Finally, I would put forth that by choosing what information we will and won't share on a community level is to perform the same kind of censorship that we, as Westerners, decry as "totalitarian" and "fascist".

"We" the Perl Monks community are all individuals who decide as individuals what to write and what not to write. "We" are not a government. "We" do not have the power to detain, imprison, or torture dissidents.

If some jerk with too much time on his hands and no sense of personal responsibility wants to cause mayhem and havoc for other people, he can do it without my assistance. There's a big difference between my saying "I don't care to contribute to things I find ethically and morally distasteful" and driving tanks over people who criticize me!

I think you may have a valid point, but it's lost in a forest of disproportional histrionics.

Hiding vulnerabilities instead of repairing them is generally regarded as poor security. The system of security alerts for vulnerabities is based on that.

Regarding Tim Toady's remark, I think that computer programs and information should not only be protected by the First Amendment (free speech aka "information sharing", for denizens of those countries), but also the Second (right to bear arms). Recall that crypto software was until recently classed as "munitions" while paper copies of it were not restricted.

I agree that all information *should* be free, and in a perfect world that would be great ... but this is an imperfect world.

Merlyn's point was merely that people should be cautious when answering questions of a "how do i hack this thing?" nature ... maybe the intentions are good, maybe the person is just curious, maybe their intentions are evil -- he's not saying it's your job to know, and to only answer quiestions asked by noble people ... he's just suggesting caution.

I suggest using common sense.

personally, I agreed with most of your post up untill this point...

Put another way, you choose to connect yourself to the Internet. You choose to have a website up and running. You choose to take credit-card information. You choose to not have the necessary knowledge / personnel / skills / etc. If I were going to harden a site, I would charge a lot of money to do so. Why should I protect you for free?

"Why?" becuase you're a human being and a member of a (virtual) society that should aspire to loftier goals then total anarchy and an "every man for himself" mentality.

It's a lot easier and cheaper to shatter a large glass window (to rob a store, or rape and murder a family) then it is to create and install shatter proof glass. I wouldn't ask you to stand guard in front of my house, or even to help me pay for shatter proof windows -- but as a member of humanity the least you can do is not help someone (who looks sketchy, talks sketchy, and acts sketchy) you see trying to bust through a window of with their fists, by pointing out that a brick or a sledge hammer would work better.

but as a member of humanity the least you can do is not help someone (who looks sketchy, talks sketchy, and acts sketchy) you see trying to bust through a window of with their fists, by pointing out that a brick or a sledge hammer would work better.

But that's not the case here. Imagine if you were a hardware store employee, and someone in the store asked you what would be more useful to break a window, a brick or a sledge hammer -- you'd have no way to know why they wanted the information. You'd just answer them, and that would be the right thing to do -- unless they told you why they wanted it.

Providing the information when unclear about intent is the right thing to do. Making your own choice about providing the information when intent is clear is probably the right thing to do as well.

There are two goals at work here, and they work against each other in a situation like this -- Security, and Information Transfer. Information Transfer is the more important goal, IMHO, but even more important than that is the fact that the intent is the point of failure, the reason that the window's going to get broken isn't because of a recommendation from a hardware store employee. It's because there's a punk looking to break stuff.

Admittedly, once intent becomes clear, this is not an issue any more. When freak indicated this was for Bad Things, then I would agree that it becomes personal choice about the resulting actions.

Even in a court of law, the hardware store employee who sold the vandal the sledge hammer would be untouchable -- UNLESS the intent was communicated, in which case there could be a tenuous concept of conspiracy. (Not that I'm aligning myself with the legal system, just saying that even a courtroom would be hard pressed to say that you're facilitating a crime if you don't know one is going to occur.)





-----------------------
You are what you think.

Imagine if you were a hardware store employee, and someone in the store asked you what would be more useful to break a window, a brick or a sledge hammer -- you'd have no way to know why they wanted the information. You'd just answer them, and that would be the right thing to do -- unless they told you why they wanted it.

