
The Vigilantes Who Created 'Malware' to Secure 10,000 Routers - cdubzzz
http://www.forbes.com/sites/thomasbrewster/2015/10/06/mystery-white-team-vigilante-hackers-speak-out/
======
logfromblammo
I have already considered this as an ethical hypothetical scenario. Is it
acceptable to break into someone else's system for the purposes of preventing
other people with unknowable motives from breaking in, or to stop a break-in
already in progress?

For a full answer, I also need to answer some other questions. Is there any
way to contact the owner of the device that has a reasonable chance of
success? Are there any reasons why the owner might leave the device in an
unsecured state intentionally? Is the device spreading harm to others because
it is insecure? Is the owner aware that the device is not secure?

I decided that the scenario was analogous not just to someone leaving their
car doors unlocked in a high-crime neighborhood, but to a medical quarantine.
An unlocked car doesn't really hurt anyone else, but an unaware carrier of a
contagious pathogen is dangerous to himself and to others. It then becomes
more acceptable to force treatment on an unwilling or unaware person, for the
sake of public health.

As a result, I figured that a program like the following would be ethically
acceptable, but not necessarily virtuous:

      - uses a single specific vulnerability to compromise systems
      - immediately patches the vulnerability out of an infected system
      - attempts to detect and remove any known malware
      - goes dormant for a variable amount of time
      - attempts to infect other systems at a slow rate for a fixed amount of time
      - removes itself from the infected system
      - leaves behind a human-readable log of its activity

It would also be helpful for it to be accompanied by a fix for the
vulnerability in the official device update stream.

~~~
AnimalMuppet
In the physical world, this type of "helpfulness" would get you shot dead, as
you broke into someone's house for what you considered to be "helpful"
reasons.

The medical quarantine example is interesting, but there is a critical
difference: There are officially recognized medical authorities with the legal
power to require you to be quarantined. Currently, no such authorities exist
on the network.

So the example is more like: some people with medical knowledge _but no actual
standing_ try to quarantine you. But it's not quite as bad as it sounds,
because there exists no Health Department to do so officially. (For that
matter, there doesn't exist much government at all, in any form.) What's more,
since there is no government to enforce this, the self-appointed expert
quarantines you _without your permission_.

I can see the reasoning behind it, but I'm not willing to go so far as to call
it moral/ethical behavior.

~~~
frozenport
Perhaps forced vaccination, as it has little interference with your everyday
life.

~~~
duaneb
Some vaccinations are riskier than others. While it's fairly clear they don't
cause autism after that whole braindead debate, they aren't exactly risk free
EITHER, though complications are vaccine specific, rare, and not very well
understood because of the rarity.

It's very easy to violate someone's self determination rights with the best
intentions and still hurt them. In the virus parallel the vector is an unknown
quantity. It doesn't entirely seal the router, and doing it without permission
may in fact increase the vulnerability of the router (or brick it, if things
go wrong).

I find this really interesting, but it's very hard to back from a moral or
ethical point of view.

~~~
logfromblammo
It is hard to accept and hard to condemn. I find it to be tolerable.

The end result benefits me slightly, yet the means does not entirely justify
it.

If I lived in the tropics, I'm not certain how I would feel if I returned home
to find that a band of rogues had broken into my house, installed new
insecticidal bed nets in all bedrooms, and locked up after themselves on their
way out, without touching anything else. On the one hand, hey, free bed nets.
On the other hand, no one bothered to ask my permission. Or knock.

But then maybe I hear about a terrifying disease currently spreading via the
saliva of the oogeyboogeyfly, who will chew through untreated bednets, or
insecticidal nets older than 6 months, to bite sleeping people, and only new
ones treated with skellingtol will work to stop them.

