Chronology

A couple of days ago, a community member (I will not name him here) posted a Blog entry in the ABAP space, “teaching” how to modify standard programs without a registration key.

My first reaction was to write a comment which went something like this:

“There is an easier way to do this, but I will not tell you because it’s harmful and should not be encouraged”.

I also rated it 1 star and would have disliked it (or voted it down, Stack Overflow style) if there were such an option.

I then went to Twitter to express my dislike, shortly before I noticed the moderator had deleted the post, an action I classified as “great”, and some people, most prominently Tammy Powlas, agreed with me.

Not much later, Ethan Jewett joined the conversation, basically arguing that such posts should not only be allowed but should be classified as “community service”, since they expose a well-known vulnerability that should be tackled by the competent people (Basis, security, auditors). He also argues the information will be available anyway, so it’s better that it’s here on SCN, where reasonable people can provide some guidance.

My point

I think it’s my duty as a community member to help prevent other members from acting in ways that may harm their systems (and could even get them fired). I know tons of these dirty tricks, but I keep them to myself, only sharing them with people I really trust and know will not make any mess with them. If I believed this kind of stuff should be spread, I would have written it myself (the better version, of course).

Another thing I strongly disagree with is the notion that SCN is the place for such articles. No, it’s not. We are in an SAP domain. Here we should share best practices and good advice. It’s a place for quality content (although there is a lot of not-so-good stuff around, including anything I have ever written and anything I will ever write).

Also, RTFM. Just after my comment on that blog, Jürgen L posted a link directing the author to read the documentation so he would understand why such behaviour was bad. We don’t encourage people to use unreleased function modules. Or to modify standard objects (even with a registration key!). We don’t encourage SQL injection. We don’t encourage our peers to act against the good health of their systems (and SAP warranty).

Or, as Google says, “Do no evil”.

Your opinion, please?

So, do you believe “any” kind of article (which does not break the terms of use) should be allowed here? Do you believe any information should be freely spread regardless of its potential to cause damage, or should there be some triage that only allows “good” content? Please comment. I feel I’ll have more people disagreeing with me than agreeing. Of course Ethan is welcome to clarify his take in case something is missing or misunderstood.


60 Comments


  1. Tammy Powlas

    I think if it is something I could do that could possibly get me fired (I am referencing my last job where for sure this would have happened) and the person still wants to post it, it should come with a warning.

    Overall I don’t think what was posted was a good practice.

    Thank you for taking the time to blog.

    Tammy

    (0) 
    1. Custodio de Oliveira Post author

      Hi Tammy,

      Thanks for your comment. If I remember the Twitter convo right, Ethan and Juergen S said the same about the warning. Thing is, it may not be enough (in most cases it will not be enough).

      Cheers,

      Custodio

      EDIT: just noticed that I quoted Sue. 🙂

      (0) 
      1. DEBOPRIYO MALLICK

        Hi Custodio,

        Nice blog on ethics. Thanks to all the experts for sharing their views on this matter. My personal views are listed below:

        i) Don’t publish it in a public forum. It is not a Grandma’s secret recipe that should be handed down across generations.

        ii) Primarily, SCN posts should do the community greater good than harm.

        iii) Keep it to yourself. Let the potential perpetrators find it out on their own. Anyway, smart people will always find ways to outwit the system.

        iv) Warning messages won’t work, as a lot of techies will still try it out. One person’s joy may turn into other people’s nightmare.

        Regards,

        DPM

        (0) 
  2. Susan Keohan

    Hi Custodio,

    Thanks for bringing this up. I am sure this will inspire lots of spirited debate.
    On the one hand, as Ethan Jewett said, sharing this information is a valuable service – letting our security and basis teams know what kind of evil tricks we can be up to – and letting SAP know that some of these evil tricks should be stopped for the benefit of their customers.

    On the other hand, way too many people will glom on to the harmful (but no doubt shorter/easier) solution. While nobody can be forced to take the time to do things correctly, if they don’t know about the shortcut, then maybe they will take the time to do it right? I don’t know.

    I suspect if people find a shortcut, they’ll use it, so that’s a point in favor of dis-allowing harmful content.

    As you can see, I sit squarely in the middle of the fence.

    (0) 
  3. Sven Ringling

    I agree with you absolutely.

    If such vulnerabilities are discovered, they should be raised with SAP, possibly involving the influencers like User Groups or Mentors.

    There are an awful lot of very inexperienced people on this platform, whom their employers or agents throw into projects they are absolutely underqualified for without any senior guidance. You can clearly see this from many questions and some of the answers.

