RE: (illegal?) Informing Companies about security vulnerabilities...

From: Arian J. Evans (arian.evans@anachronic.com)
Date: Fri Oct 06 2006 - 11:30:40 EDT


This anecdotal dialogue really has nothing to do with
US laws, as I stated, and to a lesser degree, the UK
law, as I stated.

The UK computer abuse provision reads quite differently
than the US laws that govern these same areas.

The Judge in Daniel's trial acknowledged the almost
complete lack of case law in this field.

As for wisdom, well, to each their own. I have the
wisdom to know I'll find long term ethical happiness
by finding a path by which actively dishonest software
vendors may be held accountable.

(note: I think only a small subset are actively
dishonest; of the rest I suspect only ignorance)

As for the rest, there are many stories only a Google
away about "child hackers" that almost always involve
an overzealous prosecutor and/or educational administrator.

The "hacking" usually ranges from too many HTTP GET
requests to tampering with a URL parameter, and it
almost always turns into a wrist slapping, so again
we have a clear lack of precedent.

Unless I'm missing something.

-ae

> -----Original Message-----
> From: Nathan Keltner [mailto:shiftnato@gmail.com]
> Sent: Friday, October 06, 2006 8:56 AM
> To: Arian Evans; pen-test@securityfocus.com
> Subject: Re: (illegal?) Informing Companies about security
> vulnerabilities...
>
> Remember Daniel Cuthbert from the UK?
>
> http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/
>
> He was convicted for typing in a directory traversal check, tacking a
> simple ../../ onto the URI. By that logic, I would think a simple '
> or 3=3-- would put you in the same boat. (Both are testing to see if
> it's possible, but both could potentially return info you were not
> explicitly authorized to see.) The whole thing is pretty ridiculous,
> but the cases are what the cases are, I guess.
>
> Regarding "The real threat is the injury & impact lawsuit from a
> misguided entity with deep pockets, not the criminal courts."
>
> While true (massive fines would hurt a lot more than a few weeks in
> jail), it's still a few weeks in jail, and court costs, and etc. I
> don't know what the solution is, but given the environment, I don't
> see it as wise to knowingly put yourself in a position where charges
> could be brought up, especially when courts are showing they don't
> truly understand the issues involved. I wouldn't trust justice to
> prevail.
>
> Also, in searching for the above, I came across this recent article
> that pertains to the overall discussion:
>
> http://www.theregister.co.uk/2006/09/27/nz_bank_test_trial/
>
> Kid runs some tests against a banking app, calls the bank to tell them
> about their problems, calls the telco in between him and the bank to
> tell them their problems, then gets raided.
>
> In the end, he got out of it, but it was up in the air for a while,
> and certainly a bigger headache than anyone wants to go through.
>
> -N
>
> On 10/5/06, Arian J. Evans <arian.evans@anachronic.com> wrote:
> >
> >
> > > -----Original Message-----
> > > From: listbounce@securityfocus.com
> > > [mailto:listbounce@securityfocus.com] On Behalf Of Levenglick, Jeff
> >
> > > Proof that -He knows that he did.
> > > Because he is teaching a class on security he should know it
> > > is illegal
> >
> > What, exactly, is illegal about it?
> >
> > I see people keep saying this, but no meat to the comments.
> >
> > Maybe, perhaps, this is defined by HTML tags in some courts?
> >
> > <b> is legal but <script> is not? How about hex html encoding?
> > Or what do you consider XSS testing?
> >
> > I submit what is legal has nothing to do with these things,
> > in the US, and to a lesser degree, the UK laws. I do not
> > know unfortunately enough about EU laws to comment.
> >
> > Someone said you have to see sensitive data to validate SQL
> > injection, which is a naïve statement. In certain cases, say
> > using MS tsql queries, I can tell quite easily if I can inject
> > SQL by terminating the query using: ;--
> >
> > Some simply with: '
> >
> > That is SQL syntax. That is SQL Injection. That does not expose
> > any sensitive data, and is also, evidently, valid input.
> >
> > Did I hack? Is it illegal?
> >
> > Please. The real threat is the injury & impact lawsuit from
> > a misguided entity with deep pockets, not the criminal courts.
> >
> > </mindless_speculations>
> >
> > -ae
> >

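The quoted message's point that a lone `'` can tell you whether input reaches the SQL parser without returning any data, shown as an added example (not code from anyone on this thread) against an in-memory SQLite table constructed for the purpose: the query built by string concatenation fails with a syntax error on a single quote, while the parameterised query treats the same input as plain text and simply matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample backend: two users, no sensitive columns."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def lookup_concat(con, name):
    """Vulnerable form: the caller's input is spliced into the SQL text.

    A single quote in `name` leaves the string literal unterminated, so
    SQLite rejects the statement. The error alone proves the input was
    parsed as SQL; no row is ever returned.
    """
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    try:
        return ("ok", [row[0] for row in con.execute(sql)])
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_param(con, name):
    """Hardened form: the input is bound as a parameter and never parsed
    as SQL, so a quote is just a character that matches no user."""
    rows = con.execute("SELECT role FROM users WHERE name = ?", (name,))
    return ("ok", [row[0] for row in rows])


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice", "'"):
        print(repr(probe), lookup_concat(db, probe), lookup_param(db, probe))
```

Logging the database error class (not the error text) on the server side gives the application owner the same signal the tester gets, which is the cheap detection to keep even after the query has been parameterised.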
------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT