Questions tagged [ethics]

The branch of philosophy that deals with how professionals should make decisions about their professional and social conduct.

71 questions
366 votes • 22 answers

I found that the company I work for is putting a backdoor into mobile phones

I have found out recently that the remote assistant software that we put in a smartphone we sell can be activated by us without user approval. We are not using this option, and it is probably there by mistake. But the people who are responsible for…
anonymousquery • 2,991 • 2 • 13 • 4
141 votes • 8 answers

How do I report a security vulnerability about a trusted certificate authority?

I stumbled across a huge security vulnerability in a Certificate Authority that is trusted by all modern browsers and computers. Specifically, I am able to get a valid signed certificate for a domain I don't own. If I had the means to become a Man…
MotorStoicLathe • 1,031 • 2 • 8 • 8
135 votes • 16 answers

What should I do when my boss asks me to fabricate audit log data?

My boss just asked me to create a fictitious log entry to say that a user's account was updated before it was, to win a dispute. I feel this is not right because I am trying to start a career in working with data technology. Whether or not I get…
computer_nurd
78 votes • 6 answers

How to disclose a security vulnerability in an ethical fashion?

How to disclose a security vulnerability in an ethical way? I've heard there are various schools of thought on this topic. I'd like to know the pros/cons of each.
Olivier Lalonde • 5,039 • 8 • 31 • 35
61 votes • 4 answers

I think I accidentally DoS'd a website. What should I do?

I was browsing a website, and stumbled across a sample scheme for password-protecting web pages. The owner of the website specifically had a page that invited people to attempt to hack it. I wanted to give it a try, so I wrote up a quick python…
Michael0x2a • 721 • 1 • 5 • 9
29 votes • 4 answers

Consequences of grey hat hacking

While I was working on an anomaly detection system (finding cheaters in a quite popular online game service) I accidentally found a way to get a password of a user in a reasonable amount of time. Basically, the whole idea to build an anomaly…
Salvador Dali • 1,745 • 1 • 19 • 32
20 votes • 10 answers

Is it ever appropriate to fight back?

When a website or system is being attacked, is there ever a scenario where it should automatically take action against the attackers rather than just passively handling the attack? If so, what responses are appropriate and legal? Are there any…
VirtuosiMedia • 3,142 • 3 • 26 • 32
18 votes • 2 answers

How to handle security issues of someone else's website

A few weeks ago I found that someone has posted admin account details for a certain website on a public wiki by mistake. As I found that data to be real (i.e. I could log into their website run by Wordpress), I immediately did the following: I…
selfthinker • 285 • 1 • 6
18 votes • 2 answers

What are legal/ethical concerns to bear in mind, when hacking websites with open invitations?

I was reading another question which mentions a site that had a page inviting people to try to hack it, and it made me wonder. Let's assume, for the sake of this rather hypothetical question, that a site has a page asking people to hack it, and that…
Yoav Aner • 5,299 • 3 • 24 • 37
16 votes • 3 answers

Reporting vulnerable sites

Take this scenario: You browse the web and find a website that is vulnerable to SQL Injection. Being a good guy/gal you report the vulnerability to the site owner (if you are able to find contact details). What do you do if no one replies back or…
16 votes • 4 answers

Is decompiling software considered unethical or illegal?

Is decompiling a dynamic link library considered unethical/illegal or blackhat? If, for instance, the result of the decompile showed methods and literals that contain passwords that the application uses, is simply viewing decompiled source code…
Lock • 261 • 1 • 2 • 4
13 votes • 3 answers

Whistleblowing, business ethics and credit card data

I'm writing this post as I'm facing a personal, ethical dilemma and I would like feedback on the best way to approach this situation, particularly from a philosophical point of view. I work for a small business. I'm part-time, doing "grunt" work…
ethically_minded
11 votes • 1 answer

Burpsuite accidental defacement, should I be concerned?

I was spidering a website with Burpsuite and the automated Form Submission caused me to unknowingly deface the main page with "555-555-0199@example.com". It took me a decent amount of time to notice but when I did I immediately worked to resolve the…
QUEX0R • 113 • 1 • 5
10 votes • 5 answers

Is it ethical to use ReCAPTCHA to decode house addresses?

I noticed recently that ReCAPTCHA is using house numbers and street numbers as images for humans to decode. How ethical is it for Google to do this? Does it hamper privacy of an individual? TechCrunch has reported it way back in 2012, and…
Vineet Menon • 393 • 3 • 10
10 votes • 4 answers

How should I escalate a vulnerability that is dismissed by the vendor?

I've come across a vulnerability that secure@microsoft does not think is worth pursuing. I would estimate that there are many, many customers affected by this issue. I do not want to start a grassroots campaign to fix this, as that would publish the…
makerofthings7 • 50,090 • 54 • 250 • 536