yeah, but is it ethical?

bulldogzerofive
February 16th, 2006, 03:31 PM
I recently had an issue with a friend who forgot her administrator password on her windows box. Being a linux enthusiast, my first thought was to use knoppix to change it.

A google search for "howto change administrator password windows knoppix" turned up links to many sites, including a how to crack windowsXP passwords using a disk called auditor. Thinking this would be much better than simply changing it, I followed the steps and, sure enough, was able to extract her password hashes and brute-force crack them in a couple days.

Now that I have done this, I looked through some of the other utilities on this disk, and just owning the thing makes me a little nervous: The disk is a script-kiddie paradise. You can scan networks, listen for wlan traffic, decrypt SSL, and so on, all from an easy-to-use GUI. What would possess somebody to put this together? I cannot imagine that legitimate penetration testers need something like this.

There are others as well, such as phlack, Knoppix-std, and backtrack. They seem to generally do little more than make the internet a less-safe place to be.

I know there is already a thread questioning if it is good or bad that hackers use linux, but I have a slightly different question to pose:

Are these so-called security distros ethical? Is their existence good for GNU?

CospeFogo
February 16th, 2006, 03:38 PM
IMO tools are just tools. Ethics only concern how people use them. You can't call a security distro unethical because people can put them to bad use.

nocturn
February 16th, 2006, 03:39 PM
These tools can be used for good and bad alike. It is their use that makes them unethical, not their existence.

Consider tools like Nmap. You need it for reconnaissance, yet it is invaluable for every admin out there to check his own box.

The same goes for wlan decryptors and password crackers. You need them to determine where the weak spots in your own network are.

gord
February 16th, 2006, 03:41 PM
If people didn't try to get past security systems and test out ways of doing things, then we would be living in a very insecure world indeed; it would only take one person with malicious intent to do a lot of damage.


Everything has its legitimate use. For example, the best lock picking devices are held by locksmiths, who can use them to get into your house without breaking a window or something if you lock yourself out.

Stormy Eyes
February 16th, 2006, 03:44 PM
A tool is just a tool until somebody capable of free will takes it up and uses it. You might as well say that a surgeon's knife might not be ethical, because it can be used to kill as well as to heal.

Kvark
February 16th, 2006, 03:47 PM
Guns are not ethical either. There is no legitimate reason for anyone other than law enforcement to have a tool that is designed primarily for killing other human beings. But criminals have guns even in countries that have strict rules when it comes to weapons. Banks, police forces and others will just have to count on criminals having guns and take proper security measures.

It must be a lot harder to keep script kiddies from getting hacking tools since you can download them or get a copy of a friend's tool CD. Anyone with an interest in computer security will just have to accept that script kiddies have tools and take that into account.

Arktis
February 16th, 2006, 03:53 PM
Nobody would consider it an ethically sound idea to freely distribute huge knives to convicted serial killers, or loaded handguns to little kids, or nuclear weapons to 3rd world dictatorships. Some things shouldn't be freely available.

It's a tricky issue. Where do you draw the line? In my opinion these nifty collections of tools are sticking their noses a bit past the gray area and into the red. Sure, they have lots of good uses too, but just look around the internet and you can find lots of "security" sites that have guides and even videos where people show you how to use them to do some pretty questionable things.

Master Shake
February 16th, 2006, 03:55 PM
Guns are not ethical either. There is no legitimate reason for anyone other than law enforcement to have a tool that is designed primarily for killing other human beings. But criminals have guns even in countries that have strict rules when it comes to weapons. Banks, police forces and others will just have to count on criminals having guns and take proper security measures.

Woah! Let's not get into a debate on guns here, as that's not what this forum is for. Suffice it to say, my opinion on the topic is the direct polar opposite of yours.

Mr.X
February 16th, 2006, 03:57 PM
You did it the dumb way.

1) Boot into Windows safe mode
2) Click admin (usually people with no knowledge don't put a password)
3) Done

I used to have one where you used a Linux thingy that was on a disk to change the password in 2 seconds :D

CospeFogo
February 16th, 2006, 04:02 PM
What's better, spend time educating your kids or block all objectionable content?