Nice analogy, but I don't think it fits the situation. A better one would be someone asking a pharmacist how to make poison. Perhaps the person asking is a researcher studying antidotes. If so, that person would already have some knowledge about poisons. In this case the person asking had little or no knowledge of the dangerous field he was asking about. Should knowledge about poisons be protected by the first amendment, sure. Should people with that knowledge share it when appropriate (assisted suicide?), that's an individual choice based on an individualistic definition of "appropriate". Should they share it with anyone who asks regardless of how much it looks like the person is intending to do harm to self or others with no indication there is a valid reason behind it? Nope.

Finally, I would put forth that by choosing what information we will and won't share on a community level is to perform the same kind of censorship that we, as Westerners, decry as "totalitarian" and "fascist".

IMHO, you're comparing apples and oranges here. On the one hand, you have a community of people deciding to not do a certain thing, or -- to put it in grander words -- to set a certain moral standard. That's us deciding not to encourage cracking activity by not answering freak's questions. On the other hand, you have a non representative, mostly democratically unelected group of people misusing power to deny information and knowledge to vast masses of other people with the single purpose of protecting their own power. These are two vastly different things.

As to the issue that sparked this thread, I'm firmly on merlyn's side. One could say that someone who explicitely has to ask for this sort of information, and does it in such a thinly veiled way will never be a big threat, so why bother, but there are legions of script kiddies out there to disprove that point.

++dragonchild for starting this interesting discussion

In this specific case, I'm not going to give freak information. If he's ligit, then there are better ways to find what he's looking for than blathering around here. If he's not, it costs me exactly zero effort to not post a reply. I am free to speak my mind on this (namely, that others shouldn't give him information, either), but I ultimatley have no ability to force anyone to do this.

Before his intentions were called into question he's been given all the answers he wanted. His problem is that he wants to be spoon fed and refuses to read past what has been written in response to his questions.

I know how to write bots.
I know how to do ARP poisoning.
I know how write Perl port-scanning apps.
I know how to crash remote servers.
I know how to own remote boxes.
I choose not to discuss such things here.

Most of what you said, I agree with. I won't talk about ARP poisoning. But what if it involves perl? What if it's about patterns that make perl and our lives more secure. If winnuke, from days of ol', wasn't talked about so much, smurf and the likes.. security and information about it would be a privaledge to have. It would be an advantage of a chosen set.

I would rather people learn how to hack apart operating systems and languages. I rather do things smarter, than in more ignorant ways.

If you think about it, w/o the unfiltered internet and the easy accessible-ness of information and data, we may not have been better off. So why is one topic so taboo? No system is totally secure, but w/ the information, we can make it damned well harder to break in.

--
Bart: God, Schmod. I want my monkey-man.

Although laziness is one of the three Great Virtues, I cannot myself see why I should exert any effort on someone who does not even make the effort to read some documentation or write some code before asking specific questions about how to do something. Several monks provided hints on documentation, perldocs, and other documents that would provide the information they needed. In some cases, the answers were easily at hand by going to Google. I don't believe that there was censoring going on at all. Many people on this site, however, believe that people generally need to make some sort of effort before answering specific questions. If freak's questions were more generic, say along the lines of "How do I access a website with Perl?", "What's the best module for accessing websites?", etc., then those questions can be answered quickly and should always be welcome here.

Were freak's motives "pure" or not? I can't say. What I do know is that freak made no effort to ask the questions. We don't have to make the effort to answer them. We can choose to answer them or not. That choice is your's alone.

But it leaves a really bad taste in my mouth when it is obvious beyond reasonable coincidence that someone is just planning on cut-n-pasting my assistance into a script that's going to be put to fraudulent or distasteful use. What I consider to be distasteful is my own opinion, and I'm entitled to it. ...and in fact, I may even share it once in awhile.

