Panel Debates Hacker Amnesty
Kevin Poulsen, SecurityFocus 2002-03-25

Should hack-and-tell intruders who warn companies about security holes do time with hardened criminals? Security experts probe the ethics of hacking.

Panel Debates Hacker Amnesty 2002-03-26
Anonymous (2 replies)
Panel Debates Hacker Amnesty 2002-03-26
Anonymous (1 replies)
Panel Debates Hacker Amnesty 2002-03-26
Anonymous
Panel Debates Hacker Amnesty 2002-03-26
Surreal (1 replies)
Panel Debates Hacker Amnesty 2002-03-26
Anonymous
Panel Debates Hacker Amnesty 2002-03-26
Robert P (1 replies)
Panel Debates Hacker Amnesty 2002-03-26
Anonymous
Panel Debates Hacker Amnesty 2002-03-27
Martin
Panel Debates Hacker Amnesty 2002-03-27
Anonymous
Panel Debates Hacker Amnesty 2002-03-27
Ichinin (Ichinin (at) suespammers (dot) org [email concealed], TEXT messages only NO HTML)
Panel Debates Hacker Amnesty 2002-03-27
To the armchair sec analysts
Panel Debates Hacker Amnesty 2002-03-27
Anonymous
Panel Debates Hacker Amnesty 2002-03-27
Andy Richmond
Panel Debates Hacker Amnesty 2002-03-27
Patrick
Panel Debates Hacker Amnesty 2002-03-28
Dimitri Sinchovich
I am going to play devil's advocate here because personally I believe Mr. Lamo should be put in prison. I must say I find all your posts amusing within the context of this discussion. I was especially amused by the anonymous poster who noted that Mr. Lamo exhibited a lack of ethics. I personally believe that ethics and morality have no bearing upon this argument. The legality of Mr. Lamo's actions is obviously questionable at best, but since Mr. Lamo has followed a pattern of notifying everyone he has breached afterwards, he has a code which he himself follows. While it may differ from your perception of moral correctness, it is simply a difference of opinion. Most social ethics arise from the fact that someone is being hurt. I fail to see how Mr. Lamo's actions specifically hurt anyone up until the point where he went public with his findings. When he went public it hurt the companies' reputation, but I fail to see how the initial breach did. The analogy to breaking and entering versus computer hacking may be correct in a sense, but it can't be made on a personal level. If someone broke into my house and I found out about it, obviously I'd feel violated. Corporations, especially leaning towards the larger ones, do not have this psychological problem. Assume that the person who broke in took nothing at all. 3 possible situations would occur....

1. They were undiscovered, and as they say, if a tree falls in the forest

2. They are discovered and the company's security is beefed up as a result

3. They aren't discovered but 2 months later they email the media and give evidence that they had broken into the building.

Now who is hurt?

The first 2 situations don't really hurt anyone, do they? The third can embarrass the company etc. and then the issue becomes more complex.

Let us also not forget the information Mr. Lamo has exposed. It has in all cases been invariably linked to you and me. Customer data. I tend to look at it more like the corporations have exposed data about me, rather than Mr. Lamo has exposed data about me.

As far as him keeping mementos etc., who really cares? It's not as if he deprives the corporation of them. This brings to light one of the more interesting arguments made regarding actions of ppl like Mr. Lamo. Because he has the power to sell this information, profit off it etc., does that make it more or less wrong? "What do we know about what he is doing with that internal data". I find this question to be ridiculous; if in the future he uses the data to perpetuate criminal activities then fine, let him be prosecuted for it. The fact is all this information is in databases @ these companies anyway and the only ppl who check to make sure it's not handed to real criminals are ppl like Mr. Lamo.

Anyway to end this horribly written, fragmented rambling of random points:

I think Mr. Lamo should be prosecuted because that's what the law requires. Ethically I don't think he should be. Do I think the law should be changed to allow for people like Mr. Lamo? I think it should be evaluated on a case by case basis. If there is no real harm done, there is no real harm done. Incidentally, I also find the practice of charging intruders with the money it requires to fix security issues equally ridiculous. If you keep any sort of data which is not meant to be disclosed to the public, especially information such as customer data etc., then it is your responsibility to keep it secure. Otherwise one could be tempted to argue that since the company houses data which could infringe my rights if it's compromised, then I have the right to make sure that information is protected.

Sorry that this is disjointed; someone is translating for me from Bulgarian.

Dimitri

Panel Debates Hacker Amnesty 2002-03-28
Anonymous
Panel Debates Hacker Amnesty 2002-03-28
Anonymous
Panel Debates Hacker Amnesty 2002-03-29
Snagnbytz
NYT Should Prosecute... 2002-03-29
Brian Powell (1 replies)
NYT Should Prosecute... 2002-04-01
Anonymous
Panel Debates Hacker Amnesty 2002-03-31
Anonymous
Panel Debates Hacker Amnesty 2002-03-31
Anonymous
Damn the man! 2002-04-01
RK2K
What else did he get in to? 2002-04-01
CrazyNetworkGuy
Panel Debates Hacker Amnesty 2002-04-02
Hamster1
Panel Debates Hacker Amnesty 2002-04-02
John in Virginia
After reading these posts... 2002-04-02
Robert Perriero (1 replies)
I agree completely 2002-04-02
Scorp
Panel Debates Hacker Amnesty 2002-04-02
John P.
Panel Debates Hacker Amnesty 2002-04-02
Anonymous Lady
Panel Debates Hacker Amnesty 2002-04-03
Anonymous
Copyright 2009, SecurityFocus