[plug] Community Hacking...

Christian christian at amnet.net.au
Tue Aug 22 14:52:54 WST 2000


On Tue, Aug 22, 2000 at 02:22:12PM +0800, Petter Reinholdtsen wrote:
 
> The issue for me is what to accept and what to not accept, and which
> consequences to draw from the things that happened.  I believe most
> people offered trust will show trust and responsibility in return.

Most people, hopefully, would.  But most is not all and, to me, that
suggests people should minimise their risk from the irresponsible and
untrustworthy minority.  Do you have a lock on your front door?  Do you
lock your car?  If so, you would appear to agree with me!

> Someone made a request for help by offering trust to the PLUG mailing
> list.  This is something that should be done more often.  Those
> offering this trust need to make sure they can afford to have this
> trust broken.

You speak of "the PLUG mailing list" like it is a known entity.  It is
not.  It is not only the people subscribed (which only really Matt
knows) but also anyone who reads the archive that Tony manages.

> When it is claimed that this request for help is _bound_ to be misused
> is to me another way of saying it is wrong to request help by offering
> trust to the plug mailing list.  I do not find this is acceptable.

I'm not sure there is any choice BUT to accept it.

> If someone misuses the trust, this is both stupid, short sighted and
> hopefully illegal.  And the act is not acceptable.

I agree that if someone breaks into a system it is stupid, short sighted
and (hopefully) punishable (=> illegal).  However, if you give pretty
much anyone in the world open access to your system with the expectation
that no one will abuse that trust then that is *naive* and short
sighted.

> When you disabled .bash_history, and thus made it impossible to keep
> an eye on the things done to the machine, you broke the trust given to
> the mailing list.  When you locked down the machine and made the offer
> of trust disappear, I believe you indirectly accepted the acts by
> people misusing an offer.  I do not think this is acceptable.

It was impossible to verify anything that had been done to the machine
BEFORE I disabled .bash_history; as has been confirmed here (and
numerous other places), the history file is NOT an audit trail.  I
believe I validated the offer of trust by securing the system and trying
to help the owner ensure that the system was not exposed again.  Leaving
the system open would have been irresponsible.  You say I'm accepting
the possibility of something bad happening and, by doing so, I'm
promoting it.  I understand your reasoning but I cannot agree with it.
I believe I acted as a responsible citizen by limiting the possibility
of a crime by acknowledging that possibility (even, probability) and
seeking to nullify it.  I believe the trust was misplaced and I'm sorry
if that conflicts with your (I believe, highly naive) idealistic view of
the world.

> If someone opens their house and invites everyone who wants to give it
> a try in to try to fix a problem, and someone starts trashing the
> house, I hope it is obvious who did the bad things and who did the
> acceptable things.

But I doubt the insurance company would pay for the damage.  They would
say that the owner brought it on themselves through their own
negligence.  I think they would be right.  If you actually believe your
own rhetoric then you would be quite happy doing things such as leaving
your house/car unlocked, publishing the password(s) to machines you have
accounts on, publishing your PIN and credit card numbers etc., etc.

> Locking the door and letting the house owner know that this is not the
> way to get help is not a stupid thing to do, but I do not think it is
> acceptable either.

Walking on and leaving the house wide open saying "Oh well, it's their
own fault if they get broken into" is a fairly irresponsible and
anti-social thing to do in my opinion.  If you truly think that
acknowledging evil and trying to protect somebody from it is an
unacceptable thing to do then I find that very strange indeed.

Contrary to your disclaimer, your English is fine and you have explained
yourself well.  I understand what you are saying but I don't believe it
stands up to any sort of inspection.  As I said, if you believe your own
rhetoric then your course of action is clear.


