Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security The Internet

What Do You Think of Online Vigilantes? 273

gwoodrow asks: "I'm a member of the (primarily) Mac community Spymac. I originally joined for the 1 gb of email, but eventually found myself joining in on discussions in the forum. Today, I received an email from a supposedly anonymous Spymac member ("supposedly" because the smart guy didn't mask his IP). Basically, it said that he or she had harvested 10,000 member screen names/email addresses from Spymac's pages and that this, paired with the ability to view individual member's profiles, created a major problem because of the extent of information so readily available. The email this person sent out and the forum discussion that follow are available here. All cracks and personal opinion about Spymac aside, what do Slashdot members think of online 'vigilante' justice?"
"Some viruses are released with little notes within that say things like - 'this is why you need to do X or Y to fix your software' Some hackers have also gained infamy by hacking a major system allegedly to help. Do you support such actions and why? Are virus/trojan writers, hackers, and spammers doing a noble deed or going about things in the wrong way? If you don't agree generally, are there exceptions when online vigilantes are fully in the right? Is the accessibility of vulnerabilities a good excuse to partake in such actions, or should there be ethical bounds regardless?"
This discussion has been archived. No new comments can be posted.

What Do You Think of Online Vigilantes?

Comments Filter:
  • by Anonymous Coward on Saturday July 24, 2004 @01:06PM (#9789729)
    Please don't hack my computer at 127.0.0.1. Thanks!
    • by RLiegh ( 247921 ) on Saturday July 24, 2004 @01:09PM (#9789740) Homepage Journal
      Damn; whoever that is has some GREAT porn!!!
    • by jayhawk88 ( 160512 ) <jayhawk88@gmail.com> on Saturday July 24, 2004 @01:24PM (#9789847)
      The sun rises in the east and sets in the west.
      Spring follows Winter follows Fall follows Summer follows Spring.
      The moon follows its phases across the sky, the constallations move in the same patterns that they have for 10,000 years, and the planets dance the same waltz they have since the dinosaurs roamed the earth.

      Yet none of these things is as predictable as a "127.0.0.1" joke in a Slashdot article about hacking.
    • I just did a tracert 127.0.0.1 and the time was 1ms, you must be very close to my internet connection.
      • I just did a tracert 127.0.0.1 and the time was 1ms, you must be very close to my internet connection.

        dumbass windows user... the command is traceroute 127.0.0.1
    • by Anonymous Coward
      Doing what was described here is not being a "vigilante"--A vigilante is a private citizen (lacking official authorization--not a police officer or other governmental authority) who catches and/or punishes criminals for crimes outside of the established legal system. What this guy did was identify a security weakness and used it to make a point about it. That sounds either like civil disobedience, a technical infraction done to prove a point more than to cause actual damage or harm, or being a "good samar
  • by John Harrison ( 223649 ) <johnharrison@@@gmail...com> on Saturday July 24, 2004 @01:09PM (#9789742) Homepage Journal
    Report it to the authorities. Alternately, post the info here on /. and then don't worry about it. Somebody will do something, and it won't be you.
    • Report it to the authorities. Alternately, post the info here on /. and then don't worry about it. Somebody will do something, and it won't be you.

      Report him for what? He doesn't seem to have committed any crime. His email isn't spam (under CAN-SPAM), because it's not commercial. He threatens to send spam, but while that may be in poor taste, it is pretty obviously not a serious threat. I know he tried to hide his identity, but that is probably to avoid the wrath of Spymac rather than his fellow users.

      I

      • "Report him for what? He doesn't seem to have committed any crime.

        Vigilante: A member of a volunteer committee organized to suppress and punish crime summarily (as when the processes of law appear inadequate); broadly : a self-appointed doer of justice
    • Why report him? He alerted them to a problem, he didn't abuse it by selling the email address's. Looks to me like they should thank him.
  • No damage... (Score:3, Insightful)

    by bas148 ( 637517 ) on Saturday July 24, 2004 @01:09PM (#9789744)
    no problem. They help by pointing out vulnerabilities as long as they don't actually exploit them to do harm to whoever.
    • But what if the company they hack into ignores the 'friendly' hacker? Or the e-mail the 'friendly' hacker gets lost in the endless stream of customer support spam? The hacker usually has two choices at this point (remember this is the 'friendly' one here). He can :

      A. Launch a 'small' virus into their system to get their attention. May not 100% get the company's attention and is bad all around anyway you look at it. But small.
      B. He can launch a big virus and show the company he wants some attention for his w

