Full Disclosure mailing list archives
Re: ACM.ORG data leak still there 4 days after announcing to CEO John White
From: Christian Sciberras <uuf6429 () gmail com>
Date: Mon, 22 Feb 2010 22:11:14 +0100
Valdis & Benji, I don't recall the OP saying he did an open test, nor injecting anything into the database, and as much as I've read, not even RFI. Causing a server to spit out sensitive information without modification (unauthorized access and service failures/denial of service) surely doesn't count as a crime. Someone picking up $1000 from a road is obviously not a criminal either (assuming the money is legit); getting into a bank, on the other hand, is a crime.

I'm speaking from a little personal experience of mine, where I came upon several XSS exploits on a gov't main site (it's nothing); however, the point being I didn't go there with the intent to do any harm, and didn't have to, to notice the serious flaw.

That said, something I did in Malta could be punished by beheading in Iran for what I know (and a severe fine in the US). It all depends on the law. Assuming it is a fair and comprehensible one (or simply outdated), this kind of "attack" is not covered or puts the defendant [company/gov't] in serious implications (such as in my case, where the gov't is bound by law to provide a high-uptime service with as much security as possible, yet it had serious but basic flaws).

Regards,
Chris.

On Mon, Feb 22, 2010 at 9:45 PM, <Valdis.Kletnieks () vt edu> wrote:
> On Mon, 22 Feb 2010 20:19:44 GMT, Benji said:
>
> > Does that just cover fraud? Surely a database injection counts as unauthorised access? Does this mean that now anyone can start injecting websites and extracting data, and as long as they don't use the data to 'commit fraud or disclose national secrets', or albeit, it can't be proved, that person is safe?
>
> That's a gray area. Intent does matter: "naked" - not wearing any clothes. "nekkid" - naked and up to something. Do you want to bet 3-5 in the pen that the DA won't be able to convince a jury you didn't have intent?
>
> That's why it's always recommended you have a written "Get out of jail free" card when doing a pen test - that significantly raises the bar to proving you were up to no good.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- ACM.ORG data leak still there 4 days after announcing to CEO John White the hacker (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White Benji (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White the hacker (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White Benji (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White Justin C. Klein Keane (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White Benji (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White Justin C. Klein Keane (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White Valdis . Kletnieks (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White Christian Sciberras (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White the hacker (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White James W. Lytle (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White Christian Sciberras (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White the hacker (Feb 22)
- Re: ACM.ORG data leak still there 4 days after announcing to CEO John White Benji (Feb 22)