Offensive Computing: A Bad Idea That Never Dies
Your network is getting scanned from some system on the other side of the country, or perhaps the globe. You traceroute the IP address, and discern the offending system is infected with a bot that's trying to infect you. You take a look at the device and see it's not patched for a multitude of OS vulnerabilities. Is it ethical (never mind legal) for you to take the system down with some exploits of your own?
March 5, 2009
Your network is getting scanned from some system on the other side of the country, or perhaps the globe. You traceroute the IP address, and discern the offending system is infected with a bot that's trying to infect you. You take a look at the device and see it's not patched for a multitude of OS vulnerabilities. Is it ethical (never mind legal) for you to take the system down with some exploits of your own?It's clearly not legal in most areas I'm familiar with. But let's set that annoying fact aside for a moment.
I despise the topic of "offensive computing." The controversial subject seems to come up every couple of years. Following the massive Code Red worm outbreak in the summer of 2001, which brought many networks to a crawl. Shortly thereafter we had the counter-worms Code Green and CRclean surface: both were devised to spread and patch Code Red's target: unpatched IIS Web servers.
It was a desperate time, and sometimes those times call for desperate measures. But these types of worms aren't a good idea. Too many potential unintended consequences. Too high of a risk of collateral damage: innocent networks clogged -- or even data destroyed -- because of a programming error.
In fact, the very idea of offensive computer actions goes against the 10 Commandments of Computer Ethics, created in 1992, by the Computer Ethics Institute, and are supposedly the foundation for the CISSP's own ethics rules:
"The Commandments"
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024