Message-ID: <CAEJizbZ+UERNGR5sPbkcURHpeKg--f2fuUZc4RWoac8uVmRrSw@mail.gmail.com>
Date: Tue, 22 Jan 2013 08:32:11 +0000
From: Benji <me@...ji.com>
To: Nick FitzGerald <nick@...us-l.demon.co.uk>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

Someone please explain to me why he had to run a vulnerability scanner to
check one vulnerability, and again, how are we still arguing about this?
Whether you think he had a 'right' to test this or not, he was either too
dumb or too naive to know it was against the law.

If anyone would like to start arguing whether it's against the (Canadian)
law:

Section 342.1 <http://en.wikipedia.org/wiki/Criminal_code_section_342#cite_note-4>

Unauthorized use of a computer is often used to lay charges against a hacker or
someone who is involved in computer-related offences. This section states:

Every one who, fraudulently and without colour of right
<http://en.wikipedia.org/wiki/Colour_of_right>,
 (a) obtains, directly or indirectly, any computer service,
 (b) by means of an electro-magnetic, acoustic, mechanical or other
device, intercepts or causes to be intercepted, directly or indirectly, any
function of a computer system,

I would suggest he broke section (b) and you could argue (a).

On Tue, Jan 22, 2013 at 3:46 AM, Nick FitzGerald
<nick@...us-l.demon.co.uk> wrote:

> Sanguinarious Rose to me:
>
> > And that is the reason why no one wants to report anything they find,
> > it's because of people like you and your kind of thinking.
>
> As you seem to have assumed a whole bunch about "my kind of thinking"
> that I did not put in the original post, I find the above laughable.
>
> > Did they public post all the private information?
> > No
>
> Agreed.
>
> > Did they try to use it for malicious or illicit purposes?
> > No
>
> Not that we know from what seems to be a rather one-sided, self-serving
> to the victim, "the system screwed poor little me" telling of the
> story.
>
> > Did they report it when they found it?
> > Yes
>
> Agreed.
>
> > A horrible moral compass indeed!  ...
>
> No -- I said nothing about what could or should be considered about
> their moral compass _in finding_ the problem.  I did say they probably
> broke _both_ school/other ToS agreements and unauthorized access laws,
> but I did not say what I felt about that.
>
> It is often the case that minor transgressions of such nature are
> necessary in doing many useful things in the computer security domain.
> That alone makes it precarious territory in which to work and such
> issues should obviously be front-of-mind for _anyone_ potentially in
> such territory.
>
> > ...  Arrest these people for being
> > concerned and reporting it after stumbling upon security flaws!
> > Amiright?
>
> No, I did not say that either.
>
> What you seem to have missed (other than that you are reading things
> into my previous post that are not there) was that _after_ these two
> students notified the relevant system owners/operators and/or vendors,
> apparently only _one_ of them went back and did stuff that he probably
> should not have originally done (but that we can _probably_ excuse
> because of a "greater good"), _again_.
>
> _That_ is what tells us something critical about _his_ moral compass
> (either he does not have one, it is rather under-developed for a 20-
> year old or it is rather broken).
>
> Did you notice that this story was not titled "Youths expelled..." or
> "Students expelled..." _despite_ the first sentence of any substance in
> the National Post article starting:
>
>    Ahmed Al-Khabaz ... was working on a mobile app ... when he and a
>    colleague discovered what he describes as "sloppy coding" in ...
>
> Did you notice how the rest of story fails to mention that his
> colleague was expelled?
>
> Poor journalism, missing a fairly major fact in the story?
>
> Or perhaps evidence that his "colleague" was not expelled because his
> colleague did not continue to mess with stuff that he should have (now)
> known he should not be messing with?
>
> If _both_ students had been expelled, surely the tone of indignation
> and righteousness would have been greater, so I doubt the fact that the
> article only talks of one student being expelled is due to journalistic
> oversight...
>
> So, Mr Rose, do you now see what you chose to avoid noticing on your
> first pass through this story and its "clever hacker cruelly
> ostracized" skew?
>
>
>
> Regards,
>
> Nick FitzGerald
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
