mainland China.

Another possibility would be idle curiousity. I, personally, am curious as to how to hack root on a Linux box. I just want to know. Most of us on this site have this same burning desire to know exactly how the whizzbang works. We take things apart and put them back together again, often in a different configuration. Part of that is knowing how to do things that weren't intended by the creator(s). Remember - the first worm was written to see if it could be written.

And, so what if the person asking the question wants to break into a site? Frankly, I couldn't care less. Not only am I not someone else's moral compass, I am also not the protector of the hapless victim. The only kind of victim is a hapless one. If you weren't hapless, you wouldn't be a victim.

Put another way, you choose to connect yourself to the Internet. You choose to have a website up and running. You choose to take credit-card information. You choose to not have the necessary knowledge / personnel / skills / etc. If I were going to harden a site, I would charge a lot of money to do so. Why should I protect you for free?

Finally, I would put forth that by choosing what information we will and won't share on a community level is to perform the same kind of censorship that we, as Westerners, decry as "totalitarian" and "fascist". China, N. Korea, Iran, Saudi Arabia, Azerbaijan ... all these nations perform large amounts of censorship in the name of keeping people safe. We, the Perlmonks community, are not better than they are if there are topics we refuse to discuss. In some ways, we're worse. They, at least, are honest in their censorship. We would be hypocrites, as well.

------
We are the carpenters and bricklayers of the Information Age.

Then there are Damian modules.... *sigh* ... that's not about being less-lazy -- that's about being on some really good drugs -- you know, there is no spoon. - flyingmoose

I shouldn't have to say this, but any code, unless otherwise stated, is untested

Replies are listed 'Best First'.
Re: Information sharing
by chromatic (Archbishop) on Jun 04, 2004 at 18:06 UTC
    Finally, I would put forth that by choosing what information we will and won't share on a community level is to perform the same kind of censorship that we, as Westerners, decry as "totalitarian" and "fascist".

    "We" the Perl Monks community are all individuals who decide as individuals what to write and what not to write. "We" are not a government. "We" do not have the power to detain, imprison, or torture dissidents.

    If some jerk with too much time on his hands and no sense of personal responsibility wants to cause mayhem and havoc for other people, he can do it without my assistance. There's a big difference between my saying "I don't care to contribute to things I find ethically and morally distasteful" and driving tanks over people who criticize me!

    I think you may have a valid point, but it's lost in a forest of disproportional histrionics.

Re: Information sharing
by Zaxo (Archbishop) on Jun 04, 2004 at 18:12 UTC

    Hiding vulnerabilities instead of repairing them is generally regarded as poor security. The system of security alerts for vulnerabities is based on that.

    Regarding Tim Toady's remark, I think that computer programs and information should not only be protected by the First Amendment (free speech aka "information sharing", for denizens of those countries), but also the Second (right to bear arms). Recall that crypto software was until recently classed as "munitions" while paper copies of it were not restricted.

    After Compline,
    Zaxo

Re: Information sharing
by hossman (Prior) on Jun 04, 2004 at 18:28 UTC

    I agree that all information *should* be free, and in a perfect world that would be great ... but this is an imperfect world.

    Merlyn's point was merely that people should be cautious when answering questions of a "how do i hack this thing?" nature ... maybe the intentions are good, maybe the person is just curious, maybe their intentions are evil -- he's not saying it's your job to know, and to only answer quiestions asked by noble people ... he's just suggesting caution.

    I suggest using common sense.

    personally, I agreed with most of your post up untill this point...

    Put another way, you choose to connect yourself to the Internet. You choose to have a website up and running. You choose to take credit-card information. You choose to not have the necessary knowledge / personnel / skills / etc. If I were going to harden a site, I would charge a lot of money to do so. Why should I protect you for free?

    "Why?" becuase you're a human being and a member of a (virtual) society that should aspire to loftier goals then total anarchy and an "every man for himself" mentality.

    It's a lot easier and cheaper to shatter a large glass window (to rob a store, or rape and murder a family) then it is to create and install shatter proof glass. I wouldn't ask you to stand guard in front of my house, or even to help me pay for shatter proof windows -- but as a member of humanity the least you can do is not help someone (who looks sketchy, talks sketchy, and acts sketchy) you see trying to bust through a window of with their fists, by pointing out that a brick or a sledge hammer would work better.

      but as a member of humanity the least you can do is not help someone (who looks sketchy, talks sketchy, and acts sketchy) you see trying to bust through a window of with their fists, by pointing out that a brick or a sledge hammer would work better.
      But that's not the case here. Imagine if you were a hardware store employee, and someone in the store asked you what would be more useful to break a window, a brick or a sledge hammer -- you'd have no way to know why they wanted the information. You'd just answer them, and that would be the right thing to do -- unless they told you why they wanted it.

