Hey there pen-testers, take this with a grain of salt, it just got me
excited. I am really interested in everyones opinion on the matter or
corporate responsibility and ownership.
<RANT>
In an article posted to slashdot today
() a man
has been convicted of hacking when he casually and helpfully reported a
security vulnerability to the owners of a web site, in this case The
University of Southern California. It reads like it was some sort of
simple SQL injection and upon gleaning the information he reported it.
What are we to do as a community I ask? We should we, the good guys,
who are paid for our knowledge and ability to exploit mistakes,
oversights, and weaknesses then professionally report them to aid in the
securing of information capital (or anyone who reports the flaw for that
matter) worry about prosecution. It lends itself to a forcing the
technical community to sit on their laurels and wait for the people who
don't report issues to exploit them. Further it sounds very clear that
had he not notified them, they would have never known.
A security pro notices a flaw, checks to make sure he is not on crack by
'flipping a bit', deems the threat viable and is likely to be exploited,
notifies the owners, then get arrested and charged with unauthorized
access. We, as a or even The security community, should push
corporations, governments, and organized body's to take responsibility
and ownership of their problems. If they publish a site that is flawed
or exposing information then they are authorizing the retrieval of that
information. I'm not advocating that they laws should allow any jerk to
try and brute his or her way in to a public or private web site, but
come on.
If someone leaves their wallet in the park with no guard or protection,
I pick it up and bring it back to the owner, the owner didn't want me to
have it but I brought it back to him. Why in the hell should I have to
go to jail for returning it to him, why should I/we be punished for
doing the right thing?
I acknowledge this to be a rant but there must but some way to insist
that when people make something available to the public that it is their
responsibility to safeguard it and appreciate not persecute someone who
let's them know (for free I might add) that a weakness exists. This is
simple scapegoating, the University did something not advisable as a
good practice and instead of owning up to it they villafied a
professional pen-tester for offering valid advice.
</RANT>
Thanks,
Bill
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

So, one night, I'm taking a stroll along main street in my town. *I stop for a
rest, and happen to lean up against the front door of a store.

I notice the door gives a little bit - and out of curiousity and concern, push
a little harder.

The door opens.

I immediately stop what I am doing, and notify the owners and the authorities
that the premises are insecure.

By the absolute legal definition, I have indeed "broke and entered" the
premises.

Where the hell is motive in all of this? *I think that unless there was motive
to do some harm, this conviction is utterly ridiculous.

That's my quickie opinion on the matter.

Best,

Ian Scott

May 10, 2006 10:20 am, William Hancock wrote:
Hey there pen-testers, take this with a grain of salt, it just got me
excited. *I am really interested in everyones opinion on the matter or
corporate responsibility and ownership.

<RANT>
In an article posted to slashdot today
() a man
has been convicted of hacking when he casually and helpfully reported a
security vulnerability to the owners of a web site, in this case The
University of Southern California. *It reads like it was some sort of
simple SQL injection and upon gleaning the information he reported it.

What are we to do as a community I ask? *We should we, the good guys,
who are paid for our knowledge and ability to exploit mistakes,
oversights, and weaknesses then professionally report them to aid in the
securing of information capital (or anyone who reports the flaw for that
matter) worry about prosecution. *It lends itself to a forcing the
technical community to sit on their laurels and wait for the people who
don't report issues to exploit them. *Further it sounds very clear that
had he not notified them, they would have never known.

A security pro notices a flaw, checks to make sure he is not on crack by
'flipping a bit', deems the threat viable and is likely to be exploited,
notifies the owners, then get arrested and charged with unauthorized
access. *We, as a or even The security community, should push
corporations, governments, and organized body's to take responsibility
and ownership of their problems. *If they publish a site that is flawed
or exposing information then they are authorizing the retrieval of that
information. *I'm not advocating that they laws should allow any jerk to
try and brute his or her way in to a public or private web site, but
come on.

If someone leaves their wallet in the park with no guard or protection,
I pick it up and bring it back to the owner, the owner didn't want me to
have it but I brought it back to him. *Why in the hell should I have to
go to jail for returning it to him, why should I/we be punished for
doing the right thing?

I acknowledge this to be a rant but there must but some way to insist
that when people make something available to the public that it is their
responsibility to safeguard it and appreciate not persecute someone who
let's them know (for free I might add) that a weakness exists. *This is
simple scapegoating, the University did something not advisable as a
good practice and instead of owning up to it they villafied a
professional pen-tester for offering valid advice.

</RANT>
--
Thanks,
Bill

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise, you need to proactively protect your applications from hackers.
Cenzic has the most comprehensive solutions to meet your application
security penetration testing and vulnerability management needs. You have
an option to go with a managed service (Cenzic ClickToSecure) or an
enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

PGP SIGNATURE
Version: GnuPG v1.4.2 (GNU/Linux)

RqZP7edx4ihicfNos=
=NJlP
PGP SIGNATURE

not to nitpick or anything, but he hasn't been convicted yet. he has
been charged though. knowing the criminal justice system like I do,
it'll probably be another 2 years at least before a jury finds him
innocent :)

5/10/06, William Hancock <bill.hancock (AT) isthmusgroup (DOT) comwrote:
Hey there pen-testers, take this with a grain of salt, it just got me
excited. I am really interested in everyones opinion on the matter or
corporate responsibility and ownership.

<RANT>
In an article posted to slashdot today
() a man
has been convicted of hacking when he casually and helpfully reported a
security vulnerability to the owners of a web site, in this case The
University of Southern California. It reads like it was some sort of
simple SQL injection and upon gleaning the information he reported it.

What are we to do as a community I ask? We should we, the good guys,
who are paid for our knowledge and ability to exploit mistakes,
oversights, and weaknesses then professionally report them to aid in the
securing of information capital (or anyone who reports the flaw for that
matter) worry about prosecution. It lends itself to a forcing the
technical community to sit on their laurels and wait for the people who
don't report issues to exploit them. Further it sounds very clear that
had he not notified them, they would have never known.

A security pro notices a flaw, checks to make sure he is not on crack by
'flipping a bit', deems the threat viable and is likely to be exploited,
notifies the owners, then get arrested and charged with unauthorized
access. We, as a or even The security community, should push
corporations, governments, and organized body's to take responsibility
and ownership of their problems. If they publish a site that is flawed
or exposing information then they are authorizing the retrieval of that
information. I'm not advocating that they laws should allow any jerk to
try and brute his or her way in to a public or private web site, but
come on.

If someone leaves their wallet in the park with no guard or protection,
I pick it up and bring it back to the owner, the owner didn't want me to
have it but I brought it back to him. Why in the hell should I have to
go to jail for returning it to him, why should I/we be punished for
doing the right thing?

I acknowledge this to be a rant but there must but some way to insist
that when people make something available to the public that it is their
responsibility to safeguard it and appreciate not persecute someone who
let's them know (for free I might add) that a weakness exists. This is
simple scapegoating, the University did something not advisable as a
good practice and instead of owning up to it they villafied a
professional pen-tester for offering valid advice.

</RANT>
--
Thanks,
Bill

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

--

Syv Ritch wrote:
William Hancock wrote:

a man has been convicted of hacking when he casually and
helpfully reported a security vulnerability to the owners of a
web site, in this case The University of Southern California.
It reads like it was some sort of simple SQL injection and upon
gleaning the information he reported it.

1. Sorry, but that's not what I heard. He also went into the NASA and
other government agencies. Not only did he do "some pentesting"
outside. He actually went in, and from inside did further "things". We
don't know what he did inside, but he did enough to convince a judge
to send him to the the States.

If someone leaves their wallet in the park with no guard or
protection, I pick it up and bring it back to the owner,
the owner didn't want me to have it but I brought it back to
him. Why in the hell should I have to go to jail for returning
it to him, why should I/we be punished for doing the right
thing?

2. It's more like you find their wallet, see the credit card inside
and use the credit card for buying stuff to test if the credit card
works.

3. He is not convicted yet, he will be extradited to the US for trial.
Syv, I do believe you're talking about two different cases.

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

PGP SIGNED MESSAGE
Hash: SHA1

Wed, 10 May 2006 20:31:11 -0700
Syv Ritch <syv (AT) 911networks (DOT) comwrote:
1. Sorry, but that's not what I heard. He also went into the NASA
and other government agencies. Not only did he do "some
pentesting" outside. He actually went in, and from inside did
further "things". We don't know what he did inside, but he did
enough to convince a judge to send him to the the States.

You're talking about Gary McKinnon, a Brit who used (if I remember correctly from articles I read a while back when he got caught) really basic windows vulnerabilities such as unsecured shares, as well as a few other ancient tricks to mess around with nasa and pentagon computers, apparently in some sort of search for secret information about UF The slashdot article linked to in the original e-mail is about a completely different case, involving someone called "Bret McDanel".

Read before you snark.

Phoebe
PGP SIGNATURE
Version: GnuPG v1.4.2 (GNU/Linux)

I7PzIlkzcsGeGvyxFY=
=zjh2
PGP SIGNATURE

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

Wed, May 10, 2006 at 09:20:22AM -0500, William Hancock wrote:

In an article posted to slashdot today

ummmmyeah.

He's getting what he deserved. He emailed info regarding a previous
employeer to a 3rd party. Leave security (practice, working in a) out
of it.

Actually, let's go even more basic. He accessed the computers of a
former employeer? Jackass.

(Sorry hopefully I don't know all the details of this case, but base my
opinion off the sob story Ms. Granick wrote for Wired)

John

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

There are some interesting debates developing here! :-)

I would argue the main point in this case is - unauthorised access -
No matter how much good will is arguably present (think about the Daniel
Cuthbert
<case
in terms of the same defense) you have gained unauthorised access. As
ethical IT security experts, with all our knowledge, skill and esoteric
talent, we do not have a right to gain unauthorised access. I hate to
agree with Craig Wright (as I believe his comments on this list to be
too acidic and un-supportive to the novice - although his frustration is
completely understandable) however computer misuse legislation across
the world carries a golden thread, you must have permission to access a
computer system.

It is frustrating to observe the naivety and yet arguably the good will
of these individuals who are sentenced to a jail terms (each case on
it's own merits/demerits of course). I think generally the professional
community is evolving through professionals bodies, and doing a good
job. However I believe it is important to maintain the distinction
between the professionals who follow a code of ethics and maintain good
morals and practices, with those that are not and do not.

As ever the balance between liberty, freedom of speech, and suppression
by the state/corporate entities is ever present as we walk through life.

Interesting times.

Stu

Ian Scott wrote:
So, one night, I'm taking a stroll along main street in my town. I stop for a
rest, and happen to lean up against the front door of a store.

I notice the door gives a little bit - and out of curiousity and concern, push
a little harder.

The door opens.

I immediately stop what I am doing, and notify the owners and the authorities
that the premises are insecure.

By the absolute legal definition, I have indeed "broke and entered" the
premises.

Where the hell is motive in all of this? I think that unless there was motive
to do some harm, this conviction is utterly ridiculous.

That's my quickie opinion on the matter.

Best,

Ian Scott

May 10, 2006 10:20 am, William Hancock wrote:

>Hey there pen-testers, take this with a grain of salt, it just got me
>excited. I am really interested in everyones opinion on the matter or
>corporate responsibility and ownership.
>>
><RANT>
>In an article posted to slashdot today
>() a man
>has been convicted of hacking when he casually and helpfully reported a
>security vulnerability to the owners of a web site, in this case The
>University of Southern California. It reads like it was some sort of
>simple SQL injection and upon gleaning the information he reported it.
>>
>What are we to do as a community I ask? We should we, the good guys,
>who are paid for our knowledge and ability to exploit mistakes,
>oversights, and weaknesses then professionally report them to aid in the
>securing of information capital (or anyone who reports the flaw for that
>matter) worry about prosecution. It lends itself to a forcing the
>technical community to sit on their laurels and wait for the people who
>don't report issues to exploit them. Further it sounds very clear that
>had he not notified them, they would have never known.
>>
>A security pro notices a flaw, checks to make sure he is not on crack by
>'flipping a bit', deems the threat viable and is likely to be exploited,
>notifies the owners, then get arrested and charged with unauthorized
>access. We, as a or even The security community, should push
>corporations, governments, and organized body's to take responsibility
>and ownership of their problems. If they publish a site that is flawed
>or exposing information then they are authorizing the retrieval of that
>information. I'm not advocating that they laws should allow any jerk to
>try and brute his or her way in to a public or private web site, but
>come on.
>>
>If someone leaves their wallet in the park with no guard or protection,
>I pick it up and bring it back to the owner, the owner didn't want me to
>have it but I brought it back to him. Why in the hell should I have to
>go to jail for returning it to him, why should I/we be punished for
>doing the right thing?
>>
>I acknowledge this to be a rant but there must but some way to insist
>that when people make something available to the public that it is their
>responsibility to safeguard it and appreciate not persecute someone who
>let's them know (for free I might add) that a weakness exists. This is
>simple scapegoating, the University did something not advisable as a
>good practice and instead of owning up to it they villafied a
>professional pen-tester for offering valid advice.
>>
></RANT>
>>
>>
>Thanks,
>Bill
>>
>
>This List Sponsored by: Cenzic
>>
>Concerned about Web Application Security?
>Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
>Choice Award from eWeek. As attacks through web applications continue to
>rise, you need to proactively protect your applications from hackers.
>Cenzic has the most comprehensive solutions to meet your application
>security penetration testing and vulnerability management needs. You have
>an option to go with a managed service (Cenzic ClickToSecure) or an
>enterprise software
>(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
>help you:
>And, now for a limited time we can do a FREE audit for you to confirm your
>results from other product. Contact us at request (AT) cenzic (DOT) com for details.
>
>
>

