Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: ACM.ORG data leak still there 4 days after announcing to CEO John White
From: Christian Sciberras <uuf6429 () gmail com>
Date: Mon, 22 Feb 2010 22:11:14 +0100

Valdis & Benji,

I don't recall the OP saying he did a open test, nor injecting
anything the database, and a much as I've read, not even RFI.
Causing a server to spit out sensitive information without
modification (unauthorized access and service failures/denial of
service) surely doesn't count as a crime.
Someone picking up $1000 from a road is obviously not a criminal
either (assuming the money is legit), getting into a bank on the other
hand is a crime.

I'm speaking this from a little personal experience of mine, where I
came upon several XSS exploits on a gov't main site (it's nothing),
however, point being I didn't go there with the intent to do any harm,
and didn't have to, to notice the serious flaw.

That said, something I did in Malta could be punished by beheading in
Iran for what I know (and a severe fine in the US). It all depends on
the law. Assuming it is a fair and comprehensible one (or simply
outdated) this kind of "attack" is not covered or puts the defendant
[company/gov't] in serious implications (such as in my case where the
gov't is bound by law to provide a high uptime service with as much
security as possible - yet it had serious but basic flaws).

Regards,
Chris.



On Mon, Feb 22, 2010 at 9:45 PM,  <Valdis.Kletnieks () vt edu> wrote:
On Mon, 22 Feb 2010 20:19:44 GMT, Benji said:

Does that just cover fraud? Surely a database injection counts as
unauthorised access?

Does this mean that now anyone can start injecting websites and extracting
data, and aslong as they dont use the data to 'commit fraud or dislose
national secrets', or albeit, it cant be proved, that person is safe?

That's a gray area. Intent does matter:

"naked" - not wearing any clothes.
"nekkid" - naked and up to something.

Do you want to bet 3-5 in the pen that the DA won't be able to convince a jury
you didn't have intent?

That's why it's always recommended you have a written "Get out of jail free"
card when doing a pen test - that significantly raises the bar to proving you
were up to no good.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]