Penetration Testing mailing list archives
RE: Interesting conviction
From: "Craig Wright" <cwright () bdosyd com au>
Date: Mon, 10 Oct 2005 08:13:11 +1000
Mr Cuthbert was simply attempting to verify the security of an institution that he had decided to entrust his credit card details to.

First - this is not possible using a blind pen test anyway - this would give no idea of the database security or internal practices - so this excuse has zero merit to start with.

It is easy to make excuses when you are caught - the issue is that he was caught and as such was likely to have done this on more than this occasion. As such what are the motives - profit maybe - "Hello I broke into your site and it is not secure, for $xxxx I will tell you how to fix it" (which is extortion by the way and carries an even greater penalty).

For this to be a professional industry - we all need to act professionally - this is not a professional act. Will he be rewarded with a contract on the speaking circuit like Mitnick - that is another question?

When we stop acting like cowboys and stop thinking of these people as heroes rather than the scum they are, we may get somewhere and be considered professionals.

Craig

-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net]
Sent: 10 October 2005 1:40
To: Mike Messick
Cc: jay.tomas () infosecguru com; pen-test () securityfocus com
Subject: Re: Interesting conviction

Mike Messick wrote:
You're quite right! ;-) Here's mine: I think the article's editorial comments about causing problems for security professional and penetration testing are pure crap.
[snip]
Most laws are written with intent in mind. That Mr. Cuthbert didn't intend to do anything bad once he got in is really immaterial - that he *intended to gain entry in an unauthorized fashion* is what constituted the violation and his subsequent conviction.
[snip]
Just because you don't steal the TV after you crowbar the front door open doesn't mean you won't go to prison for unlawful entry. Or not get shot by the owner (in some states). The fact that you don't have permission to be there in the first place is what matters (at least under current law).
Mr Cuthbert was simply attempting to verify the security of an institution that he had decided to entrust his credit card details to.

Granted, one should not try to break into the vault of a bank to check their security, but I think that his intent was somewhat closer to rattling the lock on the safety deposit box after dropping your money in, to make sure that someone else can't just come along and help themself.

Rogan
