From: Craig Wright (cwright@bdosyd.com.au)
Date: Thu May 11 2006 - 02:40:19 EDT
Hello,
Some people seem to have the idea that it is their right to go about
testing security of systems on the web without permission. In my books
this is (and always will be) a breach of the owners rights. Yes you have
a right to be stupid, a right to be insecure and a right to not install
adequate controls.
What you do not have is a right to test the security of another site
without their express permission. This is not vulnerability research.
Vulnerability research - which mind you is not security research is
about discovering flaws in software and systems on the market, not flaws
in an implementation.
Next there is a world of difference from noticing and reporting bad
script on a page and to actually sending an active attack to test a
site. Reading the source of a poorly written web page is one thing (and
this in itself will oft show a large number of vulnerabilities).
Attacking the site is another.
The so called defence of "I did it to protect them" does not and never
has held. Any action to property that is not expressly allowed (and a
license to view a web site is just that - to view - not to test) is
trespass. This is nothing new. Nearly a thousand years of law uphold
this. From the times of King John where you had no right to check the
security of the local lord's castle, you have no right to check the
security of a site without express permission.
The recent cases of Cuthbert in the UK, McCarty in thew US etc show a
disregard for the rights of others. These people are not helping anyone.
They make the industry look like a bunch of cowboys for a start and they
violate the rights of others. This is not ethical behaviour and should
be stopped.
Yes it would be great if everyone had to be secured. You do not achieve
this by randomly attacking sites just because you feel like it. There
are ways to make sites more secure and attacking sites without
permission is not one.
Some of the police gun storage lockers in NSW, Australia have been shown
to be unsafe by current standards. Should people attempt to break into
police stations to see if they can steal a gun? They would of course
only do it to help...
Security professionals should act as a professional member of the
security community. Professionals act when they are engaged too act, not
as vigilantes with a personal vendetta against the world's insecure
systems.
Regards,
Craig
Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.
Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:56 EDT