Commentary

Offensive Computing: A Bad Idea That Never Dies

Your network is getting scanned from some system on the other side of the country, or perhaps the globe. You traceroute the IP address, and discern the offending system is infected with a bot that's trying to infect you. You take a look at the device and see it's not patched for a multitude of OS vulnerabilities. Is it ethical (never mind legal) for you to take the system down with some exploits of your own? It's clearly not legal in most areas I'm familiar with. But let's set that annoying fact aside for a moment.

I despise the topic of "offensive computing." The controversial subject seems to come up every couple of years. Following the massive Code Red worm outbreak in the summer of 2001, which brought many networks to a crawl, we had the counter-worms Code Green and CRclean surface shortly thereafter: both were devised to spread and patch Code Red's target, unpatched IIS Web servers.

It was a desperate time, and sometimes those times call for desperate measures. But these types of worms aren't a good idea. Too many potential unintended consequences. Too high of a risk of collateral damage: innocent networks clogged -- or even data destroyed -- because of a programming error.

In fact, the very idea of offensive computer actions goes against the 10 Commandments of Computer Ethics, which were created in 1992 by the Computer Ethics Institute and are supposedly the foundation for the CISSP's own ethics rules:


The Commandments
