Penetration Testing mailing list archives
RE: (illegal?) Informing Companies about security vulnerabilities...
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Fri, 6 Oct 2006 10:30:40 -0500
This anecdotal dialogue really has nothing to do with US laws, as I stated, and to a lesser degree, the UK law, as I stated. The UK computer abuse provision reads quite differently than the US laws that govern these same areas. The Judge in Daniel's trial acknowledged the almost complete lack of case law in this field.

As for wisdom, well, to each their own. I have the wisdom to know I'll find long term ethical happiness by finding a path by which actively dishonest software vendors may be held accountable. (Note: I think only a small subset are actively dishonest; of the rest I suspect only ignorance.)

As for the rest, there are many stories only a Google away about "child hackers" that almost always involve an overzealous prosecutor and/or educational administrator. The "hacking" usually ranges from too many HTTP GET requests to tampering with a URL parameter, and it almost always turns into a wrist slapping, so again we have a clear lack of precedent. Unless I'm missing something.

-ae
-----Original Message-----
From: Nathan Keltner [mailto:shiftnato () gmail com]
Sent: Friday, October 06, 2006 8:56 AM
To: Arian Evans; pen-test () securityfocus com
Subject: Re: (illegal?) Informing Companies about security vulnerabilities...

Remember Daniel Cuthbert from the UK?
http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/

He was convicted for typing in a directory traversal check, tacking a simple ../../ onto the URI. By that logic, I would think a simple ' or 3=3-- would put you in the same boat. (Both are testing to see if it's possible, but both could potentially return info you were not explicitly authorized to see.) The whole thing is pretty ridiculous, but the cases are what the cases are, I guess.

Regarding "The real threat is the injury & impact lawsuit from a misguided entity with deep pockets, not the criminal courts." While true (massive fines would hurt a lot more than a few weeks in jail), it's still a few weeks in jail, and court costs, and etc. I don't know what the solution is, but given the environment, I don't see it as wise to knowingly put yourself in a position where charges could be brought up, especially when courts are showing they don't truly understand the issues involved. I wouldn't trust justice to prevail.

Also, in searching for the above, I came across this recent article that pertains to the overall discussion:
http://www.theregister.co.uk/2006/09/27/nz_bank_test_trial/

Kid runs some tests against a banking app, calls the bank to tell them about their problems, calls the telco in between him and the bank to tell them their problems, then gets raided. In the end, he got out of it, but it was up in the air for a while, and certainly a bigger headache than anyone wants to go through.

-N

On 10/5/06, Arian J. Evans <arian.evans () anachronic com> wrote:

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Levenglick, Jeff

> Proof that - He knows that he did. Because he is teaching a class on security he should know it is illegal

What, exactly, is illegal about it? I see people keep saying this, but no meat to the comments. Maybe, perhaps, this is defined by HTML tags in some courts? <b> is legal but <script> is not? How about hex html encoding? Or what do you consider XSS testing?

I submit what is legal has nothing to do with these things, in the US, and to a lesser degree, the UK laws. I do not know unfortunately enough about EU laws to comment.

Someone said you have to see sensitive data to validate SQL injection, which is a naïve statement. In certain cases, say using MS tsql queries, I can tell quite easily if I can inject SQL by terminating the query using: ;-- Some simply with: ' That is SQL syntax. That is SQL Injection. That does not expose any sensitive data, and is also, evidently, valid input. Did I hack? Is it illegal? Please.

The real threat is the injury & impact lawsuit from a misguided entity with deep pockets, not the criminal courts.

</mindless_speculations>

-ae
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------