Kind of sad

Justin M. Streiner streiner at cluebyfour.org
Wed Nov 12 15:57:59 UTC 2014


On Wed, 12 Nov 2014, Sholes, Joshua wrote:

> I concur.  I was recently an admin/ITSO for a defense contractor, and
> from a network logging standpoint it is VERY difficult to tell the
> difference between what you posted and a really subtle
> social-engineering-enabled attack--and EVERY attacker these days has to be
> assumed to be subtle.

Agree completely.  While the OP's intentions might be honorable, even if 
he notified the organization directly, they might not react the way he 
would want:

"Thank you for bringing this to our attention!  We will get it fixed 
immediately."

I am not a lawyer, but I would strongly advise against randomly logging 
into hosts on a network where I don't have a formal business relationship 
that includes explicit authorization to do pen-testing and other 
[insert-color-here]-hat activities.

Being a good Samaritan and the current state of computer crime laws do not 
always line up very nicely with each other.

Bottom line: Tread carefully.

jms


More information about the NANOG mailing list