Re^4: Information sharing

Who says that person's going to use it? I've asked plenty of questions in the course of not killing people about things that could kill people. I'm a writer, and I need information about poisons occasionally. Further, that poison (assuming the person didn't ask "How do I make poison?") may have other properties. Asking about sodium doesn't mean you're going to kill someone with it, necessarily.

Now, you can say that's the exception -- and it may be. Or you can say that "provisions would be made" in an information-restriction strategy to allow special cases like that to get through. Operating in reality, however, will tell you that Special Cases means you have to get a license. On the site, that would equate to being approved for security information by others. I think that's not the kind of thing we'd want.

You can't gauge appropriate by the question. You can't gauge intent by the question either.

Should they share it with anyone who asks regardless of how much it looks like the person is intending to do harm to self or others with no indication there is a valid reason behind it?

Again, I did not say you should encourage destructive acts. I'm saying that if you do not know the intent, then it's your job to ask if you're going to be concerned about how it's used. Even if you ask, you may not find out. You only hope the other person will be honest.

If freak had the presence of mind necessary to say that he was doing security testing, who would have questioned that? And who's to say that freak isn't just the first illegitimately intentioned person to screw up and be honest? Who's to say that there haven't been plenty of other, less active monks amongst us who might have been a little smarter and a little subtler?

Who will continue to answer questions related to security issues when they will be held responsible -- even if it's only by their peers and no legal body -- for the questioner's intent? If fewer people answer, where will that knowledge go?

-----------------------
You are what you think.

Comment on Re^4: Information sharing

Replies are listed 'Best First'.
Re^5: Information sharing by jZed (Prior) on Jun 05, 2004 at 18:41 UTC
On the site, that would equate to being approved for security information by others. I think that's not the kind of thing we'd want. I agree. I'm saying that if you do not know the intent, then it's your job to ask if you're going to be concerned about how it's used. I agree. Who will continue to answer questions related to security issues when they will be held responsible -- even if it's only by their peers and no legal body -- for the questioner's intent? If fewer people answer, where will that knowledge go? Very good questions. I don't think we should feel responsible for knowing the asker's intent. I do think we should feel responsible for trying to find it out when it's in question and to use our best judgement in assessing what we learn. If perlmonks were the only or a major place people got knowledge on security I would be more inclined to support the "answer almost anyone almost any time" approach.	[reply]
Re^6: Information sharing by hv (Prior) on Jun 06, 2004 at 03:21 UTC
If perlmonks were the only or a major place people got knowledge on security I would be more inclined to support the "answer almost anyone almost any time" approach. Could you expand on that please? I read it as "because there are other places you can ask, it's OK to set the bar higher here". I don't understand the reasoning behind that - there are other places you can ask "why doesn't my CGI work" too. Hugo	[reply]
Re^7: Information sharing by jZed (Prior) on Jun 06, 2004 at 05:50 UTC
I'm not advocating we never discuss things like bulk-emailing or security here. I'm suggesting that some kinds of discussions of potentially harmful practices be caried out at more specialized sites rather than at a general purpose, broad-audience site like perlmonks. My reasoning is that this will not deter people who really need the information, there is a place they can get it, but that it might deter some of the script-kiddies - the people of any age who are looking for an easy something to cut and paste into their latest malware. Should we brand anyone who asks about security or bulk emailing a deviant and cast them out, no, I hope not. But I also don't think we should offer positive encouragement to people wanting to use the tools for anti-social ends and that we have a right to question intentions and to withohold answers if we have reason to doubt those intentions.	[reply]