Message-ID: <AANLkTimINOSRljwiY225u2BTwwqSIE1U0OY04jZ7Lc1W@mail.gmail.com>
Date: Wed, 16 Jun 2010 16:12:10 -0400
From: T Biehn <tbiehn@...il.com>
To: "Thor (Hammer of God)" <Thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Congratulations Andrew
Furthermore if I access an online resource and I notice that the information
ends and the URL has a &page=1 on the end and no link exists on that page to
say... &page=2 is that illegal?

On the same note, if I notice something that looks like a SELECT statement
in a URL (due to excellent coding) is it illegal for me to modify that
SELECT statement to return other information?

Is the legality of access to the resource something that must be explicitly
granted to me or is it some abstract property depending on the content I've
accessed? Is it legal to randomly fuzz web service arguments without knowing
the data that it will return?

Usually systems of this nature will have an EXPLICIT notice that you cannot
access data on it unless you're authorized OR will require (as it does now)
authentication.

Did the ICCID count as authentication if it is not explicitly labeled by
AT&T as such? A field like:
&password would clearly be illegal to brute force.

An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding
private property doesn't really seem to fit.

-Travis

On Wed, Jun 16, 2010 at 3:58 PM, T Biehn <tbiehn@...il.com> wrote:
> So what grants you legal access to aol.com (HTTP port 80 get / )?
> I'm confused? Does search engine indexing grant legal access to online
> resources?
>
> -Travis
>
>
> On Wed, Jun 16, 2010 at 3:34 PM, Thor (Hammer of God) <
> Thor@...merofgod.com> wrote:
>
>> By the same logic, then yes you would. Which is why the statement “if a
>> system has no password, then you have a legal right to whatever data is on
>> it” is complete horse hockey.
>>
>>
>>
>> Don’t take technical advice from your lawyer, and don’t take legal advice
>> from people on security lists.
>>
>>
>>
>> t
>>
>>
>>
>> *From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
>> full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *wilder_jeff
>> Wilder
>> *Sent:* Wednesday, June 16, 2010 11:56 AM
>> *To:* full-disclosure@...ts.grok.org.uk
>>
>> *Subject:* Re: [Full-disclosure] Congratulations Andrew
>>
>>
>>
>>
>> By that same standard.. if you leave your house unlocked.... does that
>> give someone the right to enter it?
>>
>> just my thoughts
>> ------------------------------
>>
>> Date: Wed, 16 Jun 2010 19:58:27 +0200
>> From: uuf6429@...il.com
>> To: tbiehn@...il.com
>> CC: full-disclosure@...ts.grok.org.uk; Valdis.Kletnieks@...edu
>> Subject: Re: [Full-disclosure] Congratulations Andrew
>>
>> Reminds me of Al Capone and tax evasion ;-)
>>
>> Good ol' America.
>>
>>
>>
>> On Wed, Jun 16, 2010 at 7:49 PM, T Biehn <tbiehn@...il.com> wrote:
>>
>> Yes.
>> The FBI was investigating the AT&T incident, presumably the AT&T incident
>> was what the fed were serving against.
>> What possible valid search warrant could be executed? There was no hack,
>> breach, illegal access of data, or anything else for that matter.
>>
>> If you leave a system online with no password which allows you to scrape
>> content you have a legal right to scrape that content.
>>
>> -Travis
>>
>>
>>
>> On Wed, Jun 16, 2010 at 11:10 AM, <Valdis.Kletnieks@...edu> wrote:
>>
>> On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:
>>
>> > I doubt the search warrant will hold up in court.
>>
>> Do you have any actual basis for saying that? Sure, the warrant might be
>> bullshit, it might be solid - the article doesn't give us enough info either
>> way to tell.
>>
>> "Auernheimer was also arrested in March for giving a false name to law
>> enforcement officers responding to a parking complaint."
>>
>> Sad. The dude may have the intelligence to pull the hack, but not have the
>> wisdom to not dig a hole deeper. Just man up and take the frikking parking
>> ticket. ;)
>>
>>
>>
>> --
>> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
>> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
>> http://pastebin.com/f6fd606da
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>
>
>
> --
> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>
--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da