[WEB SECURITY] security audit - how to avoid legal prosecution

Jay D. Dyson jdyson at treachery.net
Wed Jun 8 11:41:52 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 8 Jun 2005, Maxim Kostioukov wrote:

> Would someone advise on how to approach this in terms of legal agreements 
> BEFORE doing any security research?

 	It's always a good idea to cover your butt when treading into 
murky legal territory...and digital security research gets darker and 
murkier by the minute these days.

> For example, one is doing penetration tests on web apps without a 
> written agreement or, even worse, without the other side being aware of 
> the test, then informs that side about the findings (not disclosing them 
> publicly).

 	If you have no agreement, then you are not doing "research" in the 
eyes of the law; you are attacking.  No matter how pure your motives or 
what manner of disclosure you do, the drones at the Effa-Bee-Eye and the 
local County Mounties will still treat you like you intentionally ran over 
a nun.  And don't think the courts will be any kinder.

 	Look at it this way: if I see my neighbor has a window on his 
house that's always left half-open when he goes to work, I'm not entitled 
to go over to his house, crawl through his window and prove what a bad 
idea it is to leave one's window open in the name of "security research." 
If the black & whites roll up while I'm thumbing through this guy's DVD 
collection, you can bet my credibility for purity of motive isn't going to 
have a receptive audience.  Even though I didn't do anything violent to 
get into the house and I didn't take anything, it's still Breaking and 
Entering coupled with Burglary.  Don't even bother proclaiming your 
innocence.  Everyone in jail is innocent...or so they say.

> Any chance of legal prosecution being brought if the other side 
> simply wants to do this? I think it is possible... Any advice?

 	Here are your options:

 	1.	Get a signed contract with the site's proprietors to
 		do a penetration test, or
 	2.	Get a copy of the software they use, build your own and
 		have a rip-roarin' good time tearing it apart, or
 	3.	Walk the other way and fugedaboudit.

- -Jay

    (    (                                                      _______
    ))   ))  .-"There's always time for a good cup of coffee"-.  >====<--.
  C|~~|C|~~| \----- Jay D. Dyson -- jdyson at treachery.net -----/ |    = |-'
   `--' `--'  `-- Pardon me, but am I on the right planet? --'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFCpxHExzN3WIW0edsRAud9AKCbCjJyomqJXtz7cX/KGQDFakr8ewCfScse
L8uQRU8Dzmt3ePrujAy72gc=
=YRf2
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