    There is far too much temptation to try something dirty to meet a deadline or hide a mistake from a customer. Sure, there are some grey tricks, which are ok-ish or debatable, but then there’s the really dark stuff, which should not be here.

    I know, this sounds terribly patronising and to some extent it gets my liberal soul screaming, but then, if you assumed everybody acts responsibly, you could post your online banking details here, and allow 16-year-olds to ride 500cc motorbikes, couldn’t you?

    (0) 
  4. Graham Robinson

    Hi Custodio,

    I agree that the OP should not have posted this at all and if asked I would have advised them against doing so.

    However I disagree that we should be looking to identify and remove a post like this. I think a better result is that we should be able to rely on the very active comment stream to highlight why this is a bad idea and provide alternatives – as was happening in this case.

    In short I think that SCN at its best is a self-regulating and self-correcting organism.

    I suspect the OP probably thinks he has been censored – rather than having had wiser heads suggest to him an alternative approach next time.

    Cheers

    Graham Robbo

    (0) 
    1. Tom Van Doorslaer

      Hmmm, how many people who consider cutting corners and hacking standard SAP without leaving a trace will actually take the time to go through the comments?

      Also, this should be a discussion, not a blog 😈 (self-regulating)

      (0) 
      1. Custodio de Oliveira Post author

        Hi Tom,

        Thanks for your comment. To your question my answer is: very few.

        As for posting it as a discussion, as a matter of fact I thought about it, but this document by Jason Lax says:

        Jason Lax wrote:

        “Blogs are where you express your point of view or share your thoughts on something. It’s your soap box to stand on if you want to bring something to the attention of other community members or just share with them your ideas or experiences.”

        So I think it makes sense posting as a blog.

        Cheers,

        Custodio

        (0) 
    2. Custodio de Oliveira Post author

      Hi Robbo,

      Thank you for your comment. I agree that self-regulating could be better IF it worked, but unfortunately it doesn’t, as Jurgen shows below.

      Cheers,

      Custodio

      (0) 
  5. Phil Gleadhill

    Hi Custodio,

    A thoughtful blog and one that will, and probably already has, started a good and many-sided conversation, judging by the comments so far.

    Another axis to think of this on (dare I say it) is the litigation, loss and damage angle.

    Scenario:

    1. Person A posts “dubious” or “harmful” instructions on SCN, an SAP “Community” site.

    2. Person B follows those instructions in another Company’s SAP system which results in loss or damage ($$$) to said company, and/or “people being fired”.

    3. Said company takes possible legal redress against SAP (as the Community site owner who allowed the said instructions to be posted and to remain there for others to use) and perhaps others such as the Moderator (who failed to remove it) and A the blog poster.

    I am not a lawyer or legal type, so I am not sure if the above scenario is a valid one to consider. However I wouldn’t want to see it happen to anyone either.

    As you say, the rule should be “do no harm”.

    Cheers, Phil G.

    (0) 
    1. Custodio de Oliveira Post author

      Hi Phil,

      Thanks for your comment. Indeed, this is an angle I hadn’t thought of. I discussed it with my wife, who’s a lawyer, and she believes it’s a valid scenario, although the terms of use probably state SAP is not liable.

      Cheers,

      Custodio

      (0) 
  6. Frank Koehntopp

    I think there are two different categories of “harmful” posts:

    • If we’re talking “hack” as in “there are more ways to do it”, and it’s a bad practice – be my guest, hope you can take the feedback you’ll get here. If anybody sees an article like that that has the potential to break stuff badly if you do it, please alert a moderator so we can at least come up with some disclaimers around it.

    To summarize: you have the right to be stupid, and I’m no friend of censorship. If you’re disclosing a yet unknown vulnerability here I will be over you with all my mighty security moderator powers 😀

    Cheers,

    Frank.

    (0) 
    1. Custodio de Oliveira Post author

      Hi Frank,

      Thanks for your comment. Before I wrote this I talked to our Security Architect Cooper Richard and he shares the same opinion as you (except he’s not an SCN moderator 😉 ). As they say, “great minds think alike”.

      Cheers,

      Custodio

      (0) 
  7. Jürgen L

    Everything forbidden spreads underground. Removing it from the Internet is almost impossible.

    You just remove it from the site, but you could have taken the chance to comment and explain why this is not a good approach.

    There should be a storm of such comments, but unfortunately the storm happens at the like button and the rating, as you can see in these 2:

    How to change/delete records using debug mode

    Activate &SAP_EDIT in SE16N (SAP ECC 6.0)

    And that is the reason why I think SCN is far away from self-regulating. And even the abuse button just pushes the decision from many to one.

