| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Jan 2012 11:15:44 -0500 From: Benjamin Kreuter <ben.kreuter@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Rate Stratfor's Incident Response -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thu, 12 Jan 2012 23:36:29 +0000 Giles Coochey <giles@...chey.net> wrote: > On 12/01/2012 23:30, Byron Sonne wrote: > > Hello, > > > >> Bad analogy. Closer would be if you have a house that's got a > >> driveway on a public street, and you claim it's not breaking and > >> entering if you walk up the driveway, try the doorknob, find it > >> unlocked, and let yourself in without the permission of the > >> residents. Saying that "anybody could walk up and let themselves > >> in the door" doesn't make it legal. > > This is a pretty classic analogy that I've used many times myself, > > but for many years now I've found myself questioning it... I mean > > good analogies are valuable, but I think in this case it falls down. > > > > Mostly, there's the expectation of physical security or, at least, > > privacy, when it comes to a house. If someone's rattling door knobs, > > it's not unreasonable to expect that they could be there to rob or > > do you harm, as the human race does not have a significant history > > of peaceful/harmless door rattling practices (that I know of). > > > > Now, when it comes to the internet and networks in general, we've > > entered a whole new world where many old ways of looking at things, > > tempting as they are, don't fit. There's also no real relevance to > > fearing for your physical safety if someone's probing your net. > > > > To a good extent I might be talking out of my ass here, but I'd > > welcome feedback. > > > If you go to a website and do a bit of clicking around that's normal > behaviour, walking past the house, having a look at the front rose > garden etc... Under some definition of "normal." If you ask me for my DOB and I enter my name, is that normal? Plenty of users make mistakes like that all the time; how do you determine that one was being malicious whereas another just made a routine error? Where do you draw the line? Is it abnormal to try to use a web server as a proxy? Is it abnormal to ask for a directory listing? We all know what we *want* users to do. That is not necessarily what we should expect out of them, and crying about how illegal it is to do something unexpected does nothing to advance the state of computer security. > If you go to a website and do some hand tweaking of the URL to see if > you get to stuff that shouldn't be there, well that's trying the > doorknob of the house to see if it's locked etc... So truncating the URL to get a directory listing should be considered an attempt to "break into" a system? I think that is a little extreme. > If you write and/or use a tool to mass check loads of potential > URLs... attempt SQL injections etc... you see where I'm going. So using wget is something that should be considered malicious? Plenty of people use wget and various "download tools" to fetch the entire tree of documents on a website. I think it is a stretch to call that malicious, and I am sure that people have happened upon confidential documents by doing this. > If you use the results of that tool or get lucky with the URL tweaks > and take confidential documents or alter records on the backend, well > that's just plain theft and/or fraud. Altering records is certainly fraud or some related crime -- I do not think that the fact that a computer was involved should make any difference here. Downloading a document, however, is another story. Here is something fun (and to the best of my knowledge, completely legal) that you can try: search for "this document is confidential" on Google. Many of the results are related to keeping confidential documents secure...and then some appear to actually be confidential business, legal, or government documents that Google has indexed. Not only has Google indexed these apparently confidential documents, but many of them appear to by cached. Should we conclude that since Google automatically searches for more URLs to index, and then indiscriminately copies the documents it finds, that Google is a massive conspiracy to commit some crime? - -- Ben - -- Benjamin R Kreuter UVA Computer Science brk7bx@...ginia.edu - -- "If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them." - George Orwell -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iQIcBAEBCgAGBQJPEFi3AAoJEOV0+MnZK9ijFNAP/R9mYhjezuPybs2vd/Yuyzm3 4FHYFCBHmBjdur7N0yiYI+pUTlWTHGZwPYrakk9IXHS/TxbucQSQFTtuL508giCJ 4YlpvcFKPLl+xxMcJjE6u7J1PA4wygTk4ZH9sQswmiDPp7Lw0diacfQ5Bcj/qUhw uCL7gYJr//qogdfN0rBK4tyBZ6UIQ5abhY8HU1VoEIxW2ai3/4Ca1PVYYhDaRYY5 FAArm4NWwan5dL3hKpsoaAnTkQVjJ091Yn40r7JlZJbjOBfettUSUi+aQ03xX/vx sYksqyoERBM11D4uwnFltSstgN2sLzULcVCcDho6cglXKKh+MKaND3TW+op+iebS WjAiJhUIV1iptkhTiiKDsbkF8y0DMr4TMwhtUnTy8yThPbKSahJPypkk9vOtj8/v kEkS0tUD8pUwZ3bY2uhao2QmO9kERrUpdpW1tg/BEFWrOxVcJd1ASS0iT0UcFGUt qvyHW2+HGGDD5etj/iduV75vEYwvXnD1hRjrdT1JEZvmrLelzuSvKa2jL87aRqPP 0GGDerM9ConCi24WnpClVLJX+pUCxCVYHcvjRBndhLqCLjrMBKSt86KakT+djLF6 644kevCwSnu310feFXmIWhuwYIDrKMsdgA1fkvfxlqcSt0oFVECPrrv6FQRO5nwO hyxXEtkQY5iEHiIoaGkF =PWxe -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists