On Wed, Mar 30, 2011 at 8:29 PM, Ryan Sears <[email protected]> wrote:
>
> How about the scenario in which one statically audits some javascript
> sitting on a site, to notice it does something in an unsafe manner, and can
> be used in an XSS attack without actually making it happen? There was no
> actual 'attacking' done, but there was still a vulnerability discovered. Is
> THAT considered an illegal act? Is putting a '<3' into a web form/comment
> section considered attacking it if you look at the source to see how the
> character translated? What if you just wanted to make an ascii heart? My
> point is it's a very blurry line, and there are a lot of scenarios where one
> may discover a vulnerability without even having to do anything.
>
Like with most laws, the key point is "intent". If your intention was clearly not malicious, then you are safe.

>
> As for the source code disclosures, there was absolutely no 'attacking'
> done. This was a huge oversight in the site devs, and they were giving that
> information to anyone who requested it, plain and simple. What about the
> Tumblr incident that happened a while ago? Just because they screwed up a
> production script, they ended up leaking massive amounts of internal
> infrastructure details, as well as private API keys, and other stuff that
> could be used for nefarious means. Is it illegal to visit that page? I think
> not, as THEY were putting the information out there (albeit by accident),
> but I as a user have no way to know that.
>
> I understand what you're saying about them not asking people to look for
> bugs, but it IS the internet. Companies don't typically ask external people
> to audit their executables either, but people do it for a number of reasons
> (mainly education).
>
> If they leave their site up, people will potentially poke at it. That's
> just the way it is. If I have a vested interest in a company (be it monetary
> or simply supporting its cause), I personally want to see the site
> flourish, because I am then a part of that site. I want to make sure that my
> personal information is protected, and if I do find a bug somewhere, I
> report it. I recently found an XSS in OpenDNS's landing page, and they were
> very appreciative, very professional, and prompt to respond. This made me
> WANT to work with them further to ensure that their infrastructure was
> hardened to other forms of attack as well. I don't disclose these sorts of
> issues publicly, because I give the developers a chance to fix it, and in my
> past experience most companies are happy that I reported an issue, because I
> could have just as easily not said anything. If it does come down to it
> though, I follow my own public disclosure policy (
> http://talesofacoldadmin.com/disclosure.html) based off Rain Forest
> Puppy's. It basically just asks for somewhat consistent lines of
> communication after I disclose something. If the communication drops (or is
> non-existent), then it's at my own discretion to disclose it in a public
> forum.
>
> I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but
> if choosing to disclose something (even in private) means potential legal
> troubles, then that takes away the motivation for me to disclose it in any
> form. I'm still going to be finding bugs for my own educational purposes,
> but I'll just stop disclosing them. That in itself starts to undermine the
> internet as a whole, leading to the restriction of information exchange,
> which is appalling.
>
> It IS technically illegal to do these sorts of tests without consent, but
> at what point DOES it become a 'test'? There are some cases, granted, in which
> the intention is clear (testing for blind SQL injections, etc) as they leave
> a huge footprint, but there's no explicitly clear line in which it becomes
> illegal. Is adding a ' to my name illegal? What if my 70+ year old
> grandmother did it by accident? Could she be persecuted as well? You can't
> apply the law to only some situations and not others.
>
> I also point you to one of my favorite XKCD's => http://xkcd.com/327/
>
> Is naming your kid something like that technically illegal? Then that
> starts getting into free-speech issues, which are most certainly protected
> by the constitution. If I want my name to be "Ann <!@#$%^&*()> Hero", and
> the site doesn't explicitly tell me I can't do so, then how can I be
> expected to reasonably know where their boundaries are? I don't see any
> terms of use for using their website anywhere.
>
> This is all just my opinion though, and sorry for the long message!
>
> Ryan
>
> ----- Original Message -----
> From: "Thor (Hammer of God)" <[email protected]>
> To: "Ryan Sears" <[email protected]>, [email protected]
> Cc: "full-disclosure" <[email protected]>
> Sent: Wednesday, March 30, 2011 2:12:37 PM GMT -05:00 US/Canada Eastern
> Subject: RE: [Full-disclosure] Vulnerabilities in *McAfee.com
>
> Well, I think there is a flip side to this, and that is the fact that no
> one is asking these people to inspect their sites for vulnerabilities.