  • My take is that vigilantes should not do any damage. Poking around a system, finding a vulnerability and then reporting it to the responsible party (not immediately to the public) is ok in my book. Instead of mailbombing your enemy, use social tactics to discount/disprove your enemy's arguments. Oh, and first post! :)
    • NO - that's not ok. How is the victim (i.e. the one 'visited' by the vigilante) to know that the vigilante just poked around and didn't leave any nasty things behind? Who's to say it actually was a vigilante and not, say, a competitor faking to be one? General security best practices say: if a system is compromised, rebuild. Rebuilding systems cost time. Time is money. Vigilante actions result in monetary damage. It's not ok.
      • If a vigilante gets in, whats to say that someone more malicious hasn't? If anything it saves the expense of not losing data or being charged when the system is compromised by a more malicious attacker. Yes you must rebuild the sytem, but considering that the "attacker" told you the system was compromised, its not as critical a situation as one where you suddenly discover the host is compromised and must be taken down immeaditly.
        • by Artifakt ( 700173 ) on Saturday July 24, 2004 @01:59PM (#9790021)
          First, I agree with you, if you mean that it's better to hear the news from a typical vigilante that to only find out when your most sensitive information appears in the hands of a competitor or plastered all over the net.
          Second, that's part of a larger picture. If you get hacked by a script kiddee, and he only appears to get to your web server, the same questions apply. Are you lucky to get the wake up call from a mere website defacement insead of finding a trojan that's been sitting for months in accounts recievable? Possibly, but how do you know the intruder only got in as far as it first appears, and how do you know no one else better than him hasn't done more? I'ts all a spectrum, from a vigilante who really didn't screw up anything, to one who accidentally did some damage, to a web site defacement that's easy to fix and relatively harmless, to harvesting personnel information for head hunters, to harvesting customer information for spam lists, to the most serious crimes that can cost a company millions.
          Anybody who falls victim to one of the less serious sorts can breathe a sigh of relief that it wasn't one of the worse ones, and for their blood pressure's sake they probably should, but they still need to think about what it implies about their chances the next time will be successful, and for worse consequences.
      • How is the victim (i.e. the one 'visited' by the vigilante) to know that the vigilante just poked around and didn't leave any nasty things behind?

        That's the point of the vigilante--if he or she can get in, that means someone else could have ALREADY gotten in and left things in there. If the vigilante can get in, then you already have to rebuild--it's just a question of whether you KNOW whether you have to rebuild. No point in killing the messenger.

    • vigilantes cease to be useful when they become indistinguishable from the crackers. In this case, the author should have emailed the administrators and, if response wasn't forthcoming, the guy should have left the system.
  • by vena ( 318873 ) on Saturday July 24, 2004 @01:10PM (#9789750)
    to show you how much you need a deadbolt.

    yeah, no, that sounds like a bad idea.
    • i'll just kick your door in to show you how much you need a deadbolt.

      There are a few big differences here:

      First of all, after you've kicked in my door, it'll be damaged. You've done damage to physical object which I must pay for to get repaired, dispite your best intentions.

      Secondly, you've intruded my house without my concent. You have violated my privacy in the real world. This is totally different from from breaking into a computer, because you shouldn't have expected any privacy anyway, if you hooke

      • While I agree with the rest of your points, this one;

        Secondly, you've intruded my house without my concent. You have violated my privacy in the real world. This is totally different from from breaking into a computer, because you shouldn't have expected any privacy anyway, if you hooked it up to the outside world.

        just doesn't work. That's like saying "Well, you didn't build a ten-foot-high wall around your house, thus completely sealing it off from the outside world, so you forfit your right to privacy.

      • Two interesting analogies but they're twisted together. They should be: 1) damage/theft to physical objects is the same as to digital ones; and 2) a third party who stores your objects has a duty to protect them.

        So the first analogy says that breaking into my system really is the same as kicking down my door. You've done damage, tampered with my logs, broken executables, etc. Intent is irrelevant since the results are the same.

        The second analogy is like the doctors' office. They have a duty to keep

    • by Secrity ( 742221 ) on Saturday July 24, 2004 @02:13PM (#9790105)
      and finding it unlocked. Leaving the door unlocked is a bad thing. It is an even worse thing to leave a door open when the things that could get stolen belong to other people.
      • by Pharmboy ( 216950 ) on Saturday July 24, 2004 @05:20PM (#9791011) Journal
        Actually, I read about half the forum posts in that thread. Lots of "lets string him up" and "I am so offended, this is spam!". Now please, don't get my wrong, but it seems like a lot of people pissing an whining about ONE email from someone who was trying to WARN everyone of a security problem, in a way that is probably not good. So what?

        They seemed all freaked out and disturbed. The first thing I thought was that these guys won't make it in the real world, dealing with real problems, contracts, business deals and real life frustration. I understand not liking it, but if you read the actual forums, half the crowd is freaked out beyond all common sense.

