[azipa] Ethics Question

Bob George plug-discuss@lists.PLUG.phoenix.az.us
Wed, 2 May 2001 18:15:19 -0700


Lowell Hamilton wrote:

> IMHO reporting/publishing unauthorized traffic on your network is
> ethical and should be encouraged. [...]

There are some lines though. I responded to JLF's original AZIPA posting,
but thought I'd send it here as well. No slight to JLF intended, he does
PLENTY of good work. These are just my thoughts on this particular scenario.

--- cut here --- cut here ---

J.Francois wrote:
> [...]
> Is it ethical to reveal the IP address and attacks of the bad guys
> in a public web page?
>
> Please give me your opinions.
>
> The Page: http://www.magusnet.com/ids.html

Well, since you ARE asking for opinions...

Speaking for myself, I would be hesitant to do so, simply because much of
what I see listed on your page MAY be the result of an effort to compromise
your system, but some may also be the result of inadvertent
misconfigurations or outright cluelessness. You label them "bad guys",
without (so far as I can tell) necessarily knowing that to be the case. Some
of the traffic is obviously unwanted (portscans etc.) but, given that you
run a proxy service, I wonder if some might be innocent. For example:

(From the logs):
> May  1 19:15:15 citadel snort[17047]: MISC-WinGate-8080-Attempt: [Source IP 1]:61008 -> 216.27.171.164:8080
> May  1 19:15:16 citadel snort[17047]: MISC-WinGate-8080-Attempt: [Source IP 1]:61009 -> 216.27.171.164:8080

Your public proxy is on 8081 & 8090. Mistyping the URL by one character
(i.e. https://proxy.magusnet.com:8081/-_-http://isc2.org/code.html) creates
an entry on the "bad guy" list.

You appear to be listing one-time offenders in with everyone else as well.

> May  1 20:13:36 citadel snort[17047]: IDS159 - PING Microsoft Windows: [Source IP 2] -> 216.27.171.164
> May  2 03:38:42 citadel snort[17047]: IDS159 - PING Microsoft Windows: [Source IP 3] -> 216.27.171.164

Aren't these merely a ping of your public proxy (www.magusnet.com)?

You also have the additional ethical question of providing free, public
privacy services (sounds odd doesn't it?) while still monitoring and
publishing log info. Don't get me wrong, I'm fully aware of your efforts to
provide services and your activities both on this list and with PLUG. I
RESPECT AND APPLAUD YOU FOR THESE EFFORTS (especially the Teergrube :). It's
just that there's the whole perception issue. After reading your
instructions on your proxy page, I pinged www.magusnet.com to verify that
it's up. I'm now listed on your "bad guy" page. Why am I using an anonymous
proxy service? What do I have to hide? Better log my activity somewhere,
privacy be damned. Hmm... maybe log those URLs I'm visiting too, just in
case. (you get the idea)

As part of the (ISC)2 CISSP certification process, I was required to get
quite familiar with their published code of ethics (see
http://isc2.org/code.html). After reviewing that, I'd say that you
definitely have a borderline situation here. It really comes down to what
you value more: Individuals' privacy versus alerting others to possible
activity by "bad guys".

My opinion: I'd suggest perhaps scaling back or filtering what's published
on that page. Anything persistently indicating an attempt to subvert the
system might warrant attention. However, not everything "wrong" is
necessarily "bad", and I'd be inclined to give the benefit of the doubt before
labeling someone a "bad guy" in a public forum. You might report some of
these activities in a less public forum (as suggested by others in this
thread), in the hope that persistent patterns of abuse across multiple
systems may be indicative of a deliberate and conscientious effort to
subvert systems. I think that would be more worthwhile in the long run,
while still allowing proactive management and monitoring of your system.

Again, these are my opinions only, and I want to emphasize that JLF is a
good guy in my book!

- Bob
 (who just took a job where writing policy on these sorts of things will be
required!)
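
The filtering suggested in the message above (list only sources that show persistent activity, not one-off pings or a single mistyped port), as an added example that is not part of the original post or of the site's own tooling. The thresholds, the ignored-signature list and the sample log lines are assumptions constructed for illustration; the line format follows the snort alerts quoted in the message.

```python
import re
from collections import defaultdict

# Matches the syslog-style snort alert lines quoted in the message above.
LINE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) [\d:]{8} \S+ snort\[\d+\]: "
    r"(?P<sig>.+): (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Assumed policy knobs (not from the post): what counts as "persistent".
MIN_DAYS = 2          # seen on at least this many distinct days, or
MIN_SIGNATURES = 2    # tripped at least this many distinct signatures
IGNORED = ("PING",)   # signatures that alone say nothing about intent

# Constructed sample alerts; addresses are RFC 5737 documentation ranges.
SAMPLE = """\
May  1 19:15:15 citadel snort[17047]: MISC-WinGate-8080-Attempt: 192.0.2.10:61008 -> 203.0.113.1:8080
May  1 19:15:16 citadel snort[17047]: MISC-WinGate-8080-Attempt: 192.0.2.10:61009 -> 203.0.113.1:8080
May  1 20:13:36 citadel snort[17047]: IDS159 - PING Microsoft Windows: 198.51.100.7 -> 203.0.113.1
May  2 03:38:42 citadel snort[17047]: IDS159 - PING Microsoft Windows: 198.51.100.7 -> 203.0.113.1
May  1 22:01:09 citadel snort[17047]: MISC-WinGate-8080-Attempt: 192.0.2.99:4411 -> 203.0.113.1:8080
May  2 22:04:51 citadel snort[17047]: MISC-WinGate-8080-Attempt: 192.0.2.99:4502 -> 203.0.113.1:8080
"""

def summarize(log_text):
    """Group alerts by source: distinct days, distinct signatures, event count."""
    seen = defaultdict(lambda: {"days": set(), "sigs": set(), "events": 0})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a snort alert in the expected format
        if any(tok in m["sig"] for tok in IGNORED):
            continue  # a bare ping is not counted as evidence of intent
        entry = seen[m["src"]]
        entry["days"].add((m["mon"], int(m["day"])))
        entry["sigs"].add(m["sig"])
        entry["events"] += 1
    return seen

def persistent_sources(log_text):
    """Return sorted sources whose activity meets the persistence thresholds."""
    return sorted(
        src for src, e in summarize(log_text).items()
        if len(e["days"]) >= MIN_DAYS or len(e["sigs"]) >= MIN_SIGNATURES
    )

if __name__ == "__main__":
    print(persistent_sources(SAMPLE))
```

With the constructed sample, the two back-to-back port 8080 hits from one source and the repeated pings stay off the list; only the source that returns on a second day is kept for review.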