RE: Informing Companies about security vulnerabilities...

From: Arian J. Evans (arian.evans@anachronic.com)
Date: Thu Oct 05 2006 - 15:17:51 EDT


btw// these "real-world" analogies are like guinea pigs.

They haven't a darn thing to do with the subject.

The subject is the law, which is not clearly defined on
these matters, but in the US you'll get a smattering of
wire-related laws, intention, and intended use interpretations.

If intended use wasn't defined, then we default to California
law where judges have upheld "if you can't define it, you
can't defend it", but if it was defined, then that's a whole
other gray area that I don't think most of us on this pen
test list are qualified to analyze (myself included).

Ask a Jennifer Granick

Now, the interesting question we SHOULD /be discussing/
on this list, is who is going to be our Ralph Nader?

Some of this stuff is simply unsafe at any speed.

Right now, I get to choose between competent professional
or whistleblower (assuming I am competent). Not both.

-ae

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Levenglick, Jeff
> Sent: Thursday, October 05, 2006 1:04 PM
> To: Krpata, Tyler; bugtraq@cgisecurity.net;
> joe@learnsecurityonline.com; pen-test@securityfocus.com
> Cc: bugtraq@securityfocus.com
> Subject: RE: Informing Companies about security vulnerabilities...
>
> Tyler,
>
> What in the world are you talking about? If you read his email, he said
> that he was doing XSS and SQL injections on someone else's web site. In
> order for him to say that the SQL attack worked, he would have to see
> some data. Therefore, at the very least, he has viewed private data.
>
> What is VERY illegal is the fact that he knew there was an issue and
> then kept going. He should have stopped at that point and let the
> company know.
> (He should not have been there in the first place.)
>
> A good example:
> You walk along the sidewalk in a small town at night. All the stores are
> closed. For whatever reason you turn the door knob on each store you
> pass to see if the door is locked.
>
> You find one that is unlocked. A normal person would either close the
> door and leave or let someone know.
>
> This guy did the equivalent of going in the store to see if he could
> find other problems, i.e. a light is on, a fan is on, etc. At that
> point, if you left a note telling the owner that not only was the door
> open, but you came in and tested everything in the store, I would think
> that he would call the cops and a lawyer and not you.
>
> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com]
> On Behalf Of Krpata, Tyler
> Sent: Wednesday, October 04, 2006 4:13 PM
> To: bugtraq@cgisecurity.net; joe@learnsecurityonline.com;
> pen-test@securityfocus.com
> Cc: bugtraq@securityfocus.com
> Subject: RE: Informing Companies about security vulnerabilities...
>
> "On the count of entering an apostrophe into the Search box on the
> plaintiff's web site, how do you plead?"
>
> ....doubtful.
>
> -----Original Message-----
> From: bugtraq@cgisecurity.net [mailto:bugtraq@cgisecurity.net]
> Sent: Wednesday, October 04, 2006 3:15 PM
> To: joe@learnsecurityonline.com; pen-test@securityfocus.com
> Cc: bugtraq@securityfocus.com
> Subject: RE: Informing Companies about security vulnerabilities...
>
> So you are admitting publicly that you and a class of students that you
> teach are illegally testing random public websites for the purpose of
> learning about security vulnerabilities? Sounds like you/your company
> need to speak with a lawyer.
>
> - Robert
> http://www.cgisecurity.com/ Application Security news and more
> http://www.cgisecurity.com/index.rss [RSS Security Feed]
>
> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com]
> On Behalf Of Joseph McCray
> Sent: Wednesday, October 04, 2006 3:07 AM
> To: pen-test@securityfocus.com
> Subject: Informing Companies about security vulnerabilities...
>
> This probably won't sound like that big of a deal, but it still bothered
> me so I figured I'd ask the list. I was teaching a Web Application
> Security class last week and we were performing simple XSS, SQL
> Injection, etc. on the vulnerable web apps I use for class.
>

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:07 EDT