Date: Sun, 19 Feb 2006 14:47:00 +0100
From: Ansgar -59cobalt- Wiechers <bugtraq@...netcobalt.net>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilites in new laws on computer hacking


On 2006-02-19 Ronald Chmara wrote:
> On Feb 17, 2006, at 5:23 AM, Ansgar -59cobalt- Wiechers wrote:
>> I have to disagree on the part that hacking into other people's
>> systems *without* doing any damage should be illegal. Why is that?
>> Well, first of all because the definition of what is and what isn't
>> hacking is very blurry.
> 
> That depends on jurisdiction, but it seems pretty clear to me what is,
> and isn't, legal and illegal hacking.

Well, to me it's not quite so clear.

>> Is a portscan hacking?
> 
> On someone else's machines? It is non-accidental probing of another
> person's property in an attempt to gain information about how to
> access it, without being invited to do so? That's illegal hacking.

A portscan is a probe to find out what services a publicly available
machine provides towards the Internet. I entirely fail to see what's
hacking about that, much less illegal hacking.

>> Is directory traversal as in the case of Daniel Cuthbert [1] hacking?
> 
> On someone else's machines? It is non-accidental probing of another
> person's property in an attempt to gain information about how to
> access it, without being invited to do so? That's illegal hacking.

That's ridiculous. Did you actually read what that case was about?
Besides, how am I invited to use a website? How am I invited to send
e-mail to someone (i.e. use their mail server)? You just asked for the
Internet to be shut down.

[...]
>> Two years ago we had a case like that over here in Germany [2] (the
>> article is in German, but maybe an online translator will help). The
>> OBSOC (Online Business Solution Operation Center) system of the
>> Deutsche Telekom AG did not do proper authentication, so by
>> manipulating the URL you could access other customers' data. How
>> would you detect such a vulnerability without actually hacking the
>> system?
> 
> OBSOC could contract out for regular testing and hacking with
> *authorized* individuals. The system would likely have to be hacked,
> but legally.

Whether they could or couldn't hire someone to do the testing is not the
point here. A customer noticed the vulnerability, and exploited it to
confirm it was real. Do you really believe he should be prosecuted for
that?

>> Is one supposed to not notice these things? Will that really make
>> them go away?
> 
> Making it "go away" requires companies to invest in their own
> security. This includes regularly *hiring* people to hack at their
> systems.

You didn't answer the first question: is one supposed to not notice
this kind of thing? Do I have to trust that companies do their job
properly, even if there's evidence that they don't? You can't be serious
here.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq