A Question of Programming Ethics

Cool … it’s OK to steal a log-in and password from source code, illegally log in to the email account and destroy all the messages [and the account had the perp figured out how] -because- you guys didn’t like what the vendor was doing.

You haven’t the foggiest fricking idea what he was /actually/ doing with any of that information - but your assumption that he was up to no good gives you the warm and fuzzy you need to do whatever the hell you want. Bah … I call BS!

Please don’t confuse /any/ of this with any misguided perception that I condone what originally happened - I’m appalled -but- that doesn’t give you the right …

the doctrine of double-effect
Horse hockey!

Both events [provided the first one is /actually/ illegal] should be punishable by law.

Have a pleasant day,

That’s why I don’t trust shareware. They can leave you with a bunch of spyware and steal your personal information. The only software that I can trust is free (as in freedom) software.

Curious thought. The email address may have been embedded in the code and done what you say, but the snapshot of the inbox shows that ALL of those passwords and email addresses were NEW and UNREAD.

Although it was a completely dumbass way of going about things, I would probably deduce that the email account was set up to capture those for the lost passwords and account names for those who use the program or something equally idiotic. In no way am I saying this is the right thing to do, but the programmer was more than likely extremely foolish, but mostly oblivious to the trust he was violating.

On the other hand, the gentleman you say had alerted google of this, violates someone else’s inbox, using someone else’s information that required a bit of digging to get, trashes this other party’s email account, and sends a note marking it for deletion.

This is ALSO a vast breach of proper ethics.

The first thing to do would be alert the programmer of this error, and request that it is dealt with in an ethical manner that alerts his users of this “programming error” and then re-releases with a better password storage option, if any at all.

If this fails to get any attention, then report it to the proper authorities or agency for dealing with this issue, as well as Google.

Your friend may be in some hot water for his actions as well.

Another reason to NOT reveal your password in software

Good thing you changed the password to the account. So is John Terry walking scot-free? I believe he has some explaining to do.

Holy Living Funk! What a huge scam, I’m going to every shareware download site that will let me post a review of this and link to this article, great job! Really love your blog, everyday reader for a few months now.

Orange? I’m typing in orange, and you wrote about John Orange. Heh.

EVERYONE SHOULD USE OPENID TO AVOID THIS CRAP :)

Even after all this, John Terry still has less information about his victims than your average Google employee.

IN GENERAL

if A does something illegal
and person B does something illegal to uncover it

B’s evidence should be admissible in court
and both A and B should be tried for the crimes they committed.

In our current society, though, police may uncover crucial evidence without a warrant but it will be inadmissible in court. I think it is much more fair for the evidence to still be admissible in court AND for the officer to be tried for the crime of breaking and entering. If they want to risk a few years in jail to put a violent criminal behind bars, they should have the ability to do so.

Greg

There is certainly an opportunity for academic debate on the ethics exhibited by Misters Brooks and Terry, but I know where I stand within that debate. Your view struck me right away, upon reading this article, but truthfully (non-violent) vigilante justice is consistent with my personal ethics, so I don’t see a conflict here. Especially when it comes down to this kind of rarely prosecuted, yet extremely harmful crime. Mr. Brooks, we are to presume, would never log into someone’s account maliciously. He was simply protecting himself, and others. Mr. Terry had no right to that information to begin with, I see no foul play in preventing him from accessing it, and forcing him to contact google… or sign up for another account, of course. I believe Mr. Brooks to be a hero without doubt.

Why do people act so shocked? If you download any app or go to any website which asks for your credentials to do anything you should be extremely cautious and only trust once you’ve verified that it is legit. You might argue that there was no way to verify it in this case without reflecting it and looking at what it was doing, but your credentials are basically your children when you’re roaming the 'net - so if you can’t verify it, DON’T USE IT. It’s pretty simple. And for the person who said this guy was probably smart enough to create a back-up account “in case someone reflected his code”… no, he would have obfuscated the code if he was being cautious. He f’ed up.

