Thread: A question of ethics

  1. #1
    Member
    Join Date
    Jan 2010
    Posts
    159

    I don't want to see this post immediately dumped into the idiots' corner, so I hope I am clear on what I am trying to outline and that I explain what is going on, what I am considering doing and why.

    I have never attacked a system without permission in my life. Whether that system is a client's who has asked for a pen test, in the lab, or against a friend with whom we agreed to mutually attack each other's systems in a friendly hacking wargame.

    I have, as you no doubt must guess, been asked countless times to "hack this system for me". I have always said no.

    I have now been asked to help - but not necessarily perform an attack myself. The problem is that I have been asked to do this by my Girlfriend, and given that we sleep in the same bed, my outright saying "no" has not gone over well.

    Understand I am trying to find a *LEGAL* way to do this, and that is part of my question. I want to do this within the bounds of the law, not outside it.

    ----

    My girlfriend runs 3 orphanages in Africa, totaling around 300 children. Finding competent help to manage the orphanages while she is here in North America is difficult. Corruption is rampant in Africa. Any work the people do managing the orphanages does not come with receipts, or, when they do you can be certain that the values on the receipts are inflated greatly beyond the real amount.

    One of the workers there who otherwise does a very good job has been caught embezzling orphanage funds before. My GF discovered this as she was suspicious, and shoulder-surfed his password to his yahoo email account, then read his yahoo email. It was then provable that he was stealing from the orphanage as yahoo email is his only communication with contractors.

    He promised not to steal again, but then he changed his password. The laptop actually belongs to the orphanage, but he uses his personal yahoo email for all orphanage business.

    Now, I know the kind of passwords he uses - and a dictionary attack on his yahoo email would crack it. That, however, would be illegal for me to do in my country.

    The other option is to install a keylogger on his machine. This would have to be done with a pre-made MSI with a silent install, as the window of opportunity to install it would be short for my Girlfriend, but she is not computer savvy. It would have to be a one-click type install carried on a USB key.

    On the internet front, he connects to the internet with a cell phone modem, and is on only for short periods, so gaining remote access to the machine over the internet is basically impossible; any initial exploit must first be local. I believe that my doing this would be legal as my girlfriend's charity owns the laptop, and the employee is using it for the orphanages. The law is also substantially different in Africa of course.

    My Girlfriend does not want to confront the employee directly without evidence, but at the same time she does not want some of the charity funds going to supporting this guy's lifestyle instead of the children. To compound the problem, he is actually very good at what he does, and replacing him would be quite difficult. Due to the culture, locals will refuse to work for white people unless they pay 5X the "normal" wage in the area because "you can afford it if you are white..."

    So, she wants to keep him on, but just cut off his avenues of stealing charity money. And, as he uses that email for all transactions, she needs access to it to find the money trail.

    What options are there legally to find out who he is working with to steal extra money? Note, involving the police in Africa is not a good idea, their idea of an investigation involves tying someone to a chair and beating the confession out of them, then throwing them in prison for 3 years.

    So, what I am asking for is how to *legally* gain access to this machine or more specifically the yahoo mail account. Problem is I am in North America, and my girlfriend is currently in Africa. I hope some people here on the forum have some ideas that might help as I can't think of anything other than the keylogger, which I believe is legal.

    * I am deliberately being obtuse about the orphanage and specific country, as I don't want any sort of stink to be associated with the charity work that she does.

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    IANAL:

    In my opinion, I would say the owner of the Laptop would have the right to grant you permission to retrieve any information you need, regardless of them using the Yahoo account, especially since the Yahoo account is being used to conduct business with the employer and with contractors of the employer.

    Of course, the best bet would be to retrieve the laptop and then fire him. I understand that good help is hard to find over there, but they obviously don't have good help currently employed when it comes to this person.

    If they hire a new person, make it very clear to them that all communications with the laptop can/will be monitored and the first instance of wrong-doing is immediate termination.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3

    I too "am not a lawyer" nor do I play one on TV. That being said:

    IMHO: If the charity owns the laptop, and if their corporate IT usage policy states that monitoring is authorized, then if the charity were to install a keylogger on their laptop, they would be perfectly within their rights to do so. If you were to be "hired" by said charity as a consultant to perform IT services and you were to install the keylogger under their authorization, then that too would also be legal.

    If you installed the keylogger only at your girlfriend's request, without express permission from someone in the charity's IT management chain, then I think you would "legally" be on shaky ground.

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Quote Originally Posted by Mr. Flibble View Post
    One of the workers there who otherwise does a very good job has been caught embezzling orphanage funds before. My GF discovered this as she was suspicious, and shoulder-surfed his password to his yahoo email account, then read his yahoo email. It was then provable that he was stealing from the orphanage as yahoo email is his only communication with contractors.
    He should have been fired.

    He promised not to steal again, but then he changed his password. The laptop actually belongs to the orphanage, but he uses his personal yahoo email for all orphanage business.
    Personal email accounts should never be used for company business. Even if it's only a separate Yahoo or Gmail account, at least if it's set up by the business for the business you can argue there is no expectation of privacy.

    Now, I know the kind of passwords he uses - and a dictionary attack on his yahoo email would crack it. That, however, would be illegal for me to do in my country.
    Agreed.

    The other option is to install a keylogger on his machine. This would have to be done with a pre-made MSI with a silent install, as the window of opportunity to install it would be short for my Girlfriend, but she is not computer savvy. It would have to be a one-click type install carried on a USB key.
    To me this is fine. If it's a company machine he should have no expectation of privacy. Though a signed Acceptable Use Policy (re-signed yearly etc) would be a good move, so that employees understand that they have no expectation of privacy when using company resources.

    On the internet front, he connects to the internet with a cell phone modem, and is on only for short periods, so gaining remote access to the machine over the internet is basically impossible; any initial exploit must first be local. I believe that my doing this would be legal as my girlfriend's charity owns the laptop, and the employee is using it for the orphanages. The law is also substantially different in Africa of course.
    Assuming the company has an administrative account on the machine, there should be no need to "exploit" anything but existing reasonable permissions and functionality.

    My Girlfriend does not want to confront the employee directly without evidence, but at the same time she does not want some of the charity funds going to supporting this guy's lifestyle instead of the children. To compound the problem, he is actually very good at what he does, and replacing him would be quite difficult. Due to the culture, locals will refuse to work for white people unless they pay 5X the "normal" wage in the area because "you can afford it if you are white..."
    The company should simply change his responsibilities or ensure that more than one person/signature is needed to access the funds.

    So, she wants to keep him on, but just cut off his avenues of stealing charity money. And, as he uses that email for all transactions, she needs access to it to find the money trail.
    See above.

    What options are there legally to find out who he is working with to steal extra money?
    Send him a "new" laptop and have him ship back the "old" one.
    Note, involving the police in Africa is not a good idea, their idea of an investigation involves tying someone to a chair and beating the confession out of them, then throwing them in prison for 3 years.
    I understand that she feels he's a good worker and her choices are limited, but seriously, he's stealing from needy children; it doesn't get much worse than that. He deserves whatever comes his way.

    So, what I am asking for is how to *legally* gain access to this machine or more specifically the yahoo mail account. Problem is I am in North America, and my girlfriend is currently in Africa. I hope some people here on the forum have some ideas that might help as I can't think of anything other than the keylogger, which I believe is legal.
    Again:

    1) He should not be allowed to conduct business from a personal account. If he must then an acceptable use policy for the computer and his email access (personal or business) should be enforced.
    2) If it's not his personal laptop I agree (though IANAL) you can do anything you wish to it.
    3) Enforce some separation of duties: have him set up the agreements or whatever and have someone else pay them. Or even better, have access to any charity funds require multiple people (hopefully at least one of which you can trust fully ... failing that, it doesn't matter what you do or prove, your problem will be on-going and never ending.).

    You might be able to contact Yahoo's abuse or fraud department and have them assist you.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    I agree with what both streaker and cybersnpr have said, although I am not a lawyer, I do have a bit of experience with the law. Clearly, under US law, if the charity owns the laptop, they can ask you to hack it.

