Re: Vulnerabilities in new laws on computer hacking
On 2006-02-19 Ronald Chmara wrote:
> On Feb 17, 2006, at 5:23 AM, Ansgar -59cobalt- Wiechers wrote:
>> I have to disagree on the part that hacking into other people's
>> systems *without* doing any damage should be illegal. Why is that?
>> Well, first of all because the definition of what is and what isn't
>> hacking is very blurry.
>
> That depends on jurisdiction, but it seems pretty clear to me what is,
> and isn't, legal and illegal hacking.
Well, to me it's not quite so clear.
>> Is a portscan hacking?
>
> On someone else's machines? It is non-accidental probing of another
> person's property in an attempt to gain information about how to
> access it, without being invited to do so? That's illegal hacking.
A portscan is a probe to find out what services a publicly available
machine provides towards the Internet. I entirely fail to see what's
hacking about that, much less illegal hacking.
>> Is directory traversal as in the case of Daniel Cuthbert [1] hacking?
>
> On someone else's machines? It is non-accidental probing of another
> person's property in an attempt to gain information about how to
> access it, without being invited to do so? That's illegal hacking.
That's ridiculous. Did you actually read what that case was about?
Besides, how am I invited to use a website? How am I invited to send
e-mail to someone (i.e. use their mail server)? You just asked for the
Internet to be shut down.
[...]
>> Two years ago we had a case like that over here in Germany [2] (the
>> article is in German, but maybe an online translator will help). The
>> OBSOC (Online Business Solution Operation Center) system of the
>> Deutsche Telekom AG did not do proper authentication, so by
>> manipulating the URL you could access other customers' data. How
>> would you detect such a vulnerability without actually hacking the
>> system?
>
> OBSOC could contract out for regular testing and hacking with
> *authorized* individuals. The system would likely have to be hacked,
> but legally.
Whether they could or couldn't hire someone to do the testing is not the
point here. A customer noticed the vulnerability, and exploited it to
confirm it was real. Do you really believe he should be prosecuted for
that?
>> Is one supposed to not notice these things? Will that really make
>> them go away?
>
> Making it "go away" requires companies to invest in their own
> security. This includes regularly *hiring* people to hack at their
> systems.
You didn't answer the first question: is one supposed to not notice
this kind of thing? Do I have to trust that companies do their job
properly, even if there's evidence that they don't? You can't be serious
here.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq