Security Basics mailing list archives
RE: application for an employment
From: Murad Talukdar <talukdar_m () subway com>
Date: Wed, 29 Mar 2006 12:32:15 +1000
Thanks Craig--as ever, I defer to your greater knowledge on these things--thanks for the full breakdown. (Where do you get most of this stuff from, if you don't mind me asking? As you're in Oz too, I could do with pointing our corporate counsel to some more resources for localized referencing.)

Also, this made me think of how you can use Google to find 'vulnerabilities' (though perhaps not in the classic sense of the term) on web facing machines (check out johnnyihackstuff). Would the law cover this kind of 'scanning'? I get the feeling it will catch up at some time soon if it doesn't already.

Regards
Murad Talukdar

-----Original Message-----
From: Craig Wright [mailto:cwright () bdosyd com au]
Sent: Wednesday, March 29, 2006 7:54 AM
To: Murad Talukdar; security-basics () securityfocus com
Subject: RE: application for an employment

Hello,

First to your "Man in the Piddle attack". You would be guilty of any strict liability offences. You would also be liable under offences where negligence is involved. "Piddling" on the wall - missing the bowl etc. - is damage (I would not want to clean up after you ;). There are defences to criminal trespass; being drunk would likely excuse you if you did not damage anything. Being drunk is not an excuse - unless you can show (the burden of proof is with you) that you did not voluntarily drink the alcohol. There are numerous people who have spent a few nights in the lockup for drunken escapades.

There is a difference between port scanning and vulnerability scanning; the law can treat these differently. Port scanning is not a criminal action UNLESS you cause damage. Damage includes causing a system to reboot. In the US damage is generally held (state by state varies) at being a minimum of $5,000. Getting an incident team in to investigate the reboot will cost more than 5k.

Scanning across international boundaries does not make anything more or less legal. It makes enforceability more difficult. Action would need to first be brought in the country you scanned, and then that country would need to seek to enforce its orders under treaty rights. Scanning within Europe is an easy case. EC laws make criminal enforcement for all EU violations simple (in comparison). In cases where there is no treaty, things are more difficult. You may have action decided but not be able to enforce it. Sometimes it is easier to just contact the embassy of the nation involved. They may or may not do anything depending on the political climate.

Port scanning in North Korea or China (without government permits etc.) is an offence (as is owning the tools). Prove (and this is proof to a criminal level) who scanned you in CN and the Chinese govt. may have the person shot (this is an ethical decision to make before you report to these countries).

In most western countries, port scanning (and note port scanning - not vulnerability scanning) is not strictly illegal. Remember however that any damage makes the act illegal and criminal in many jurisdictions. The risk of causing damage may not be great, but the impact is. Thus the risk of doing this without authorisation is not worth the benefit.

Regards
Craig

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m () subway com]
Sent: 28 March 2006 2:18
To: security-basics () securityfocus com
Subject: RE: application for an employment

When I was a wayward teenager, I once got very drunk during a KISS FM summer roadshow. The result of three hours of solid drinking in the sun was a very full bladder. Now, for some unknown reason I decided to tag onto a group of people that I had never met before and I actually managed to walk into their house unnoticed by them until we all got into the kitchen. There I was challenged by someone along the lines of, "Who the hell are you," (but with more, uhh, brio) at which point I replied that I needed to use their toilet.

Needless to say they refused and politely, if a little roughly, ejected me forthwith. Now you could say that I was port scanning in the hope of finding somewhere to dump data that did not belong to the owners of the house in question. Or something. Maybe I've got this whole analogy thing the wrong way round. Perhaps you could say that I was attempting a Man in the Piddle attack. I don't know.

The port scanning issue is such a nebulous one, especially when applied across international boundaries. What does the law say where YOU are? What does the law say where you are about scanning OTHER countries? What does the law in another country say about you scanning their country from somewhere else? As someone has pointed out (and I'll defer to them on this point) the scanning is not illegal in Germany, with the usual conditions of course. Is it unethical? Hmmm.

Should he tell the Uni? I don't think so. Not until he works out how they operate. Also, has Matthias posted with his real name? This whole thread would no doubt show up on a quick Google.....will they bother doing that? If the employers know anything about modern hiring resources then I'd expect them to....

Regards
Murad Talukdar

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Tuesday, March 28, 2006 5:18 AM
To: 'Craddock, Larry'; security-basics () securityfocus com
Subject: RE: application for an employment

It's more like throwing a stone at a window to see if it's open. Sometimes the stone bounces off the closed window, sometimes it sails through the open window, and sometimes it *breaks* the window. "I only wanted to find out if the window was open or closed" is not generally considered an excuse to avoid responsibility for the broken pane....

David Gillett
Current thread:
- RE: application for an employment, (continued)
- RE: application for an employment Andrew Williams (Mar 27)
- RE: application for an employment Craig Wright (Mar 28)
- RE: application for an employment Craig Wright (Mar 28)
- RE: application for an employment Craig Wright (Mar 28)
- RE: application for an employment Craig Wright (Mar 28)
- Re: application for an employment Cesc (Mar 29)
- RE: application for an employment Craig Wright (Mar 29)
- RE: Spam:RE: application for an employment Mark Gorman (Mar 29)
- Re: Spam:RE: application for an employment Ian Scott (Mar 30)
- RE: Spam:RE: application for an employment Mark Gorman (Mar 29)
- RE: application for an employment Craig Wright (Mar 29)
- RE: application for an employment Murad Talukdar (Mar 29)
- RE: application for an employment Craddock, Larry (Mar 29)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 30)
- RE: application for an employment David Gillett (Mar 30)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 30)
- RE: application for an employment David Gillett (Mar 31)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 31)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 30)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 31)