Message-ID: <f5dc671002221219s46cba0f2r48060a16f71f0545@mail.gmail.com>
Date: Mon, 22 Feb 2010 20:19:44 +0000
From: Benji <me@...ji.com>
To: "Justin C. Klein Keane" <justin@...irish.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: ACM.ORG data leak still there 4 days after announcing to CEO John White

"Title 18 Section 1030, the Computer Fraud and Abuse Act of 1986,
pretty much limits crimes to those intent on committing fraud or
disclosing national secrets."

Does that just cover fraud? Surely a database injection counts as
unauthorised access?

Does this mean that now anyone can start injecting websites and extracting
data, and as long as they don't use the data to 'commit fraud or disclose
national secrets', or albeit, it can't be proved, that person is safe?

On Mon, Feb 22, 2010 at 8:12 PM, Justin C. Klein Keane
<justin@...irish.net> wrote:

> I'm not a lawyer, and I assume Benji isn't either, but it's worth noting
> that Title 18 Section 1030, the Computer Fraud and Abuse Act of 1986,
> pretty much limits crimes to those intent on committing fraud or
> disclosing national secrets.  Exposing personal information doesn't seem
> to fit under any of the statutory definitions of crime unless you use
> that information to commit identity theft.  The word "intent" figures
> prominently in that statute, so I'd surmise full-disclosure actually
> argues against this access being a crime.
>
> Justin C. Klein Keane
> http://www.MadIrish.net
>
> The digital signature on this message can be confirmed
> using the public key at http://www.madirish.net/gpgkey
>
> On 02/22/2010 02:52 PM, Benji wrote:
> > Not to be a dick or anything, but whether it should be or not is
> > irrelevant, it is a crime. As you seem to be a "security expert" doing
> > "penetration testing and security audits" I'm sure you'd understand that
> > for example, a remote file include is literally just a case of
> > 'modifying one parameter of an url'.
> >
> > You didn't enumerate passwords, well, I guess that makes the crime
> > slightly less serious. Personal info isn't worth that much I've heard.
> >
> > In fact, by publishing data and the fact there is a hole, you could argue
> > that in fact you could've made the situation worse for ACM.
> > Hypothetically, now you've displayed that a hole is there, someone could
> > go and dump the database saving them the time of even looking for a
> > vulnerable site.
> >
> > I'm just wondering what makes you so sure they won't do anything like
> > that?
> >
> > On Mon, Feb 22, 2010 at 7:46 PM, the hacker <info@...-hacker.info> wrote:
> >
> >     Hello Benji
> >
> >     I did not crack/enumerate any passwords, use buffer overflow with
> >     metasploit or whatever other tools...
> >
> >     I don't think that by just modifying one parameter of an url you
> >     already break a law (or all people that have spelling problems when
> >     entering an url would be in jail).
> >
> >     Also I have contacted ACM with my REAL name, address, phone number
> >     etc. via email.
> >
> >     I've even called the CEO twice!
> >
> >     So they know my identity because I just wanted to let them know
> >     about the problem on their website - but when they did not react for
> >     4 days I extracted some sample data (I could have got much more)
> >     from the site to mail it to them. I've extracted enough to show
> >     them that it's not just 10 addresses, but it's far from everything.
> >
> >     So I wonder why I should be in trouble for wanting to help them?
> >
> >     Do you other guys on the list also think that this is already a
> >     crime?
> >
> >     By the way, I've sent the mail with the data 2 hours ago but no
> >     reaction.
> >
> >     Greetings
> >
> >     th


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
