Saturday, February 5, 2011

The house hacking analogy

...and why I dislike it.

First off, the obvious point: a house is clearly nothing like a computer or a network. People love to use this analogy when talking about security. The conversation usually goes something like this:

Me: "I think that pointing out security flaws does not equate to an immoral act. In other words: if my intent is purely non-destructive, how can it be considered wrong?"

Them: "It's wrong in the same way that breaking into a house is wrong."

Clearly this person is invoking the social contract regarding the expectation of security. This contract states that if you break into my house, or otherwise violate the physical security of this domicile, you will be sanctioned based on the nature of your entry and your subsequent crimes that result from an unauthorized entry.

The parallel here is that the physical security of my house is like the physical security of a network or computer system. If it's wrong to break into my house, then it's wrong to break into my computer as well.

I don't think this holds up like people think. First off, as far as a house goes, the borders and boundaries are clearly laid out. With computers and networks, not so much. The obvious scenario is a hacker gaining clearly unauthorized access to the system. In this case it's clear that no matter what this person does, they're doing it illegally. Gaining access to a network that you know you aren't supposed to be on is clearly wrong.

My differentiation here is that it's not illegal or immoral to find the flaw. The act of proving it (in most cases) is the same as exploiting it, which makes this a bit of a semantic argument.

However, there are cases when exploiting by proving is worth less than the knowledge gained by knowing about the problem. For example, if we go back to the analogy of the house, imagine calling the owner to let them know that their front door was open (and you knew it was open since you were standing inside the house), and that perhaps the owner should do something about this before someone robs them blind. One might be inclined to think that the owner of the house would greatly appreciate this person pointing this out, perhaps even paying this person to shut the door for them.

The person that entered the house was in breach of the social contract. They violated the expectation of security, however, they did it because the door was open, literally. I propose that the immorality of violating this social contract is grossly outweighed by the person doing the right thing, and clearly having no intentions of doing anything but.

This is not what we see in the computer world. Unfortunately the world I live in is far more apathetic than this. I usually hear people suggest that "it's not your problem to point out," as if to suggest that I should just shrug it off and say "it is what it is." Apathy pisses me off greatly.

The problem here is that this isn't just a house; it's more like a warehouse full of boxes of your information. I am a professional in the Information Systems profession, and as such it is my duty as a professional to point out the potential problems of any network or system I come across. I see this as my charge, my duty as a professional. I guess in some corny way I see myself as some kind of IS samurai. Everything I do is focused on a more complete mastery of my craft. Ignoring a problem with someone else's network (read: YO MORON, YOUR DOOR IS OPEN) is something I will not do, just like I wouldn't ignore someone breaking into your house.

Breaking into a house hurts that family and the people closely attached to that family, even neighbors. Someone breaking into a warehouse hurts everyone who had information stored there, their families, and everyone connected to them. I can't help thinking that my expectation of security for my home would extend to the warehouse. However, this is rarely ever the case. The unfortunate reality is that people are so busy beating people like me over the head with their own stupidity that now we just don't give a fuck. I know for damn sure that the next time I find a security hole I'm not going to point it out, then laugh while people get fucked from the fallout.