KingBahamut
February 16th, 2006, 04:07 PM
Geeze, then don't ever pick up a bootable PHLAK disc, you'll go nuts.
http://www.phlak.org

Same for Insert, LocalareaSecurity, Plan-B or Knoppix STD
http://www.knoppix-std.org/
http://www.projectplanb.org/
http://www.localareasecurity.com/

Stormy Eyes
February 16th, 2006, 04:11 PM
Guns are not ethical either.

That sort of thinking pisses me off. A gun, like anything else made by man, can't possibly be ethical or unethical because it does not have a mind of its own, and therefore cannot make choices. Do you think that a pistol wields itself, like some hellsword out of a Michael Moorcock novel?


There is no legitimate reason for anyone other than law enforcement to have a tool that is designed primarily for killing other human beings.

How about SELF DEFENSE? The police can't be everywhere, except in a totalitarian police state, which creates its own problems. And, frankly, I have a great many suspicions about the self-respect of people who would expect others to protect them because they're not willing to protect themselves.

Having said that, I myself don't own a gun. Being nearsighted, I'm concerned that I might shoot an innocent. Instead, I prefer to use my fists, or a knife if somebody else draws a weapon. But I wouldn't presume to tell others that they have to disarm for my comfort unless they were guests in my home.

xequence
February 16th, 2006, 04:12 PM
Unless you do anything wrong with it, it is perfectly ethical.

nocturn
February 16th, 2006, 04:16 PM
That sort of thinking pisses me off. A gun, like anything else made by man, can't possibly be ethical or unethical because it does not have a mind of its own, and therefore cannot make choices. Do you think that a pistol wields itself, like some hellsword out of a Michael Moorcock novel?

Guys, let's not turn this into a debate about firearms. This thread is relevant to Linux as it talks about security, but if it gets out of hand it'll have to go to the backyard.

Stormy Eyes
February 16th, 2006, 04:21 PM
Guys, let's not turn this into a debate about firearms. This thread is relevant to Linux as it talks about security, but if it gets out of hand it'll have to go to the backyard.

Don't worry; I've said my piece. I just don't like to let that sort of thinking go unopposed.

BoyOfDestiny
February 16th, 2006, 04:27 PM
Well, what you used the disc for seems ethical (password recovery). If someone uses it to exploit this, break that, etc... it means those things need their security strengthened. I guess a good metaphor is in biology. Your system needs immunity. If you live in, let's say, a biodome... one day when someone or something gets in, you will be very susceptible. Anyway, it just plain depends, but I'm sure these tools have plenty of legitimate uses; the ethics/morals lie with the user.

fuscia
February 16th, 2006, 04:53 PM
ethical uses of guns:

shooting trash cans with shotguns makes festive noises that can be used for celebrations enjoyed by friends and family.

the S&W.500 is excellent for the development of wrist strength. while one might argue that CoC products are fine for such, one cannot argue the effectiveness of the gun's recoil for development of 'power' (strength applied at speed).

the most efficient manner in which to harvest mistletoe is to shoot it out of the tree it's growing in. mistletoe is a parasite, so such a harvesting is not just good for christmas romance.

reenactments of historical battles would be absurd without the presence of firearms. (do i really need to explain this one?:rolleyes:)

with overdevelopment on the rampage and an ever increasing population, space is being eaten up with empty bottles and cans, two entities that have no natural enemies. while one could argue that shooting a can doesn't really reduce its mass in any appreciable amount, one cannot deny the effectiveness in using firearms to reduce the mass of bottles. and before you go there...underage drinkers in the wilderness often forget to recycle.

mstlyevil
February 16th, 2006, 05:04 PM
Ethics or the lack thereof lies with the user. A tool of any kind can be used for both good and evil.

mstlyevil
February 16th, 2006, 05:05 PM
ethical uses of guns:

shooting trash cans with shotguns makes festive noises that can be used for celebrations enjoyed by friends and family.

the S&W.500 is excellent for the development of wrist strength. while one might argue that CoC products are fine for such, one cannot argue the effectiveness of the gun's recoil for development of 'power' (strength applied at speed).

the most efficient manner in which to harvest mistletoe is to shoot it out of the tree it's growing in. mistletoe is a parasite, so such a harvesting is not just good for christmas romance.

reenactments of historical battles would be absurd without the presence of firearms. (do i really need to explain this one?:rolleyes:)

with overdevelopment on the rampage and an ever increasing population, space is being eaten up with empty bottles and cans, two entities that have no natural enemies. while one could argue that shooting a can doesn't really reduce its mass in any appreciable amount, one cannot deny the effectiveness in using firearms to reduce the mass of bottles. and before you go there...underage drinkers in the wilderness often forget to recycle.