        These can NOT possibly be nerds. Most nerds I know have had a box 0wned once or twice, or a site defaced, etc. *Real* problems that had to be dealt with. But so someone has a list of your email addresses. I can simply wget the forums, write about 40 lines of code to grep out the user names, and build the same damn list.

        Get over yourselves Mac/spy/wannabes.
  • What do I think? (Score:4, Interesting)

    by pedantic bore ( 740196 ) on Saturday July 24, 2004 @01:10PM (#9789754)
    They're criminals.

    This is like me punching someone in the nose and saying "Why didn't you take karate lessons, for crying out loud? It's your own fault it's so easy for me to punch you. You should consider this assault a personal favor."

    • by Draconix ( 653959 )
      Did you RTFA? In the legal sense, they are criminals, but it's not like punching someone in the nose at all. It doesn't do any harm to those they hack--except, perhaps, in some of the virus cases--and they're doing people a favor of showing them the security holes are there before someone less kind uses them to do actual damage. People get _paid_ by network owners to hack into the networks and find exploits. These people are doing it for free. Good for network owners, bad for paid hackers.
      • Those people are professionals. Not some kiddie with half and idea of what they're doing.
        I'm all for full disclosure. I think it enforces change and better practices, but I still think people poking around without consent is stupid at best. If you feel the need to test out security, _get permission_ from the systems owner or use a similar setup on your own system. You don't have to break the law to help. Too many people piss about doing damage in the name of being helpful.
    • by Anonymous Coward
      I'm amazed that, in this day and age, people still find equivalents regarding meatspace. You'd think after so many years of online activity being somewhat commonplace, people would realize there are differences between computer transgressions and physical, in-person crimes.

      (This is more like having sex on your first floor forgetting to draw the blinds and you get seen by some peeping Tom. The Tom is in the wrong but you're an idiot for not checking some minimal level of security.)

      (Yes, if you someone ma
    • well this case didn't seem like even hacking or doing stuff you're not supposed to do, just stumbling over something that seemed like that needed to be known by the users(ie. unthoughtful sloppy programming design by the website creators, fundamental problems have a tendency to not get fixed too).

      so.. online vigilantes that break the law intentionally.. they're criminals, that's clear. but if you just stumble on something you're not supposed to and alert others of that it's not bad or even illegal.
      • It's how they warn others that makes it morally reprehensible. I won't go into the legality of the thing because IANAL, and because it depends where you are too.

        The idea is to get people to run secure systems(preferrably) or get them to make room for people that do run secure systems, because insecure systems cost us collectively, a lot.

        Now the vigilante already got a reply from a site admin in the thread, that the matter was being looked into, it may or may not have been the first time they heard about
  • by Stubtify ( 610318 ) on Saturday July 24, 2004 @01:11PM (#9789766)
    Why is it people expect to be anonymous online still? If you want to interact with people and have them know your name, birthday, address, etc then that's up to you. However no one is stopping you from using a fake last name/address/bday and still interacting on the same level. Why is it people put personal data in obvious places, and then get mad when someone shows how easy it is to discover that data.
  • Yes and No (Score:5, Insightful)

    by Cranx ( 456394 ) on Saturday July 24, 2004 @01:13PM (#9789775)
    Discovering weaknesses is good. Exposing them publicly without giving the vulnerable company time to fix them is bad.
    • Re:Yes and No (Score:5, Insightful)

      by Dr. GeneMachine ( 720233 ) on Saturday July 24, 2004 @01:20PM (#9789817)
      Quite right. Which leads to the question why this guy had to collect 10000 screen names + user data? It would have sufficed to show that it can be done and to report it to the company, and, if the company shrugs it off, to the user base. Finding and reporting weaknesses is one thing, exploiting them yourself for greater effect is at least questionable.
      • Which leads to the question why this guy had to collect 10000 screen names + user data?

        Although I don't suspect this to be the case, some people just don't get the fact that they are vulnerable until you slap them in the face with something big. I recently tried to show a client two exploits-- the bigger one was that I could sniff all the usernames and logins into his payroll DB, and the other was that that I could crash the client app and bluescreen windows. He was more impressed by the flashy blue scr
    • in a perfect world, I agree, unfortunatly in todays climate, most companies would take you to court, get a gag order, and still not fix the problem.
      • We found a huge security hole in a domain name registrar's website that gave us access to every one of their customer's account. We notified them promptly and politely, they fixed it quickly and send us a little cash and a box full of promotional goodies like t-shirts and such.

        The alternative would be to have published that vulnerability publicly and place ourselves as accomplices to others who would use that vulnerability to cause them harm.

        Let me see: money, t-shirts and keychains or a federal indictme
    • Re:Yes and No (Score:2, Interesting)

      An acquaintance of mine discovered some PHP vulnerabilities in my school's CS website. [uic.edu] It was your usual $include from a GET variable crap. Horrible coding. So he published his results, not to the webmaster, whose email address is available on the website, not to the faculty, but to the CS Undergrad mailing list. He also mentioned his website, HackThisSite.org, [hackthissite.org] which had recently been made an ACM project. As a result, he was kicked out of the ACM chapter and of the College of Engineering. He remains a
  • by applef00 ( 574694 ) on Saturday July 24, 2004 @01:17PM (#9789800) Homepage
    My opinion has always been that if you stumble across somthing, then you should absolutely tell those that need to know, and NOT the general public (at the very least, not until those responsible have had a reasonable chance to repair whatever the problem was). However, purposely breaking in to private servers to show how much they need to beef up security (or similar such actions) is tantamount to breaking in to someone's home to show how bad their door locks are; it's breaking and entering, and it's a crime. If you want to do penetration testing, you really need to get permission from the owner before they start tearing in to their system.
    • by Stalus ( 646102 )

      I think a lot of people are missing what's happening here. This wasn't someone breaking into private servers - he just collected some data that was publicly available, used those usernames to make e-mail addresses, and pointed out that he could look up profiles that are also public and get a lot of information about people. There's nothing illegal here. Annoying, yes. Illegal, no.

      Some of the people in that thread said that they had mentioned this before and it was ignored, so it's also not a case that

    • by wassy121 ( 446363 ) on Saturday July 24, 2004 @03:43PM (#9790531)
      I completely agree. I have been both the stumblee, and the stumbler. When I accidently found all the social security numbers of everyone in my school, I emailed the teacher that posted the datafile to a public portion of our shared server (retard). He promptly fixed the problem, and never said anything else about it besides a humble 'thanks'.

      I also have done white-hat work. It is kind of polite to find those 'nice' hackers that will get in through a known hole and just put a HACKER_README in /root. Says how he got in, and that I should close the hole. No rootkit, no security compromise (trust me, I looked for quite some time). This was quite possibly the best kind of vigilante. Saw the problem, exploited it to show that (s)he could, and left.

      I say this guy went a little far with 10k emails. I think 100 would have proven his point, but who am I to judge?

    • Why are you doing someone else's work for them, for free?

      I find it hard to believe that the white hats are really doing it out of genuine concern for Corporate America. If you are really that altruistic, why not build a secure system that others could use, rather than try to break someone else's? So you discover an exploit - how does that help anyone if you don't also volunteer your time to help secure their system? Wouldn't it be better to help them migrate to a secure OS (such as *nix) rather than

  • by autopr0n ( 534291 ) on Saturday July 24, 2004 @01:21PM (#9789821) Homepage Journal
    Because it seems like you don't. A vigilante is someone who tries to bring people to justice by working outside of the law. The key here is that they are doing something which they belive is moraly right.

    From your description, it sounds like someone just... grabbed some published information and started threatening people with it. There's no indication in your writeup that this person was even trying to do something 'good'.
  • That's no vigilante. What he/she does with this information could make them a vigilante. Generally the definition of vigilante requires that some crime be committed, and that the labelled punish it. Right now, this user looks to be just a responsible member of the community.

    Reading further, I guess this email is annoying, but not really illegal. I wouldn't say that the definition of vigilante is (yet) warranted from anyone's actions so far.
  • by cluge ( 114877 ) on Saturday July 24, 2004 @01:28PM (#9789869) Homepage
    Considering the lack of speed and sometimes lack of ability when it comes to investigating cyber crimes, on line vigilante's may be the only option. This type of behavior does 2 things.

    1. It provides some deterrant

    2. It forces law enforcement to step up to the plate.

    Example? There is an on line porn site that has pictures of a girl, about the ago of ten having hard core sex with an adult. I found out because a domain I admin with a catch all e-mail was recieving bounces from this sites spam. I reported it. Nothing happened for a few days so I traced the actual source of the pictures to a freeserver. The pictures were removed in minutes, I continued to follow the sites from free server to free server until it stopped working (I haven't checked in a while).

    I made that persons life more difficult and hopefully caused him to leave more "trails". Each free server admin I talked to said that they would save any logs that they had. Now why couldn't the police do what I did for the 2 weeks or so?

    cluge
    AngryPeopleRule
    • 1) What do you do when some person tracks you down and shoots you becasue you were causing problems?
      If it had been a launder of money for an orginized crime outfit, they may very well have killed you.

