Should potentially harmful content be allowed in SCN? I say NO!
Chronology
A couple of days ago, a community member (I will not name him here) posted a Blog entry in the ABAP space, “teaching” how to modify standard programs without a registration key.
My first reaction was to write a comment which went something like this:
“There is an easier way to do this, but I will not tell you because it’s harmful and should not be encouraged”.
I also rated it 1 star and would have disliked it (or voted down, stacko verflow style) if there was such option.
I then went to Twitter to express my dislike, shortly before I noticed the moderator had deleted such post, an action classified by myself as “great”, for which some people, most prominently Tammy Powlas, agree with me.
Not much later, Ethan Jewett engaged in the convo, basically arguing such kind of posts should not only be allowed, but classified it as “community service” as it evidenced well known vulnerability, which should be tackled by the competent people (basis, security, auditors). He also argues the information will be available anyway, so it’s better it’s here in SCN where reasonable people could provide some guidance.
My point
I think it’s my duty as a community member to help prevent other members to act in ways that may harm their systems (and even could get them fired). I know tons of these dirty tricks, but I keep them to myself, only sharing with people I really trust and know will not make any mess with it. If I believed this kind of stuff should be spread, I would have wrote it myself (the better version of course).
Another thing I strongly disagree is the notion that SCN is the place for such articles. No, it’s not. We are in a SAP domain. Here we should share best practices, good advices. It’s a place for quality content (although there are lots of not so good stuff around, including anything I have ever written and anything I will ever write).
Also, RTFM. Just after my comment on that blog, Jürgen L posted the link directing the author to read the doco so he would understand why such behaviour was bad. We don’t encourage people to use unreleased FM. Or to modify standard objects (even with a registration key!). We don’t encourage SQL injections. We don’t encourage our peers to act against the good health of their systems (and SAP warranty).
OR, as Google says, “Do no evil”.
Your opinion, please?
So, do you believe “any” kind of article (which does not break terms of use) should be allowed here? Do you believe any information should be freely spread regardless of the potential to cause damage, or should be some triage and only allow “good” content? Please comment. I feel I’ll have more people disagreeing with me than agreeing. Of course Ethan is welcome to clarify his take in case something is missing or misunderstood.
I think if it is something I could do that could possibly get me fired (I am referencing my last job where for sure this would have happened) and the person still wants to post it, it should come with a warning.
Overall I don't think what was posted was a good practice.
Thank you for taking the time to blog.
Tammy
Hi Tammy,
Thanks for you comment. If I remeber the twitter convo right, Ethan and Juergen S said the same about the warning. Thing is, it may not be enough (in most cases will not be enough).
Cheers,
Custodio
EDIT: just noticed that I quoted Sue. 🙂
Hi Custodio,
Nice blog on ethics. Thanks to all the experts for sharing their views on this matter. My personal views are listed below:
i) Don't publish it in public forum.It is not a Grandma's secret recipe that should be handed down across generations .
ii) Primarily, SCN posts should go greater good to the community than harm it.
iii) Keep it with yourself. Let the potential perpetrators find it out on their own . Anyway, smart people will always find out ways to outwit the system.
iv ) Warning messages won't work as lot of techies will still try it out.
One person's joy may turn into other people's nightmare.
Regards,
DPM
Hi Custodio,
Thanks for bringing this up. I am sure this will inspire lots of spirited debate.
On the one hand, as Ethan Jewett said, sharing this information is a valuable service - letting our security and basis teams know what kind of evil tricks we can be up to - and letting SAP know that some of these evil tricks should be stopped for the benefit of their customers.
On the other hand, way too many people will glom on to the harmful (but no doubt shorter/easier) solution. While nobody can be forced to take the time to do things correctly, if they don't know about the shortcut, then maybe they will take the time to do it right? I don't know.
I suspect if people find a shortcut, they'll use it, so that's a point in favor of dis-allowing harmful content.
As you can see, I sit squarely in the middle of the fence.
Hi Sue,
Thanks for you comment. Maybe the fence is the safest place to be on this matter.
Cheers,
Custodio
I agree with you absolutely.
If such vulnerabilities are discovered, they should be raised with SAP, possibly involving the influencers like User Groups or Mentors.
There are an awful lot of very inexperienced people on this platform, whom their employers or agents throw into projects they are absolutely underqualified for without any senior guidance. You can clearly see this from many questions and some of the answers.