    A couple of things that I would do:
    • Get a written contract signed by the charity's director (or if that's your girlfriend, then from the board of directors.) You want something that is signed by someone with authority in the charity other than your girlfriend to avoid any appearance of impropriety. Also, talk with the charity's lawyers to get clearance on this.
    • The contract can say that you're waiving your fee, or donating the fee back to the charity. (One or the other may give you a tax break.) Either way, you want a contract to show that they have given you permission to do this, and that you are turning over any and all findings to the charity (i.e. not just your girlfriend.)
    • This will show that it's all above board, and not just a witch hunt because your girlfriend doesn't like the guy, or because of office politics, etc.
    • The one thing you probably want to avoid is directly accessing the Yahoo! account via webmail, as this would be overstepping the legal boundaries, and may place you, your girlfriend, and the charity in deep legal problems. That would clearly be a violation of US law.
    • Get evidence that this guy is doing that via either a keylogger or by searching for other evidence on the laptop such as spreadsheets, and then have the lawyers submit a subpoena to Yahoo! for the guy's email history and contents. You can then assist them in going through the contents of the emails to determine who the target may be working with.
    • Rather than going through all the subterfuge, buying a new laptop, and swapping it in person and without warning might be a good way to recover current evidence on the laptop. "Bill, we need to send this back to the US. Here's your new laptop. We'll send you a CD back if there's any personal files you need."
    Technically, there are a couple of keylogger programs with silent installers that you can instruct your girlfriend to use on the laptop if you want to go that route. The Hak5 Hacksaw may give you some ideas.
    Thorn
    Stop the TSA now! Boycott the airlines.

  6. #6
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Nicely said Thorn!
  7. #7
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Quote Originally Posted by thorin View Post
    Nicely said Thorn!
    Thanks. I see you also thought of the direct approach of giving him a new laptop. Great minds think alike.

    And I agree he should have been fired when first found out. People in such situations who say "I won't do it again" usually mean "I'll be careful not to have you catch me again."
  8. #8
    Member
    Join Date
    Jan 2010
    Posts
    159

    Some excellent replies, thank you!

    Quote Originally Posted by streaker69 View Post
    Of course, the best bet would be to retrieve the laptop and then fire him. I understand that good help is hard to find over there, but they obviously don't have good help currently employed when it comes to this person.
    Believe it or not, this is apparently common practice – or so I am told. While it is illegal, it is considered “expected” behavior. In fact, any government official, police or otherwise takes something on the side.

    She informs me that she has literally been unable to locate anyone who can run the orphanages in her absence – she is away from Africa for 9 months of the year, she used to be there for 6 months of the year running them. This guy is corrupt, but apparently he is “less” corrupt than most, and the only employee she has found so far that actually works to improve the orphanages.

    She tells me that the culture just considers this acceptable – as long as they don't get caught. But if they get caught, then they stop. In my mind this is messed up... I would fire his ass personally, but everyone who has been there (not just my GF) tells me that finding a replacement is just about impossible. The conditions suck.

    Quote Originally Posted by cybrsnpr View Post
    IMHO: If the charity owns the laptop, and if their corporate IT usage policy states that monitoring is authorized, then if the charity were to install a keylogger on their laptop, they would be perfectly within their rights to do so. If you were to be "hired" by said charity as a consultant to perform IT services and you were to install the keylogger under their authorization, then that too would also be legal.
    There is not even an IT usage policy. He is located in a small village in Africa, and commutes to the orphanages, which are about 35 miles from the nearest power lines; his laptop is the only charity computer apart from my girlfriend's laptop and those of the rest of the directors who live here in North America. Basically, all the management is run by this one guy.

    Quote Originally Posted by thorin View Post
    1) He should not be allowed to conduct business from a personal account. If he must then an acceptable use policy for the computer and his email access (personal or business) should be enforced.
    2) If it's not his personal laptop I agree (though IANAL) you can do anything you wish to it.
    3) Enforce some separation of duties: have him set up the agreements or whatever and have someone else pay them. Or even better, have access to any charity funds require multiple people (hopefully at least one of which you can trust fully ... failing that, it doesn't matter what you do or prove, your problem will be on-going and never ending.).