      Providing the information when unclear about intent is the right thing to do. Making your own choice about providing the information when intent is clear is probably the right thing to do as well.

      There are two goals at work here, and they work against each other in a situation like this -- Security, and Information Transfer. Information Transfer is the more important goal, IMHO, but even more important than that is the fact that the intent is the point of failure, the reason that the window's going to get broken isn't because of a recommendation from a hardware store employee. It's because there's a punk looking to break stuff.

      Admittedly, once intent becomes clear, this is not an issue any more. When freak indicated this was for Bad Things, then I would agree that it becomes personal choice about the resulting actions.

      Even in a court of law, the hardware store employee who sold the vandal the sledge hammer would be untouchable -- UNLESS the intent was communicated, in which case there could be a tenuous concept of conspiracy. (Not that I'm aligning myself with the legal system, just saying that even a courtroom would be hard pressed to say that you're facilitating a crime if you don't know one is going to occur.)



      -----------------------
      You are what you think.

        Imagine if you were a hardware store employee, and someone in the store asked you what would be more useful to break a window, a brick or a sledge hammer -- you'd have no way to know why they wanted the information. You'd just answer them, and that would be the right thing to do -- unless they told you why they wanted it.
        Nice analogy, but I don't think it fits the situation. A better one would be someone asking a pharmacist how to make poison. Perhaps the person asking is a researcher studying antidotes. If so, that person would already have some knowledge about poisons. In this case the person asking had little or no knowledge of the dangerous field he was asking about. Should knowledge about poisons be protected by the first amendment, sure. Should people with that knowledge share it when appropriate (assisted suicide?), that's an individual choice based on an individualistic definition of "appropriate". Should they share it with anyone who asks regardless of how much it looks like the person is intending to do harm to self or others with no indication there is a valid reason behind it? Nope.
Re: Information sharing
by robartes (Priest) on Jun 04, 2004 at 19:49 UTC
    Finally, I would put forth that by choosing what information we will and won't share on a community level is to perform the same kind of censorship that we, as Westerners, decry as "totalitarian" and "fascist".

    IMHO, you're comparing apples and oranges here. On the one hand, you have a community of people deciding to not do a certain thing, or -- to put it in grander words -- to set a certain moral standard. That's us deciding not to encourage cracking activity by not answering freak's questions. On the other hand, you have a non representative, mostly democratically unelected group of people misusing power to deny information and knowledge to vast masses of other people with the single purpose of protecting their own power. These are two vastly different things.

    As to the issue that sparked this thread, I'm firmly on merlyn's side. One could say that someone who explicitely has to ask for this sort of information, and does it in such a thinly veiled way will never be a big threat, so why bother, but there are legions of script kiddies out there to disprove that point.

    ++dragonchild for starting this interesting discussion

    CU
    Robartes-

Re: Information sharing
by hardburn (Abbot) on Jun 04, 2004 at 18:29 UTC

    In this specific case, I'm not going to give freak information. If he's ligit, then there are better ways to find what he's looking for than blathering around here. If he's not, it costs me exactly zero effort to not post a reply. I am free to speak my mind on this (namely, that others shouldn't give him information, either), but I ultimatley have no ability to force anyone to do this.

    ----
    send money to your kernel via the boot loader.. This and more wisdom available from Markov Hardburn.

      Before his intentions were called into question he's been given all the answers he wanted. His problem is that he wants to be spoon fed and refuses to read past what has been written in response to his questions.
Re: Information sharing
by McMahon (Chaplain) on Jun 04, 2004 at 18:35 UTC
    I know how to write bots.
    I know how to do ARP poisoning.
    I know how write Perl port-scanning apps.
    I know how to crash remote servers.
    I know how to own remote boxes.
    I choose not to discuss such things here.
      I know how to write bots. I know how to do ARP poisoning. I know how write Perl port-scanning apps. I know how to crash remote servers. I know how to own remote boxes. I choose not to discuss such things here.
      Most of what you said, I agree with. I won't talk about ARP poisoning. But what if it involves perl? What if it's about patterns that make perl and our lives more secure. If winnuke, from days of ol', wasn't talked about so much, smurf and the likes.. security and information about it would be a privaledge to have. It would be an advantage of a chosen set.

      I would rather people learn how to hack apart operating systems and languages. I rather do things smarter, than in more ignorant ways.

