On 2006-02-19 Ronald Chmara wrote:
> On Feb 17, 2006, at 5:23 AM, Ansgar -59cobalt- Wiechers wrote:
>> I have to disagree on the part that hacking into other people's
>> systems *without* doing any damage should be illegal. Why is that?
>> Well, first of all because the definition of what is and what isn't
>> hacking is very blurry.
>
> That depends on jurisdiction, but it seems pretty clear to me what is,
> and isn't, legal and illegal hacking.

Well, to me it's not quite so clear.

>> Is a portscan hacking?
>
> On someone else's machines? It is non-accidental probing of another
> person's property in an attempt to gain information about how to
> access it, without being invited to do so? That's illegal hacking.

A portscan is a probe to find out what services a publicly available
machine provides towards the Internet. I entirely fail to see what's
hacking about that, much less illegal hacking.

>> Is directory traversal as in the case of Daniel Cuthbert [1] hacking?
>
> On someone else's machines? It is non-accidental probing of another
> person's property in an attempt to gain information about how to
> access it, without being invited to do so? That's illegal hacking.

That's ridiculous. Did you actually read what that case was about?
Besides, how am I invited to use a website? How am I invited to send
e-mail to someone (i.e. use their mail server)? You just asked for the
Internet to be shut down.

[...]

>> Two years ago we had a case like that over here in Germany [2] (the
>> article is in German, but maybe an online translator will help). The
>> OBSOC (Online Business Solution Operation Center) system of the
>> Deutsche Telekom AG did not do proper authentication, so by
>> manipulating the URL you could access other customers' data. How
>> would you detect such a vulnerability without actually hacking the
>> system?
>
> OBSOC could contract out for regular testing and hacking with
> *authorized* individuals. The system would likely have to be hacked,
> but legally.

Whether they could or couldn't hire someone to do the testing is not
the point here. A customer noticed the vulnerability, and exploited it
to confirm it was real. Do you really believe he should be prosecuted
for that?

>> Is one supposed to not notice these things? Will that really make
>> them go away?
>
> Making it "go away" requires companies to invest in their own
> security. This includes regularly *hiring* people to hack at their
> systems.

You didn't answer the first question: is one supposed to not notice
this kind of thing? Do I have to trust that companies do their job
properly, even if there's evidence that they don't? You can't be
serious here.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq