...but I enjoy a good argument/discussion.
Hehe, me too ;-)
Why is accessing the default web page set up by IIS when it runs as a service any different from accessing his root when I was not the one to open it. Theoretically, I could assume that he wanted to open his hard drive/operating system to the world. Or would it be just as illegal to access the default web page?
An excellent point. That's why I used "explicit or implicit" when talking about permission.
If some schmoe puts up a Linux box on a DSL line, it's probably going to have a default apache page up. Is accessing that page illegal? I'd say no--although some eager-beaver lawyer might make me eat those words in the future.
Webservers are for webserving--plain and simple. So back to my point about courts and intent--they are going to use their heads on this one. If you access a web server, it could be argued that webservers are for exactly that; no harm, no foul. But, if you tried to argue that because he didn't lock his machine down he was basically inviting you to peruse its contents, you'd be in a hot kettle of fish. No judge or jury will let that one stand, and if it was the basis for a defense, you'd be in trouble.
Confession time: during a very nasty "security takedown", I started getting my firewall hammered. I was notifying compromised servers, and I assume the crackers saw my probes and traffic on several machines and started putting two and two together to make five. So I "fought" back and started tracing back probes on my firewall in addition to the traffic logs I had from a client. I got a hold of a server in another state. It was probing my samba ports and nfs ports.
I did a drive-by via ping and traceroutes, then an nmap port scan, and found out I had an NT box. I see that the SMB share ports are up. I think to myself, "No frigging way they could be that stupid." For kicks, I fired smbclient at it and asked it to list its services. Wham! It gives me the ENTIRE domain: workstations, workstation descriptions, shares, etc.
Well, hell, at this point, it was obvious why they were cracked. So I go looking for contact info, but I couldn't find any. But I do see a link for this guy on the web page (an "employee") and I see his name attached to one of the workstations in the SMB listing. So I take his email off the site and send him an email explaining that he should check his system because it's not being nice to my system.
Well, my wording was friendly, but the fact that some stranger over 2,000 miles away knew which computer he was using and was talking about cracked machines made them assume I was threatening them. As it was, my attempts to convey the seriousness of the matter (and explaining that I had helped shut down a dozen other compromised servers) made me sound like the enemy and they started accusing me of all sorts of stuff. On top of that, this guy was THE BOSS, and he beat the tar out of his consulting firm, who in turn took it out on me.
Was I in the wrong: ethically, yes--even if I didn't realize it at the time. Just because some dork doesn't have enough brains to NOT expose his entire Windows network filesystem to me doesn't mean I should look at it. I should have seen the port open (via nmap), noted it, and sent an email explaining what I had seen. Mentioning that I could see their networks just made someone look like an ass.
Which, honestly, was my purpose. I couldn't believe how colossally stupid they had been. But my eagerness to be smart and clever did not help things. If I had realized this up front, I would have tried just a little harder, and I would have probably found the consulting company's contact info. As it was, I got someone in big trouble and for what? To make myself feel cool?
So now I'm a big "play nice" guy. Granted, the guy was totally at fault, but the anger I got on the phone was pretty intense. At that point, I realized that someone properly motivated with a lawyer could make my life a living hell--when I was doing the "right" thing! I took up the CYA approach from that point on, being extra careful and logging all my terminal sessions.
He doesn't know about either and I didn't cause either to be accessible to the outside world ... The only difference I can really see is that he would know about the message but I can't see how that's a bad thing.
Again, I'm all for sending him a message. Please do! But I think you should limit it to email. Something like "I got CR probes from your machine. I traced it back and found you had a CR web page up. Do you know that your machine is compromised?" is a helluva lot nicer to find than a message in the NT service log saying "Yo! You've got CR. I shut down IIS for you."
In theory, both are notification and both do no damage. But one will land you in jail (potentially) because you crossed the line from observing the machine to using the machine.
However, the underlying point I'm driving at is, who is at fault for running the borked IIS server in the first place? Is it this guy who is not educated enough about his software or Microsoft for making it run as default in the first place?
Clearly he is at fault for running a poorly managed server. And, if he did enough damage, you could sue him for negligence. But accessing his machine in "retaliation" isn't a good idea.
I know we all want to "school" the "lusers", but it is a bad idea career-wise, and it is really childish when you look at it (I admit that in myself).
Veritas otium parit. --Terence