ROFLMAO. I used to own an SKS with a high powered scope and a composite stock. It was great to use to compress the volume of beer bottles left by underage drinkers.

majikstreet
February 16th, 2006, 10:16 PM
Stop the ******* gun ethics discussion... or I'm sure the mods will either lock the thread or move it to the backyard..

Anywho, it all depends on what you are using the CD for.... even without these CDs crackers and script kiddies could do what they do... I mean, there are programs you can download on Windows where you type in a URL and it pings it or something to take down the site.

majikstreet

xequence
February 16th, 2006, 11:19 PM
Stop the ******* gun ethics discussion... or I'm sure the mods will either lock the thread or move it to the backyard..

Yea. Good idea. Let's talk about only one thing. Anything not exactly about that is off topic and should be moved to the backyard, where no one actually goes and which is a mini version of the jail o_O

jfdill_2
February 16th, 2006, 11:38 PM
Well, since this can of worms is already open... What about access to the "tools" though? You wouldn't leave a pile of grenade launchers lying around with a sign that says "Help Yourself." You don't give the car keys to your first-grader and tell him to drive to the grocery store. I think that both of those scenarios are more on the order of "negligent" than "unethical", however. For some dangerous things, there is some kind of tracking and training, although there are also always ways to circumvent or ignore those safeguards, which may also lead to some sort of liability if you get caught, e.g. driving a car without insurance.

If you wanted to follow the tracking concept, you could make people register to download the software and agree to a traceroute to their (possibly ersatz) location on the internet. I know plenty of people who would fill it in as Mickey Mouse on Pennsylvania Avenue or something like that. If you have ever applied for a commercial SSL certificate, e.g. from Thawte or Verisign, you have to provide documentation to "prove" that you are who you say you are, so there is an example where some sort of tracking and verification is in place. I'm not saying this is a good idea or that I agree with it, just some fodder for the cannons so to speak.

Edit: Having thought about all that, I would be concerned as a developer of one of these toolkits about exposure to liability. Suppose that someone uses your CD to hack into a bank, for example, and it results in some sort of measurable damages. Could the bank sue you for negligence or some other civil crime? At least in the US there has been some similar activity with respect to people suing gun manufacturers, so it is not without precedent. There was a famous case in my own back yard where somebody sued the author of a book on "how to be a hit man" when someone actually used the book to carry out a triple homicide.

imagine
February 17th, 2006, 01:12 AM
You can scan networks, listen for wlan traffic, decrypt SSL, and so on, all from an easy-to-use GUI. What would possess somebody to put this together? I cannot imagine that legitimate penetration testers need something like this.
Umm, why shouldn't "legitimate(?!) penetration testers" use a GUI? : )

Those systems are intentionally made as beginner-friendly as possible, so many people can use it against their own computers and networks. The best way to defend yourself is knowing and having the weapons of your opponents.


There are others as well, such as phlack, Knoppix-std, and backtrack. They seem to generally do little more than make the internet a less-safe place to be.

Well, a place doesn't get safe by burying one's head in the sand. Security holes do exist and you cannot ignore them and hope nobody will exploit them.
That said, I think script kiddies, as you called them, serve a valid purpose because they make others aware of problems before someone does something really nasty. Filling up the screen with advertising or "owned" messages may be annoying, but that's about it. Just look at the Blaster worm: it was a buggy piece of software, obviously made by someone without much knowledge, and it didn't contain any code to do real damage (except a DDoS attack against the windowsupdate servers which didn't work). But it still made users aware that their Windows computer had a big security flaw which allowed everybody around the world to take full control over the box. You can take it for granted that without that worm two out of three Windows boxes would still run with that hole wide open.
Or I read about a recent test of the IT infrastructure of power plants in the USA, which turned up serious security problems that could - in an extreme case - give an attacker the possibility to shut down the power plant over the net. On one machine even a 10-year-old hole was found, unpatched. Clearly a sign of too few script kiddies in those networks.