There is far too much temptation to try something dirty to meet a deadline or hide a mistake from a customer. Sure, there are some grey tricks, which are ok-ish or debatable, but then there's the really dark stuff, which should not be here.
I know, this sounds terribly patronising and to some extend it gets my liberal soul screaming, but then, if you'd assume everybody acts responsibly, you could post your online banking details here, and allow 16 years olds to ride 500ccm motorbikes, couldn't you?
Hi Sven,
Thanks for your comment. Agree, assuming everyone act responsibly unfortunately just doesn't work.
Cheers,
Custodio
Hi Custodio,
I agree that the op should not have posted this at all and if asked I would have advised them against doing so.
However I disagree that we should be looking to identify and remove a post like this. I think a better result is that we should be able to rely on the very active comment stream to highlight why this is a bad idea and provide alternatives - as was happening in this case.
In short I think that SCN at its best is a self-regulating and self-correcting organism.
I suspect the op probably thinks he has been censored - rather than having had wiser heads suggest to him an alternative approach next time.
Cheers
Graham Robbo
hummmm, How many people that consider to cut corners and hack standard SAP without leaving a trace, will actually take the time to go through comments?
Also, this should be a discussion, not a blog 😈 (self-regulating)
Hi Tom,
Thanks for you comment. To your question my answer is: very few.
As for posting it as a discussion, as a matter of fact I thought about it, but this document by Jason Lax says
So I think it makes sense posting as a blog.
Cheers,
Custodio
Hi Robbo,
Thank you for your comment. Agree that self regulating could be better IF it worked, but unfortunately it doesn't, as Jurgen shows below.
Cheers,
Custodio
Hi Custodio,
A thoughtful blog and one that will and probablyand already has started a good and many sided conversation, judging by the comments so far.
Another axis to think of this on (dare I say it) is the litigation, loss and damage angle.
Scenario:
1. Person A posts "dubious" or "harmful" instructions as posted on SCN, a SAP "Community" site
2. Person B follows those instructions in another Company's SAP system which results in loss or damage ($$$) to said company, and/or "people being fired".
3. Said company takes possible legal redress against SAP (as the Community site owner who allowed the said instructions to be posted and to remain there for others to use) and perhaps others such as the Moderator (who failed to remove it) and A the blog poster.
I am not a lawyer or legal type, so I am not sure if the above scenario is a valid one to consider. However I wouldn't want to see it happen to anyone either.
As you say, the rule should be "do no harm".
Cheers, Phil G.
Hi Phil,
Thanks for your comment. Indeed, this is an angle I haven't thought. I discussed it with my wife, who's a lawyer, and she believes it's a valid scenario, although terms of use probably state SAP is not liable.
Cheers,
Custodio
I think there are two different categories of "harmful" posts:
This will make sure it's in the right hands _and_ you will be recognized for finding it. Any other behaviour potentially threatens other customers, which _to me_ is not acceptable (after all preventing that is what I go to work for every day)
To summarize: you have the right to be stupid, and I'm no friend of censorship. If you're disclosing a yet unknown vulnerability here I will be over you with all my mighty security moderator powers 😀
Cheers,
Frank.
Exactly right, Frank. If there was a way to mark a blog comment as the "right answer" this should get it !
Steve.
Hi Frank,
Thanks for your comment. Before I wrote this I talked to our Security Architect Cooper Richard and he shares the same opinion as you (except he's not SCN moderator 😉 ). As they say, "great minds think alike".
Cheers,
Custodio
+ 1
Everything forbidden spreads in underground. Removing it from Internet is almost impossible.
You just remove it from the site but you could have taken the chance to comment and explain why this is not a good approach.
It should be a storm of such comments, but unfortunately the storm happens at the like button and the rating as you can see in those 2:
How to change/delete records using debug mode
Activate &SAP_EDIT in SE16N (SAP ECC 6.0)
And that is the reason why I think SCN is far away from self regulating. And even the abuse button just pushes the decision from many to one.
Instead of removing I would wish to classify such content as harmful, adding a red watermark so that it is visible to anyone.
I even like to keep it because then the poster is known. If he works for one of our contractors, then I am sure we would address this at the right place.
