Bugtraq mailing list archives
Re: Vulnerabilites in new laws on computer hacking
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sun, 19 Feb 2006 14:47:00 +0100
On 2006-02-19 Ronald Chmara wrote:
On Feb 17, 2006, at 5:23 AM, Ansgar -59cobalt- Wiechers wrote:I have to disagree on the part that hacking into other people's systems *without* doing any damage should be illegal. Why is that? Well, first of all because the definition of what is and what isn't hacking is very blurry.That depends on jurisdiction, but it seems pretty clear to me what is, and isn't, legal and illegal hacking.
Well, to me it's not quite so clear.
Is a portscan hacking?On someone else's machines? It is non-accidental probing of another person's property in an attempt to gain information about how to access it, without being invited to do so? That's illegal hacking.
A portscan is a probe to find out what services a publicly available machine provides towards the Internet. I entirely fail to see what's hacking about that, much less illegal hacking.
Is directory traversal as in the case of Daniel Cuthbert [1] hacking?On someone else's machines? It is non-accidental probing of another person's property in an attempt to gain information about how to access it, without being invited to do so? That's illegal hacking.
That's ridiculous. Did you actually read what that case was about? Besides, how am I invited to use a website? How am I invited to send e-mail to someone (i.e. use their mail server)? You just asked for the Internet to be shut down. [...]
Two years ago we had a case like that over here in Germany [2] (the article is in german, but maybe an online translator will help). The OBSOC (Online Business Solution Operation Center) system of the Deutsche Telekom AG did not do proper authentication, so by manipulating the URL you could access other customers' data. How would you detect such a vulnerability without actually hacking the system?OBSOC could contract out for regular testing and hacking with *authorized* individuals. The system would likely have to be hacked, but legally.
Whether they could or couldn't hire someone to do the testing is not the point here. A customer noticed the vulnerability, and exploited it to confirm it was real. Do you really believe he should be prosecuted for that?
Is one supposed to not notice these things? Will that really make them go away?Making it "go away" requires companies to invest in their own security. This includes regularly *hiring* people to hack at their systems.
You didn't answer the first question: is one supposed to not notice this kind of things? Do I have to trust that companies do their job properly, even if there's evidence that they don't? You can't be serious here. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- Vulnerabilites in new laws on computer hacking self-destruction (Feb 15)
- Re: Vulnerabilites in new laws on computer hacking Paul Schmehl (Feb 16)
- Re: Vulnerabilites in new laws on computer hacking Max Ashton (Feb 18)
- Re: Vulnerabilites in new laws on computer hacking Sysmin Sys73m47ic (Feb 18)
- Re: Vulnerabilites in new laws on computer hacking Ansgar -59cobalt- Wiechers (Feb 18)
- Re: Vulnerabilites in new laws on computer hacking Radoslav Dejanović (Feb 21)
- Re: Vulnerabilites in new laws on computer hacking Crispin Cowan (Feb 21)
- Re: Vulnerabilites in new laws on computer hacking Casper . Dik (Feb 24)
- Re: Vulnerabilites in new laws on computer hacking Ansgar -59cobalt- Wiechers (Feb 24)
- Message not available
- Re: Vulnerabilites in new laws on computer hacking Ansgar -59cobalt- Wiechers (Feb 21)
- Re: Vulnerabilites in new laws on computer hacking Paul Schmehl (Feb 16)
- Re: Vulnerabilites in new laws on computer hacking ArkanoiD (Feb 21)
- <Possible follow-ups>
- RE: Vulnerabilites in new laws on computer hacking Craig Wright (Feb 16)
- Message not available
- RE: Vulnerabilites in new laws on computer hacking Marcus J. Ranum (Feb 16)
- Re: Vulnerabilites in new laws on computer hacking dave (Feb 18)
- Re: Vulnerabilites in new laws on computer hacking Seth Breidbart (Feb 18)
- Re: Vulnerabilites in new laws on computer hacking ArkanoiD (Feb 21)
- Message not available
- Re: Vulnerabilites in new laws on computer hacking ArkanoiD (Feb 18)