Re: as security pro's, how do you use the web now?

[ACMurray () cmp com]

Hi Daniel,

This is an interesting issue. I can see why it's tempting to poke around the
site to see if it's secure--after all, you have a right to protect yourself.
That said, I still think it's unethical, even if it was just a half-hearted
cracking attempt; breaking the law just to check whether someone else might be
able to break the law isn't a defensible position.

Ethics aside, doing a half-hearted crack job probably isn't that helpful anyway;
just because you didn't break in doesn't mean someone else can't. And if you did
break in, what makes you think that putting in an order via phone makes your
data more secure than doing it via the Web site?  Your credit card info is still
going to be entered into a database that may or may not be secure, and will be
handled by employees who may or may not be trustworthy.

If you're really that worried about the security of the site, I think you're
better off not doing business with them.

Just my two cents.

Best,
Andrew


Andrew Conry-Murray
Technology Editor
Network Magazine
acmurray () cmp com
(415) 947-6342



                                                                                                                        
              
                      Rogan Dawes                                                                                       
              
                      <discard@dawes.z         To:      Daniel <deeper () gmail com>                                    
                 
                      a.net>                   cc:      webappsec () securityfocus com                                  
                 
                                               bcc:                                                                     
              
                      01/14/2005 08:15         Subject: Re: as security pro's, how do you use the web now?              
              
                      AM                                                                                                
              
                      Please respond                                                                                    
              
                      to "lists AT                                                                                      
              
                      dawes DOT za DOT                                                                                  
              
                      net"                                                                                              
              
                                                                                                                        
              
                                                                                                                        
              




Daniel wrote:
> With more of my purchases being made on the web today, i'm always
> concerned that the site I'm using is making use of decent security
> standards.
>
> Last night i was purchasing some art on line and when it came to the
> payment section, the whole thing was iffy and didn't seem right. Even
> on the most basic input field, there was no validation being performed
> (yes i added a back tick, and even though some might find this wrong,
> i would like to know that my banking details are being handled in
> accordance with UK data protection laws)
>
> I didn't go any further and decided to phone in my order via the phone.
>
> Does anyone else do this?
> I know that it opens up a whole can of worms regarding acceptable
> usage of the site, and it would be interesting to see what other
> people think.
>
> Daniel

Hi Daniel,

I think that in the absence of any other means of determining the
overall security of a site (some recently issued reputable security
certification, perhaps), that sort of test is roughly equivalent to
rattling your front door after you have locked it, to ensure that it
stays locked.

While perhaps conflicting with the letter of the law, I don't think that
it is an entirely unreasonable thing to perform one or two "peace of
mind" tests before you hand over your details.

What I'm trying to say is that I commend you for your vigilance, even if
I am not that vigilant myself.

Regards,

Rogan

"Back ticks" (``), however, are unlikely to reveal much about the
security of the site. They are generally used by a Unix shell for
command interpolation, rather than as string delimiters in a SQL
command. Did you mean "single quotes" (''), perhaps?
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"






__________________________________________________________________________________________

Any views or opinions are solely those of the author and do not necessarily
represent those of CMP Media LLC, 600 Community Drive, Manhasset, NY 11030.

The information transmitted is intended only for the person or entity to which
it is addressed and may contain confidential and/or privileged material.  If you
are not the intended recipient of this message please do not read, copy, use or
disclose this communication and notify the sender immediately.  It should be
noted that any review, retransmission, dissemination or other use of, or taking
action or reliance upon, this information by persons or entities other than the
intended recipient is prohibited.
__________________________________________________________________________________________