Open Source and information security mailing list archives
Message-ID: <8440.1326821291@turing-police.cc.vt.edu>
Date: Tue, 17 Jan 2012 12:28:11 -0500
From: Valdis.Kletnieks@...edu
To: "Mikhail A. Utin" <mutin@...monwealthcare.org>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Full-Disclosure Digest, Vol 83, Issue 21

On Tue, 17 Jan 2012 11:08:02 EST, "Mikhail A. Utin" said:
> So far it has been a very interesting discussion, but nevertheless nobody went to the Source, which is the Law,

18 USC 1030 is the governing Federal statute in the US.  In addition, many of the
states have their own legislation.

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

"having knowingly accessed a computer without authorization or exceeding
authorized access, and by means of such conduct having obtained information..."

Note that "protected computer" doesn't mean "secured" - it means "protected under
the terms of this law", which includes any system:

"which is used in or affecting interstate or foreign commerce or communication,
including a computer located outside the United States that is used in a manner
that affects interstate or foreign commerce or communication of the United
States;"

which is basically *any* system on the Internet.

Basically, you use a flaw to extract secret info from a "protected computer",
and you aren't an authorized pen tester with a signed "get out of jail free"
card from the owner of the computer, you just bought yourself a felony rap.

That's part of why CISOs don't want to hire the kiddies that whacked them - if
they come forward they're basically copping to a felony.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
