
Re: [Full-disclosure] ACM.ORG data leak still there 4 days after announcing to CEO John White



Valdis & Benji,

I don't recall the OP saying he did an open test, nor injecting
anything into the database, and as much as I've read, not even RFI.
Causing a server to spit out sensitive information without
modification (unauthorized access and service failures/denial of
service) surely doesn't count as a crime.
Someone picking up $1000 from a road is obviously not a criminal
either (assuming the money is legit); getting into a bank, on the other
hand, is a crime.

I'm speaking from a little personal experience of mine, where I
came upon several XSS exploits on a gov't main site (it's nothing);
however, point being, I didn't go there with the intent to do any harm,
and didn't have to, to notice the serious flaw.

That said, something I did in Malta could be punished by beheading in
Iran for all I know (and a severe fine in the US). It all depends on
the law. Assuming it is a fair and comprehensible one (or simply
outdated), this kind of "attack" is not covered, or puts the defendant
[company/gov't] in serious implications (such as in my case, where the
gov't is bound by law to provide a high-uptime service with as much
security as possible - yet it had serious but basic flaws).

Regards,
Chris.



On Mon, Feb 22, 2010 at 9:45 PM,  <Valdis.Kletnieks@xxxxxx> wrote:
> On Mon, 22 Feb 2010 20:19:44 GMT, Benji said:
>
>> Does that just cover fraud? Surely a database injection counts as
>> unauthorised access?
>>
>> Does this mean that now anyone can start injecting websites and extracting
>> data, and as long as they don't use the data to 'commit fraud or disclose
>> national secrets', or albeit, it can't be proved, that person is safe?
>
> That's a gray area. Intent does matter:
>
> "naked" - not wearing any clothes.
> "nekkid" - naked and up to something.
>
> Do you want to bet 3-5 in the pen that the DA won't be able to convince a jury
> you didn't have intent?
>
> That's why it's always recommended you have a written "Get out of jail free"
> card when doing a pen test - that significantly raises the bar to proving you
> were up to no good.
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>