Blog Entry - Thursday, August 28th, 2003
Ethics and passwords
Rich Schwartz and Julian over at nsftools.com have recently talked about tools that can hack Notes passwords. In this case, they're really talking about brute force attacks that can, over time, expose a Notes password. Most systems and a large percentage of passwords are vulnerable to this type of attack, if it is allowed to execute.
While I've never created a program that can do this type of hack, I have been faced with the ethical dilemma surrounding it. In the past, I've had folks submit this as an article -- that is, they'd written one or wanted to write about the commercial one out there, and wanted me to publish the article. There have also been other types of Notes hacks (such as ones that were taking advantage of a reported bug or vulnerability) that have been submitted as article ideas. I wouldn't publish any of these articles.
Julian was hoping for a clear answer to ethical dilemmas such as these, and I have to agree with him that there really isn't one. I actually got really slammed by a few of the people who had submitted these article ideas, as they thought I was "protecting" Lotus/IBM by not publishing the article. I think that was an unfair accusation: I will and have published stories that discuss bugs and holes in Lotus products, especially when they are being addressed by a MR or CF. If a hole exists and there is a fix or workaround, I believe it's my responsibility as a member of the community to help get the fix or workaround propagated -- this makes all of our server environments safer. It's also my responsibility to point out if Lotus/IBM isn't fixing a hole or vulnerability that has been reported, and to put pressure on them to do so.
On the other hand, I think it is irresponsible to provide support to tools that, as Julian suggests, will be used by 2% of the folks for constructive reasons and by the other 98% for destructive reasons. I can certainly see the point that there is a real use for tools like the one Rich talks about and the one Julian has written -- many people have lost certifier ID passwords or administrator ID passwords and would love to get them back. Also, it can be used for testing your system to see how vulnerable it is. You can use it to force some user education by showing them the difference between a weak and strong password. Ok. Fine. Once again, however, I have to believe that no matter how I spun an article about a tool like this, I would be opening up someone's server to danger by publishing an article that either describes how to perform a hack, gives the code for a tool such as this one, or draws extra attention to the tool.
Now, the rub... Have I just done what I think is unethical by linking to Rich's site where he links to the tool that does this? I feel as though my responsibility is a little bit different here on my personal blog versus in the official press, but I also think it's still borderline...
Author: Libby
Posted at: 09:43:14 PM