> They are taking it upon themselves to scan the sites actively looking for
> vulnerabilities for the sole purpose of exposing them. They may say that
> they are doing it "to ensure that the vendors fix their problems" but it's
> not really any of their business to do so.
>
> I think someone would be hard pressed to justify (defend) their actions
> when they basically "attack" a site that they don't own, without permission,
> with the express intent of finding a vulnerability. That's the difference
> between a "test" and an "attack." It doesn't matter how trivial their
> finds are, or what the outcome of the scan is, it is the fact that no one
> asked, nor wants them to do this.
>
> Technically, what they are doing is in fact illegal - in the US anyway.
> So there is another aspect of this that deserves some discussion, I think.
>
> t
>
>
> >-----Original Message-----
> >From: [email protected] [mailto:full-disclosure-
> >[email protected]] On Behalf Of Ryan Sears
> >Sent: Wednesday, March 30, 2011 10:45 AM
> >To: [email protected]
> >Cc: full-disclosure
> >Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
> >
> >Seriously. I gotta say I feel like people at Cenzic (and Mcafee for that matter),
> >if anyone should understand that an XSS should really only be construed a
> >'criminal act' if it's indeed used to attack someone. If a group is taking the time
> >out of their day to find and disclose issues to Mcafee, they should probably be
> >thankful. What about finding a vulnerability in Mcafee's virus scanner? Could
> >that be construed as a 'criminal act' if they disclose it? Where do you draw the
> >line?
> >
> >Basically this sort of thing pushes the community into silence until something
> >truly criminal happens. I'm not saying give anyone massive amounts of credit
> >for publishing a few XSS bugs (because there's millions of them out there),
> >but don't label them as a criminal for trying to help. That's just idiotic IMO.
> >
> >If you run an enterprise level solution for antivirus AND web vulnerability
> >testing, the community understands that it's a process not unlike any other.
> >There will be bugs, but it only demolishes the image of Mcafee to see them
> >handle it like this in particular. If they would have been appreciative about it,
> >and promptly fixed their website (or at the very least maintained friendly
> >contact) this incident would have pretty much gone unnoticed.
> >
> >Look at LastPass as an example.
> >
> >http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html
> >
> >They had someone poking at their site, who managed to find an XSS bug using
> >CRLF injections. They were appreciative of the find, 2.5 hrs later the issue was
> >fixed, and there was that blog post about exactly what they were going to do
> >about it. They took full responsibility for the fact that THEIR coding was to
> >blame, and basically said 'This is what happened, and this is why it will
> >probably never happen again'. This spoke hugely to me (as I'm sure it did the
> >rest of the community) because it shows a company that's willing to admit it
> >made a mistake, as opposed to sitting on their haunches and blaming people
> >for looking for these sorts of bugs. Oh and not every customer of their service
> >has to pay massive licensing fees, as there's a free version as well. In my mind
> >at least this equates to a company that cares more about their customers that
> >don't pay a single dime, than a company who forces people to pay massive
> >amounts of coin for shaky automated scanning and services. That's just the
> >way I see it though.
> >
> >
> >Someone's gotta tell the emperor he has no clothes on.
> >
> >Ryan
> >
> >----- Original Message -----
> >From: "Jeffrey Walton" <[email protected]>
> >To: "YGN Ethical Hacker Group" <[email protected]>
> >Cc: "full-disclosure" <[email protected]>
> >Sent: Wednesday, March 30, 2011 1:05:42 PM GMT -05:00 US/Canada Eastern
> >Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
> >
> >On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group <[email protected]>
> >wrote:
> >> According to xssed.com, there are two remaining XSS issues:
> >>
> >> https://kb.mcafee.com/corporate/index?page=content&id="; alert(1); //
> >> https://kc.mcafee.com/corporate/index?page=content&id="; alert(1); //
> >>
> >>
> >> You guys know our disclosed issues are very simple and can easily be
> >> found through viewing HTML/JS source codes and simple Google Hacking
> >> (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
> >>
> >> However, it was criticized as 'illegal break-in' by Cenzic's CMO,
> >> http://www.cenzic.com/company/management/khera/, according to Network
> >> World News editor - Ellen Messmer. Thus, the next target is Cenzic
> >> web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
> >> is.
> >Too funny.... I wonder if Aaron Barr is consulting for Cenzic.
> >
> >Jeff
> >
> >>> [SNIP]
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
>
