Why won't people let you help them?

[bandchicky314]

I've been reading some stuff on the Ethics forum and a lot of people are asking whether or not to report vulnerabilities to the sites admin or IT or whatever. Aside from the fear of legal action being taken against them (sad too but not the point) people are mad that the company will get pissed off at them. I don't understand as why people won't let you privately disclose vulnerabilities to them. I mean I know that some people are 14 and people don't like to listen to 14 year olds (because apparently we're all stupid) but other than that I just don't get it.

So I want your thoughts on it. Please discuss with me.

[Goatboy]

I am pretty sure people get mad based on some psychological desire to be right. By revealing a flaw in their system, you are essentially saying "You dun goofed." Or it might just be that they see you as a threat and don't know any other way to react.

[pretentious]

This has happened to me. I thought the webmaster will welcome my input and appreciate that in a way, I've gone to the trouble to help him do his job. Instead, I'm met with abuse. No user with legitimate use or resources in mind would try what i did, so I'm certainly not in the right and look a bit dodgy for finding it, but surely ironing out logical errors in a website is a good thing? And I'm pretty sure the webmaster just dismissed the problem because no one will ever try it, so it doesn't need to be fixed, which in my opinion, isn't the right way to go. Might be obvious, but i think the reason why it is a problem is because by disclosing vulnerabilities, you are basically admitting to snooping around their stuff.

[bandchicky314]

One more stupid question why I'm here, is poking around their stuff illegal? Or is just admitting to it illegal?

[Goatboy]

One more stupid question why I'm here, is poking around their stuff illegal? Or is just admitting to it illegal?

As long as you don't actually break into anything, it's legal. Unless of course they specifically say otherwise, but there's little chance of them enforcing it.

[bandchicky314]

So viewing the source code would be legal, but using SQL injections on an admin page wouldn't be legal?

[Goatboy]

So viewing the source code would be legal, but using SQL injections on an admin page wouldn't be legal?

Yea... Simply by visiting a page you're downloading a copy of the source code, so there is absolutely no grounds to make that illegal. SQL injections are only done to break into a site, so of course that would be illegal.

Why is this in Philosophy/Ethics?

[pretentious]

So viewing the source code would be legal, but using SQL injections on an admin page wouldn't be legal?

Viewing source code is definitely fine. I think the second one is an interesting question though. From my interpretation of the law, where hacking is defined by unauthorized access to a computer, throwing SQL injections at the admin page isn't illegal unless you actually gain access. I'm probably full of crap though

[bandchicky314]

I'm sorry Goatboy I wasn't sure where to post it. Pretentious makes an interesting point, but if you actually do find the SQL that works and you gain access (which to my knowledge is the point of SQLs [correct me if wrong please]) you would be hacking anyways so it would be irrelevant.

[pretentious]

if you actually do find the SQL that works and you gain access....you would be hacking anyways so it would be irrelevant.

While my point inevitably leads to the same conclusion. You asked:

using SQL injections on an admin page wouldn't be legal?

My post was mealy suggesting that the action by itself might not be illegal, only the consequence.
You get arrested for killing the person, not firing the gun. Or something like that. Anyway, it's not worth debating, i'm probably wrong.