By now every security geek and their mom has probably heard of SHODAN, a 'computer search engine', or more accurately, a search engine that enables anyone to search for indexed internet-facing systems that can be port scanned. People are already debating over how soon SHODAN will be forced to shut down, and leaving aside the legal issues (if one, or a few, port scans aren't illegal, should 9000 be? Should 1000000? Should a billion?), what are the ethical implications of such a service?

Some complain that this would only enable script kiddies, but the same argument can be used to claim that information itself enables script kiddies, and I tend to find arguing over semantics boring. Personally, if you have internet-facing systems that are that vulnerable (such that any skiddie with a few minutes to search for exploits would be able to pwn them), you deserve to get pwned. If you leave your brand-new car unlocked in the worst neighborhood in town, it isn't right in any moral sense that it wouldn't last long, but it would be a stretch to claim ignorance of the consequences of your idiotic move.

For example, look at this instance of an epic security fail. IIS 4.0? Seriously?! As a friend of mine once said: "It's easier to pwn IIS than a drunk chicken." How do these systems not deserve to get pwned? How do the people responsible for securing these systems not deserve to be rewarded with a swift kick to the butt and a lesson in common sense?

With SHODAN, not only will it be easier for administrators to find and secure their systems, the existence of such a search engine would cause administrators to be constantly on their toes and not do half-assed jobs with regard to security (or one can hope). Despite the potential for harm, SHODAN is a good thing. Openness and access to information is a good thing. To those who are BAWWWWWing over it: Grow some balls, patch your shit, and get a spine. :)