Penetration Testing mailing list archives

Re: (illegal?) Informing Companies about security vulnerabilities...


From: "Nathan Keltner" <shiftnato () gmail com>
Date: Fri, 6 Oct 2006 08:56:25 -0500

Remember Daniel Cuthbert from the UK?

http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/

He was convicted for typing in a directory traversal check, tacking a
simple ../../ onto the URI. By that logic, I would think a simple '
or 3=3-- would put you in the same boat.  (Both are testing to see if
it's possible, but both could potentially return info you were not
explicitly authorized to see.)  The whole thing is pretty ridiculous,
but the cases are what the cases are, I guess.

Regarding "The real threat is the injury & impact lawsuit from a
misguided entity with deep pockets, not the criminal courts."

While true (massive fines would hurt a lot more than a few weeks in
jail), it's still a few weeks in jail, and court costs, etc.  I
don't know what the solution is, but given the environment, I don't
see it as wise to knowingly put yourself in a position where charges
could be brought up, especially when courts are showing they don't
truly understand the issues involved.  I wouldn't trust justice to
prevail.

Also, in searching for the above, I came across this recent article
that pertains to the overall discussion:

http://www.theregister.co.uk/2006/09/27/nz_bank_test_trial/

Kid runs some tests against a banking app, calls the bank to tell them
about their problems, calls the telco in between him and the bank to
tell them their problems, then gets raided.

In the end, he got out of it, but it was up in the air for a while,
and certainly a bigger headache than anyone wants to go through.

-N

On 10/5/06, Arian J. Evans <arian.evans () anachronic com> wrote:


> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of Levenglick, Jeff

> Proof that -He knows that he did.
> Because he is teaching a class on security he should know it
> is illegal

What, exactly, is illegal about it?

I see people keep saying this, but no meat to the comments.

Maybe, perhaps, this is defined by HTML tags in some courts?

<b> is legal but <script> is not? How about hex html encoding?
Or what do you consider XSS testing?

I submit what is legal has nothing to do with these things,
in the US, and to a lesser degree, the UK laws. I do not
know unfortunately enough about EU laws to comment.

Someone said you have to see sensitive data to validate SQL
injection, which is a naïve statement. In certain cases, say
using MS tsql queries, I can tell quite easily if I can inject
SQL by terminating the query using:  ;--

Some simply with: '

That is SQL syntax. That is SQL Injection. That does not expose
any sensitive data, and is also, evidently, valid input.

Did I hack? Is it illegal?

Please. The real threat is the injury & impact lawsuit from
a misguided entity with deep pockets, not the criminal courts.

</mindless_speculations>

-ae



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