In that case, there was

      - an overriding concern for public safety, from an actual threat
      - some urgency, such that voluntary compliance might be too slow
      - a risk that some might not take effective preventative measures
      - no malicious intent toward me, specifically

The target of the action was actually the oogeyboogeyfly, which I was
unknowingly providing with a safe platform for spreading disease. So it comes
down to the old Star Trek 3 dilemma: if you could save a thousand lives by
letting just one person die, would it be ethical to do it? Would it still be
ethical if that one person wasn't you?

~~~
duaneb
Yeah, but you're ignoring the fact that _people might want to get malaria_. Not
everyone likes being taken care of; some want to live life the way they want
to (e.g. short and fast, but without bug nets).

~~~
logfromblammo
People might also want to walk into my living room and remove my television
set from it. I can't stop them wanting it, but I can stop them doing it. If
you threaten my life, liberty, or property, it is ethical for me to defend
those things, regardless of whether your threat is the product of malice,
ignorance, or negligence.

If you intentionally get yourself infected with a zoonotic pathogen and start
cavorting with one of the carrier species, at minimum, you're going to get a
severe beating when the town finds out about it. If you don't take care of
yourself as a person, someone else might take care of you as their problem.

------
ix5
I must admit, to me it first seemed more like someone wanted all those devices
to be their own botnet without having script kiddies interfering and possibly
causing a stir, instead preferring to keep everything for the exclusive use
of the botnet owner.

------
imglorp
The worm left backdoors for future use. It booted off competition so it would
have the whole device to itself, ready for instructions.

~~~
PhasmaFelis
IIRC, it also instructs the user to update and secure their firmware, wiping
and blocking the vigilante worm as well as other malware. That doesn't seem
like a plan for building a secure criminal botnet.

------
cdubzzz
Link to the GitLab page:
[https://gitlab.com/rav7teif/linux.wifatch](https://gitlab.com/rav7teif/linux.wifatch)

------
rasz_pl
The more clueless people pick the story the more distorted it gets.

There are VERY FEW ARM-based routers. The huge majority runs MIPS. You know
what runs ARM? Stupid IoT devices, security systems/cameras, and custom/very
specialized niche jobs.

Here is a graph from the original story:
[http://www.symantec.com/connect/sites/default/files/users/us...](http://www.symantec.com/connect/sites/default/files/users/user-2598031/Fig4_10.png)

------
josefresco
Trying to think of a real world analogy - let's say your car was compromised
and hackers were using it when it was idle to launch attacks, or make money.
Would I be mad if someone entered my car and turned on/activated the locks?

~~~
CorpOverreach
Assuming everything went as planned, no problem. But to play devil's
advocate...

The risk with these things is always the "what if?". What if during that patch
it bricked my device due to some fluke? What if I had a special customization
that relied on a specific behavior on the component that was just updated
without my consent?

What if that patch attempt to a vehicle fails, leaving it unable to turn on?
What if that vehicle was an ambulance?

~~~
anon4
I think their answer would be "the needs of the many outweigh the needs of the
few"...

And to flip that argument again - would you prefer your device to be bricked
by someone trying to run a webserver serving child pornography, or by someone
trying to protect you from the first?

~~~
ethbro
Aka the "yelling 'Fire!' in a crowded movie theater is not free speech"
exception. It's good for the guy who wants to yell "Fire", but is it good for
the majority?

If you patch routers and 1% get bricked by some fluke, is that not a win for
society?

Also, to rebut the "How dare you change the firmware on my router without my
consent?!" point, let's not forget these were essentially unprotected routers
at this point in the applied_patch vs known_vulnerability cycle. If you don't
want anyone patching your router without your permission... SECURE YOUR OWN
PROPERTY.

If I leave something on the sidewalk, I don't get angry when people cart it
off / step on it. I especially don't get angry when they glue the broken bits
back together and leave it on my doorstep with a note saying "We noticed this
was broken. Superglue works wonders! Here's the number for a hardware store
where you can buy it."

------
jessaustin
This is basically what sent Max Vision to prison in 2001, right? I hope
there's better opsec with this. Also _never_ talk to the cops...