I assume most of you would trust, say, Facebook to keep its word and not store your credentials when you allow it to use its “Friend Finder”? Why?

And it’s frankly a waste of time to say this is a matter of ethics and we all need to be held to a higher standard and “if only he adhered to the code” etc. Sorry, the 'net is the real world, it’s not contained within our individual computers. People are out to scam, and you need to go out there believing it. As honest programmers we need to stick together, and the scammers will make themselves known. That’s the real value of Jeff’s post.

Thank you Dustin Brooks for erasing the credentials. I was not on the list but you definitely made the world a better place. Also thanks for exposing the phisher and trojan malware author.

To those that say he did not do the right thing: There is NO excuse for harvesting passwords. Even if “John Terry” is merely a total moron it’s inexcusable, and I’m not buying it; stealing users’ passwords is done for ill gain.

I probably wouldn’t do exactly as Brooks, such as I’d log in through Tor, get shocked like him, change the password, make sure there was no forwarding, notify all users by sending them a warning together with their respective account passwords to make sure they understand it’s real, then not delete anything but get the attention of the police. But I’m in no place to complain as I wouldn’t have refractored it in the first place. Again, he certainly did the best he could think of, it seems he probably did neuter it, and he made the details about the trojan public. Very good job.

“If I had been one of those people in the in-box, I’d have wanted Dustin to do exactly what he did.”

Actually, Dustin did miss one step: mass emailing everyone involved to let them know what happened.

It’s trivial for someone with your gmail user/password to set up a backdoor using email forwarding so that they’ll get copies of any email with “password” in it or billing information.

Hell, all they have to do is change your “secondary password recovery email address” as well and they’ll be able to hijack your account whenever they want to. I had this happen to me when the domain name for my password recovery email address got sold: Password Recovery — The Achilles Heel of Your Online Security | // Internet Duct Tape

What if this article had been about Brooks getting caught in the email account where all he found was personal mail? There’s little if anything to indicate that it was any more than a crap shoot (with pretty big odds in his favor admittedly) that he would.

Although he did state: 'I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box.'

Wonder how he noticed that about ‘other’ users.

In addition the comment: ‘It didn’t really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code.’ - doesn’t cause any alarms here, amazing. How would having a peek improve the functionality of the program?

Have your big hug-fest because a data farmer was snagged. What he did to get there, IMHO, was wrong. I won’t bother arguing the issue any further, we seem to differ on opinion in this regard … which is ok by me. It’s all just the perspective I saw/read it from at any rate.

"What if this article had been about Brooks getting caught in the email account where all he found was personal mail?"

In this case perhaps he’d send the account an email suggesting “Terry” should change his password. And again, he would have helped someone.

"In addition the comment: ‘It didn’t really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code.’ - doesn’t cause any alarms here, amazing. How would having a peek improve the functionality of the program?"

That’s one of the ways malware is identified. It’s really hard to turn it around against him, especially when we know what he did.

uses my handy-dandy CSI black-stripe decryptor to get the passwords from your image

Shouldn’t you be putting a “nofollow” on the G-Archiver link?

Actually, Ral, U.S. law is very specific as to this particular issue. Have a look at the Federal Wiretap Act, 18 U.S.C. 2510

So, just to be a little contrarian, can anyone point out in the code of ethics where it says that programmers should become vigilantes? It would seem to me that Dustin Brooks falls short of living up to the ideal of honoring property rights. By deleting the GMail account and the emails therein, Dustin has potentially opened himself up to prosecution under laws designed to be used against hackers. In addition he has potentially destroyed evidence that might be used to prosecute John Terry.

If he really wanted to be a good guy he could have just reported the individual to Google’s security hotline along with the appropriate documentation, as well as reporting to the shareware site where the application was hosted.

Travis,
What if you like killing people? Your choices are limited in that case: join the military (if you can) and get paid to do what you enjoy, work for a weapons development company and get paid more, or commit a “crime”. It’s all about perspective and whether you’re working freelance or as an employee :).