On Tue, 17 Jan 2012 11:08:02 EST, "Mikhail A. Utin" said:

> So far it has been very interesting discussion, but nevertheless nobody went
> to the Source, which is the Law,

18 USC 1030 is the governing Federal statute in the US. In addition, many of the states have their own legislation.

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

"having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information..."

Note that "protected computer" doesn't mean "secured" - it means "protected under the terms of this law", which includes any system:

"which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;"

which is basically *any* system on the Internet.

Basically, you use a flaw to extract secret info from a "protected computer", and you aren't an authorized pen tester with a signed "get out of jail free" card from the owner of the computer, you just bought yourself a felony rap. That's part of why CISO's don't want to hire the kiddies that whacked them - if they come forward they're basically copping to a felony.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/