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

No matter how noble he thought his actions to be the bottom line is that
he unlawfully accessed the system and copied several private records of
students. He never obtained permission as a pen tester to carry out any
tests against that site. His initial discovery should of stopped at the
passive point or in all theory should not of started at all. he
suspected there to be a issue he should of contacted the school. Instead
he took the active approached and exploited the site "stealing" student
information.

Now I dont agree fully one way or the other on his actions or the courts
ruling as there is always things left out of the story or altered by the
press.

Hey there pen-testers, take this with a grain of salt, it just got me
excited. I am really interested in everyones opinion on the matter or
corporate responsibility and ownership.

<RANT>
In an article posted to slashdot today
() a man
has been convicted of hacking when he casually and helpfully reported a
security vulnerability to the owners of a web site, in this case The
University of Southern California. It reads like it was some sort of
simple SQL injection and upon gleaning the information he reported it.

What are we to do as a community I ask? We should we, the good guys,
who are paid for our knowledge and ability to exploit mistakes,
oversights, and weaknesses then professionally report them to aid in the
securing of information capital (or anyone who reports the flaw for that
matter) worry about prosecution. It lends itself to a forcing the
technical community to sit on their laurels and wait for the people who
don't report issues to exploit them. Further it sounds very clear that
had he not notified them, they would have never known.

A security pro notices a flaw, checks to make sure he is not on crack by
'flipping a bit', deems the threat viable and is likely to be exploited,
notifies the owners, then get arrested and charged with unauthorized
access. We, as a or even The security community, should push
corporations, governments, and organized body's to take responsibility
and ownership of their problems. If they publish a site that is flawed
or exposing information then they are authorizing the retrieval of that
information. I'm not advocating that they laws should allow any jerk to
try and brute his or her way in to a public or private web site, but
come on.

If someone leaves their wallet in the park with no guard or protection,
I pick it up and bring it back to the owner, the owner didn't want me to
have it but I brought it back to him. Why in the hell should I have to
go to jail for returning it to him, why should I/we be punished for
doing the right thing?

I acknowledge this to be a rant but there must but some way to insist
that when people make something available to the public that it is their
responsibility to safeguard it and appreciate not persecute someone who
let's them know (for free I might add) that a weakness exists. This is
simple scapegoating, the University did something not advisable as a
good practice and instead of owning up to it they villafied a
professional pen-tester for offering valid advice.

</RANT>
--
Thanks,
Bill

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise,
you need to proactively protect your applications from hackers. Cenzic has
the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with
a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

--

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

>>If someone leaves their wallet in the park with no guard or protection,
>>I pick it up and bring it back to the owner, the owner didn't want me to
>>have it but I brought it back to him.
>>Why in the hell should I have to
>>go to jail for returning it to him, why should I/we be punished for
>>doing the right thing?

Not the best analogy IMH
Finding mentally impared persons, taking money out of their pockets and then
telling them we can do so as we hand it back seems like a better analogy.

The analogy has the mentally impared managing companies and websites, which
makes it not good, but better. Kind of funny, but not good.

Maybe the first thing we need is a good community analogy that won't offend.

Anyway

I believe we need to keep a sober perspective and obey the law,
understanding there will be carnage we can do nothing about that the
mentally impared have every right to inflict on themselves and their
customers until the law says otherwise.

And we need some laws in place to protect reasonable actions by knowledgable
persons trying to protect society.

Someday we will have an entry:
"for pentesters"

very best regards,
David

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

Because I BELIEVE there is a "LT" more here than meets the eye I wonder
if he took the evidence to the Univ. and they ignore him If so, then
perhaps he had an axe to grind My point is this - what ACTUAL DAMAGE was
caused? Most lawyers will tell you that you MUST prove there was malice and
ACTUAL DAMAGE.