At any rate, if I personally feel that my advice is going to be put to improper use, I'm going to refrain from providing it. I'm not going to always know, nor will I always care. But if a node, or group of nodes really rub(s) me the wrong way, and I vocally refrain from providing a solution, I don't care if others think I'm doing anyone a disservice by abstaining or not; I've made my choice. Nobody has a right to my free advice, unless I offer it to them.

Regarding the freedom of speech discussion, yes, free speech is protected (thankfully) in the USA, but don't mistake the right to free speech with the right to speak freely in any forum the speaker chooses. The latter is not a protected right, under the US constitution. And lets not get all worked up politically anyway, this is PerlMonks, not the Town Hall. To say that my refraining from offering a solution is a form of censorship, akin to what goes on in countries that don't have protection of freedom of speech... is a load of crap. Deciding to not give an answer hasn't impeded anyone else's freedom to do so, plus, as I already mentioned, this "community" doesn't have to protect free speech anyway; free speech is protected under the US Constitution, but free choice of forum for speech isn't protected nor guaranteed.

This guy just happened to make a lot of people suspicious of his motives. And a lot of consciencious individuals chose not to become facilitators in his deviant plan. It's not a big deal... If he's creative and bright, he'll figure it out for himself anyway, and if not, one less script-kiddy trying to muck up the Net.

In this case, a reasonable person could probably guess that they were helping a thief commit fraud, and so people who helped are morally responsible for their part of the crime.

I'm sorry, but I can't make sense of this argument - it would surely follow from this that anyone who creates a general purpose tool (such as perl, created by Larry) is morally culpable since they could and should have anticipated that someone would at some point in the future use the tool for bad purposes, and should therefore not have released it in the first place (or only, under strict licensing conditions, to carefully vetted individuals).

The same argument would apply to anyone writing a book to teach people how to program.

Except in the case of a signed contract explicitly removing the right, I don't see how anyone giving out correct information can be legally culpable. Whether they are morally culpable of course depends on your ethics, but most ethical systems would hold truth to be a high trump card.

Hugo

I want to address this argument because it actually ends up somewhere I don't think you want to be.

Some backgroud is in order. I am a Wiccan, which means I actually have only one ethical precept, called the Wiccan Rede. It reads: An it harm none, do what thou wilt. We also have only one law (more of an observation, really) called the Rule of Three. It reads: Whatever you do returns threefold upon you.

All Wiccans agree that if I rape someone, I have violated the Rede, as I have caused harm. Same goes for (most) killing, theft, assault, etc. Most Wiccans would also agree that by helping others, I am helping me and mine. So far, so good.

Most Wiccans would also say that if I give someone a knife, knowing they are capable of killing, and they use that knife to kill, I have committed harm. I vehemently disagree with this.

For me to withold that knife, I must assert a greater moral capability than my friend. I am, in effect, making the moral choice for him. This is the same attitude that the Chinese goverment has when they ban certain websites on the grounds that the sites are seditious. Their reasoning goes something like this:

1. If a citizen were to read something that maligns the government, they will be swayed by it.
2. If the citizen is swayed by it, we'll have to imprison them.
3. Since imprisoning a citizen is bad, we have to prevent the citizen from being exposed to what will get them imprisoned.

The problem here is that the government is asserting that the citizen is a stupid sheep that has no capability to do the right thing. In effect, the only entity capable of moral action is the government.

Here's another example, from the West. In nearly every industrialized nation, suicide is illegal. It is against the law to kill yourself. Why? Who have I harmed? Am I not in control of my body? Essentially, the goverment is saying that it knows better than I do. The same goes for the "War On Drugs" and several other intrusive initiatives.

The point being that if I have to be morally responsible for the concesquences of your actions, I have to assert that you are a lesser being, morally, than I am. I hope that's not what you want to say.

------
We are the carpenters and bricklayers of the Information Age.