      2) It makes it harder for law enforcement to do their job. There is no reason law enforment needed to keep you informed of what they where doing. It could be irresposible to do so, especially if they had to keep track of telling you the information. Once that caught someone, the lawyer would have demanded a lo
      • "If it had been a launder of money for an orginized crime outfit"

        ObNitPick: The whole point of money laundering schemes is to turn illegitimate income into legitimate income. This leaves them with illegitimate money (because it is from the sale of child porn). Whatever this was, it wasn't money laundering. Anyway, murder is easier to investigate than an internet crime (more physical evidence). I applaud the poster for taking the risk.

        Btw, I wouldn't consider what this poster did to be vigilantism. A
        • well, yes. But they have to get the illegal money first! ok, thats a stretch, but my point is still valid.
          You also assume it's illegal in the country of origin.

          You're srewing with people who have demonstrated no morals, and you may have cost them money.

          I'm not sure about the other point. Are you saying if the poster got killed, then it would be easier to get the people who put up the site? Seems like a hell of a thing to do.
      • 1) What do you do when some person tracks you down and shoots you becasue you were causing problems? If it had been a launder of money for an orginized crime outfit, they may very well have killed you.

        They had better be a better shot than I. I live in a state where it is legal to defend myself.

        2) It makes it harder for law enforcement to do their job.

        I call BOVINE FECES

        There is no reason law enforment needed to keep you informed of what they where doing.

        I just asked them to do something, I do
  • by ericdano ( 113424 ) on Saturday July 24, 2004 @01:29PM (#9789878) Homepage
    AS long as they wear tight fitting clothes, have whips, and basically look like Catwoman [warnerbros.com] or Sandra Bullock [movieweb.com] all will be well.

    Maybe I'll misbehave a little to get some "punishment" ;-)

    • is SO not cat woman.

      it'snot going to be a cat women movie, it's going to ba a crappy actreee posing in an awfull looking cat suit movie.

      If I just want to see hot looking babes in latex, I'd go to google.
  • by maximilln ( 654768 ) on Saturday July 24, 2004 @01:32PM (#9789895) Homepage Journal
    Isn't being slashdotted a form of vigilante justice?
    • Isn't being slashdotted a form of vigilante justice?

      no.

      despite the fact that most sites cannot deal with the volume of hits that being featured on slashdot brings with it, most crave it... so much so that, in the past, some have hired people to submit stories directly to slashdot - and, when this has failed, have harboured people to build up mod points in the hope that their stories will be accepted by the slashdot editorial staff.

      for the admins - this is also a good test of their webservers under high
  • That is a hacker, and they are putting their skills to use in the wrong way.

    A vigilante is someone who rights wrongs without authorization from the law. That would be like someone who breaks into the spammer's computer and rewrites their BIOS with the contents of their spam or something.

    • "A vigilante is someone who rights wrongs"

      in their opinion of what is wrong. Sometime it's clear cut, mostly, no so much

      If you think cutting down tree is wrong, and go blow up the local sawmill, you may feel your right.
      • Right, but wandering off with some records and threatening to use them for evil purposes in order to change someone's policy isn't going to help anything. Cracking their security and then fixing it would. Even taking down the site would make a certain kind of sense - kind of like taking down the sawmill.
  • Ebay Vigilantes (Score:3, Informative)

    by stibles ( 708899 ) on Saturday July 24, 2004 @01:36PM (#9789911)
    Ebay has a problem with fraud. Especially in electronics/computer auctions. They do, in fairness to them, attempt to monitor and control fraudulent auctions, but clearly they are losing the battle. There has been an individual lately trying to sell the new Motorola V710 on eBay. (It's is as yet unreleased.) A number of people have determined that beyond using the regular channels, such as registering a complaint with eBay, they (or one person in particular) need to take more aggresive action and have managed to "guess" the password to the AOL account that the auctioner is requesting correspondance to. He made it clear a couple of times that he "guessed" the password, but didn't "hack" the account. Despite what I may think about auction scammers, taking the law into your own hands is foolish. You are opening yourself to civil and possibly criminal liability. Is it worth it? Doubtful. In today's paranoid security landscape, regardless of your intent, you could easily wind up being the scapegoat. Last I checked, any attempt to access a service which you are not licensed to use is a crime. ie, You can "scan" whatever you want, but as soon as you connect... BLAMO! Off to the slammer you go!!! A word to the wise.
  • by techno-vampire ( 666512 ) on Saturday July 24, 2004 @01:41PM (#9789933) Homepage
    You people need to set up a vigilance committee to bring the spammers and phishers preying on your site to justice. The twit that stole those addresses would be a good place to start. As others have posted, whoever did that isn't a vigilante, he's a target for them. I don't really think he meant any harm by what he did, but by making his exploit public, he's not only exposed a vulnerability in a very irresponsible fashion, he's exposed himself to retaliation.

