[Dshield] my dilemma

Roger A. Grimes roger at banneretcs.com
Thu Nov 24 14:22:39 GMT 2005

You are not invited "in" simply because you have credentials. In most states and countries doing so would be against the law. Here are some quick general guidelines to follow in "gray areas" (although your dilemma isn't one of those):

Never logon to or modify anyone else's system, traffic, or network without their explicit permission

Do not eavesdrop on traffic that you do not have permission to listen to

Never do further harm to either the good guys or the bad guys

These three rules, off the top of my head, should keep you legal and ethical, although I'm sure readers can think of plenty of others.

[If we come up with enough interesting rules I'll print them in my InfoWorld column.]

Now, follow your heart about anything else that doesn't violate the rules above.


*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), TICSA, CEH, CHFI
*email: roger_grimes at infoworld.com or roger at banneretcs.com
*Author of Honeypots for Windows (Apress)

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On Behalf Of P Thompson
Sent: Wednesday, November 23, 2005 10:44 PM
To: list at lists.dshield.org
Subject: [Dshield] my dilemma

OK, I had posted a link a while back about a virus tracking page that the author of a virus had created.

I did a little more investigation, and it is apparent this virus is committing some serious identity theft, and most of the proof is evident using login information ironically which the virus authors themselves expose through reverse engineering their exploit code at http:// dimpy.narod.ru/ v9.html which seems to be the exploit upgrade ftp back end for their virus downloader and repository of stolen information.

(This is an ethical grey area that I don't pretend to have thought through: if someone exposes a plaintext username and password in a web page as part of an illegal identity theft virus, and I have the virus executable, they've pretty much invited me in, right, and not just to meekly update their virus client to the current rev level...?)

The identity theft is hosted by a backend database at a company which from scanning google and google groups seems at best to have a very laissez faire attitude toward those it hosts, and at worst could be the American front end for some sect of the Russian mafia.

So, what's the next step?  Just getting the database site shut down does not solve the real problem, right?  There are some bad folks who made a big mistake and need their ass kicked by proper authorities.  Preferably without mine being kicked by anyone.

So I guess I need to do something, but what?  I really wish I understood the implications of the grey area a little better.
