Defacing random websites, ethical, yes? no?

Our very own fight club!

Post by ayu »

I read the latest news article here on suck-o about that mass defacement, which reminded me about something interesting. Some people say that it's ok to deface random sites, since it in a way tells the host to fix their security, and others just think that they deserve it since their security sucks.

It can be split into two groups that can be seen as responsible. The first one would be the host who doesn't update his/her software when there are upgrades available, or simply doesn't configure the software properly. The second one is simply the coder(s) who have missed something and left a hole open in some way.

Some people simply think that you should not deface, because it's ruining for others and breaking into (well not really breaking into in all cases) a system that you do not have permission to meddle with. But it's like if we should stop crash testing cars to find the weak spots on them, although you don't crash test a car that has people in it.

Personally, I am usually very split on things where "ethical" and "vulnerability/exploit" are put in the same sentence, because I LOVE to meddle with vulnerabilities, I am the kind of guy who sets up a vulnerable system just to test an old worm, or to see how long I can expose a system before it becomes infected with something interesting.

But in this case, I think I would have to say that I do not agree with defacing sites, but to discover the vulnerability and offer my help to solve it, both to the host in this case, and the creator of the code (if it's a software issue with let's say Apache, or MySQL ... etc). But if they simply give me the finger or just ignore me and the problem, then I would sure as hell deface them, to make them aware of the problem.


Ladies and gentlemen, let the debate begin :)

I would like to take this opportunity to remind everyone to play nice, there is no need to get angry and throw crap at each other. If you don't have any more valid arguments to support what you believe, then drop it. Just because someone else has more arguments, doesn't mean that you are wrong and should stop believing in what you think is right. ;)
"The best place to hide a tree, is in a forest"

Post by Kirk »

I would have to agree with both Cats and p4inl0v3r. Although I am not to the level of this yet, I find it to be childish. I would liken it to the simple street gangs tagging up a neighborhood. (This is my turf, foo!!)

Once a vulnerability is found I think you are ethically responsible to let the admin know. There are a few exceptions to this. If you come across a site that is inappropriate, i.e. child porn. Take it down.

Post by lilrofl »

I think that defacement is childish. I also think that defacement is one of the things that continues to give a bad reputation to any hacker. With that said, I'll expand.

Vulnerability searching, enumeration, and exploiting are skills that cannot be learned solely from reading. To really learn something I think you've got to put it into practice. This is much more than just running the script in my opinion, it's about learning. I realize that the learning curve can be steep at times, but the pay-off is worth it for those who persevere.

I agree that there are times when something a little less subtle is called for, but this is the exception, not the rule.

Enumerate, test, exploit, get in, and get out. Hell, poke around a bit if you want. Let the admin know or not as you like, they never listen anyhow, but to deface on the grounds that they were vulnerable alone seems to bring 'us' unneeded bad press.

I think that's all I have on that... but I'm tired so I may revise after a good night's sleep =)
Hugs for my cuddly one

Post by IceDane »

Where I'm standing, there is no question. It shouldn't even be up for debate.

Defacement is lame. It's lame, childish, juvenile, a waste of time and whatever other derogatory term you can think of that relates to "young and stupid."

It saddens me that the people who do those things are the types of people we hear about in the news every now and then. You hear about some 14-year-old who gained access to a computer and got bank account passwords. Wow, he sounds fucking intelligent - but no, he installed sub7 and a keylogger. You hear about some other kid hacking a website - he defaced it using a vulnerability from metasploit or security focus or something equally stupid.

They go around, convincing themselves that they possess any real knowledge, but they don't. They're nothing but pathetic posers that take exploits from security sites and find vulnerable sites with google. They aren't hunters - they're killers. No time is spent on hunting the prey. The prey gets delivered to their door and they just stab it with a fork.

There is one thing we can take consolation in, though. These people are normally not able to produce enough electricity in their brain to spark an original thought, so eventually, the phase where they think they're hackers will pass.

As for setting up a system to exploit and play with; I don't even see how that has anything to do with the discussion at hand. That's a completely valid thing to do, if you want to study exploits and vulnerabilities and the like. The term 'exploiting' pretty much just means 'using an opportunity'. It is only illegal to use the opportunity to gain access to someone else's system - assuming they didn't allow you to do so.

I have discovered a few vulnerabilities on big sites that I frequent, on a couple of occasions. Both times after playing with them for a while to see how they worked, and perhaps showing a couple of people (none of which could actually use it for anything), I emailed the administrators to let them know and bash their coders for not doing any input sanitation.