      If you think about it, w/o the unfiltered internet and the easy accessible-ness of information and data, we may not have been better off. So why is one topic so taboo? No system is totally secure, but w/ the information, we can make it damned well harder to break in.

      --
      Bart: God, Schmod. I want my monkey-man.

Re: Information sharing
by Steve_p (Priest) on Jun 04, 2004 at 20:25 UTC

    Although laziness is one of the three Great Virtues, I cannot myself see why I should exert any effort on someone who does not even make the effort to read some documentation or write some code before asking specific questions about how to do something. Several monks provided hints on documentation, perldocs, and other documents that would provide the information they needed. In some cases, the answers were easily at hand by going to Google. I don't believe that there was censoring going on at all. Many people on this site, however, believe that people generally need to make some sort of effort before answering specific questions. If freak's questions were more generic, say along the lines of "How do I access a website with Perl?", "What's the best module for accessing websites?", etc., then those questions can be answered quickly and should always be welcome here.

    Were freak's motives "pure" or not? I can't say. What I do know is that freak made no effort to ask the questions. We don't have to make the effort to answer them. We can choose to answer them or not. That choice is your's alone.

Re: Information sharing
by davido (Archbishop) on Jun 05, 2004 at 04:24 UTC
    You are correct that it is impossible to always know the intent of folks we help here. And I honestly really do enjoy helping people (if I'm able) no matter what their project, usually.

    But it leaves a really bad taste in my mouth when it is obvious beyond reasonable coincidence that someone is just planning on cut-n-pasting my assistance into a script that's going to be put to fraudulent or distasteful use. What I consider to be distasteful is my own opinion, and I'm entitled to it. ...and in fact, I may even share it once in awhile.

    At any rate, if I personally feel that my advice is going to be put to improper use, I'm going to refrain from providing it. I'm not going to always know, nor will I always care. But if a node, or group of nodes really rub(s) me the wrong way, and I vocally refrain from providing a solution, I don't care if others think I'm doing anyone a disservice by abstaining or not; I've made my choice. Nobody has a right to my free advice, unless I offer it to them.

    Regarding the freedom of speech discussion, yes, free speech is protected (thankfully) in the USA, but don't mistake the right to free speech with the right to speak freely in any forum the speaker chooses. The latter is not a protected right, under the US constitution. And lets not get all worked up politically anyway, this is PerlMonks, not the Town Hall. To say that my refraining from offering a solution is a form of censorship, akin to what goes on in countries that don't have protection of freedom of speech... is a load of crap. Deciding to not give an answer hasn't impeded anyone else's freedom to do so, plus, as I already mentioned, this "community" doesn't have to protect free speech anyway; free speech is protected under the US Constitution, but free choice of forum for speech isn't protected nor guaranteed.

    This guy just happened to make a lot of people suspicious of his motives. And a lot of consciencious individuals chose not to become facilitators in his deviant plan. It's not a big deal... If he's creative and bright, he'll figure it out for himself anyway, and if not, one less script-kiddy trying to muck up the Net.


    Dave

Re: Information sharing
by kragen (Sexton) on Jun 04, 2004 at 23:24 UTC
    I believe that people are morally responsible for the consequences of their actions to the degree that they could reasonably have anticipated those consequences. If you believe this, then it follows that you should spend a reasonable amount of effort to guess at the consequences of your actions, then not take actions that you predict will have bad consequences.

    In this case, a reasonable person could probably guess that they were helping a thief commit fraud, and so people who helped are morally responsible for their part of the crime.

      I'm sorry, but I can't make sense of this argument - it would surely follow from this that anyone who creates a general purpose tool (such as perl, created by Larry) is morally culpable since they could and should have anticipated that someone would at some point in the future use the tool for bad purposes, and should therefore not have released it in the first place (or only, under strict licensing conditions, to carefully vetted individuals).

      The same argument would apply to anyone writing a book to teach people how to program.

      Except in the case of a signed contract explicitly removing the right, I don't see how anyone giving out correct information can be legally culpable. Whether they are morally culpable of course depends on your ethics, but most ethical systems would hold truth to be a high trump card.

      Hugo

      I want to address this argument because it actually ends up somewhere I don't think you want to be.

      Some backgroud is in order. I am a Wiccan, which means I actually have only one ethical precept, called the Wiccan Rede. It reads: An it harm none, do what thou wilt. We also have only one law (more of an observation, really) called the Rule of Three. It reads: Whatever you do returns threefold upon you.

      All Wiccans agree that if I rape someone, I have violated the Rede, as I have caused harm. Same goes for (most) killing, theft, assault, etc. Most Wiccans would also agree that by helping others, I am helping me and mine. So far, so good.

