Re: A question of ethics.



>Ok, I'm in a bit of a quandary.  While surfing the net last week, I
>happened across an address attached to a machine that belongs to the 
>federal reserve.  No big deal.  I telnetted there on a lark, and entered 
>'guest' for the account.  It dropped me into a shell.  It didn't ask for 
>a password.  Intrigued, I did a little looking around.  Nothing special, 
>a CDRom and about 80 accounts.  But(!!), /etc/passwd was there and 
>available and not using shadows.  No, I didn't snatch a copy.
>
>Quandary(ies)
>
>1)  Should I alert someone there about the obvious (and, IMHO serious) 
>security hole?
>
>	or
>
>2)  Should I ignore it?
>
>3)  Should I take advantage of it (well, maybe not)
>
>----------
>
>I don't like to see systems so open, no matter who they belong to, and 
>the fact that the government (whether you like them or not) has one this 
>open REALLY bothers me. 
>
>But, I also wonder what kind of trouble I could get into.  Technically, I 
>violated something just by being there as I didn't have permission, and 
>the fact I accessed the passwd file makes it even worse.  If I report it, 
>I could be in deep shit.
>
>I could mail to them via a remailer (like penet.fi, so that they could 
>answer for more information if needed).  That is a little securer and 
>Julf is out of jurisdiction of the FBI hunting me down.
>
>Yes, I'm a little paranoid, but Uncle Sam likes to make examples out of 
>white-collar hackers, and for me it was pure and dumb luck (like a jury 
>would believe a 22 year-old computer geek isn't trying to gain illegal 
>access).
>
>Any suggestions?  Please?  I consider this to be serious (most may not).

Go to a COCOT and call Ms Flanagan below.  *Not* the Tech contact, who is
most likely the person who fucked up and will want to cover his butt.  The
admin contact should be more sympathetic...

   20th and C Streets, NW
   Washington, DC 20551

   Domain Name: FRB.GOV

   Administrative Contact:
      Flanagan, Elizabeth R.  (ERF7)  [email protected]
      (202) 452-2672
   Technical Contact, Zone Contact:
      Drzyzgula, Robert P.  (RPD5)  [email protected]
      (202) 452-3425

   Record last updated on 14-Aug-91.

   Domain servers in listed order:

   NS.UU.NET                    137.39.1.3
   UUCP-GW-1.PA.DEC.COM         16.1.0.18
   UUCP-GW-2.PA.DEC.COM         16.1.0.19