According to theregister.co.uk:
 
"Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee." (http://www.theregister.co.uk/2005/10/05/dec_case/) and
"After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories" (http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/).
 
This is legal hair-splitting. Yes, you are right. Who knows whether the judges would consider "port scanning" just as bad as "illegally attempt of securing access to a computer" (as defined in the UK "Computer Misuse Act 1990 (c.18)").
 
----- Original Message -----
From: "Drew Masters" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, June 02, 2006 9:33 AM
Subject: Re: Fw: [Full-disclosure] scanning

 
> It's worth looking into the Daniel Cuthbert case in the UK.
>
> Drew
>
> On 02/06/06, Lawrence Tang <[EMAIL PROTECTED]> wrote:
> >
> > "Vulnerability test" is not "port scan". It could involve an attempt to
> > "penetrate" or even penetration of the website through a vulnerable server
> > script for instance. In this particular case, we don't know what RA 8792 in
> > the Philippines says and/or what Tridel Technologies, Inc did. But in
> > general, "port scan" is supposed to be only checking which TCP/IP ports are
> > open for connection without going through the entire process of connection.
> > There is no question of penetration. How could any authority prosecute this
> > legitimately? If I, by mistake, attempt a connection to a site, could I be
> > in legal trouble? How many ports constitute "port scanning"?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
