Releasing Private Credentials on the Internet
Posted on November 18, 2007
Filed Under Uncategorized
See this post on Bruce Schneier's security blog:
http://www.schneier.com/blog/archives/2007/11/dan_egerstad_ar.html
I will post my own comment to it in the comments of this post; you can see them on Bruce's blog as well. I must be feeling contrary; I chose to take the less popular position.
Comments
One Response to “Releasing Private Credentials on the Internet”
welcome
You have entered 'start your head on fire,' housed at www.robertbeverly.com. 'start your head on fire' is the blog of Robert Beverly. It is not a very serious blog. Mr. Beverly writes most of the news items, but you will also see us (Debbie and Secretia) posting from time to time to clarify things. We are his "blog secretaries."
By operating a Tor server, Egerstad was offering a service. If any of the users exposed on the Internet were legitimate owners of the accounts, didn’t he betray the trust of those users by posting email credentials? Never mind that it was easy to do; it is always easy to exploit people who trust in a security measure, or a person’s intentions. You cannot say, to quote Bruce in his podcast for Educause, “it’s her fault for walking down that alley.” (Bruce, you seem to disagree in your post above, but I know we are not comparing apples to apples here… sorry if I am misusing that statement).
I think releasing the credentials the way he did may have been a lapse in judgment. Yes, the community needs to know that the tool they are using can be exploited, and easily. But the “shock” approach is not the only way to market and distribute an important piece of knowledge, and probably not the best way.
If no damage was done as a result of his actions, perhaps Egerstad will come out of this without any further consequence. If there is no specific law about posting other people’s private credentials on a public web site, better still for him. But you can look at this from a liability standpoint as well.
Suspend disbelief for a moment and assume that, prior to the release of account credentials, nobody with malicious intent had compromised the account belonging to the Office of the Dalai Lama. As a result of the posting, the account could be compromised, and people or governments wishing to subvert Tibetan independence could prosper from the information, to the detriment of the Dalai Lama. If nothing else, Egerstad would have committed a tort against the Office of the Dalai Lama. Whether there would ever be a consequence for Egerstad, I do not know. But if he thought it through, would he want to potentially subvert Tibetan independence?
I admit that the above has movie-plot elements. But even if I have to resort to reductio ad absurdum, it seems like the question of whether Egerstad did something wrong should be argued. There is certainly the potential for wrong, is there not? Why increase the security/privacy risk to the users of his own exit node? Is that raping someone to prove that rape is a possibility?
If Egerstad defines himself as a researcher, his best approach is to research a better way of protecting privacy on the Internet and submit it to peer review. An open-source project, even a ‘fork’ project, would be one possible suggestion. Another approach would have been to raise awareness of the problem without increasing anyone’s exposure to risk, if possible. Instead he took action without knowing (or caring?) what the result would be. Acting without knowing the consequences of your actions, in legal terms, can amount to either negligence or recklessness.
On the note of recklessness, recall that Egerstad is quoted as saying ‘Screw it, I’m just going to put it online and see what happens’. That is from the article here. Note that he might have elevated the charges against himself from negligence to recklessness in that quote, if laws in his country are similar to US laws on such matters. What is important for Egerstad to know is this: if his actions damaged an innocent party, he was either reckless, or at best negligent. I hope I am not alone in my feeling that a ‘security researcher’ should avoid recklessness.