Penetration Testing mailing list archives
RE: (illegal?) Informing Companies about security vulnerabilities...
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Thu, 5 Oct 2006 17:02:49 -0500
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Levenglick, Jeff

Proof that -He knows that he did. Because he is teaching a class on security he should know it is illegal

What, exactly, is illegal about it? I see people keep saying this, but no meat to the comments.

Maybe, perhaps, this is defined by HTML tags in some courts? <b> is legal but <script> is not? How about hex html encoding? Or what do you consider XSS testing?

I submit what is legal has nothing to do with these things, in the US, and to a lesser degree, the UK laws. I do not know unfortunately enough about EU laws to comment.

Someone said you have to see sensitive data to validate SQL injection, which is a naïve statement. In certain cases, say using MS tsql queries, I can tell quite easily if I can inject SQL by terminating the query using:

    ;--

Some simply with:

    '

That is SQL syntax. That is SQL Injection. That does not expose any sensitive data, and is also, evidently, valid input.

Did I hack? Is it illegal? Please.

The real threat is the injury & impact lawsuit from a misguided entity with deep pockets, not the criminal courts.

</mindless_speculations>

-ae