An ethical obligation to not answer questions seeking to circumvent IT policies? I've come across a few questions where the user asks something like, "How do I set up a server when the IT department won't let me?" U...--prophetes.ai

An ethical obligation to not answer questions seeking to circumvent IT policies? I've come across a few questions where the user asks something like, "How do I set up a server when the IT department won't let me?" Usually the questions are asked by a relatively inexperienced user. They usually require more of a "how-to" than a detailed analysis of a security flaw. In this discussion, some people felt that vulnerabilities should be openly discussed, and I agree. I don't think that there should be any censorship based on the idea of obfuscation. However, I think that when it is clear that an inexperienced user is seeking to circumvent IT Policies in a way that may be harmful or dangerous to that person or that person's company we should close the question. I think that as a community of system administrators we owe it to each other to set a good example for IT Users.

We already do... mostly. The only thing I've seen linger are questions concerning "legitimate" hacking (like a user who forgot the password on their home computer or similar). Even those tend to get a response similar to "there's plenty of sites out there with directions on breaking into Windows, we don't need it here too".

If it's suspiciously or obviously against company policy, I do my best to shut them down immediately. The others I'm still against as it's rare for a SA who follows best practices to have to engage in any questionable behaviors.

On the topic of exploit analysis (white hat), that's a security professional's field, and the reason IT Security has it's own site.