lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri Jun  2 16:47:26 2006
From: tang.luong at gmail.com (Lawrence Tang)
Subject: Fw: scanning

According to theregister.co.uk:

"Cuthbert is accused of attempting a directory traversal attack on the
donate.bt.com site which handles credit card payments on behalf of the
Disasters Emergency Committee." (
http://www.theregister.co.uk/2005/10/05/dec_case/) and
"After making a donation, and not seeing a final confirmation or thank-you
page, Cuthbert put ../../../ into the address line. If the site had been
unprotected this would have allowed him to move up three directories" (
http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/).

This is legal hair-splitting. Yes, you are right. Who knows whether the
judges would consider "port scanning" just as bad as "illegally attempt of
securing access to a computer" (as defined in the UK "Computer Misuse Act
1990 (c.18)").

----- Original Message ----- From: "Drew Masters" <drewmasters@...il.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Friday, June 02, 2006 9:33 AM
Subject: Re: Fw: [Full-disclosure] scanning


> It's worth looking into the Daniel Cuthbert case in the UK.
>
> Drew
>
> On 02/06/06, Lawrence Tang <tang.luong@...il.com> wrote:
> >
> > "Vulnerability test" is not "port scan". It could involve attempt to
> > "penetrate" or even penetration of the website through a vulnerable
server
> > script for instance. In this particular case, we don't know what RA 8792
in
> > the Philippines says and/or what Tridel Technologies, Inc did. But in
> > general, "port scan" is supposed to be only checking which TCP/IP ports
are
> > open for connection without going through the entire process of
connection.
> > There is no question of penetration. How could any authority prosecute
this
> > legitimately? If I, by mistake, attempt a connection to a site, could I
be
> > in legal trouble? How many ports constitute "port scanning"?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060602/4c61eea6/attachment.html

Powered by blists - more mailing lists