Full Disclosure mailing list archives

Re: Full-Disclosure Digest, Vol 83, Issue 21
From: "Mikhail A. Utin" <mutin () commonwealthcare org>
Date: Tue, 17 Jan 2012 11:08:02 -0500

Hello List,
So far it has been a very interesting discussion, but nevertheless nobody has gone to the Source, which is the Law, and used 
US Codes (or any others) as a reference in the consideration of cases and examples.  "To the best of my judgment" does 
not help too much, and we are getting the result "You are right, and You are right as well".
Is anybody going to the Source? Any experience with it? It may bring us to common ground and would be very helpful in 
future real-life cases.

Mikhail Utin, CISSP
________________________________________
From: full-disclosure-bounces () lists grok org uk [full-disclosure-bounces () lists grok org uk] On Behalf Of 
full-disclosure-request () lists grok org uk [full-disclosure-request () lists grok org uk]
Sent: Saturday, January 14, 2012 7:00 AM
To: full-disclosure () lists grok org uk
Subject: Full-Disclosure Digest, Vol 83, Issue 21


Today's Topics:

   1. Re: Rate Stratfor's Incident Response (Benjamin Kreuter)
   2. Re: Rate Stratfor's Incident Response (Paul Schmehl)
   3. Re: Fwd: Rate Stratfor's Incident Response (Paul Schmehl)
   4. Re: Rate Stratfor's Incident Response (J. von Balzac)
   5. Re: Rate Stratfor's Incident Response (Benjamin Kreuter)
   6. Re: Rate Stratfor's Incident Response (Benjamin Kreuter)
   7. Re: Rate Stratfor's Incident Response (Michael Schmidt)
   8. Re: Rate Stratfor's Incident Response (Paul Schmehl)
   9. Re: Rate Stratfor's Incident Response (Laurelai)
  10. Re: Rate Stratfor's Incident Response (Gage Bystrom)
  11. Re: Rate Stratfor's Incident Response (Paul Schmehl)
  12. Re: Rate Stratfor's Incident Response (Benjamin Kreuter)
  13. Re: Rate Stratfor's Incident Response (Valdis.Kletnieks () vt edu)
  14. Re: Rate Stratfor's Incident Response (Valdis.Kletnieks () vt edu)


----------------------------------------------------------------------

Message: 1
Date: Fri, 13 Jan 2012 11:15:44 -0500
From: Benjamin Kreuter <ben.kreuter () gmail com>
Subject: Re: [Full-disclosure] Rate Stratfor's Incident Response
To: full-disclosure () lists grok org uk
Message-ID:
        <20120113111544.11bf0cb2 () d-172-27-99-46 bootp virginia edu>
Content-Type: text/plain; charset=US-ASCII

On Thu, 12 Jan 2012 23:36:29 +0000
Giles Coochey <giles () coochey net> wrote:

> On 12/01/2012 23:30, Byron Sonne wrote:
>> Hello,
>>
>>> Bad analogy.  Closer would be if you have a house that's got a
>>> driveway on a public street, and you claim it's not breaking and
>>> entering if you walk up the driveway, try the doorknob, find it
>>> unlocked, and let yourself in without the permission of the
>>> residents.  Saying that "anybody could walk up and let themselves
>>> in the door" doesn't make it legal.
>>
>> This is a pretty classic analogy that I've used many times myself,
>> but for many years now I've found myself questioning it... I mean
>> good analogies are valuable, but I think in this case it falls down.
>>
>> Mostly, there's the expectation of physical security or, at least,
>> privacy, when it comes to a house. If someone's rattling door knobs,
>> it's not unreasonable to expect that they could be there to rob or
>> do you harm, as the human race does not have a significant history
>> of peaceful/harmless door rattling practices (that I know of).
>>
>> Now, when it comes to the internet and networks in general, we've
>> entered a whole new world where many old ways of looking at things,
>> tempting as they are, don't fit. There's also no real relevance to
>> fearing for your physical safety if someone's probing your net.
>>
>> To a good extent I might be talking out of my ass here, but I'd
>> welcome feedback.
>
> If you go to a website and do a bit of clicking around that's normal
> behaviour, walking past the house, having a look at the front rose
> garden etc...

Under some definition of "normal."  If you ask me for my DOB and I
enter my name, is that normal?  Plenty of users make mistakes like that
all the time; how do you determine that one was being malicious whereas
another just made a routine error?  Where do you draw the line?  Is it
abnormal to try to use a web server as a proxy?  Is it abnormal to ask
for a directory listing?

We all know what we *want* users to do.  That is not necessarily what
we should expect out of them, and crying about how illegal it is to do
something unexpected does nothing to advance the state of computer
security.

> If you go to a website and do some hand tweaking of the URL to see if
> you get to stuff that shouldn't be there, well that's trying the
> doorknob of the house to see if it's locked etc...

So truncating the URL to get a directory listing should be considered
an attempt to "break into" a system?  I think that is a little extreme.

> If you write and/or use a tool to mass check loads of potential
> URLs... attempt SQL injections etc... you see where I'm going.

So using wget is something that should be considered malicious?  Plenty
of people use wget and various "download tools" to fetch the entire
tree of documents on a website.  I think it is a stretch to call that
malicious, and I am sure that people have happened upon confidential
documents by doing this.

> If you use the results of that tool or get lucky with the URL tweaks
> and take confidential documents or alter records on the backend, well
> that's just plain theft and/or fraud.

Altering records is certainly fraud or some related crime -- I do not
think that the fact that a computer was involved should make any
difference here.  Downloading a document, however, is another story.

Here is something fun (and to the best of my knowledge, completely
legal) that you can try:  search for "this document is confidential"
on Google.  Many of the results are related to keeping confidential
documents secure...and then some appear to actually be confidential
business, legal, or government documents that Google has indexed.  Not
only has Google indexed these apparently confidential documents, but
many of them appear to be cached.

Should we conclude that since Google automatically searches for more
URLs to index, and then indiscriminately copies the documents it finds,
that Google is a massive conspiracy to commit some crime?

-- Ben



--
Benjamin R Kreuter
UVA Computer Science
brk7bx () virginia edu

--

CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential 
and privileged information for the use of the designated recipients named above. If you are 
not the intended recipient, you are hereby notified that you have received this communication 
in error and that any review, disclosure, dissemination, distribution or copying of it or its 
contents is prohibited. If you have received this communication in error, please reply to the 
sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication 
and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, 
please visit our Internet web site at http://www.commonwealthcare.org.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

