Penetration Testing mailing list archives
Definitions of what is a security researcher
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 11 May 2006 16:40:19 +1000
Hello,

Some people seem to have the idea that it is their right to go about testing the security of systems on the web without permission. In my books this is (and always will be) a breach of the owner's rights. Yes, you have a right to be stupid, a right to be insecure and a right to not install adequate controls. What you do not have is a right to test the security of another site without their express permission. This is not vulnerability research. Vulnerability research (which, mind you, is not security research) is about discovering flaws in software and systems on the market, not flaws in an implementation.

Next, there is a world of difference between noticing and reporting a bad script on a page and actually sending an active attack to test a site. Reading the source of a poorly written web page is one thing (and this in itself will oft show a large number of vulnerabilities). Attacking the site is another. The so-called defence of "I did it to protect them" does not and never has held. Any action to property that is not expressly allowed (and a license to view a web site is just that - to view - not to test) is trespass.

This is nothing new. Nearly a thousand years of law uphold this. From the times of King John, where you had no right to check the security of the local lord's castle, you have no right to check the security of a site without express permission. The recent cases of Cuthbert in the UK, McCarty in the US etc. show a disregard for the rights of others. These people are not helping anyone. They make the industry look like a bunch of cowboys for a start and they violate the rights of others. This is not ethical behaviour and should be stopped.

Yes, it would be great if everyone had to be secured. You do not achieve this by randomly attacking sites just because you feel like it. There are ways to make sites more secure and attacking sites without permission is not one of them.
Some of the police gun storage lockers in NSW, Australia have been shown to be unsafe by current standards. Should people attempt to break into police stations to see if they can steal a gun? They would of course only do it to help...

Security professionals should act as professional members of the security community. Professionals act when they are engaged to act, not as vigilantes with a personal vendetta against the world's insecure systems.

Regards,
Craig