    Back in The Old West, when the law was too week or two thinly spread out to control outlaws and bandits, various towns set up secret societies known as "Vigilance Committees." They took the law into their own hands, arrested felons and, when they had to, they executed them. Their members were known as vigilantes, and that's where the term came from. Today, mailbombing or otherwise DOSing spammers is a form of vigilante activity. Finding the electronic equiviant of a broken lock on a door and shouting out to the world, "Here's where you can get in for free!" is just plain stupid.

  • by Doc Ruby ( 173196 ) on Saturday July 24, 2004 @01:41PM (#9789940) Homepage Journal
    Vigilance, watching for problems that affect our community, and then telling the community about noticed problems is what is known as "civic duty". Using authorized access to community resources, then notifying the community that such access creates risks greater than they accepted, or expected, is a community service. Especially when that access, authorized by the community itself (eg. via a webserver), has subtler implications than are discernable to most members of the community (eg. non-techs). If we see something going wrong, it's our responsibility to tell people about it. That makes everyone safer.

    Vigilantes do more than just find problems. They act on their information, using their judgement to change the problem, supposedly into a solution. But justice is a specialized process, like science. When unqualified people engage in risky acts with dangerous consequences, they expose the rest of the community to unacceptable danger. Looking for problems, and telling us about them, protects us. Acting on one's own, especially without telling the rest of us, creates risks as severe as, or worse than, the "problem" being "solved".

    Eternal vigilance is no vice.
    (with no apologies to Barry Goldwater)
  • .....should not hesitate to report this to the police (a probable violation of the Computer Misuse Act) and the Data Protection Registrar (a very definite violation of the Data Protection Act, especially if the servers are not in the UK). Show no mercy whatsoever, companies who are lax with other people's private data will not learn to behave properly unless there are a few well-published criminal prosecutions.

    The guy that found this did everyone a big favour and ought to be congratulated, but sadly the spa

  • Police response (Score:3, Insightful)

    by ca1v1n ( 135902 ) <snook@noSPam.guanotronic.com> on Saturday July 24, 2004 @01:47PM (#9789967)
    Generally speaking, if there's not an overt threat of violence or massive infrastructure damage, and no money is stolen, you just can't get anyone in law enforcement to listen. This is why I don't have a huge problem with SYN flooding someone who's mailbombing your server until the mailbombing stops. That's just self-defense. If you keep SYN flooding after the mailbombing stops, then you're just attacking an arbitrary IP address that could now belong to someone else, or could have belonged to a (now fixed) zombie, or whatever else. That's reckless.

    Law enforcement is trying to get a better handle on internet fraud, but there's so much of it going on and they have so few resources to attack it that vigilante efforts to stop or mitigate the attacks are about our only options in many cases.

    If I shoot a gun at a guy who's robbing a bank at gunpoint, I'm probably okay with the law. If I pull out my gun, close my eyes, wave it around, and pull the trigger several times at random, I'm not okay with the law.

    If I get a guy in a headlock to break up a fight, I'm probably okay with the law. If he walks away from the fight and I put him in a headlock then, I'm not okay with the law.

    You're generally allowed to do things to people you wouldn't otherwise be allowed to do if they weren't committing a crime, but you have to be certain that you're not doing these things to innocent people as well. The internet makes that quite difficult at times. You also have to restrain your response to be proportional to what you're trying to prevent. "Imperfect self-defense" can often get murder reduced to manslaughter, but you still do time for it.
  • I have always had my suspicions about SpyMac. It's just too much eyecandy to be perfect.

    Compare SpyMac: It's like the shiniest used car in the used car parking lot - you know the one that's usually a lemon!

    Am I reading the parent right? Someone harvested SpyMac email accounts?

    I've done a few editorial articles on my website about this very thing. One on SpyMac problems and prediction that this kind of thing would happen and then another on how the SpyMac Community really latched on to a recent vigilante
  • by tehanu ( 682528 ) on Saturday July 24, 2004 @02:03PM (#9790037)
    Vigilantes are common where there is no effective law enforcement. This is not just on the web. In real-life, if there is no effective police force, people will grab a gun and use it to defend their home, work and friends and damn the law. People obey the law when they think it protects them and is fair. This is known as true anarchy. You could see this happening in the post-war looting in Iraq (and still today) where you had surgeons in hospitals wearing scrubs and totting guns. But it is generally true of any society. In crime-ridden areas where there is little effective law enforcement, people form gangs that enforce their own law outside of the proper legal system. People seek protection and order and if the law does not give this to them then they will take matters into their own hands. Hence vigilante actions on the web such as hunting people down are going to continue as long as there is no effective legal recourse that is easily and quickly available to everyone (such as dialing the police).

