A Question of Programming Ethics

I think the issue here is not ethics, we’re talking about unlawful behavior, that guy should be prosecuted.

Regards

Didn’t Dustin email all the affected users to warn them to change their passwords?

I was thinking that too.

I hate to add to this long list of comments, but I can’t help but notice this:
client.EnableSsl = true;
Irony anyone?

What everyone seems to be missing is the fact that through g-mail you can easily set up a filter to forward all in-coming e-mail to another e-mail address without marking it read. So deleting all of the e-mails probably did absolutely nothing. Plus the fact that this guy could be using his own program to archive all of the e-mails he got with the usernames/passwords.

I think that Dustin Brook’s heart was in the right place, but the best thing would have been to immediately change the password, and then go into “contacts” and click “select all” and send a warning e-mail to everyone (gmail automatically adds a contact for anyone that e-mails you). Then to notify Google, leaving the e-mails intact as evidence (since you already changed the password, the guy can no longer get into the account, so the e-mails don’t need to be deleted).

Despite that, I think that Dustin did a great thing, and I’m glad he also made an effort to get the word out by sending the story to a well known blog like this one.

I made the mistake of telling Facebook’s Friend Finder my password, and then realized how dumb it was and changed it to a pass-phrase that I will never share with anyone/anything except the gmail sign in page. I think Jeff has done a great job in championing proper password practices.

As a programmer, I’m ashamed to say that I never really thought about how I was storing my user’s passwords until after reading a few posts on this blog. However my boss unfortunately will not allow me to encrypt user’s passwords because he says that “we don’t store any private data, and we want password recovery to be instant and easy”. So we use pathetic secret questions/answers to “verify” them and then reveal to them their password in plain text right there on the webpage if they forgot it. It makes me sick. Unfortunately, I don’t have a choice…

I am interested to hear any further details on what happens with this story if Google ever tells Dustin if anything ever came of this…

“The fact is that if we considered those around us who we don’t know as equal in worth to ourselves we would think twice before working on weapons and devices that we know will kill others.”

If we consider those around us “equal in worth”, where worth is the capacity to create, to dream, to love, etc, we also have to consider them equal to us in their capacity to invent ways to kill us. To the extent that a human is capable of good, he or she is also capable of evil.

“However, as a computer scientist, I stand firmly opposed to copyright and patent monopolies.”

I completely agree with your principles, but any serious set of ethics has to render unto Caesar what is Caesar’s.

This is appalling. I’m really glad you wrote the article.

Given that, there’s not a word here about the ethics of Dustin Brooks having:

  1. using Reflector to take a peek at the source code that wasn’t his,
  2. opening up a browser and logging in to gmail that wasn’t his using the found account information,
  3. deciding to go ahead and blast every email to the deleted folder and then empty it on an account that wasn’t his,
  4. changing the password and security question on an account that wasn’t his, and
  5. contacting google to erase this account only after he didn’t see a way to delete it himself.

I thought the topic here was Ethics [albeit Programming Ethics]?

To my way of thinking all he had the right to do was contact google and report the incident.

Were his actions /really/ any more “ethical” than John Terry’s?

@A Programmer

The perpetual nature of US copyrights (70 years after the death of the creator plus however many years Disney wants added so they can keep Mickey Mouse out of the public domain) is the major problem with copyright law. I have no problem with using copyright to protect software; it worked for many years, it prevents wholesale theft while allowing independent invention.

Patent law is a whole different animal. Traditionally patents were awarded only for physical devices - software was only considered if it was part of a physical device. Now any jackass can patent math and dance (software and “business processes” such as Washington Mutual’s branch office layout.)

I don’t see any problem with ACM’s approach regardless of my view that software patents are an egregious misuse of the patent system. Like it or not, it’s the law and the right way to handle the issue is to tell the profession to obey the law as part of a code of ethics while working to get bad law changed. ACM does the former; does it do the latter? Given its membership and (more importantly) sponsorship, can it?

Contrast ACM’s code of ethics with those of LOPSA (The League of Professional System Administrators - see https://lopsa.org/CodeOfEthics/):

I will educate myself and others on relevant laws, regulations and policies regarding the performance of my duties.

and

As an informed professional, I will encourage the writing and adoption of relevant policies and laws consistent with [the LOPSA Code of Ethics].

That said, I’ve decompiled Java to examine vendor source code to debug problems and nudge vendors toward fixing our issues. I’ve done code reviews on proprietary code to which I have had access to the source and have reported bugs back to the vendor (specifically for software that estimated the effects of radioactive material releases to the public.) In that case, the vendor issued an advisory and sent us a fix within a few days.

Experience has convinced me that whether software is proprietary or open, the end user must have access to the source code; otherwise they have no assurance that the code even works or that the vendor’s agenda aligns with their own. Code is the instantiation of the author’s agenda - if the author is a grifter or thief, it will show in the code.

Open GMail Account
Click on Settings [upper right]
Click on Google Account Settings [near bottom]
Click on My Services - Edit
Click on Close account and delete all services and info associated with it
[didn’t go any further than this]

Even though Dustin Brooks got the email account deleted, thus destroying vital information, I think Jeff still has the screenshots. Isn’t that enough to prosecute John Terry?

Well done! Does somebody know who this John Terry is and his location?

I have never understood how website features like “friend finder” got so successful that every social site has one version or another. Just the thought of a 3rd party site asking me for my username and password makes me cringe. But you’ll be amazed at how even developers who are supposed to be savvy at things like this use these “friend finder” features.

Registrant:
   MateMedia, Inc.
   POB 430302
   Miami, Florida 33243
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: GARCHIVER.COM
      Created on: 03-Apr-07
      Expires on: 03-Apr-08

Well done, Dustin!


This is precisely why I won’t use “free” software that isn’t open source or released by a “reputable” company.

One name I did notice in the gmail screen cap in the contacts list is Pawel Lesnikowski. He’s a writer of .NET components:

http://www.lesnikowski.com/

Maybe he might know this John Terry. This abuse of personal trust and privacy is appalling. I hope this site and application is flagged as a trojan and taken down by everyone in the shareware community.

Dave – if you think Dustin’s ethics are the same as this other guy’s, then you obviously don’t really understand ethics all that well. There’s nothing unethical about viewing source code of others (ripping it off is something else entirely), there’s nothing unethical about stopping someone from harvesting identity information of others. Whatever ethical infractions might exist in using someone else’s login information are well covered by the doctrine of double-effect.

I used a piece of software which has a demo mode for an online service. Probably in demo mode, the developer of the software was using his own credentials, probably hardcoded in the software.

I realized, after using the software in demo mode, that if I opened the website (Gmail; yes, it was Google’s API that the software uses) in a browser, I was logged into his Gmail automatically. I thought it was some issue with Google, but later realized it was because I had used that software in demo mode and new cookies were in place.

Anyway, I informed the developer and never heard back. I don’t use that software anymore for two reasons:

  1. I don’t want my Gmail cookies replaced by someone else’s
  2. I don’t feel good if I unintentionally log into his account

-abdul

Makes sense.

On a related note… let’s say I need to send emails through a gmail account from my C# program. This basically means there will be strings inside my source that contain the gmail username and password.

This is obviously bad, in the presence of Reflector. In the unmanaged world we could encrypt the strings using some encryption algorithm, and since the details of the encryption algorithm would be compiled to assembly nobody could tell what’s going on. But in the managed world, the details of such an encrypting process are there for everyone to decompile, so it doesn’t sound like that’s going to work.

This must be a solved problem, but I don’t really know the keywords to use to find the solution…
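One way to keep the credentials out of the assembly, added here as an editor’s example rather than code from the original post or from any program discussed on this page: the weak hardcoded pattern beside a version that reads a DPAPI-protected secret at runtime. It assumes Windows and .NET’s System.Security.Cryptography.ProtectedData; the address and password literals are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Mail;
using System.Security.Cryptography;
using System.Text;

// Editor's example, not from the original post. Assumes Windows DPAPI via
// System.Security.Cryptography.ProtectedData (built into .NET Framework;
// a NuGet package on modern .NET).
public static class MailSender
{
    // Weak pattern: the literals live in the assembly's metadata, so Reflector
    // (or a plain strings tool) recovers them without needing to read the IL.
    public static SmtpClient WeakClient()
    {
        var client = new SmtpClient("smtp.gmail.com", 587) { EnableSsl = true };
        // hypothetical values
        client.Credentials = new NetworkCredential("someone@gmail.com", "hunter2");
        return client;
    }

    // Hardened pattern: no secret exists in source or binary. The password is
    // unprotected at runtime from a blob the operator stored out of band (for
    // example in a file with a restrictive ACL), bound to this Windows user.
    public static SmtpClient HardenedClient(string user, byte[] protectedPassword)
    {
        byte[] plain = ProtectedData.Unprotect(
            protectedPassword, null, DataProtectionScope.CurrentUser);
        string password = Encoding.UTF8.GetString(plain);
        Array.Clear(plain, 0, plain.Length); // drop the plaintext bytes promptly
        var client = new SmtpClient("smtp.gmail.com", 587) { EnableSsl = true };
        client.Credentials = new NetworkCredential(user, password);
        return client;
    }

    // One-time enrolment run by the operator on the deployment machine, never
    // shipped with the application: wrap the password under the user's DPAPI key.
    public static byte[] Enrol(string password)
    {
        return ProtectedData.Protect(
            Encoding.UTF8.GetBytes(password), null, DataProtectionScope.CurrentUser);
    }
}
```

A decompiler now reveals only the mechanism; the trust boundary becomes the Windows account that holds the blob, so anyone who can run code as that user can still recover the password. Where the program should act for the end user rather than the developer, prompt for that user’s own credentials at runtime and embed none.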

I must say, I love the comments about how if this were open source, this could never have happened.

Consider this:

  1. I make some application
  2. I package up the source code
  3. I inject malicious code and compile said source code
  4. I put both the ‘clean’ source and malicious binary files on (say) Sourceforge and mark it as GPL.

How many people, do you think, are going to actually check that the source and binaries match, or compile it themselves from source?

Open Source Software is not the answer to preventing this kind of abuse in trust.

As for the comments that this was possibly just debugging information let loose - take another look at the source code. It’s pretty obvious that this is NOT just debugging info.

It’s also unfortunate that Dustin probably broke several laws doing the right thing to protect these folks who had been exploited.