Network Security Vuln-Dev

Re: Vulnerabilities in new laws on computer hacking

Subject: Re: Vulnerabilities in new laws on computer hacking
Date: Sun, 19 Feb 2006 14:47:00 +0100
On 2006-02-19 Ronald Chmara wrote:
> On Feb 17, 2006, at 5:23 AM, Ansgar -59cobalt- Wiechers wrote:
>>> I have to disagree on the part that hacking into other people's
>>> systems *without* doing any damage should be illegal. Why is that?
>> Well, first of all because the definition of what is and what isn't
>> hacking is very blurry.

> That depends on jurisdiction, but it seems pretty clear to me what is,
> and isn't, legal and illegal hacking.

Well, to me it's not quite so clear.

>> Is a portscan hacking?

> On someone else's machines? It is non-accidental probing of another
> person's property in an attempt to gain information about how to
> access it, without being invited to do so? That's illegal hacking.

A portscan is a probe to find out what services a publicly available
machine provides towards the Internet. I entirely fail to see what's
hacking about that, much less illegal hacking.

>> Is directory traversal as in the case of Daniel Cuthbert [1] hacking?

> On someone else's machines? It is non-accidental probing of another
> person's property in an attempt to gain information about how to
> access it, without being invited to do so? That's illegal hacking.

That's ridiculous. Did you actually read what that case was about?
Besides, how am I invited to use a website? How am I invited to send
e-mail to someone (i.e. use their mail server)? You just asked for the
Internet to be shut down.

[...]
>> Two years ago we had a case like that over here in Germany [2] (the
>> article is in German, but maybe an online translator will help). The
>> OBSOC (Online Business Solution Operation Center) system of the
>> Deutsche Telekom AG did not do proper authentication, so by
>> manipulating the URL you could access other customers' data. How
>> would you detect such a vulnerability without actually hacking the
>> system?

> OBSOC could contract out for regular testing and hacking with
> *authorized* individuals. The system would likely have to be hacked,
> but legally.

Whether they could or couldn't hire someone to do the testing is not the
point here. A customer noticed the vulnerability, and exploited it to
confirm it was real. Do you really believe he should be prosecuted for
that?

>> Is one supposed to not notice these things? Will that really make
>> them go away?

> Making it "go away" requires companies to invest in their own
> security. This includes regularly *hiring* people to hack at their
> systems.

You didn't answer the first question: is one supposed to not notice
this kind of thing? Do I have to trust that companies do their job
properly, even if there's evidence that they don't? You can't be serious
here.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