Thanks Jurgen,
Very good example of SCN not being self regulated (yet?). The first one shows the op in a rather defiant attitude. Would vote down if had this option.
cheers,
Custodio
I completely agree with jurgen as they should be watermarked with red or something like this.
As for my scnerio, my organisation is passing through financial crises and they ahve not renewed their sap license from past 3 years. hopefully they wont get it renewed in future also.
As i am only abap developer so i was forced to find out a way to modify sap standard code without access key.(I manage to do so in the end 😛 )
However, i agree it is not bad practice. but i have left no other option.
Finally , my boss is happy with the changes and so that management.
So I am believe people should be allowed to post but also they should be awared of consequences of these dirty tricks.
if "not paying licence fee" is the reason to bypass, then I am actually for removal of such content
😯
Hello Custodio,
First-of-all, kudos for publishing the blog.
I bet that's true. And after i hear the comments of Ethan Jewett i feel that the content should not have been removed, rather quarantined 🙂
Food for thought for tptb @SCN management 😉
Cheers,
Suhas
Hi Suhas,
Thanks for commenting. Not sure how it works, but there were some abuse reports, so I guess the op is being moderated right now.
One thing with the warning is that it might make people even more willing to try, just because it's labeled as dangerous 🙂
Cheers,
Custodio
Hi Custodio,
Very good Blog and I totally agree with you . These kind of of information should not be spread freely.
Regards,
Raghu
Hey,
I say NO too.
Regards
Purnand
This is a great discussion (thanks to Custodio for breaking this up) and I wondered, that this kind of topic is coming up after 10 yeras of scn (can't remember a security thread discussion before) .
This discussion inspired my to add my own 2cents to this discussion. There is a certain viewpoint in the security industry about this kind of published exploits. If you are interested, I posted this blog on scn: "Spies like us don't talk to you in public" http://bit.ly/GL8UvX
Hi Holger,
Thaks for you comment and for linking it to your (very nice) blog. I left a comment there as well.
Cheers,
Custodio
I wouldn't take such a post down, but I would reserve the right to be savagely sarcastic to the poster, in bold, red, large type.
It might even be legitimate for a moderator to edit the blog/document/comment/discussion with a bold, red large type warning of "Do not do this, it is spectacularly stupid and could cost your employer a lot of money, and you your job".
If some people ignore this advice, think of it as a kind of evolution in action. The stupid people are forced to quit the industry.
For example in the case of the debug/delete in SE16 that Jurgen posted, people will do it anyway so deleting it won't have any real effect, it's too widespread.
The real answer is making a blog that teaches Basis people that allowing values to be changed in debug is real stupid and negligent in prodution systems.
Deleting the blog is pointless, but moderators could include a large warning saying "This behaviour will void your SAP Warranty".
Some folks don't post that warning and even think what they are doing is novel. Some even think it is a good idea and worth blogging about to share the "trick".
Being flamed for it is a part of the learning process and also necessary.
Cheers,
Julius
The problem with flaming is that in the end, it's a matter of opinion. The flamer can be wrong, etc.
That's why I believe the best way to signal these posts is with facts: "This will void your SAP warranty/support".
Hi João,
Thanks for your comment. Believe it or not I saw this SE16 "trick" yesterday in the security space. Go figure.
Cheers,
Custodio
The only information I need is that it is possible. Anyone who can't work how to do it from that is much of a programmer, in my (not very) humble opinion. It gets slightly more difficult in later releases.
That's why the problem isn't that the trick exists, it's not really an exploit. In a prodution system that allows values to be changed (or lines skipped) in debug you can do pretty much anything you want.
I don't think that restricting debug is the right way to go, since it has proven very useful in my daily life when you can't replicate a certain problem in Q&A, but being able to change values is very, very, very dangerous, even if you are not deleting tables.
I've seen people skip standard validations (that guess what, exist for a reason). The result, inconsistency between MM and FI, which that particular "doctor" wasn't able to solve. Irresponsible behaviour that would have been avoided if changing values was blocked. I was appaled after realizing what that person had done, but the damage was already done.
I entirely agree. Changing values (in production) should only be allowed on an as-needed basis, with a clear reason for it. In one of my clients, any changing of values is picked up during audit and must be justified.
I suggest a warning like that I've added here: http://scn.sap.com/community/data-warehousing/netweaver-bw/blog/2013/06/30/how-to-delete-a-request-from-a-database-table-in-a-debug-mode
That kind of thing would get my vote. Just need people to "report abuse" of suspect content so a mod can add similar wording in.