Then there are Damian modules.... *sigh* ... that's not about being less-lazy -- that's about being on some really good drugs -- you know, there is no spoon. - flyingmoose

I shouldn't have to say this, but any code, unless otherwise stated, is untested

At the risk of dragging this thread way OT:

For me to withold that knife, I must assert a greater moral capability than my friend. I am, in effect, making the moral choice for him. This is the same attitude that the Chinese goverment has when they ban certain websites on the grounds that the sites are seditious.

Again, I disagree. You are correct on the one hand if you say that it is not our place to make moral choices for other people. Aside from the fact that if you choose to live in a society that sets certain moral standards (you shall not kill, etc), some of which are even 'universal' standards that you will find wherever more than two people join together, you will have to live according to those standards, people should be able to set their own moral compass.

On the other hand, witholding our hypothetical murderer a knife does not equate to making a moral choice for him. He has already made his moral choice, you are just providing one means of acting upon that choice. In effect, you yourself are making a moral choice - you are choosing to believe that your actions in this case will not have harmful consequences, or rather, that whatever harmful consequences they will have are not your fault, and thus not your moral repsonsibility. That's where I disagree with you. I would withold the knife.

Perhaps, if you want to discuss this further, we should take this elsewhere - this is a Perl community after all, not a moral debating society :)

CU
Robartes-

Most Wiccans would also say that if I give someone a knife, knowing they are capable of killing, and they use that knife to kill, I have committed harm. I vehemently disagree with this.

I probably agree with you, since just about everyone is capable of killing, but most people don't wind up killing others. But to give someone a knife, knowing that they intend to kill, I feel, is contributing to their crime. In that case, you are culpable, and you have done harm.

I'm not clear, however, whether you meant to discuss the case where someone intends to do harm, and you knowingly give them the tools to do this. It seems to me unlikely that you'd claim to be exempt from accountability in that case... (?)

---

בּרוּך

If you hide security pitfalls from others, you are only helping blackhats generally. Especially if you help to perpetuate a taboo culture about talking through security issues in detail. In the long run, you only help to provide blackhats with an occult advantage.

But even if you help one blackhat unwittingly, I don't believe you cause as much damage in the long term at all.

But as I said, it's personal freedom which matters. There shouldn't be hard and fast rules for such issues.

To paraphrase everything that has been written here: As individuals we have the choice to respond or not to any post here. We must use our own moral system to do that and do it in the manner that we see fit. No system should be opposed on us, but we are allowed to raise words of caution if we disagree with actions of others. But they are words, we do not bind each others actions, and we respect each other to do the best they can within in their right to choice.

That aside it is good example of how moral questions in a free and open community, need to be asked, because we need to be reminded of each others differences in approaches now and again. As for the recent threads from freak, this happens so many times here and we deal with it the same way openly and honestly, what more could a community ask for. This entire discussion is open to freak to read even to the point where their was belief a new id was created. I think this type of policing is the best. Mainly because the user in question can gauge the communities collective moral, and either respond to it by changing their questions, or explaining their actions. And yes they may even contact a sympathetic individual in the community away from these discussions. In the end all options and moral systems are addressed and respected.

I think it's really impossible to tell what someone else's motives are, even when you have known them for a long time. Who are we to judge what someone else is thinking? As you pointed out, many hackers have a burning desire to know how the thing works, how to break into it, but don't have any intention of doing harm or committing crimes. How else can you learn, but by asking?

Even so, it's important to weigh the amount of harm that could be done with the information, against how well you know or trust the person. It probably wouldn't be a good idea to give someone root password, or instructions on making explosives, unless you felt you could trust them with your life. Similarly, you might tell a relative stranger about exploits that have been patched, but maybe not about the ones you just discovered today.

Not everyone who can pick a lock is a locksmith. But lock-picking is one of the skills that a good locksmith needs to have...

Braun v. Soldier of Fortune Magazine: Publisher can be held liable only if an advertisement on its face, without further investigation, would alert a reasonably prudent publisher to the unreasonable risk.

So here's one that is officially over-the-top!

Gun for Hire
Professional Mercenary
Confidential and Very Private
Will Consider All Jobs