Post by 3XTORTION »

We all agree that the act of defacing a website is very immature and lacks both intelligence and wisdom. So is attacking random hosts, because you're not hacking for a valid reason; instead you're just hitting whatever you can.

The digital holocaust occurs each time an exploit appears on Bugtraq, milw0rm or any, and kids across the world download it and target unprepared system administrators.

As for discovering an exploit and emailing the system administrator, I don't see why anyone should do that. Why would you help someone (unless he's your friend or you're paid to do this job) and propose a fix for his problem? I would keep the exploit as a 0day and only contact the admin or the vendor of the software in case the exploit has gone public. One of the main reasons for this policy and what it is meant to address is the need for non-disclosure. This way skiddies and fame-seekers no longer have the ability to 'hack' websites with just a few simple clicks... So why give powerful weapons to the kids all over?

So I don't think the question here should be "Is defacing random websites ethical or not" but instead "Is Defacing random websites an act of intelligence or stupidity?".

And we all know the answer to that.

Post by bad_brain »

it's neither intelligent nor ethical....it's nothing but mental masturbation for people that are too stupid and too lame to learn something valuable and useful.
what annoys me the most is that such people really think they are "hackers".....it's like walking in town from door to door and when you found an open one you call yourself "professional lockpicker". I am sure you can teach chimpanzees, parrots and dolphins to run a Perl-script too in 1-2 weeks (which is even faster than most skids need I guess).... :lol:

3X, it's not about discovering new exploits, people that deface sites usually look for known exploits on sites like milw0rm or packetstormsecurity and then scan whole IP ranges for websites where a specific string like "phpnuke 2001" appears....I have loads of such stupid scans in my IDS logs.

Post by ayu »

IceDane wrote: As for setting up a system to exploit and play with; I don't even see how that has anything to do with the discussion at hand. That's a completely valid thing to do, if you want to study exploits and vulnerabilities and the like. The term 'exploiting' pretty much just means 'using an opportunity'. It is only illegal to use the opportunity to gain access to someone else's system - assuming they didn't allow you to do so.
The first part was just to explain that I might as well play around with a vulnerability on an important system, as on a non-important one. The "I'm the kind of guy" part was just a random follow up.


3XTORTION wrote: So I don't think the question here should be "Is defacing random websites ethical or not" but instead "Is Defacing random websites an act of intelligence or stupidity?".
Well, you can still discover a vulnerability by yourself, exploit it and deface a website. The way there could be considered intelligent, then the part where you defaced the website could be questioned as ethical or not.
"The best place to hide a tree, is in a forest"

Post by 3XTORTION »

bad_brain wrote: 3X, it's not about discovering new exploits, people that deface sites usually look for known exploits on sites like milw0rm or packetstormsecurity and then scan whole IP ranges for websites where a specific string like "phpnuke 2001" appears....I have loads of such stupid scans in my IDS logs.
That's exactly what I meant :D

...
3XTORTION wrote: The digital holocaust occurs each time an exploit appears on Bugtraq, milw0rm or any, and kids across the world download it and target unprepared system administrators.
cats wrote: Well, you can still discover a vulnerability by yourself, exploit it and deface a website. The way there could be considered intelligent, then the part where you defaced the website could be questioned as ethical or not.
True, but my point was defacing random websites, and by that I mean google-dorking an exploit and hitting any vulnerable website for no valid reason.

Post by bad_brain »

yeah, if I could say "deface this specific site" (like suck-o.com, or microsoft.com) and he does it he would surely get my respect, but defacing random sites found by scans or googledorks is simply laaaaame. I mean, look at the usual skiddie forums (we all know what sites I am talking about) and check with what kind of sites they show off in their "defacement boards":
amateur sites nobody ever heard of, and those sites mostly have been abandoned since months or even years already....that impresses me as much as a sack of rice falling over in China.
Last edited by bad_brain on 06 Jan 2010, 05:54, edited 1 time in total.

Post by waringers »

I kinda agree with b_b on this one. If you deface a site that has been abandoned a while back, or a site that no one has ever heard of, it's stupid and a waste of time. It's what script kiddies do to impress their friends or other random people. But ya, if you get into a site like myspace or twitter, then you got some skill and it's something to brag about (not that you'd want to after defacing myspace). But I don't see why anyone would deface a site other than to impress their friends, which is as you all said, immature, lame, and 100% skiddie.
Share what I know, Learn What I don't.