    OTOH "vigilante" actions like writing viruses are a different matter. It's akin to street protests or graffitting public places with slogans. The first type of vigilante action is a matter of personal protection. The second type is to do with making a statement. Perhaps we should use as a yardstick the comfort level we have with street protests? When does a protest or making a statement go too far?
  • by DrDebug ( 10230 ) on Saturday July 24, 2004 @02:10PM (#9790081) Journal
    The internet is not centralized; there is no one central authority. It is like the Wild West. Good citizens keep to themselves and operate under common decency and common sense. But there are always some malcontents (spammers, virus creators etc) that feel they can do whatever they feel to whoever they want with small fear of retribution.

    Some governments are just now awakening to the threats of these malcontents, and have passed laws against them. Of course, these laws are next to useless, because the net transcends international geopolitical boundaries.

    So what is a decent net citizen to do? Nothing? Scream and cry until the lawmakers listen?

    Until there is a real sheriff on the net, vigilante groups may be the only answer. Small groups of net-aware individuals who can root out the bad guys and administer some well-deserved justice. Some may call them net terrorists, but if they leave the good people alone, I would call them patriots.

    Will the law go after these patriots? The law may turn a blind eye if these groups keep the peace. Besides, what can the law do to the net patriots that are trying to make things better when they can't even go after the malcontents?

    I'm all for vigilantes, until we get a real sheriff in town.

    • "Until there is a real sheriff on the net"

      OK, so who should be the sheriff?

      USA? Well, we invented the damn thing, but no. A single sovereign nation should not be censored by another(America) nation. No country should be given control.

      Each nation does their part? Well how should Censorasia(a hypotheical nation) censor out information from a non-Censorasia based website?

      UN: F* that. who gets to decide what is 'censored' or what is 'illegal' a bunch of politicians in a completely non-militaristic group? Th
  • many times, the punishments do not fit the crime. It would be like sentencing someone to life for just breaking a door to someone else's house.
  • Jeez! (Score:3, Insightful)

    by ProudClod ( 752352 ) on Saturday July 24, 2004 @02:15PM (#9790119)
    19 pages in that thread and nobody has come up with the obvious solution.

    In a forum the size of spymac, members viewing this thread/online is useless - needle in a haystack style.

    To get a gauge of popularity, why not have "number of members viewing this page" rather than the whole list?

    If users want to know when their friends are online, then they could implement a vBulletin style "buddy list" in the member's control panel.
  • If you step in the ring, you have no right to cry when you get punched. You may think you're doing some fair and noble deed when you, say, grab the IP out of some trolls email post, paste it into your web browser and use the default login credentials to turn off their SOHO router. But what happens if everybody does this sort of thing? What happens when you annoy somebody and they do this to you?

    The network and the online society becomes less valuable and beneficial when people start throwing rocks at

  • Spymac is great. Nevermind the 1 GB email, the ftp space is very generous too. So along comes an article on Slashdot disparaging security while asking a disingenuous question about ethics. Oh man, this is not a public interest issue. It is trivial to retrieve every AOL profile, for example, just by dictionary guessing of screen names, so how is Spymac any less vigilant against attack, whether vigilante or otherwise?

    It is so hard to get a submission accepted by Slashdot, one would think the standards were v
  • Should there be a police organization specifically for the net which might have the authority to hack someone's machine if they are breaking the law with it?

    GJC
    • "Should there be a police organization specifically for the net which might have the authority to hack someone's machine if they are breaking the law with it?"

      Let that wait. The police should have the authority to request (and receive) a search warrant that allows them to monitor and log the traffic form the suspect site. Having the authority to search an 80 gig hard drive might lead to a lot of work. Having the authority to monitor the traffic could turn out to be ridiculously easy. In addition, the l
  • excuse me, but I always thought a vigilante was someone who performed duties of the court (investigation, apprehension, judgement, and/or punishment) without court authorization. e.g. roundin' up a posse an' lynchin' ol' Black Bart for horse theivin'. That was back in the days before words were allowed to end in 'g' or 'd'

    What does vigilantism mean in an online context? 1) spying out the home address of some spammer outside detroit and then publishing it? 2) white-hat breaking-and-entering of security syst
  • Honeypot operators watch for abuse rather than simply secure against it. They can take some actions (perfectly legal and legitimate) against the abusers (mostly spammers) they find, they can initiate actions against the abusers.