Gareth.
Maybe there is a chance to develop something (by the team behind the SCN platform), that you moderators can add, like a more official looking message with a logo etc, that can't be edited or deleted by the creator of the post. That would make your work easier. 🙂
I also agree with Gareth, that another add to the "Abuse report"-dropdown list would be great for this stuff.
Hi Custodio,
I strongly agree with you. Such kind of content should never be allowed in any public forum.
As a responsible SAPien, to protect the reputation of our product, we should report such vulnerabilities to SAP via OSS message. SAP do give the credit to the person who reports such issues as "External security researcher". I reported one of such issue couple of years back and SAP released a security note for this.
Thanks,
Vinod.
The problem is that there is no way of preventing the information being discussed on a non-sap-controlled web site. Therefore, the only place you'll get the information if you're a determined idiot, is from the non-sap sites, where it won't come with warnings.
Hi Custodio,
Good Day!
I agree with you. We should not allow such things in SCN. If any warning message pops up it is always good and much safer.
Regards,
Hari Suseelan
Hi Custodio,
I totally agree with you, thanks for sharing.
thanks,
Srinu.
My opinion on this subject - one of the key points of the SCN forums (and any other forum for that matter) is to spread knowledge and educate members. This should cover off both good and bad knowledge, ie. the right way and the wrong way to achieve something.
So, in the scenario of something being a very bad hack that could have dire consequences (like modifying standard programs without a key for instance!) I don't have a problem with it being mentioned on here that it can be done, however I don't believe the how it can be done should be shared. Also, I think that it should be very clear that this shouldn't be done - just because I can stick my hand in the fire, doesn't mean I should.
As has already been mentioned, often comments point out that content is bad on SCN but people don't always read comments so I think there needs to be more positive action to stress to people who casually read stuff that it is wrong. We need to educate people on what not to do, as well as what to do after all.
When I was taught ABAP (a long time ago!) there was no SCN, no SAPFans and indeed no internet access at my place of work. All I had to rely on was good old F1 help and the people I worked with. If we found a hack like this, we shared it and understood we shouldn't do it. The problem with the internet (now there's an interesting start to a sentence...) is that it is too easy to share all sorts of random information without the consumer getting the full context, or understanding whether it is accurate or not. Scary stuff... 🙂
Hi Gareth,
I liked your comment very much. Thanks.
Regards,
Hari Suseelan
I totally agree with you. A big no for just posts / blogs. But on a different note, there should be a forum or place where these kind of vulnerabilities can be recorded by daily SAP users. It will not only help SAP improve there software but also provide end customer a better software. (I am not aware if there is any apart from raising OSS Message)
There are lots of bug bounty program over there in market where lots of social networking sites recognize efforts of ethical hacking and fix those issues to provide better end user experience.
Regards
Siddarth
Hello Custodio,
I totally agree with you on this topic.
I remember around 4-5 years ago on SDN - at time it was SDN - there was a stricter moderation of a new Blog Post or Article. Whenever a user or anyone first registers to write a blog, the user would be granted as only Contributor - He / she can only write the post in draft mode but cant publish it. I had to face the same moderation for my initial blog posts - around 5/6 posts, even though I was in Topaz status based on current ratings. I was than granted to have publish rights.
I believe that type of stricter moderation should be still in place. Most of people who is looking for answers in the different area other than their expertise, use SCN as bible. They would use those poor, incomplete, potential dangerous articles as their weapons to argue with the person who is familar with the matter and who is denying not to use those techniques. But without having this stricter moderation, the content quality is becoming poor and poor everyday. That makes the expert's life more miserable as he has to keep on defending himself / herself from this bad techniques.
I believe SAP has opened the gates for new articles or blogs - many of them are not adding any values or are duplicates - after they moved to this new SCN. In the mix, SCN has introduced the Gamification which lures this of type bad content and making SCN nothing but only a content farm site.
Thanks for bringing up this topic.
Regards,
Naimesh Patel
Hi Custodio,
I too agreed with you. Awesome blog! We should not encourage this kind of content and educating the people will help us as a community to take SCN to next level.
Just one concern/question.
Where and how can we ask for getting our content (technical articles/blogs) reviewed by Moderators ?
Sometimes it's quite difficult for people like me to categories the content because somethings which are very basics/easy/not adding value to people who are in SAP world from long time and are experts might be something very useful/simple tips/adding value to less experienced people.
As rightly mentioned by Naimesh Patel in above comment, it's always a best to publish the content after review by Moderators as they are experts in respective fields.
Thanks and sorry for putting my question in this forum.
Regards,
Rahul
I'd say this is another example of where the knowledge could be shared but it really needs a warning/explanation to give it some context - http://scn.sap.com/community/abap/blog/2013/10/21/provide-sapall-authorization-using-report
I talked it through with some of the other moderators and the consent was to abuse it - repeat offender, was guestified before.
Frank.
Ah right 😉
I also warned the OP that it was a silly idea and would go downhill, but he was adamant that there was nothing wrong...
He felt the heat warmth as the community reached out to him and decided to then remove it again himself.
Cheers,
Julius
Hi,
I think we must be allowed to post content like "How to hack SAP" just to inform SAP how we could do this, and what SAP must protect or change.
Second point, SCN have to provide a secure place to post this kind of messages, just to restrict the access to register members ...
I hacked SAP with the same method for the last 14 years ... Do you know any others software that could be possible ??
(I remove the developer key control, the change object key control ....)
regards
Fred
Dear user,
hereby we kindly inform you about the legal actions being started against you. Please expect our team arriving shortly. We are running out of budget, so please go buy yourself a nice orange pyjamas before we get to knock on your door.
Your favorite software vendor's legal team.
Maybe I will have to modify SapScript for 15 years 😯
😉
Fred
Hi Custodio,
I'm thinking of disagreeing with you. Here's why.
The gist of it is that people who do drugs, do it because they want to do drugs. People who want to do bad things to an SAP system will do bad things to an SAP system because they want to do that.
Unless you somehow have a monopoloy on a piece of information that could potentially (I will get to this point specifically in a minute) be harmfull, then and only then you might have a point of not showing it here on SCN. Otherwise they will find a way and you can't stop them.
I think it is even beneficial to post this stuff here on SCN to make people who want to do good things aware of these issues.
You have to understand that if I want to do something bad to a system no one can stop me, the accumulated knowledge and skills over the years have made me potentially really dangerous. The only thing you can do is:
1. find out early that something went awry
2. find out who has done it
3. find out how to fix this
Now about potentially dangerous.
This is really subjective. Deleting workitems for instance SWWL is a dangerous tool in the hands of the uninitiated, even more dangerous than let's say the various se16/se16n tricks to delete stuff.
There are standard SAP transactions and standard reports to massively manipulate production data which I find way more potentially dangerous than all of those ABAP/debug tricks which you can't stop anyway if someone has bad intentions.
The unintentional <insert expletive> ups caused by using SAP standard transactions is something you can and should prevent and more worth the time and effort to enforce it.
Kind regards, Rob Dielemans
Hi Rob,
Thanks for commenting. As I said, I was expecting to have more people disagreeing with me than agreeing.
I agree with the subjectivity of the matter. What I don't agree is that SCN is the place to have this kind of info, the same way as, referring to your drugs analogy, you will not find a "How To Do Drugs" manual on the World Healthy Organisation website.
Cheers,
Custodio
Hi Custodio,
Hah! And now I am going to take your stolen analogy of mine and make a (succesful?) run for it.
There should be a "How to do drugs" manual on the WHO website. My point is you can't control individuals' (bad, destructive, <insert subjectivity>) needs, that is what the prohibition and something atrocious like krokodil teaches us.
The only thing in your power is to teach people how to do it in the least destructive way possible and also train others in how to spot them so that they can try to prevent or minimalize the destruction that normally goes with it.
To summarize my point:
If you do not have the monopoly on a piece of information on how to technically screw up an IT-system, it is better to get it out in the open so that people can learn from it and be prepared on how to fix it; should this piece of information be used to deliberately disrupt their IT-systems.
Hi Custodio.
Thanks for bring this discussion. I agree with you. Making this practice you can loose the guarantee offered for SAP.
What a great blog and subsequent discussions!
Although I'm not a great fan of letting incorrect and dangerous content being published openly, considering that we live in a time where online censure is highly impossible, I would rather read such dangerous content (with clarifications) here in SCN than on a third party site.
pk