WebApp Sec mailing list archives
Re: Off topic: what is sensitive information on a website?
From: "Griffiths, Ian" <ian.griffiths () liv-coll ac uk>
Date: Fri, 28 Jan 2005 15:46:48 -0000
Responses based on my current understanding of the law are inline.

----- Original Message -----
From: "Dave Ryan" <dave () mongers org>
To: <webappsec () securityfocus com>
Sent: Friday, January 28, 2005 12:24 PM
Subject: Off topic: what is sensitive information on a website?
If I attempt to inject SQL into a database to return data, but this data has not been marked sensitive (i.e. the site security policy is not communicated to the user), am I committing a crime?
Yes, assuming that you wouldn't have access to that same data through authorised means.
Is the site in violation by not affording the information adequate protection?
Yes, assuming that there isn't a disproportionate amount of effort required to secure things, i.e. if the system is secure bar an unknown and previously undisclosed vulnerability you are OK. If the policies are lazy and vulnerabilities are not acted upon, yes.
Have I committed a crime by putting the system into a state where it generates an error code (assume the system has not been damaged/modified/etc. due to this activity)?
No, unless someone can prove your intent of a larger attack.
Must I be informed of what constitutes misuse on each website I visit?
No.