      Most Wiccans would also say that if I give someone a knife, knowing they are capable of killing, and they use that knife to kill, I have committed harm. I vehemently disagree with this.

      For me to withold that knife, I must assert a greater moral capability than my friend. I am, in effect, making the moral choice for him. This is the same attitude that the Chinese goverment has when they ban certain websites on the grounds that the sites are seditious. Their reasoning goes something like this:

      1. If a citizen were to read something that maligns the government, they will be swayed by it.
      2. If the citizen is swayed by it, we'll have to imprison them.
      3. Since imprisoning a citizen is bad, we have to prevent the citizen from being exposed to what will get them imprisoned.

      The problem here is that the government is asserting that the citizen is a stupid sheep that has no capability to do the right thing. In effect, the only entity capable of moral action is the government.

      Here's another example, from the West. In nearly every industrialized nation, suicide is illegal. It is against the law to kill yourself. Why? Who have I harmed? Am I not in control of my body? Essentially, the goverment is saying that it knows better than I do. The same goes for the "War On Drugs" and several other intrusive initiatives.

      The point being that if I have to be morally responsible for the concesquences of your actions, I have to assert that you are a lesser being, morally, than I am. I hope that's not what you want to say.

      ------
      We are the carpenters and bricklayers of the Information Age.

      Then there are Damian modules.... *sigh* ... that's not about being less-lazy -- that's about being on some really good drugs -- you know, there is no spoon. - flyingmoose

      I shouldn't have to say this, but any code, unless otherwise stated, is untested

        At the risk of dragging this thread way OT:

        For me to withold that knife, I must assert a greater moral capability than my friend. I am, in effect, making the moral choice for him. This is the same attitude that the Chinese goverment has when they ban certain websites on the grounds that the sites are seditious.

        Again, I disagree. You are correct on the one hand if you say that it is not our place to make moral choices for other people. Aside from the fact that if you choose to live in a society that sets certain moral standards (you shall not kill, etc), some of which are even 'universal' standards that you will find wherever more than two people join together, you will have to live according to those standards, people should be able to set their own moral compass.

        On the other hand, witholding our hypothetical murderer a knife does not equate to making a moral choice for him. He has already made his moral choice, you are just providing one means of acting upon that choice. In effect, you yourself are making a moral choice - you are choosing to believe that your actions in this case will not have harmful consequences, or rather, that whatever harmful consequences they will have are not your fault, and thus not your moral repsonsibility. That's where I disagree with you. I would withold the knife.

        Perhaps, if you want to discuss this further, we should take this elsewhere - this is a Perl community after all, not a moral debating society :)

        CU
        Robartes-

        Most Wiccans would also say that if I give someone a knife, knowing they are capable of killing, and they use that knife to kill, I have committed harm. I vehemently disagree with this.

        I probably agree with you, since just about everyone is capable of killing, but most people don't wind up killing others. But to give someone a knife, knowing that they intend to kill, I feel, is contributing to their crime. In that case, you are culpable, and you have done harm.

        I'm not clear, however, whether you meant to discuss the case where someone intends to do harm, and you knowingly give them the tools to do this. It seems to me unlikely that you'd claim to be exempt from accountability in that case... (?)


        בּרוּך
Re: Information sharing
by karmacide (Acolyte) on Jun 05, 2004 at 00:43 UTC
    'Freedom' of information is freedom of individual choice.

    If you hide security pitfalls from others, you are only helping blackhats generally. Especially if you help to perpetuate a taboo culture about talking through security issues in detail. In the long run, you only help to provide blackhats with an occult advantage.

    But even if you help one blackhat unwittingly, I don't believe you cause as much damage in the long term at all.

    But as I said, it's personal freedom which matters. There shouldn't be hard and fast rules for such issues.

Re: Information sharing
by Ninthwave (Chaplain) on Jun 05, 2004 at 08:16 UTC

    To paraphrase everything that has been written here: As individuals we have the choice to respond or not to any post here. We must use our own moral system to do that and do it in the manner that we see fit. No system should be opposed on us, but we are allowed to raise words of caution if we disagree with actions of others. But they are words, we do not bind each others actions, and we respect each other to do the best they can within in their right to choice.

    That aside it is good example of how moral questions in a free and open community, need to be asked, because we need to be reminded of each others differences in approaches now and again. As for the recent threads from freak, this happens so many times here and we deal with it the same way openly and honestly, what more could a community ask for. This entire discussion is open to freak to read even to the point where their was belief a new id was created. I think this type of policing is the best. Mainly because the user in question can gauge the communities collective moral, and either respond to it by changing their questions, or explaining their actions. And yes they may even contact a sympathetic individual in the community away from these discussions. In the end all options and moral systems are addressed and respected.

