Penetration Testing mailing list archives
Re: Informing Companies about security vulnerabilities...
From: Art Cooper <acooper () innerwall com>
Date: Fri, 06 Oct 2006 09:59:39 -0600
All,

I have been reading this thread with great interest. I would like to remind all of us who choose to be computer and information security professionals of the "Ten Commandments of Computer Ethics":

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

These are from the Computer Ethics Institute, and I live by them. I am also a part-time college professor, and I ALWAYS teach my students to abide by these rules. "Actively" snooping on a website during a class seems a bit risky, and violates the 7th Commandment.

My 2 Cents for what it's worth.

Best Regards,
Coop

Arthur B. Cooper Jr. "COOP"
Innerwall, Senior Information Security Consultant
http://www.innerwall.com

From: Craig Wright <cwright () bdosyd com au>
Date: Fri, 6 Oct 2006 13:29:03 +1000
To: <"arian dotevansanachronic.com"@securityfocus.com>, <pen-test () securityfocus com>
Cc: <bugtraq () securityfocus com>
Conversation: Informing Companies about security vulnerabilities...
Subject: RE: Informing Companies about security vulnerabilities...
Resent-From: <pen-test-return-1078482641 () securityfocus com>
Resent-Date: Thu, 5 Oct 2006 22:47:35 -0600 (MDT)

Hello Arian,

"Right now, I get to choose between competent professional or whistleblower (assuming I am competent). Not both."

I would disagree. You can remain a professional and still do the whistleblower bit. Will you make enemies? Yes, and I state this from experience. Will it cost you money? Yes. But the issue is that you can do both, even if there is a cost.

I reported people in a company I owned 25% of 3 years ago. I still work. The clients were happier (compared to finding out otherwise) that they had been informed that they had been defrauded than otherwise. On one hand it cost me over $1,500,000, numerous death threats, working as an employee where I was the (wholly liable) director of the firm previously, about three years of civil legal action etc. etc. On the other hand, I sleep at night.

I reported a client who had hired me when I discovered kiddie porn on his system a few years back as well. The individual did not thank me, but I had the client for years later.

The bit about being a professional is "how" you handle matters. Running to the press with every matter you find is not professional. Can I write a simple guide to acting professionally and how to handle everything that may arise? No. This is something which is garnered through time and experience (that said, there are many tomes on the subject, some good).

"Who is going to be our Ralph Nader?"

We all should be. You might polarise people (I am either respected or hated vehemently with little in the middle) - but we are here as security professionals (or at least I hope that this is the case). We all have a duty. This is not a duty to scan sites and use them as test beds and class tools (or worse). If you report something and nothing is done, well, you did your duty. Sleep well and ignore the rebuff. At the same time, we are professionals and not vigilantes - we have no right to judge the world and to take the enforcement of any issues we note to heart. More so, we have no right to actively look for holes in sites we have no connection to.

Regards,
Craig S Wright

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Arian J. Evans
Sent: Friday, 6 October 2006 5:18 AM
To: pen-test () securityfocus com
Cc: bugtraq () securityfocus com
Subject: RE: Informing Companies about security vulnerabilities...

btw// these "real-world" analogies are like guinea pigs. They haven't a darn thing to do with the subject.

The subject is the law, which is not clearly defined on these matters, but in the US you'll get a smattering of wire-related laws, intention, and intended use interpretations. If intended use wasn't defined, then we default to California law where judges have upheld "if you can't define it, you can't defend it", but if it was defined, then that's a whole other gray area that I don't think most of us on this pen test list are qualified to analyze (myself included). Ask a Jennifer Granick.

Now, the interesting question we SHOULD /be discussing/ on this list, is who is going to be our Ralph Nader? Some of this stuff is simply unsafe at any speed.

Right now, I get to choose between competent professional or whistleblower (assuming I am competent). Not both.

-ae
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Levenglick, Jeff
Sent: Thursday, October 05, 2006 1:04 PM
To: Krpata, Tyler; bugtraq () cgisecurity net; joe () learnsecurityonline com; pen-test () securityfocus com
Cc: bugtraq () securityfocus com
Subject: RE: Informing Companies about security vulnerabilities...
Tyler,
What in the world are you talking about? If you read his email, he said that he was doing XSS and SQL injections on someone else's web site. In order for him to say that the SQL attack worked, he would have to see some data. Therefore, at the very least, he has viewed private data.

What is VERY illegal is the fact that he knew there was an issue and then kept going. He should have stopped at that point and let the company know. (He should not have been there in the first place.)
A good example: You walk along the sidewalk in a small town at night. All the stores are closed. For whatever reason you turn the door knob on each store you pass to see if the door is locked. You find one that is unlocked. A normal person would either close the door and leave or let someone know.

This guy did the equivalent of going in the store to see if he could find other problems, i.e. a light is on, a fan is on... etc. At that point, if you left a note telling the owner that not only was the door open, but you came in and tested everything in the store, I would think that he would call the cops and a lawyer and not you.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Krpata, Tyler
Sent: Wednesday, October 04, 2006 4:13 PM
To: bugtraq () cgisecurity net; joe () learnsecurityonline com; pen-test () securityfocus com
Cc: bugtraq () securityfocus com
Subject: RE: Informing Companies about security vulnerabilities...
"On the count of entering an apostrophe into the Search box on the plaintiff's web site, how do you plead?"
....doubtful.
-----Original Message-----
From: bugtraq () cgisecurity net [mailto:bugtraq () cgisecurity net]
Sent: Wednesday, October 04, 2006 3:15 PM
To: joe () learnsecurityonline com; pen-test () securityfocus com
Cc: bugtraq () securityfocus com
Subject: RE: Informing Companies about security vulnerabilities...
So you are admitting publicly that you and a class of students that you teach are illegally testing random public websites for the purpose of learning about security vulnerabilities? Sounds like you/your company need to speak with a lawyer.
- Robert
http://www.cgisecurity.com/ Application Security news and more
http://www.cgisecurity.com/index.rss [RSS Security Feed]
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Joseph McCray
Sent: Wednesday, October 04, 2006 3:07 AM
To: pen-test () securityfocus com
Subject: Informing Companies about security vulnerabilities...
This probably won't sound like that big of a deal, but it still bothered me so I figured I'd ask the list. I was teaching a Web Application Security class last week and we were performing simple XSS, SQL Injection, etc. on the vulnerable web apps I use for class.