[WEB SECURITY] security audit - how to avoid legal prosecution

Jay D. Dyson jdyson at treachery.net
Wed Jun 8 17:45:36 EDT 2005


On Wed, 8 Jun 2005, Achim Hoffmann wrote:

> What is "unauthorised access" if not expressed on the website itself?

 	Lately it seems that the definition of "unauthorized access" has 
gone the way of the definition of obscenity.  There are some hard and fast 
rules, but it usually boils down to someone in a position of authority 
saying, "I know it when I see it."

 	In a general sense, unauthorized access is doing anything beyond 
the scope of a program's primary, intended purpose.  So if you're feeding 
a ridiculous quality or quantity of data to a program (the kind that is 
well outside the bounds of information it requests for its functioning) 
and you actually manage to get the program to do something interesting, 
then *voila*...unauthorized access.  Come with us, mister...and don't talk 
to the other boys and girls.

> Please teach the programmers to validate *any* data instead of 
> criminalising users with laws.

 	It is the tendency of the logic-deprived to pass new laws 
criminalizing perfectly reasonable conduct.  That is why we have the 
abomination that is the Digital Millennium Copyright Act (DMCA) and a host 
of other laws that handicap only the local, law-abiding folk while leaving 
the criminal element at liberty to do what they want.

-Jay

    (    (                                                      _______
    ))   ))  .-"There's always time for a good cup of coffee"-.  >====<--.
  C|~~|C|~~| \----- Jay D. Dyson -- jdyson at treachery.net -----/ |    = |-'
   `--' `--'  `-- Pardon me, but am I on the right planet? --'  `------'

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
