Network Security Pen-Test

Definitions of what is a security researcher

Subject: Definitions of what is a security researcher
Date: Thu, 11 May 2006 16:40:19 +1000

Hello,
Some people seem to have the idea that it is their right to go about
testing security of systems on the web without permission. In my books
this is (and always will be) a breach of the owner's rights. Yes, you have
a right to be stupid, a right to be insecure and a right to not install
adequate controls.

What you do not have is a right to test the security of another site
without their express permission. This is not vulnerability research.
Vulnerability research - which, mind you, is not security research - is
about discovering flaws in software and systems on the market, not flaws
in an implementation.

Next there is a world of difference from noticing and reporting bad
script on a page and to actually sending an active attack to test a
site. Reading the source of a poorly written web page is one thing (and
this in itself will oft show a large number of vulnerabilities).
Attacking the site is another.

The so called defence of "I did it to protect them" does not and never
has held. Any action to property that is not expressly allowed (and a
license to view a web site is just that - to view - not to test) is
trespass. This is nothing new. Nearly a thousand years of law uphold
this. From the times of King John where you had no right to check the
security of the local lord's castle, you have no right to check the
security of a site without express permission.

The recent cases of Cuthbert in the UK, McCarty in the US etc. show a
disregard for the rights of others. These people are not helping anyone.
They make the industry look like a bunch of cowboys for a start and they
violate the rights of others. This is not ethical behaviour and should
be stopped.

Yes it would be great if everyone had to be secured. You do not achieve
this by randomly attacking sites just because you feel like it. There
are ways to make sites more secure and attacking sites without
permission is not one.

Some of the police gun storage lockers in NSW, Australia have been shown
to be unsafe by current standards. Should people attempt to break into
police stations to see if they can steal a gun? They would of course
only do it to help...

Security professionals should act as professional members of the
security community. Professionals act when they are engaged to act, not
as vigilantes with a personal vendetta against the world's insecure
systems.

Regards,
Craig