    Instead of removing I would wish to classify such content as harmful, adding a red watermark so that it is visible to anyone.

    I would even like to keep it, because then the poster is known. If he works for one of our contractors, then I am sure we would address this at the right place.

    (0) 
    1. Custodio de Oliveira Post author

      Thanks Jurgen,

      Very good example of SCN not being self-regulated (yet?). The first one shows the OP in a rather defiant attitude. I would vote it down if I had the option.

      cheers,

      Custodio

      (0) 
    2. abhishek bansal

      Jürgen L wrote:

      “You just remove it from the site but you could have taken the chance to comment and explain why this is not a good approach.”

      I completely agree with Jurgen, as they should be watermarked with red or something like this.

      As for my scenario, my organisation is passing through a financial crisis and they have not renewed their SAP license for the past 3 years. Hopefully they won’t get it renewed in future either.

      As I am the only ABAP developer, I was forced to find a way to modify SAP standard code without an access key. (I managed to do so in the end 😛 )

      However, I agree it is not bad practice, but I have been left with no other option.

      Finally, my boss is happy with the changes and so is the management.

      So I believe people should be allowed to post, but they should also be made aware of the consequences of these dirty tricks.

      (0) 
  8. Suhas Saha

    Hello Custodio,

    First-of-all, kudos for publishing the blog.

    “The fence is the safest place to be on this matter.”

    I bet that’s true. And after I heard the comments of Ethan Jewett I feel that the content should not have been removed, rather quarantined 🙂

    Food for thought for TPTB @SCN management 😉

    Cheers,

    Suhas

    (0) 
    1. Custodio de Oliveira Post author

      Hi Suhas,

      Thanks for commenting. Not sure how it works, but there were some abuse reports, so I guess the OP is being moderated right now.

      One thing with the warning is that it might make people even more willing to try, just because it’s labeled as dangerous 🙂

      Cheers,

      Custodio

      (0) 
  9. Holger Stumm

    This is a great discussion (thanks to Custodio for bringing this up) and I wonder that this kind of topic is coming up after 10 years of SCN (can’t remember a security thread discussion before).

    This discussion inspired me to add my own 2 cents to this discussion. There is a certain viewpoint in the security industry about this kind of published exploit. If you are interested, I posted this blog on SCN: “Spies like us don’t talk to you in public” http://bit.ly/GL8UvX

    (0) 
  10. Matthew Billingham

    I wouldn’t take such a post down, but I would reserve the right to be savagely sarcastic to the poster, in bold, red, large type.

    It might even be legitimate for a moderator to edit the blog/document/comment/discussion with a bold, red large type warning of “Do not do this, it is spectacularly stupid and could cost your employer a lot of money, and you your job”.

    If some people ignore this advice, think of it as a kind of evolution in action. The stupid people are forced to quit the industry.

    (0) 
    1. Joao Sousa

      For example in the case of the debug/delete in SE16 that Jurgen posted, people will do it anyway so deleting it won’t have any real effect, it’s too widespread.

      The real answer is making a blog that teaches Basis people that allowing values to be changed in debug is really stupid and negligent in production systems.

      Deleting the blog is pointless, but moderators could include a large warning saying “This behaviour will void your SAP Warranty”.

      (0) 
      1. Julius von dem Bussche

        Some folks don’t post that warning and even think what they are doing is novel. Some even think it is a good idea and worth blogging about to share the “trick”.

        Being flamed for it is a part of the learning process and also necessary.

        Cheers,

        Julius

        (0) 
        1. Joao Sousa

          The problem with flaming is that in the end, it’s a matter of opinion. The flamer can be wrong, etc.

          That’s why I believe the best way to signal these posts is with facts: “This will void your SAP warranty/support”.

          (0) 
        1. Matthew Billingham

          The only information I need is that it is possible. Anyone who can’t work out how to do it from that isn’t much of a programmer, in my (not very) humble opinion. It gets slightly more difficult in later releases.

          (0) 
          1. Joao Sousa

            That’s why the problem isn’t that the trick exists; it’s not really an exploit. In a production system that allows values to be changed (or lines skipped) in debug you can do pretty much anything you want.

            I don’t think that restricting debug is the right way to go, since it has proven very useful in my daily life when you can’t replicate a certain problem in Q&A, but being able to change values is very, very, very dangerous, even if you are not deleting tables.

            I’ve seen people skip standard validations (that, guess what, exist for a reason). The result: inconsistency between MM and FI, which that particular “doctor” wasn’t able to solve. Irresponsible behaviour that would have been avoided if changing values was blocked. I was appalled after realizing what that person had done, but the damage was already done.

