Not to be a dick or anything, but whether it should be or not is irrelevant; it is a crime. As you seem to be a "security expert" doing "penetration testing and security audits", I'm sure you'd understand that, for example, a remote file include is literally just a case of 'modifying one parameter of a URL'.
You didn't enumerate passwords; well, I guess that makes the crime slightly less serious. Personal info isn't worth that much, I've heard. In fact, by publishing data and the fact there is a hole, you could argue that in fact you could've made the situation worse for ACM. Hypothetically, now you've displayed that a hole is there, someone could go and dump the database, saving them the time of even looking for a vulnerable site. I'm just wondering what makes you so sure they won't do anything like that?

On Mon, Feb 22, 2010 at 7:46 PM, the hacker <i...@the-hacker.info> wrote:

> Hello Benji
>
> I did not crack/enumerate any passwords, use buffer overflow with
> Metasploit or whatever other tools...
>
> I don't think that by just modifying one parameter of a URL you already
> break a law (or all people that have spelling problems when entering a URL
> would be in jail).
>
> Also I have contacted ACM with my REAL name, address, phone number etc. via
> email.
>
> I've even called the CEO twice!
>
> So they know my identity because I just wanted to let them know about the
> problem on their website - but when they did not react for 4 days I
> extracted some sample data (I could have got much more) from the site to
> mail it to them. I've extracted enough to show them that it's not just 10
> addresses, but it's far from everything.
>
> So I wonder why I should be in trouble for wanting to help them?
>
> Do you other guys on the list also think that this is already a crime?
>
> By the way, I've sent the mail with the data 2 hours ago but no reaction.
>
> Greetings
>
> th
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/