[WEB SECURITY] security audit - how to avoid legal prosecution

Achim Hoffmann kirke11 at securenet.de
Thu Jun 9 03:34:58 EDT 2005

The discussion is drifting away from the initial question to more general social
or ethical things, I know.
Anyway, some more short comments, then I'll stop discussing it ;-)

On Wed, 8 Jun 2005, Jay D. Dyson wrote:

!! > What is "unauthorised access" if not expressed on the website itself?

!! saying, "I know it when I see it."

True for people with proper skills, but what about all the other 6 billion?

!! In a general sense, unauthorized access is doing anything beyond
!! the scope of a program's primary, intended purpose.

Fully agreed (silently substituting "illegal" for "unauthorised"), but why
is searching for
    "' onmouseover="alert('heureca);"
not the intended purpose? I'm searching for it!
The same applies to my personal password:
   ' or 1=1 '--

!! well outside the bounds of information it requests for its functioning)

As I said: you need to tell every user the bounds.
As a programmer and/or authority you can't expect the same level of skill
and knowledge from each user. You need to tell them what you expect, or make
an idiot-proof program. The first is simple; the latter is (more) secure.

!! > Please teach the programmers to validate *any* data instead of
!! > criminalising users with laws.

!! .. law-abiding folk while leaving
!! the criminal element at liberty to do what they want.

Hmm, do you know any criminal who accepts other people's laws?
If so, they are not criminals :-)
Laws do not stop illegal access, and hence don't make anything secure.

-- Achim
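Editor's note: the following is an added example illustrating the "idiot-proof program" side of the argument above; it is not part of the original post or the thread. It assumes a constructed users table in an in-memory SQLite database and uses the classic spelling `' or 1=1 --` of the thread's "password" (the trailing `'--` in the post as written is a syntax error in SQLite, so the space-separated form is used to show the effect). It shows the same two inputs handled by a concatenated query, by a parameterized query, and by HTML-escaped output: with the hardened forms the strings are only ever data, and a legitimate password containing a quote also keeps working.

```python
import html
import sqlite3


def make_db():
    """Constructed sample database for the demo (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        # bob's password legitimately contains a quote character
        [("alice", "correct horse"), ("bob", "o'neil")],
    )
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: the password is pasted into the SQL text, so any
    quote in it is parsed as SQL syntax rather than treated as data."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_param(conn, name, password):
    """Hardened form: placeholders let the driver pass the values
    separately from the statement, so the same strings are only data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def render_search_term(term):
    """Echoing a search term back into HTML: escaping turns the quotes in
    the onmouseover text into inert entities instead of a new attribute."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    tricky = "' or 1=1 --"  # classic spelling of the thread's 'password'
    print("concat, wrong password accepted:", login_concat(conn, "alice", tricky))
    print("param, wrong password rejected:", not login_param(conn, "alice", tricky))
    print("param, quote in a real password ok:", login_param(conn, "bob", "o'neil"))
    try:
        login_concat(conn, "bob", "o'neil")
    except sqlite3.OperationalError as exc:
        print("concat breaks on a legitimate quote:", exc)
    print(render_search_term("\"' onmouseover=\"alert('heureca);\""))
```

The point of keeping `bob` in the table is that the concatenated version is not only bypassable but also broken for ordinary users whose data contains a quote; the parameterized version needs no list of "forbidden" characters to tell users about, which is what makes it the more secure of the two options discussed above.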