    "No matter where you go, there you are." BB
Re: Information sharing
by baruch (Beadle) on Jun 05, 2004 at 01:46 UTC

    I think it's really impossible to tell what someone else's motives are, even when you have known them for a long time. Who are we to judge what someone else is thinking? As you pointed out, many hackers have a burning desire to know how the thing works, how to break into it, but don't have any intention of doing harm or committing crimes. How else can you learn, but by asking?

    Even so, it's important to weigh the amount of harm that could be done with the information, against how well you know or trust the person. It probably wouldn't be a good idea to give someone root password, or instructions on making explosives, unless you felt you could trust them with your life. Similarly, you might tell a relative stranger about exploits that have been patched, but maybe not about the ones you just discovered today.

    Not everyone who can pick a lock is a locksmith. But lock-picking is one of the skills that a good locksmith needs to have...


    בּרוּך
Re: Information sharing
by toma (Vicar) on Jun 05, 2004 at 23:10 UTC
    A somewhat-related US legal precedent is interesting.

    Braun v. Soldier of Fortune Magazine: Publisher can be held liable only if an advertisement on its face, without further investigation, would alert a reasonably prudent publisher to the unreasonable risk.

    So here's one that is officially over-the-top!

    Gun for Hire
    Professional Mercenary
    Confidential and Very Private
    Will Consider All Jobs

    It should work perfectly the first time! - toma
Re: Information sharing
by Shinwa (Beadle) on Jun 07, 2004 at 23:32 UTC
    As always, the ideals of morals, freedom of speech, and giving of information is always something that must be challenged continually. After reading freak's posts I would agree that his intentions are obviously not for the greater good, or simple curiousity.

    When the issue of morals comes into play, the decisons become that much harder depending on your own personal beliefs of course. I for one, believe that most people do intend for a good course of actions unless proven otherwise.

    Put another way, you choose to connect yourself to the Internet. You choose to have a website up and running. You choose to take credit-card information. You choose to not have the necessary knowledge / personnel / skills / etc.

    I do have to agree with this though. When you are on the internet, you have to accept the risks and responsibilities when operating within it. If you happen to make a poorly coded script, and you database ends up destroyed or stolen, then that is something you should have addressed first off. Anyone, even the basic user, will stress the importance of security online. When something of your own, or for another is created, you must indeed take the responsibility should something indeed go wrong.

    Another possibility would be idle curiousity.

    Curiousity keeps many new inventions, and languages alive. The thought of, "hey...I wonder what this does,". It's hard to distinguish between a person's actual intention, and growing curiousity. I will admit i've had curiousity of how to pick locks, make explosives, and hack into numerous systems to see if I can. But hey, it doesn't mean I am going to go break into someone's home, blow up a small building, or trash random people's systems. I just want to see if I can achieve the desired results of my curiousity in my own way.

    Imagine if you were a hardware store employee, and someone in the store asked you what would be more useful to break a window, a brick or a sledge hammer -- you'd have no way to know why they wanted the information. You'd just answer them, and that would be the right thing to do -- unless they told you why they wanted it.

    This is an interesting example. Anyone who has worked in a public area with computers, or tech support, has probably been asked how to hack a system. My own place of work has me in contact with tech support almost daily, and the question has come up. Nevermind the fact I would be in severe trouble from the management for answering such a question, but it really is a moral dilemma.

    "Will this person just crack a system and let it be?"

    or

    "Will this person break into a small town hospital and damage medical files for kicks?"

    You can never really know unless told. But when you do decide to answer a fellow monk's question, always keep in mind the content and damage that may be caused by the person. It never hurts to ask what it is being used for after all...

    ----------------------------------------------------
    Shinwa : Did that penguin just meow at me?
    Snuggy : What hunny?
    Shinwa : nuffin' luff...

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlmeditation [id://361013]
Approved by Zaxo
Front-paged by Old_Gray_Bear
help
Chatterbox?
[karlgoethebier]: ...good Hot tuna. Note the stacks & racks in the background
[karlgoethebier]: ..the last hippies. They still perform. At least the survivors...
[Discipulus]: not survived
[Discipulus]: has pm some danish monk?
[Discipulus]: erix the problem was not rain in the brain.. ;=)
[erix]: I'll think about that for a bit; I'll figure it out

How do I use this? | Other CB clients
Other Users?
Others scrutinizing the Monastery: (8)
As of 2017-11-17 20:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    In order to be able to say "I know Perl", you must have:













    Results (272 votes). Check out past polls.

    Notices?