Re: Pentester convicted..

From: Jason Mayer (slamboy@gmail.com)
Date: Thu May 11 2006 - 08:37:54 EDT


Not to nitpick or anything, but he hasn't been convicted yet. He has been charged though. Knowing the criminal justice system like I do, it'll probably be another 2 years at least before a jury finds him innocent :)
On 5/10/06, William Hancock <bill.hancock@isthmusgroup.com> wrote:
> Hey there pen-testers, take this with a grain of salt, it just got me
> excited. I am really interested in everyone's opinion on the matter of
> corporate responsibility and ownership.
>
> <RANT>
> In an article posted to slashdot today
> (http://it.slashdot.org/article.pl?sid=06/05/10/112259&from=rss) a man
> has been convicted of hacking when he casually and helpfully reported a
> security vulnerability to the owners of a web site, in this case The
> University of Southern California. It reads like it was some sort of
> simple SQL injection and upon gleaning the information he reported it.
>
> What are we to do as a community, I ask? Why should we, the good guys,
> who are paid for our knowledge and ability to exploit mistakes,
> oversights, and weaknesses and then professionally report them to aid in the
> securing of information capital (or anyone who reports the flaw for that
> matter), worry about prosecution? It lends itself to forcing the
> technical community to sit on their laurels and wait for the people who
> don't report issues to exploit them. Further, it sounds very clear that
> had he not notified them, they would have never known.
>
> A security pro notices a flaw, checks to make sure he is not on crack by
> 'flipping a bit', deems the threat viable and likely to be exploited,
> notifies the owners, then gets arrested and charged with unauthorized
> access. We, as a, or even The, security community, should push
> corporations, governments, and organized bodies to take responsibility
> and ownership of their problems. If they publish a site that is flawed
> or exposing information then they are authorizing the retrieval of that
> information. I'm not advocating that the laws should allow any jerk to
> try and brute his or her way into a public or private web site, but
> come on.
>
> If someone leaves their wallet in the park with no guard or protection,
> I pick it up and bring it back to the owner; the owner didn't want me to
> have it but I brought it back to him. Why in the hell should I have to
> go to jail for returning it to him? Why should I/we be punished for
> doing the right thing?
>
> I acknowledge this to be a rant but there must be some way to insist
> that when people make something available to the public it is their
> responsibility to safeguard it and appreciate, not persecute, someone who
> lets them know (for free I might add) that a weakness exists. This is
> simple scapegoating; the University did something not advisable as a
> good practice and instead of owning up to it they vilified a
> professional pen-tester for offering valid advice.
>
> </RANT>
>
>
> Thanks,
> Bill



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:56 EDT