WebApp Sec mailing list archives

Re: Off topic: what is sensitive information on a website?


From: "Griffiths, Ian" <ian.griffiths () liv-coll ac uk>
Date: Fri, 28 Jan 2005 15:46:48 -0000

Responses based on my current understanding of the law are inline.

----- Original Message ----- 
From: "Dave Ryan" <dave () mongers org>
To: <webappsec () securityfocus com>
Sent: Friday, January 28, 2005 12:24 PM
Subject: Off topic: what is sensitive information on a website?


        if I attempt to inject SQL into a database to return data, but
        this data has not been marked sensitive (i.e. the site security
        policy is not communicated to the user) am I committing a crime?

Yes, assuming that you wouldn't have access to that same data through
authorised means.

        is the site in violation by not affording the information
        adequate protection?

Yes, assuming that there isn't a disproportionate amount of effort required
to secure things, i.e. if the system is secure bar an unknown and previously
undisclosed vulnerability you are OK.  If the policies are lazy and
vulnerabilities are not acted upon, yes.

        have I committed a crime by putting the system into a
        state where it generates an error code (assume the system has
        not been damaged/modified/etc due to this activity).

No, unless someone can prove your intent of a larger attack.

    must I be informed of what constitutes misuse on
    each website I visit?

No.

