[WEB SECURITY] security audit - how to avoid legal prosecution
rsradvan at unixworks.net
Wed Jun 8 14:26:57 EDT 2005
See comments below...
At Wed, 8 Jun 2005 15:59:42 +0100, you wrote:
>> Any chance for legal prosecution
>"Ring, ring. Hello, Mr. Smith? I notice that you have a 1998 Ford. Are you aware there is a manufacturer's defect in the central locking system? Don't worry though; I've broken into your car, just to confirm that it is indeed faulty (I like your 6-track; very retro). If you give me $1000 I can tell you how I broke in, and if you are lucky I can even help get the manufacturer to fix the fault."
** The above-stated example, YES, you would. Corporate America calls this "extortion". Look at prior cases involving the NY Times, but in that case, the gent was simply performing a "gratis customer service". They still nailed his a** to the cross. Why? They didn't give him permission -- he was, essentially -- "digitally trespassing".
>Noticing a flaw through normal use is acceptable (anyone want to guess how many high profile sites' forms break with a name like O'Neal?). Researching someone's site without authorisation is an entirely different kettle of fish, and depending upon your and their physical location, the exact details will be covered by one jurisdiction or other. For additional reading see the UK Computer Misuse Act etc.
** Um.....check other statutes, of which now, within the United States, we have many laws that would permanently put someone into a nice, dark, damp place for the remainder of their livable years. Let's see what we have that we can use: U.S. PATRIOT Act of 2001, Cyber Security Enhancement Act of 2002, if they're 1 of 15 (now 17) sectors that make up 'critical infrastructure', they would be covered under the Critical Infrastructure Information Act of 2002, and here's a WHOLE mess of laws that are currently enforced by U.S. DOJ: http://www.usdoj.gov/criminal/cybercrime/fedcode.htm.
>Unauthorised access is generally illegal. Expecting an organisation to be anything other than hostile to such an approach would be naïve.
** Again, see above. Nothing like being labeled as a terrorist, eh?
Bob Radvanovsky, CISM, CIFI, REM, CIPS
[/unixworks] "knowledge squared is information shared"
rsradvan at unixworks.com | http://www.unixworks.com
(630) 673-7740 [CELL] | (847) 519-5184 [PAGER] | (412) 774-0373 [FAX]
The Web Security Mailing List