Hello,

as I stated previously, the intent is critical in determining criminality based on the statute. Each sentence that includes "unauthorized access" also includes "with intent." For instance:

"knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value"

If you accidentally mistype a URL it clearly is not a violation of the statute. If you utilize SQL injection to retrieve financial information in order to support a carding ring you clearly violate the statute. If you expose a vulnerability in order to report it to the responsible parties and to raise awareness, well, that falls into a gray area where "intent" is probably the crux of the decision.

You can read the statute online in many places (http://www.law.cornell.edu/uscode/18/1030.html); it's worth checking out.

One more time for emphasis - I'm not a lawyer ;)

-- 
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey

On 02/22/2010 03:19 PM, Benji wrote:
> "Title 18 Section 1030, the Computer Fraud and Abuse Act of 1986,
> pretty much limits crimes to those intent on committing fraud or
> disclosing national secrets."
>
> Does that just cover fraud? Surely a database injection counts as
> unauthorised access?
>
> Does this mean that now anyone can start injecting websites and
> extracting data, and as long as they don't use the data to 'commit fraud
> or disclose national secrets', or albeit, it can't be proved, that person
> is safe?
>
> On Mon, Feb 22, 2010 at 8:12 PM, Justin C. Klein Keane
> <[email protected]> wrote:
>
>> I'm not a lawyer, and I assume Benji isn't either, but it's worth noting
>> that Title 18 Section 1030, the Computer Fraud and Abuse Act of 1986,
>> pretty much limits crimes to those intent on committing fraud or
>> disclosing national secrets. Exposing personal information doesn't seem
>> to fit under any of the statutory definitions of crime unless you use
>> that information to commit identity theft. The word "intent" figures
>> prominently in that statute, so I'd surmise full-disclosure actually
>> argues against this access being a crime.
>>
>> Justin C. Klein Keane
>> http://www.MadIrish.net
>>
>> The digital signature on this message can be confirmed
>> using the public key at http://www.madirish.net/gpgkey
>>
>> On 02/22/2010 02:52 PM, Benji wrote:
>>
>>> Not to be a dick or anything, but whether it should be or not is
>>> irrelevant, it is a crime. As you seem to be a "security expert" doing
>>> "penetration testing and security audits" I'm sure you'd understand that,
>>> for example, a remote file include is literally just a case of
>>> 'modifying one parameter of a URL'.
>>>
>>> You didn't enumerate passwords, well, I guess that makes the crime
>>> slightly less serious. Personal info isn't worth that much I've heard.
>>>
>>> In fact, by publishing data and the fact there is a hole, you could argue
>>> that in fact you could've made the situation worse for ACM.
>>> Hypothetically, now you've displayed that a hole is there, someone could
>>> go and dump the database, saving them the time of even looking for a
>>> vulnerable site.
>>>
>>> I'm just wondering what makes you so sure they won't do anything like that?
>>>
>>> On Mon, Feb 22, 2010 at 7:46 PM, the hacker <[email protected]> wrote:
>>>
>>>> Hello Benji
>>>>
>>>> I did not crack/enumerate any passwords, use buffer overflow with
>>>> metasploit or whatever other tools...
>>>>
>>>> I don't think that by just modifying one parameter of a URL you
>>>> already break a law (or all people that have spelling problems when
>>>> entering a URL would be in jail).
>>>>
>>>> Also I have contacted ACM with my REAL name, address, phone number
>>>> etc. via email.
>>>>
>>>> I've even called the CEO twice!
>>>>
>>>> So they know my identity because I just wanted to let them know
>>>> about the problem on their website - but when they did not react for
>>>> 4 days I extracted some sample data (I could have got much more)
>>>> from the site to mail it to them. I've extracted enough to show
>>>> them that it's not just 10 addresses, but it's far from everything.
>>>>
>>>> So I wonder why I should be in trouble for wanting to help them?
>>>>
>>>> Do you other guys on the list also think that this is already a crime?
>>>>
>>>> By the way, I've sent the mail with the data 2 hours ago but no
>>>> reaction.
>>>>
>>>> Greetings
>>>>
>>>> th

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
