Bugtraq mailing list archives
Re: Vulnerabilites in new laws on computer hacking
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 17 Feb 2006 14:23:26 +0100
Paul, On 2006-02-15 Paul Schmehl wrote:
--On Saturday, February 11, 2006 16:35:20 +0000 self-destruction () itsbest com wrote:New generations of teenagers will be scared of doing online exploration. I'm not talking about damaging other companies' computer systems. I'm talking about accessing them illegally *without* revealing private information to the public or harming any data that has been accessed. To me, there is a big difference between these two types of attacks but I don't think that judges feel the same way. Furthermore, I don't even think that judges understand the difference.To me there is not. They're my systems. Stay out, thank you very much. If you want to learn how to hack, set up your own network, install some OSes, with various patch levels, and hack away. You can learn everything you need to know without ever touching a system you do not own. Get your buddies involved. Hack each other's boxes. But do not hack into systems that do not belong to you. That *should* be illegal and you *should* be prosecuted.
while I agree with you that for learning and practicing it would suffice to build your own systems to tamper with, I have to disagree on the part that hacking into other people's systems *without* doing any damage should be illegal. Why is that? Well, first of all because the definition of what is and what isn't hacking is very blurry. Is a portscan hacking? Is directory traversal as in the case of Daniel Cuthbert [1] hacking? In addition to that some vulnerabilities can be discovered only ITW, simply because you cannot rebuild that environment in your lab. Two years ago we had a case like that over here in Germany [2] (the article is in german, but maybe an online translator will help). The OBSOC (Online Business Solution Operation Center) system of the Deutsche Telekom AG did not do proper authentication, so by manipulating the URL you could access other customers' data. How would you detect such a vulnerability without actually hacking the system? Is one supposed to not notice these things? Will that really make them go away? [1] http://taint.org/2005/10/12/205836a.html [2] http://www.ccc.de/t-hack/stn/inhlt/drartkl.htm Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- Vulnerabilites in new laws on computer hacking self-destruction (Feb 15)
- Re: Vulnerabilites in new laws on computer hacking Paul Schmehl (Feb 16)
- Re: Vulnerabilites in new laws on computer hacking Max Ashton (Feb 18)
- Re: Vulnerabilites in new laws on computer hacking Sysmin Sys73m47ic (Feb 18)
- Re: Vulnerabilites in new laws on computer hacking Ansgar -59cobalt- Wiechers (Feb 18)
- Re: Vulnerabilites in new laws on computer hacking Radoslav Dejanović (Feb 21)
- Re: Vulnerabilites in new laws on computer hacking Crispin Cowan (Feb 21)
- Re: Vulnerabilites in new laws on computer hacking Casper . Dik (Feb 24)
- Re: Vulnerabilites in new laws on computer hacking Ansgar -59cobalt- Wiechers (Feb 24)
- Message not available
- Re: Vulnerabilites in new laws on computer hacking Ansgar -59cobalt- Wiechers (Feb 21)
- Re: Vulnerabilites in new laws on computer hacking Paul Schmehl (Feb 16)
- Re: Vulnerabilites in new laws on computer hacking ArkanoiD (Feb 21)
- <Possible follow-ups>
- RE: Vulnerabilites in new laws on computer hacking Craig Wright (Feb 16)