Iandefor
February 17th, 2006, 04:29 AM
Tools are tools. How they are used determines their value. That should be obvious.
Film can be used to educate, widen the minds of the public, and entertain with great stories and cinematography. It can also be used to convey propaganda to a wide variety of people, feed them shallow entertainment with subpar writing but no end of jokes, or even incite violence.
A hammer may be used to nail a house together, or can be used to smash in someone's skull. Nmap can be used to test the security of your system, or it can be used to scan someone else's system.
The Enigma encryption scheme protected the records of countless businesses, but the Nazi party also used it to protect their own communications.

mstlyevil
February 17th, 2006, 04:53 AM
Tools are tools. How they are used determines their value. That should be obvious.
Film can be used to educate, widen the minds of the public, and entertain with great stories and cinematography. It can also be used to convey propaganda to a wide variety of people, feed them shallow entertainment with subpar writing but no end of jokes, or even incite violence.
A hammer may be used to nail a house together, or can be used to smash in someone's skull. Nmap can be used to test the security of your system, or it can be used to scan someone else's system.
The Enigma encryption scheme protected the records of countless businesses, but the Nazi party also used it to protect their own communications.

Film can also be used for PORN! You decide if that is good or bad. :twisted:

bulldogzerofive
February 17th, 2006, 08:05 AM
You did it the dumb way.

1) Boot into Windows safe mode
2) Click admin (usually people with no knowledge don't put a password)
3) Done

I used to have one where you used a Linux thingy that was on a disk to change the password in 2 seconds :D


The box had an admin password (and a good one), so that method would not work. She is quite savvy with windows, and set it up in what I would consider a very secure way in general. She is also aware that she can also simply use her Windows boot disk to change the password, but since I am always talking about how great Ubuntu is, and mentioned that you can use Linux to change windows passwords she wanted me to prove it. As for the password changing tool, that is what I was looking for to start with but the "how to crack windows admin password" came up first in google (indeed, many of these tutorials came up but not a single one for "changing" the password that I saw)... and after reading that I wanted to see the look on her face when I handed her her own secure password. <soapbox>As an aside, I think it is bad form to call people or their methods "dumb." You do not know the reasons for which they choose to do what they do and you run the risk of insulting people, which is not what any of us wants here. I know that wasn't your intent but that is kind of what it sounds like. </soapbox>


Now, I understand that a tool is only as good or bad as the person using it. That is a very old debate (please let's not get into gun control again). HOWEVER, Auditor, backtrack, and so on, do not, to me, seem to be oriented toward auditing.

Let's take the SSL cracking tool as an example. I have not actually used it, so I do not know how effective it is; however, even if it works, this tool has no legitimate use to a penetration tester that I can see. SSL's strengths and weaknesses are very well documented. Everybody knows that 128 bit keys are stronger than 40 bit keys. You do not need to hack into your own organization's network and record some SSL-encrypted traffic and decrypt it to know that your 40 bit SSL key is weak. This tool is oriented exclusively toward doing "bad" things.

While sticking our heads in the sand will not make security issues go away, I still see no "white hat" reason to put a disk like this together. A legitimate penetration tester is going to know what tools are out there and how to get them and use them. The "it's for penetration testers" argument seems akin to the people who circumvent copy-protection to make "backup copies" of their proprietary software: yes, there are very limited legitimate uses for this, but realistically, who is going to use it? (I am just using this as an illustrative example; let's not get into the DRM debate please.)

I can see no realistic, legitimate use for a collection of 300 tools to hack into computer systems on one boot disk. Is there anyone out there who does in fact do penetration testing for a living? I would really be interested to hear if "experts" actually use these.

By the by, I do not buy the argument that script kiddies and crackers help us by showing us where we are weak. Some are out to annoy, others are out to steal. Both varieties cause billions of dollars (or Euros or whatever your local currency is) of damage annually.