I agree he acted stupid, but I'm just afraid it may start a precedent. I
also agree he should have had permission, but I just can't help but have
a "gut-feeling" there's more here than meets the eye I have only been in
IT for 28 years, but I'm still learning

Coop

Thu, 11 May 2006 17:41:21 -0400, lee.e.rian wrote
"Art Cooper" <acooper (AT) pop (DOT) innerwall.comwrote on 05/11/2006
11:25:57 AM:

I agree Bill. The fact they use information HE provided to then convict
him
is completely ridiculous

If he actually did provide the information to USC that would be one thing.
But he breaks in, steals personal records, doesn't notify USC about the
security problem, and sends the personal records to a reporter!?

from
,70857-0.html?tw=wn_index_6

"McCarty is a professional computer security consultant who
noticed that there was a problem with the way the University of
Southern California had constructed its web page for online
applications. A database programming error allowed outsiders to
obtain applicants' personal information, including Social Security
numbers.

For proof, the man copied seven applicants' personal records and
anonymously sent them to a reporter for SecurityFocus. The journalist
notified the school, the school fixed the problem, and the
reporter wrote an article about it."

Why would anyone try to defend this behavior much less get upset
when he's prosecuted?

Lee

Wed, 10 May 2006 09:20:22 -0500, William Hancock wrote
Hey there pen-testers, take this with a grain of salt, it just got me
excited. I am really interested in everyones opinion on the matter
or corporate responsibility and ownership.

<RANT>
In an article posted to slashdot today

() a
man has been convicted of hacking when he casually and helpfully
reported a security vulnerability to the owners of a web site, in
this case The University of Southern California. It reads like it
was some sort of simple SQL injection and upon gleaning the
information he reported it.
< snip >

Best Regards,
Coop

Arthur B. Cooper Jr. "Coop"
Senior Network Engineer
Innerwall, Inc.
http://www.innerwall.com
US Mobile: 719-640-7223
acooper (AT) innerwall (DOT) com

"Most men lead lives of quiet desperation
and go to the grave with the song still in them."
* Henry David Thoreau *

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

I'm surprised that there are people who claim to be pen-testers that
are even surprised that he has been charged under the circumstances.
Anyone remember Randal Schwartz, Intel and Randals felony conviction?
And remember, Randal was employed at Intel. His defense was (surprise)
that he was being a good samaritan showing the flaws in their
security.

You can agree or disagree with whether these sorts of prosecutions
make sense but to be surprised that they occur defies belief. The
bottom line is that you generally don't test other peoples systems
without permission and expect not to have bad things happen to you.

I'm by no means advocating security through obscurity. I cannot
condone random individuals actively attacking a websites security
under the guise of helping. What would your position be if his
activity had been identified and he had been arrested and charged
before emailing Securityfocus?

Just a few thoughts.

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

Let me list some actual damage. The company now knows that someone
who was not authorized, and did not have the best interests of the
company in mind (or else they would have contacted the company with
their findings, not the company's customers or journalists) had access
to basically Anything and Everything in their computer systems.

Therefore, the Actual Damage is the re-evaluation of all systems, and
verification of all data on those compromised systems, to ensure that
the company's data has not been twiddled with/changed/modified.

What assurance does the company have that this criminal (and yes,
it it criminal to break into a system without authorization) didn't
fiddle with the data, perhaps even putting in code that will either
cause the company to automatically send out payments to someone who
doesn't deserve them, or erase records of expected payments, etc.?
What if the criminal set up something on these computers to make it
appear as if the company itself was performing a criminal activity,
that will later cause the leaders of the company to be arrested?

A defense of "I didn't do anything" does not lead much credence to
a criminal's testimony.

It costs lots of money to pay employees (and likely expert consultants
as well) for their time to clean up and verify the systems. And what
if they aren't as diligent as the original criminal thinks they should
be? If something was planted by the criminal, this Criminal can now
come back and once again report to the media and the company's customers
that the cleanup was not done properly. Thus the company has to spend
more money being diligent in their response.

Money is Actual Damage, Mr. Cooper.

Art Cooper wrote:

Because I BELIEVE there is a "LT" more here than meets the eye I wonder
if he took the evidence to the Univ. and they ignore him If so, then
perhaps he had an axe to grind My point is this - what ACTUAL DAMAGE was
caused? Most lawyers will tell you that you MUST prove there was malice and
ACTUAL DAMAGE.