    It continually amazes me that so many people are highly irate about net abuse and yet do so little to stop it when they could. Honeypot evidence could be used to convince ISPs that there's plenty they could be doing, too, without violating any laws and without violating any of the
  • by Chasuk ( 62477 )
    My first impression is that the original poster has no idea what a vigilante is...

    But perhaps that is just semantic quibbling?
  • Vigilante justice is worse than the original crime. Let the proper authorities deal with it before it turns into one big mess.

    • One of the big reasons for vigilantes is the lack of response from authorities.

      I'd love to see a little justice done to the big spammers, and to the 419 people. The law won't do anything unless enough money is involved to get the bureaucrats off their butts.

  • I've been reading through the spymac forum thread, and people are talking about how they are "victims" of this spam, and that he should go to jail. WTF!?!? He sent one email to 10K people to illustrate a point. Yeah, he shouldn't have done that, but jail time? Give me a break. Of course not everyone in the thread was like that, but there sure were a lot of pansies. [Insert flaming comment about Mac users here ;-) ]
  • You read that right. I wrote an email/website harvester. Once. In PHP on PostgreSQL, just to see what it would take. It took me about 6 hours, including the expressions and a bit of performance tuning.

    It wasn't very well tuned at all, but when run, it found about 1,000 email addresses every hour on a PII-400, after filtering out the bogus addresses.

    It would get caught in a harvester trap every now and then - which was easily overcome - it would only look thru 100 pages in a particular domain. There's plen
  • He doesn't apparently do anything illegal(though he doesnt disclose where the list of users came from exactly)

    The extent of the damage caused seems to be an email sent to 10,000 of the users of spymac. I fail to see the problem. This isn't a 'hacking for good' or a 'worm to kill another worm'. It's a mass emailing telling people theres a problem. There is also nothing to suggest that someone in a position of power WASN'T contacted prior to the mailing.

    So I'll say it again, what did this guy do wrong?
  • by ezraekman ( 650090 ) on Saturday July 24, 2004 @04:55PM (#9790895) Homepage

    It seems to me that you're missing an important point of the guy's e-mail to you:

    He sent you a warning.

    And not only that; he probably sent it to everyone on his list of "thousands of member names". Don't you wonder why YOU of all people received it, having no previously existing relationship with him? It's because you *weren't* the only one who received it. At least two people who replied to your Spymac post had also received it, so you're obviously not the only one.

    They guy was clearly concerned with a vulnerability at Spymac, not trying to take advantage of it. Don't you detect the mild sarcasm he used? They guy isn't recruiting accomplices; he's making a statement to members.

    The guy says (paraphrased) that he just got hold of all this info. Coupled with [public member info] and [specific techniques], he could compile a very complete list of member data. Now, he says he could do [evil thing1], [evil thing 2] or [evil thing 3]... or, "or simply ask Spymac to GET THEIR ACT TOGETHER and FIX EXISTING PROBLEMS like this gaping security hole before they introduce ever new functions?? I should never have been able to get my hands on this!"

    Uh, hello? That was a direct quote, with his emphasis, not mine. He's not a criminal (yet, anyway), and he doesn't deserve any kind of justice, vigilante or otherwise. He's simply made it blantently obvious to at least one user (you) of a service that their data is not secure.

    Now, maybe it would be appropriate for you to contact the Spymac folks to make them aware of the issue. (If they aren't already, based on the fact that many of their employees probably have their own accounts, and that he's probably e-mailed quite a few people, if my assumption is not off.) It might also be appropriate to contact him directly (if possible) and make sure he's... "guided" to the proper methods for disclosure of the data to the applicable folks and deleting it. But to go after him for doing nothing more than producing an effective proof-of-concept... he doesn't deserve what you're asking about.

    Of course, it's possible that he hacked their server... but it doesn't sound like it. He said "Played around the other day with Spymac and suddenly... I couldn't believe my eyes: A list with thousands of member names right there in front of me! " That *could* be hacking (perhaps some vigilante reconnaissance would be appropriate), but something makes me doubt it.

  • by SharpFang ( 651121 ) on Saturday July 24, 2004 @06:26PM (#9791301) Homepage Journal
    Some script kiddie kept taking over the polish Star Trek fan channel on IRC. Admins ignored complains. ISP ignored complains. Police ignored complains. So guys tracked down his IP, found his home address, paid him a visit, broke a few bones and left.
    Police ignored complains.
  • First, I oppose vigilantes everywhere, including the net.

    Second, the net is a public place. Anyone who posts any information on any site has no more expectaton of privacy than if they wrote the same information on a 3x5 card and pinned it to a bulletin board at the local mall or library.

    You know, there's a book on my shelves that lists the names, addresses and telephone numbers of almost everyone in my city.(Bet you have one, too.) My God, think of the privacy implications....

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...