Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Vulnerabilites in new laws on computer hacking

from [Ansgar -59cobalt- Wiechers] Network Security [Permanent Link]
Subject: Re: Vulnerabilites in new laws on computer hacking
Date: Fri, 17 Feb 2006 14:23:26 +0100 
Paul,

On 2006-02-15 Paul Schmehl wrote:

--On Saturday, February 11, 2006 16:35:20 +0000 self-destruction@itsbest.com 
wrote:

New generations of teenagers will be scared of doing online
exploration. I'm not talking about damaging other companies' computer
systems. I'm talking about accessing them illegally *without*
revealing private information to the public or harming any data that
has been accessed. To me, there is a big difference between these two
types of attacks but I don't think that judges feel the same way.
Furthermore, I don't even think that judges understand the
difference.


To me there is not.  They're my systems.  Stay out, thank you very
much.

If you want to learn how to hack, set up your own network, install
some OSes, with various patch levels, and hack away.  You can learn
everything you need to know without ever touching a system you do not
own.  Get your buddies involved.  Hack each other's boxes.  But do not
hack into systems that do not belong to you.  That *should* be illegal
and you *should* be prosecuted.


while I agree with you that for learning and practicing it would suffice
to build your own systems to tamper with, I have to disagree on the part
that hacking into other people's systems *without* doing any damage
should be illegal.

Why is that? Well, first of all because the definition of what is and
what isn't hacking is very blurry. Is a portscan hacking? Is directory
traversal as in the case of Daniel Cuthbert [1] hacking?

In addition to that some vulnerabilities can be discovered only ITW,
simply because you cannot rebuild that environment in your lab. Two
years ago we had a case like that over here in Germany [2] (the article
is in german, but maybe an online translator will help). The OBSOC
(Online Business Solution Operation Center) system of the Deutsche
Telekom AG did not do proper authentication, so by manipulating the URL
you could access other customers' data. How would you detect such a
vulnerability without actually hacking the system? Is one supposed to
not notice these things? Will that really make them go away?

[1] http://taint.org/2005/10/12/205836a.html
[2] http://www.ccc.de/t-hack/stn/inhlt/drartkl.htm

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Vulnerabilites in new laws on computer hacking, ArkanoiD
Next by Date:  Re: Internet Explorer remotely exploitable vulnerability in JScript's document.write() method, temp
Previous by Thread:  Re: Vulnerabilites in new laws on computer hacking, Paul Schmehl
Next by Thread:  Re: Vulnerabilites in new laws on computer hacking, Crispin Cowan
Indexes:  [Date] [Thread] [Top] [All Lists]