Bugtraq mailing list archives

Re: Vulnerabilities in new laws on computer hacking


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sun, 19 Feb 2006 14:47:00 +0100

On 2006-02-19 Ronald Chmara wrote:
> On Feb 17, 2006, at 5:23 AM, Ansgar -59cobalt- Wiechers wrote:
> > I have to disagree on the part that hacking into other people's
> > systems *without* doing any damage should be illegal. Why is that?
> > Well, first of all because the definition of what is and what isn't
> > hacking is very blurry.
>
> That depends on jurisdiction, but it seems pretty clear to me what is,
> and isn't, legal and illegal hacking.

Well, to me it's not quite so clear.

> > Is a portscan hacking?
>
> On someone else's machines? It is non-accidental probing of another
> person's property in an attempt to gain information about how to
> access it, without being invited to do so? That's illegal hacking.

A portscan is a probe to find out what services a publicly available
machine provides towards the Internet. I entirely fail to see what's
hacking about that, much less illegal hacking.

> > Is directory traversal as in the case of Daniel Cuthbert [1] hacking?
>
> On someone else's machines? It is non-accidental probing of another
> person's property in an attempt to gain information about how to
> access it, without being invited to do so? That's illegal hacking.

That's ridiculous. Did you actually read what that case was about?
Besides, how am I invited to use a website? How am I invited to send
e-mail to someone (i.e. use their mail server)? You just asked for the
Internet to be shut down.

[...]
> > Two years ago we had a case like that over here in Germany [2] (the
> > article is in German, but maybe an online translator will help). The
> > OBSOC (Online Business Solution Operation Center) system of the
> > Deutsche Telekom AG did not do proper authentication, so by
> > manipulating the URL you could access other customers' data. How
> > would you detect such a vulnerability without actually hacking the
> > system?
>
> OBSOC could contract out for regular testing and hacking with
> *authorized* individuals. The system would likely have to be hacked,
> but legally.

Whether they could or couldn't hire someone to do the testing is not the
point here. A customer noticed the vulnerability, and exploited it to
confirm it was real. Do you really believe he should be prosecuted for
that?

> > Is one supposed to not notice these things? Will that really make
> > them go away?
>
> Making it "go away" requires companies to invest in their own
> security. This includes regularly *hiring* people to hack at their
> systems.

You didn't answer the first question: is one supposed to not notice
this kind of thing? Do I have to trust that companies do their job
properly, even if there's evidence that they don't? You can't be serious
here.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
