Full Disclosure mailing list archives

Re: ACM.ORG data leak still there 4 days after announcing to CEO John White
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Mon, 22 Feb 2010 15:12:58 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not a lawyer, and I assume Benji isn't either, but it's worth noting
that Title 18 Section 1030, the Computer Fraud and Abuse Act of 1986,
pretty much limits crimes to those intent on committing fraud or
disclosing national secrets.  Exposing personal information doesn't seem
to fit under any of the statutory definitions of crime unless you use
that information to commit identity theft.  The word "intent" figures
prominently in that statute, so I'd surmise full-disclosure actually
argues against this access being a crime.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 02/22/2010 02:52 PM, Benji wrote:
Not to be a dick or anything, but whether it should be or not is
irrelevant; it is a crime. As you seem to be a "security expert" doing
"penetration testing and security audits", I'm sure you'd understand that,
for example, a remote file include is literally just a case of
'modifying one parameter of a URL'.

You didn't enumerate passwords; well, I guess that makes the crime
slightly less serious. Personal info isn't worth that much, I've heard.

In fact, by publishing data and the fact there is a hole, you could argue
that in fact you could've made the situation worse for ACM.
Hypothetically, now you've displayed that a hole is there, someone could
go and dump the database saving them the time of even looking for a
vulnerable site.

I'm just wondering what makes you so sure they won't do anything like that?

On Mon, Feb 22, 2010 at 7:46 PM, the hacker <info () the-hacker info> wrote:

    Hello Benji

    I did not crack/enumerate any passwords, use buffer overflow with
    metasploit or whatever other tools...

    I don't think that by just modifying one parameter of a URL you
    already break a law (or all people that have spelling problems when
    entering a URL would be in jail).

    Also I have contacted ACM with my REAL name, address, phone number
    etc. via email.

    I've even called the CEO twice!

    So they know my identity because I just wanted to let them know
    about the problem on their website - but when they did not react for
    4 days I extracted some sample data (I could have got much more)
    from the site to mail it to them. I've extracted enough to show
    them that it's not just 10 addresses, but it's far from everything.

    So I wonder why I should be in trouble for wanting to help them?

    Do you other guys on the list also think that this is already a crime?

    By the way, I've sent the mail with the data 2 hours ago but no
    reaction.

    Greetings

    th

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/