Open Source and information security mailing list archives
 
Date: Mon, 22 Feb 2010 22:11:14 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: ACM.ORG data leak still there 4 days after announcing to CEO John White

Valdis & Benji,

I don't recall the OP saying he did an open test, nor injecting
anything into the database, and as much as I've read, not even RFI.
Causing a server to spit out sensitive information without
modification (unauthorized access and service failures/denial of
service) surely doesn't count as a crime.
Someone picking up $1000 from a road is obviously not a criminal
either (assuming the money is legit), getting into a bank on the other
hand is a crime.

I'm speaking from a little personal experience of mine, where I
came upon several XSS exploits on a gov't main site (it's nothing),
however, point being I didn't go there with the intent to do any harm,
and didn't have to, to notice the serious flaw.

That said, something I did in Malta could be punished by beheading in
Iran for all I know (and a severe fine in the US). It all depends on
the law. Assuming it is a fair and comprehensible one (or simply
outdated) this kind of "attack" is not covered or puts the defendant
[company/gov't] in serious implications (such as in my case where the
gov't is bound by law to provide a high uptime service with as much
security as possible - yet it had serious but basic flaws).

Regards,
Chris.



On Mon, Feb 22, 2010 at 9:45 PM,  <Valdis.Kletnieks@...edu> wrote:
> On Mon, 22 Feb 2010 20:19:44 GMT, Benji said:
>
>> Does that just cover fraud? Surely a database injection counts as
>> unauthorised access?
>>
>> Does this mean that now anyone can start injecting websites and extracting
>> data, and as long as they don't use the data to 'commit fraud or disclose
>> national secrets', or albeit, it can't be proved, that person is safe?
>
> That's a gray area. Intent does matter:
>
> "naked" - not wearing any clothes.
> "nekkid" - naked and up to something.
>
> Do you want to bet 3-5 in the pen that the DA won't be able to convince a jury
> you didn't have intent?
>
> That's why it's always recommended you have a written "Get out of jail free"
> card when doing a pen test - that significantly raises the bar to proving you
> were up to no good.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/