
Re: [Full-disclosure] Rate Stratfor's Incident Response



On Sat, Jan 14, 2012 at 12:32 PM, Ferenc Kovacs <tyra3l@xxxxxxxxx> wrote:
>
>
> On Sat, Jan 14, 2012 at 4:33 PM, Sanguinarious Rose
> <SanguineRose@xxxxxxxxxxxxxxxxx> wrote:
>>
>> I've been watching this chat for a while
>
>
> you didn't watch properly.
> nobody said that you shouldn't report vulnerabilities.
> we discussed whether or not it would help if one hired the kiddies
> owning their sites.
> and we discussed why it is bad if you report the vulnerability and back it
> up with the proof that you compromised that said system.
>

It was the tone of the discussion and implying that people reporting
it are downright criminals that sparked me. I added a bit of my own
personal viewpoints in there as well.

On the kiddies, I can't see the advantage of hiring a professional
sqlmap and havij operator.

> I always report the vulns that I stumble upon (from my own email and such)
> and while I'm doing this in good faith, I would never dare to actively
> exploit that vuln for better proof, because if they sue me, they would win.
> So I try to keep it that way, that I cannot be held responsible, because I
> didn't break any law.

I do agree and can't see the real need for someone to actually prove
it like that, which is rather over the line in being illegal. It also
requires more work than is even required to report it.

> I also think that for a full penetration testing, one shouldn't act without
> prior agreement with the owner and having that written down.
> To go back to the irl analogy: even if I'm doing it in good faith, so that I
> would report the owner or fix the lock myself, I shouldn't try to open every
> door and window on a "random" house, nor should I take a photo of his
> belongings so that I can prove that I was there.
>

That is obvious, or it is illegal.

> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/