    You might be able to contact Yahoo's abuse or fraud department and have them assist you.
    Good suggestions thorin. I actually set up a website for the orphanages, and I set it up so that there is an email account specifically for him. I have also set it up to silently forward all inbound and outbound email to his account to my girlfriend's email so she can keep tabs on him. I know she is in the process of trying to get all communication about the orphanage to go through the actual orphanage email accounts.

    I know my GF is trying to do this under the radar, because the guy will “go to ground” if he thinks she is snooping about. To make matters worse, she is far less skilled with a computer than he is.

    The suggestion of contacting Yahoo's abuse/fraud department is excellent. I had not considered that.

    Quote Originally Posted by Thorn View Post
    I agree with what both streaker and cybersnpr have said, although I am not a lawyer, I do have a bit of experience with the law. Clearly, under US law, if the charity owns the laptop, they can ask you to hack it.

    A couple of things that I would do:
    • Get a written contract signed by the charity's director (or if that's your girlfriend, then from the board of directors.) You want something that is signed by someone with authority in the charity other than your girlfriend to avoid any appearance of impropriety. Also, talk with the charity's lawyers to get clearance on this.
    • The contract can say that you're waiving your fee, or donating the fee back to the charity. (One or the other may give you a tax break.) Either way, you want a contract to show that they have given you permission to do this, and that you are turning over any and all findings to the charity (i.e. not just your girlfriend.)
    • This will show that it's all above board, and not just a witch hunt because your girlfriend doesn't like the guy, or because of office politics, etc.
    • The one thing you probably want to avoid is directly accessing the Yahoo! account via webmail, as this would be overstepping the legal boundaries, and may place you, your girlfriend, and the charity in deep legal problems. That would clearly be a violation of US law.
    • Get evidence that this guy is doing that via either a keylogger or by searching for other evidence on the laptop such as spreadsheets, and then have the lawyers submit a subpoena to Yahoo! for the guy's email history and contents. You can then assist them in going through the contents of the emails to determine who the target may be working with.
    • Rather than going through all the subterfuge, buying a new laptop, and swapping it in person and without warning might be a good way to recover current evidence on the laptop. "Bill, we need to send this back to the US. Here's your new laptop. We'll send you a CD back if there's any personal files you need."
    Technically, there are a couple of keylogger programs with silent installers that you can instruct your girlfriend to use on the laptop if you want to go that route. The Hak5 Hacksaw may give you some ideas.

    The idea of the new laptop that you and thorin suggested is a very good one, I had not considered it. It would have to go out with a BIOS level spyware package, as he can nuke and pave the OS whenever he wants without retribution – 9 months of the year he is working in Africa with no real oversight, the other 3 months of the year, my GF is onsite.

    The legal documents from the charity are a good idea, I had not considered that at all as my GF is the main director. It will be easy for me to get approval on that.

    The mention of the Hak5 Hacksaw is perfect, as my GF can bring by a USB key with photographs of the children or similar things on it to “upload”, then come back later and do the same again. I would just have to pick programs that won’t be detected by AV programs, but that is easy enough to do. I really like this idea as she can audit the keylogger data (or forward it to me) and there is no overt program installation going on.

  9. #9
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Is it possible to get a lawyer's advice on whether this monitoring activity you are considering is legal, or even on questionable ground, in this particular African country? It's easy to assume that an African country won't have laws governing this type of thing, especially considering how slow even advanced Western countries have been to institute laws governing computer misuse, but if this isn't true you REALLY don't want to be caught by the African police violating any law while still inside that African country. The potential consequences for your girlfriend (or yourself if you ever visit) could be far worse than just having some of the charity's money appropriated into financing this dishonest guy's lifestyle. And that's especially true if that activity seems to be attacking this "baksheesh" behavior that's considered a way of life over there.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  10. #10
    Junior Member NaZirCon's Avatar
    Join Date
    Sep 2007
    Posts
    71

    My current place of residence is outside of the USA (Balkans), and I'm painfully aware of fabricated laws. The best thing I could recommend is to study the laws of the particular country and act accordingly. Or, as the ancient proverb says: "When in Rome, act like a Roman."
    You'll save both of you a lot of trouble.
    Beer is served only to members of the trade union!