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

Well Karyn,

As one who has been in IT for 28 years (Including Intel and IT for the US
Air Force), and as one who also is published on the matter and has spent the
last 10 years dedicating myself to Information Security, AND as on who has
taught at two institutes of so-called "Higher Learning" part-time for many
years, I will tell you that I say those things BECAUSE a University is
involved. If you want to see politics, hysteria, and childish behavior on
EVERY level, go teach. I have taught BS and MS level students, and the BS in
College IT departments is unsurpassed!

The fact this gentleman had "SME" sort of realtionship with the University
tells me there was an axe to grind by one side or the other. The University
has more cloat and money, therefore they succeed and this gentleman "Sucks-
Seed".

I have also personally testified at sveral court proceedings concerning these
very activities, and I can tell you that in 99% of the cases I was involved
in, there was a "Witch Hunt" and a LT more involved then we are getting from
this article. Did he do wrong? YES - no doubt, but I feel the response you
have made as to DAMAGE is inflated. Are you a lawyer? You sure sound like
one

Regards,
Coop

Arthur B. Cooper Jr. "Coop"
Senior Network Engineer
Innerwall, Inc.
http://www.innerwall.com
acooper (AT) innerwall (DOT) com

"Most men lead lives of quiet desperation
and go to the grave with the song still in them."
* Henry David Thoreau *

Fri, 12 May 2006 13:55:03 -0400, Karyn Pichnarczyk wrote
Let me list some actual damage. The company now knows that someone
who was not authorized, and did not have the best interests of the
company in mind (or else they would have contacted the company with
their findings, not the company's customers or journalists) had
access to basically Anything and Everything in their computer systems.

Therefore, the Actual Damage is the re-evaluation of all systems, and
verification of all data on those compromised systems, to ensure that
the company's data has not been twiddled with/changed/modified.

What assurance does the company have that this criminal (and yes,
it it criminal to break into a system without authorization) didn't
fiddle with the data, perhaps even putting in code that will either
cause the company to automatically send out payments to someone who
doesn't deserve them, or erase records of expected payments, etc.?
What if the criminal set up something on these computers to make it
appear as if the company itself was performing a criminal activity,
that will later cause the leaders of the company to be arrested?

A defense of "I didn't do anything" does not lead much credence to
a criminal's testimony.

It costs lots of money to pay employees (and likely expert
consultants as well) for their time to clean up and verify the
systems. And what if they aren't as diligent as the original
criminal thinks they should be? If something was planted by the
criminal, this Criminal can now come back and once again report to
the media and the company's customers that the cleanup was not done
properly. Thus the company has to spend more money being diligent
in their response.

Money is Actual Damage, Mr. Cooper.

Art Cooper wrote:

Because I BELIEVE there is a "LT" more here than meets the eye I
wonder
if he took the evidence to the Univ. and they ignore him If so, then
perhaps he had an axe to grind My point is this - what ACTUAL DAMAGE
was
caused? Most lawyers will tell you that you MUST prove there was malice
and
ACTUAL DAMAGE.

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request (AT) cenzic (DOT) com for details.

PGP SIGNED MESSAGE
Hash: SHA1

Fri, 12 May 2006 13:55:03 -0400
Karyn Pichnarczyk <karyn (AT) sandstorm (DOT) netwrote:

Therefore, the Actual Damage is the re-evaluation of all systems, and
verification of all data on those compromised systems, to ensure that
the company's data has not been twiddled with/changed/modified.

I wouldn't argue that what the people mentioned in the articles did was ethical (or particularly sane). However, surely once a critical flaw like that is discovered at all the data accessed must be considered potentially-compromised, whether the flaw was discovered by someone who had permission to look or not. The data was available relatively easily to anyone who took a look. There's a good possibility that there have already been intruders who weren't so gracious as to identify themselves. The intruder who identifies themselves is not responsible for this "damage", as the damage exists with or without them. I think the actual damage you refer to is just logical phallacy to cover the issue that a piece of critical technology is seriously flawed. An intruder who does nothing to a company but inform them of a security flaw doesn't hurt the company, as the problem was there before they arrived.

A defense of "I didn't do anything" does not lead much credence to
a criminal's testimony.

No, but identifying yourself as the perp does in a few legal systems.
PGP SIGNATURE
Version: GnuPG v1.4.2 (GNU/Linux)

4ShGJ0dYxLJndbs4Y4qh2cU=
=jWhX
PGP SIGNATURE