Full Disclosure mailing list archives
Re: Rate Stratfor's Incident Response
From: Giles Coochey <giles () coochey net>
Date: Thu, 12 Jan 2012 23:36:29 +0000
On 12/01/2012 23:30, Byron Sonne wrote:
If you go to a website and do a bit of clicking around that's normal behaviour, walking past the house, having a look at the front rose garden etc...Hello,Bad analogy. Closer would be if you have a house that's got a driveway on a public street, and you claim it's not breaking and entering if you walk up the driveway, try the doorknob, find it unlocked, and let yourself in without the permission of the residents. Saying that "anybody could walk up and let themselves in the door" doesn't make it legal.This is a pretty classic analogy that I've used many times myself, but for many years now I've found myself questioning it... I mean good analogies are valuable, but I think in this case it falls down. Mostly, there's the expectation of physical security or, at least, privacy, when it comes to a house. If someone's rattling door knobs, it's not unreasonable to expect that they could be there to rob or do you harm, as the human race does not have a significant history of peaceful/harmless door rattling practices (that I know of). Now, when it comes to the internet and networks in general, we've entered a whole new world where many old ways of looking at things, tempting as they are, don't fit. There's also no real relevance to fearing for your physical safety if someone's probing your net. To a good extent I might be talking out of my ass here, but I'd welcome feedback.
If you go to a website and do some hand tweaking of the URL to see if you get to stuff that shouldn't be there, well that's trying the doorknob of the house to see if it's locked etc...
If you write and/or use a tool to mass check loads of potential URLs... attempt SQL injections etc... you see where I'm going.
If you use the results of that tool or get lucky with the URL tweaks and take confidential documents or alter records on the backend, well that's just plain theft and/or fraud.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Fwd: Rate Stratfor's Incident Response, (continued)
- Re: Fwd: Rate Stratfor's Incident Response coderman (Jan 16)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 12)
- Re: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 12)
- Re: Rate Stratfor's Incident Response Laurelai (Jan 12)
- Re: Rate Stratfor's Incident Response Ian Hayes (Jan 12)
- Re: Rate Stratfor's Incident Response Laurelai (Jan 12)
- Re: Rate Stratfor's Incident Response Giles Coochey (Jan 12)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 12)
- Re: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 12)
- Re: Rate Stratfor's Incident Response Byron Sonne (Jan 12)
- Re: Rate Stratfor's Incident Response Giles Coochey (Jan 12)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 13)
- Re: Rate Stratfor's Incident Response Jeffrey Walton (Jan 12)
- Re: Rate Stratfor's Incident Response BMF (Jan 12)
- Re: Rate Stratfor's Incident Response Thor (Hammer of God) (Jan 12)
- Re: Rate Stratfor's Incident Response Valdis . Kletnieks (Jan 13)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 13)
- Re: Rate Stratfor's Incident Response Ferenc Kovacs (Jan 13)
- Re: Rate Stratfor's Incident Response Giles Coochey (Jan 13)
- Re: Rate Stratfor's Incident Response Benjamin Kreuter (Jan 13)
- Re: Rate Stratfor's Incident Response Paul Schmehl (Jan 13)