            (0) 
            1. Matthew Billingham

              I entirely agree. Changing values (in production) should only be allowed on an as-needed basis, with a clear reason for it. In one of my clients, any changing of values is picked up during audit and must be justified.

              (0) 
        1. Gareth Ryan

          That kind of thing would get my vote. Just need people to “report abuse” of suspect content so a mod can add similar wording in.

          Gareth.

          (0) 
        2. Steffi Warnecke

          Maybe there is a chance to develop something (by the team behind the SCN platform) that you moderators can add, like a more official-looking message with a logo etc., that can’t be edited or deleted by the creator of the post. That would make your work easier. 🙂

          I also agree with Gareth, that another add to the “Abuse report”-dropdown list would be great for this stuff.

          (0) 
  11. Vinod Vemuru

    Hi Custodio,

    I strongly agree with you. Such kind of content should never be allowed in any public forum.

    As a responsible SAPien, to protect the reputation of our product, we should report such vulnerabilities to SAP via OSS message. SAP does give credit to the person who reports such issues as an “External security researcher”. I reported one such issue a couple of years back and SAP released a security note for it.

    Thanks,

    Vinod.

    (0) 
    1. Matthew Billingham

      Vinod Vemuru wrote:

      “Hi Custodio,

      I strongly agree with you. Such kind of content should never be allowed in any public forum.”

      The problem is that there is no way of preventing the information being discussed on a non-sap-controlled web site. Therefore, the only place you’ll get the information if you’re a determined idiot, is from the non-sap sites, where it won’t come with warnings.

      (0) 
  12. Suseelan Hari

    Hi Custodio,

    Good Day!

    I agree with you. We should not allow such things in SCN. If any warning message pops up it is always good and much safer.

    Regards,

    Hari Suseelan

    (0) 
  13. Gareth Ryan

    My opinion on this subject – one of the key points of the SCN forums (and any other forum for that matter) is to spread knowledge and educate members. This should cover both good and bad knowledge, i.e. the right way and the wrong way to achieve something.

    So, in the scenario of something being a very bad hack that could have dire consequences (like modifying standard programs without a key, for instance!) I don’t have a problem with it being mentioned on here that it can be done; however, I don’t believe the how it can be done should be shared. Also, I think that it should be very clear that this shouldn’t be done – just because I can stick my hand in the fire doesn’t mean I should.

    As has already been mentioned, often comments point out that content is bad on SCN but people don’t always read comments so I think there needs to be more positive action to stress to people who casually read stuff that it is wrong.  We need to educate people on what not to do, as well as what to do after all.

    When I was taught ABAP (a long time ago!) there was no SCN, no SAPFans and indeed no internet access at my place of work. All I had to rely on was good old F1 help and the people I worked with. If we found a hack like this, we shared it and understood we shouldn’t do it. The problem with the internet (now there’s an interesting start to a sentence…) is that it is too easy to share all sorts of random information without the consumer getting the full context, or understanding whether it is accurate or not. Scary stuff… 🙂

    (0) 
  14. Siddarth Jain

    I totally agree with you. A big no for such posts / blogs. But on a different note, there should be a forum or place where these kinds of vulnerabilities can be recorded by daily SAP users. It will not only help SAP improve their software but also provide end customers better software. (I am not aware if there is any apart from raising an OSS message.)

    There are lots of bug bounty programs out there in the market where lots of social networking sites recognize the efforts of ethical hacking and fix those issues to provide a better end user experience.

    Regards

    Siddarth

    (0) 
  15. Naimesh Patel

    Hello Custodio,

    I totally agree with you on this topic.

    I remember around 4-5 years ago on SDN – at the time it was SDN – there was stricter moderation of a new blog post or article. Whenever a user first registered to write a blog, the user would be granted only Contributor status – he/she could only write the post in draft mode but couldn’t publish it. I had to face the same moderation for my initial blog posts – around 5/6 posts, even though I was in Topaz status based on the ratings at the time. I was then granted publish rights.

    I believe that type of stricter moderation should still be in place. Most people who are looking for answers in an area other than their expertise use SCN as a bible. They would use those poor, incomplete, potentially dangerous articles as their weapons to argue with the person who is familiar with the matter and who is telling them not to use those techniques. But without this stricter moderation, the content quality is becoming poorer and poorer every day. That makes the expert’s life more miserable as he/she has to keep on defending himself/herself from these bad techniques.

    I believe SAP has opened the gates for new articles or blogs – many of them are not adding any value or are duplicates – after they moved to this new SCN. In the mix, SCN has introduced gamification, which lures this type of bad content and makes SCN nothing but a content farm site.

    Thanks for bringing up this topic.

