Full Disclosure mailing list archives

Re: Full-Disclosure Digest, Vol 83, Issue 21


From: Valdis.Kletnieks () vt edu
Date: Tue, 17 Jan 2012 12:28:11 -0500

On Tue, 17 Jan 2012 11:08:02 EST, "Mikhail A. Utin" said:
> So far it has been a very interesting discussion, but nevertheless nobody went to the Source, which is the Law,

18 USC 1030 is the governing Federal statute in the US.  In addition, many of the
states have their own legislation.

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

"having knowingly accessed a computer without authorization or exceeding
authorized access, and by means of such conduct having obtained information..."

Note that "protected computer" doesn't mean "secured" - it means "protected under
the terms of this law", which includes any system:

"which is used in or affecting interstate or foreign commerce or communication,
including a computer located outside the United States that is used in a manner
that affects interstate or foreign commerce or communication of the United
States;"

which is basically *any* system on the Internet.

Basically, you use a flaw to extract secret info from a "protected computer",
and you aren't an authorized pen tester with a signed "get out of jail free"
card from the owner of the computer, you just bought yourself a felony rap.

That's part of why CISOs don't want to hire the kiddies that whacked them - if
they come forward they're basically copping to a felony.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
