WebApp Sec mailing list archives
Re: Web security breach changes the lives of 119 people
From: "Ed Tracy @ Aspect Security" <ed.tracy () aspectsecurity com>
Date: Mon, 28 Mar 2005 15:36:47 -0500
Michael,

Thanks for your professionalism in your response. I'd like to articulate my point (comments inline).
Michael Silk wrote:
> Ed, I guess you mean "hacking" as in performing an illegal action; not "hacking" (as the original intent of the word - http://www.catb.org/jargon/html/meaning-of-hack.html).

No, neither. I used hacking in the layman's sense: "Doing something unethical on an IT system."
> In this specific case I don't think there is enough info out about exactly what instructions were given to the students who did the URL modification.

That's true. And in cases like this people typically make some assumptions so that they can have a discussion on a concrete topic. I think it's fair to assume (or that it's known) that the applicants:
1. knew there was a date in the future upon which they would be receiving notification
2. identified themselves to the system
3. modified URL parms to attempt to access something in the site that wasn't normally in their interface -OR-
4. submitted a published URL that they knew would offer them information that wasn't supposed to be available until a future date
If you don't agree with this case description, let me know. But if you don't, then we may not have anything interesting to argue about.
> It's such a trivial thing (modifying the URL) that it is a little unreasonable for the person performing the action to know what they were doing was 'wrong'.

This is exactly what I was referring to when I used the term, "warped." This is not a trivial thing to people who are not familiar with the Web. As further illustrated by your analogy to finding $5 on the sidewalk, I think your expertise has you thinking that this is so easy that the person just stumbled across it. I feel strongly that regardless of how easy it was to stumble across it, the person still knew that they were trying to access a part of the website that would provide them data that they weren't supposed to have access to. (If you disagree with this, please be specific, as it is this assumption that I base the rest of my argument on.)
Considering they knowingly made this action, they are culpable in my book, period. And yes, the vendor/school, whoever, should bear some responsibility, too. But this is independent of the applicants' culpability. I've heard this brought up a lot and most people in the industry only want to talk about what Harvard should have done and should do. Outside our industry, people focus on the individual's culpability. Whatever happened to independence of components?
> You suggest that if Harvard had done more, or less, it wouldn't 'diminish their culpability'. Well I couldn't disagree more. As

Then let me ask you. If Harvard HAD done more... and the applicant tried the URL manipulation without any success, would that diminish their culpability? No, I don't think so. They still tried to do something wrong. Kinda like our attempted murder charge in the criminal justice system.
--
Ed

Edward Tracy, CISSP
ed.tracy () aspectsecurity com
(443) 745-6270 (cell)
(301) 604-4882 (office)
(781) 240-7886 (fax)
Aspect Security™ - Securing your applications at the source <http://aspectsecurity.com/about.html>
http://www.aspectsecurity.com
Do your developers know the top ten web application security mistakes <http://aspectsecurity.com/topten>?
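As an added example, not code from this thread or from any system it discusses: the server-side checks that would make the URL manipulation described in the case above fail, together with the refusal log that makes repeated attempts visible to the operator. The handler name, record layout, release date and applicant ids are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed data for the example: the embargo date before which no
# decision may be shown, and the owner of each decision record.
RELEASE_DATE = datetime(2005, 3, 30, tzinfo=timezone.utc)
DECISIONS = {
    "d-1001": {"owner": "applicant-7", "text": "admitted"},
    "d-1002": {"owner": "applicant-9", "text": "denied"},
}


@dataclass
class Audit:
    """Collects refused requests. A burst of 'not_owner' or 'embargoed'
    entries from one authenticated user is what a monitoring rule keys on."""
    refused: list = field(default_factory=list)

    def refuse(self, user, decision_id, reason):
        self.refused.append((user, decision_id, reason))
        return "refused", reason


def get_decision(user, decision_id, now, audit, decisions=DECISIONS):
    """Hypothetical handler behind /decision?id=...; `user` is taken from
    the authenticated session, never from anything in the URL."""
    record = decisions.get(decision_id)
    # An unknown id and somebody else's id get the same answer, so editing
    # the id in the URL reveals nothing about which records exist.
    if record is None or record["owner"] != user:
        return audit.refuse(user, decision_id, "not_owner")
    # Ownership alone is not enough: the letter stays embargoed until release,
    # even for a correct, published URL.
    if now < RELEASE_DATE:
        return audit.refuse(user, decision_id, "embargoed")
    return "ok", record["text"]


def suspicious_users(audit, threshold=2):
    """Detection side: users with at least `threshold` refusals, sorted."""
    counts = {}
    for user, _, _ in audit.refused:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```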