    Regards,
    Naimesh Patel

    (0) 
  16. Rahul Mahajan

    Hi Custodio,

    I too agree with you. Awesome blog! We should not encourage this kind of content, and educating people will help us as a community to take SCN to the next level.

    Just one concern/question.

    Where and how can we ask for our content (technical articles/blogs) to be reviewed by moderators?

    Sometimes it’s quite difficult for people like me to categorise the content, because some things which are very basic/easy/not adding value to people who have been in the SAP world a long time and are experts might be very useful simple tips adding value to less experienced people.

    As rightly mentioned by Naimesh Patel in the comment above, it’s always best to publish content after review by moderators, as they are experts in their respective fields.

    Thanks and sorry for putting my question in this forum.

    Regards,

    Rahul

    (0) 
        1. Julius von dem Bussche

          I also warned the OP that it was a silly idea and would go downhill, but he was adamant that there was nothing wrong…

          He felt the heat warmth as the community reached out to him and decided to then remove it again himself.

          Cheers,

          Julius

          (0) 
  17. Frédéric Girod

    Hi,

    I think we must be allowed to post content like “How to hack SAP” just to inform SAP how we could do this, and what SAP must protect or change.

    Second point, SCN has to provide a secure place to post this kind of message, just to restrict access to registered members …

    I have hacked SAP with the same method for the last 14 years … Do you know any other software where that would be possible??

    (I remove the developer key control, the change object key control ….)

    regards

    Fred

    (0) 
    1. Otto Gold

      Dear user,

      hereby we kindly inform you about the legal actions being started against you. Please expect our team to arrive shortly. We are running out of budget, so please go buy yourself some nice orange pyjamas before we come to knock on your door.

      Your favorite software vendor’s legal team.

      (0) 
  18. Rob Dielemans

    Hi Custodio,

    I’m thinking of disagreeing with you. Here’s why.

    The gist of it is that people who do drugs, do it because they want to do drugs. People who want to do bad things to an SAP system will do bad things to an SAP system because they want to do that.

    Unless you somehow have a monopoly on a piece of information that could potentially (I will get to this point specifically in a minute) be harmful, then and only then might you have a point in not showing it here on SCN. Otherwise they will find a way and you can’t stop them.

    I think it is even beneficial to post this stuff here on SCN to make people who want to do good things aware of these issues.

    You have to understand that if I want to do something bad to a system no one can stop me, the accumulated knowledge and skills over the years have made me potentially really dangerous. The only thing you can do is:

    1. find out early that something went awry

    2. find out who has done it

    3. find out how to fix this

    Now about potentially dangerous.

    This is really subjective. Deleting work items, for instance with SWWL, is a dangerous tool in the hands of the uninitiated, even more dangerous than, let’s say, the various SE16/SE16N tricks to delete stuff.

    There are standard SAP transactions and standard reports to massively manipulate production data which I find way more potentially dangerous than all of those ABAP/debug tricks which you can’t stop anyway if someone has bad intentions.

    The unintentional <insert expletive> ups caused by using SAP standard transactions is something you can and should prevent and more worth the time and effort to enforce it.

    Kind regards, Rob Dielemans

    (0) 
    1. Custodio de Oliveira Post author

      Hi Rob,

      Thanks for commenting. As I said, I was expecting to have more people disagreeing with me than agreeing.

      I agree with the subjectivity of the matter. What I don’t agree with is that SCN is the place to have this kind of info, the same way as, referring to your drugs analogy, you will not find a “How To Do Drugs” manual on the World Health Organisation website.

      Cheers,

      Custodio

      (0) 
      1. Rob Dielemans

        Hi Custodio,

        Hah! And now I am going to take your stolen analogy of mine and make a (successful?) run for it.

        There should be a “How to do drugs” manual on the WHO website. My point is you can’t control individuals’ (bad, destructive, <insert subjectivity>) needs, that is what the prohibition and something atrocious like krokodil teaches us.

        The only thing in your power is to teach people how to do it in the least destructive way possible and also train others in how to spot them, so that they can try to prevent or minimise the destruction that normally goes with it.

        To summarize my point:

        If you do not have the monopoly on a piece of information on how to technically screw up an IT-system, it is better to get it out in the open so that people can learn from it and be prepared on how to fix it; should this piece of information be used to deliberately disrupt their IT-systems.

        (0) 
  19. kishan P

    What a great blog and subsequent discussions!

    Although I’m not a great fan of letting incorrect and dangerous content be published openly, considering that we live in a time where online censorship is highly impossible, I would rather read such dangerous content (with clarifications) here on SCN than on a third-party site.

    pk

    (0) 
