Full Disclosure mailing list archives
Re: ACM.ORG data leak still there 4 days after announcing to CEO John White
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Mon, 22 Feb 2010 15:29:50 -0500
Hello,

As I stated previously, the intent is critical in determining criminality based on the statute. Each sentence that includes "unauthorized access" also includes "with intent." For instance:

"knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value"

If you do accidentally mistype a URL it clearly is not a violation of the statute. If you utilize SQL injection to retrieve financial information in order to support a carding ring you clearly violate the statute. If you expose a vulnerability in order to report it to the responsible parties and to raise awareness, well, that falls into a gray area where "intent" is probably the crux of the decision.

You can read the statute online in many places (http://www.law.cornell.edu/uscode/18/1030.html); it's worth checking out.

One more time for emphasis - I'm not a lawyer ;)

--
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey

On 02/22/2010 03:19 PM, Benji wrote:
> "Title 18 Section 1030, the Computer Fraud and Abuse Act of 1986, pretty much limits crimes to those intent on committing fraud or disclosing national secrets."
>
> Does that just cover fraud? Surely a database injection counts as unauthorised access? Does this mean that now anyone can start injecting websites and extracting data, and as long as they don't use the data to 'commit fraud or disclose national secrets', or albeit, it can't be proved, that person is safe?
>
> On Mon, Feb 22, 2010 at 8:12 PM, Justin C. Klein Keane <justin () madirish net> wrote:
>> I'm not a lawyer, and I assume Benji isn't either, but it's worth noting that Title 18 Section 1030, the Computer Fraud and Abuse Act of 1986, pretty much limits crimes to those intent on committing fraud or disclosing national secrets. Exposing personal information doesn't seem to fit under any of the statutory definitions of crime unless you use that information to commit identity theft. The word "intent" figures prominently in that statute, so I'd surmise full-disclosure actually argues against this access being a crime.
>>
>> Justin C. Klein Keane
>> http://www.MadIrish.net
>>
>> The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey
>>
>> On 02/22/2010 02:52 PM, Benji wrote:
>>> Not to be a dick or anything, but whether it should be or not is irrelevant, it is a crime. As you seem to be a "security expert" doing "penetration testing and security audits" I'm sure you'd understand that, for example, a remote file include is literally just a case of 'modifying one parameter of a URL'. You didn't enumerate passwords, well, I guess that makes the crime slightly less serious. Personal info isn't worth that much I've heard. In fact, by publishing data and the fact there is a hole, you could argue that in fact you could've made the situation worse for ACM.
>>>
>>> Hypothetically, now you've displayed that a hole is there, someone could go and dump the database, saving them the time of even looking for a vulnerable site. I'm just wondering what makes you so sure they won't do anything like that?
>>>
>>> On Mon, Feb 22, 2010 at 7:46 PM, the hacker <info () the-hacker info> wrote:
>>>> Hello Benji,
>>>>
>>>> I did not crack/enumerate any passwords, use buffer overflow with metasploit or whatever other tools... I don't think that by just modifying one parameter of a URL you already break a law (or all people that have spelling problems when entering a URL would be in jail).
>>>>
>>>> Also I have contacted ACM with my REAL name, address, phone number etc. via email. I've even called the CEO twice! So they know my identity because I just wanted to let them know about the problem on their website - but when they did not react for 4 days I extracted some sample data (I could have got much more) from the site to mail it to them. I've extracted enough to show them that it's not just 10 addresses, but it's far from everything.
>>>>
>>>> So I wonder why I should be in trouble for wanting to help them? Do you other guys on the list also think that this is already a crime?
>>>>
>>>> By the way, I've sent the mail with the data 2 hours ago but no reaction.
>>>>
>>>> Greetings
>>>> th
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/