lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 17 Feb 2006 14:23:26 +0100
From: Ansgar -59cobalt- Wiechers <bugtraq@...netcobalt.net>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilites in new laws on computer hacking


Paul,

On 2006-02-15 Paul Schmehl wrote:
> --On Saturday, February 11, 2006 16:35:20 +0000 self-destruction@...best.com wrote:
>> New generations of teenagers will be scared of doing online
>> exploration. I'm not talking about damaging other companies' computer
>> systems. I'm talking about accessing them illegally *without*
>> revealing private information to the public or harming any data that
>> has been accessed. To me, there is a big difference between these two
>> types of attacks but I don't think that judges feel the same way.
>> Furthermore, I don't even think that judges understand the
>> difference.
> 
> To me there is not.  They're my systems.  Stay out, thank you very
> much.
> 
> If you want to learn how to hack, set up your own network, install
> some OSes, with various patch levels, and hack away.  You can learn
> everything you need to know without ever touching a system you do not
> own.  Get your buddies involved.  Hack each other's boxes.  But do not
> hack into systems that do not belong to you.  That *should* be illegal
> and you *should* be prosecuted.

while I agree with you that for learning and practicing it would suffice
to build your own systems to tamper with, I have to disagree on the part
that hacking into other people's systems *without* doing any damage
should be illegal.

Why is that? Well, first of all because the definition of what is and
what isn't hacking is very blurry. Is a portscan hacking? Is directory
traversal as in the case of Daniel Cuthbert [1] hacking?

In addition to that some vulnerabilities can be discovered only ITW,
simply because you cannot rebuild that environment in your lab. Two
years ago we had a case like that over here in Germany [2] (the article
is in german, but maybe an online translator will help). The OBSOC
(Online Business Solution Operation Center) system of the Deutsche
Telekom AG did not do proper authentication, so by manipulating the URL
you could access other customers' data. How would you detect such a
vulnerability without actually hacking the system? Is one supposed to
not notice these things? Will that really make them go away?

[1] http://taint.org/2005/10/12/205836a.html
[2] http://www.ccc.de/t-hack/stn/inhlt/drartkl.htm

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