Security Basics mailing list archives

Re: Disclosure of vulns and its legal aspects...


From: steph <stevie () nerdshack com>
Date: Sat, 16 Jun 2007 17:38:43 +0100

Would a valid alternative not be to seek permission as a personal exercise to see if you can find any vulnerabilities, and then you would be able to report your findings to them without the risk of legal trouble, as it is essentially having prior permission.

A nicely worded letter/email would go a long way to helping get permission to do this.

Steph

Craig Wright wrote:
This is simple. You have NO rights to go looking for vulnerabilities on a web site you do not control.

You can check your own systems all you like (excluding reverse engineering laws in some jurisdictions). You can NEVER check a site which you do not control without EXPLICIT and EXPRESS permission legally.
"i would like carte blanche to investigate a bit more about it." is just wrong. You are not the authorised protector of the Web. You have no rights to do this. To do otherwise is to be a vigilante. People have the right to be insecure. As an analogy, I can leave my house unlocked - it is my right to be insecure and there is nothing you may do about it legally. After the fact this may (and will) impact my insurance, but this is MY decision and you have no right to go about checking my proverbial door.

If you think that you have a right - look at Mr Cuthbert last year [1]. Maybe Mr Gray [2]. Even as Mr Cuthbert discovered, doing "../.." "testing" or checking SQL input fields is illegal and usually criminal.

The laws in the US and UK differ in statute. The common law foundation of property has deviated, but has a common basis. The law of license is such that you never have a right in either place to do this. What varies is the penalty. It will be a "simple" civil penalty in some places (i.e. you pay money) and a criminal felony offense in others. Worse, this may be international in that web sites are rarely local to you and this makes it worse again.

Regards,
Craig

[1] R v Daniel Cuthbert {Horseferry Road Magistrates Court 07/10/2005} Computer Misuse Act 1990, s 1 Unauthorised access
IT security consultant donated £30 to Disasters Emergency Committee Tsunami appeal website, then "checked" site security. Defendant found guilty of unauthorised access "with deep regret", convicted and fined £400.

[2] R v Raphael Gray {Swansea Crown Court 06/07/2001} Computer Misuse Act 1990 Unauthorised access - Unauthorised modification
Teenage hacker aka Curador demonstrated security weaknesses in e-commerce web-sites and accessed 23,000 credit card records, some posted on his web-site. Guilty plea. Defendant convicted and sentenced to three years probation and medical treatment for obsessive mental disorder.
