Date: Fri Jun 2 16:47:26 2006
From: tang.luong at gmail.com (Lawrence Tang)
Subject: Fw: scanning

According to theregister.co.uk:

"Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee." (http://www.theregister.co.uk/2005/10/05/dec_case/)

and

"After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories" (http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/).

This is legal hair-splitting. Yes, you are right. Who knows whether the judges would consider "port scanning" just as bad as "illegally attempt of securing access to a computer" (as defined in the UK "Computer Misuse Act 1990 (c.18)").

----- Original Message -----
From: "Drew Masters" <drewmasters@...il.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Friday, June 02, 2006 9:33 AM
Subject: Re: Fw: [Full-disclosure] scanning

> It's worth looking into the Daniel Cuthbert case in the UK.
>
> Drew
>
> On 02/06/06, Lawrence Tang <tang.luong@...il.com> wrote:
> >
> > "Vulnerability test" is not "port scan". It could involve attempt to
> > "penetrate" or even penetration of the website through a vulnerable server
> > script for instance. In this particular case, we don't know what RA 8792 in
> > the Philippines says and/or what Tridel Technologies, Inc did. But in
> > general, "port scan" is supposed to be only checking which TCP/IP ports are
> > open for connection without going through the entire process of connection.
> > There is no question of penetration. How could any authority prosecute this
> > legitimately? If I, by mistake, attempt a connection to a site, could I be
> > in legal trouble? How many ports constitute "port scanning"?