Penetration Testing mailing list archives
Re: (illegal?) Informing Companies about security vulnerabilities...
From: "Nathan Keltner" <shiftnato () gmail com>
Date: Fri, 6 Oct 2006 08:56:25 -0500
Remember Daniel Cuthbert from the UK? http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/ He was convicted for typing in a directory traversal check, tacking a simple ../../ onto the URI. By that logic, I would think a simple ' or 3=3-- would put you in the same boat. (Both are testing to see if it's possible, but both could potentially return info you were not explicitly authorized to see.) The whole thing is pretty ridiculous, but the cases are what the cases are, I guess.

Regarding "The real threat is the injury & impact lawsuit from a misguided entity with deep pockets, not the criminal courts." While true (massive fines would hurt a lot more than a few weeks in jail), it's still a few weeks in jail, and court costs, and etc. I don't know what the solution is, but given the environment, I don't see it as wise to knowingly put yourself in a position where charges could be brought up, especially when courts are showing they don't truly understand the issues involved. I wouldn't trust justice to prevail.

Also, in searching for the above, I came across this recent article that pertains to the overall discussion: http://www.theregister.co.uk/2006/09/27/nz_bank_test_trial/ Kid runs some tests against a banking app, calls the bank to tell them about their problems, calls the telco in between him and the bank to tell them their problems, then gets raided. In the end, he got out of it, but it was up in the air for a while, and certainly a bigger headache than anyone wants to go through.

-N

On 10/5/06, Arian J. Evans <arian.evans () anachronic com> wrote:
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Levenglick, Jeff
>
> Proof that -He knows that he did.
> Because he is teaching a class on security he should know it is illegal

What, exactly, is illegal about it? I see people keep saying this, but no meat to the comments. Maybe, perhaps, this is defined by HTML tags in some courts? <b> is legal but <script> is not? How about hex html encoding? Or what do you consider XSS testing?

I submit what is legal has nothing to do with these things, in the US, and to a lesser degree, the UK laws. Unfortunately, I do not know enough about EU laws to comment.

Someone said you have to see sensitive data to validate SQL injection, which is a naïve statement. In certain cases, say using MS tsql queries, I can tell quite easily if I can inject SQL by terminating the query using: ;-- Some simply with: ' That is SQL syntax. That is SQL Injection. That does not expose any sensitive data, and is also, evidently, valid input. Did I hack? Is it illegal? Please.

The real threat is the injury & impact lawsuit from a misguided entity with deep pockets, not the criminal courts.

</mindless_speculations>

-ae

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
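An added illustration, not part of the thread, of the point made above that a lone ' or ;-- is a syntax tell rather than a data leak: a constructed in-memory SQLite table is queried first by string concatenation (the form that throws a syntax error on ' and accepts the ' or 3=3-- tautology quoted earlier in the thread) and then by the parameterized form a defender ships, where the same input is bound as plain data.

```python
import sqlite3


def make_db():
    """Constructed stand-in for an application's user table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the input is pasted into the SQL text.

    A stray quote breaks the statement (syntax error), and a comment
    sequence can cut the rest of the WHERE clause off. Returns a
    ("ok", rows) or ("error", message) tuple so callers can see which.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def lookup_param(conn, name):
    """Hardened form: the driver binds the value; quotes and -- are just
    characters in a string and never reach the SQL parser as syntax."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return "ok", conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for probe in ("bob", "'", "' or 3=3--"):
        print(repr(probe), "concat:", lookup_concat(db, probe),
              "param:", lookup_param(db, probe))
```

The error branch is the observable difference the mail is talking about; a defender looking at application logs for the same syntax errors on user-facing parameters has a cheap detection signal for probing.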