
Damn This Sucks!

<<

Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Thu May 04, 2006 2:26 pm

Damn This Sucks!

This is why you always CYA!  >:(

http://www.securityfocus.com/news/11389?ref=rss

What do you all think of this?
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu May 04, 2006 3:32 pm

Re: Damn This Sucks!

I hate to be on the side of the prosecution, but hear me out first. Although Eric McCarty provided information on what he did and acted 'responsibly' after the fact, by not getting permission at all, the burden of proof is now on him, not the prosecution. It now becomes impossible for him to prove that he did NOT use any of his findings for ill will.

Think of this hypothetical - what if someone else with malicious intent did the same exact thing that Eric did, but he also grabbed more data than he reported to the authorities and sold it to the mafia. How could the prosecution or the institution know the difference between this malicious intruder and Eric? They can't. And I'm sure that the professional criminal can sound very convincing as to how innocent he really is.

How about another... I don't know you and you have no idea who I am. I break into your house and approach you after the fact. I say that I've been in your house, and to prove it, your wife has some really interesting leather lingerie. I didn't take it all - only enough to prove I was in there. You should really have better security before someone with malicious intent comes along. This doesn't even pass the laugh test. Handcuffs would be on me quicker than I could finish my flimsy logical argument.

Take this as a very clear warning. This is why every ethical hacking and pen testing book and/or methodology clearly states to get permission before doing any testing.

Maybe with the onslaught of regulations where a pen test will eventually be required by law and cost a LOT of $$$$, those needing these services can post a freely available online form. The freelance researcher looking to help can fill out the form, send it in, get verified or whatever else the institution decides to do, and off he goes. They know who he is, he gets to practice his research skills and they also get a free security checkup. Clearly more details would have to be worked out, but the concept is easy enough.

Anyway... I'll stop typing now.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Fri May 05, 2006 3:37 am

Re: Damn This Sucks!

True dat! Good point. That is why, if you do these, a signed consent form is paramount!
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
<<

oyle

Sr. Member

Posts: 264

Joined: Mon Jan 02, 2006 11:19 am

Location: Cleveland Ohio

Post Sat May 06, 2006 10:10 am

Re: Damn This Sucks!

Good point Don, but you forgot one IMPORTANT little fact. When you get permission, GET IT IN WRITING!! As part of my forensics studies, I recently attempted to do a data recovery for a local school. I was unsuccessful, but I had paperwork that gave me permission. Without paperwork, it's still your word against theirs. Remember, oral contracts (by handshake, or verbal agreements) are never binding in court. I am NOT a lawyer. Perhaps EC-Council should add another module going deeper into the laws. My courseware when I did the class hit on the federal laws applicable at the time (2004), but it was only the basics. My instructor, who was a Juris Doctorate, told us "If you are ever arrested for terrorism (cyber-terrorism) YOU DO NOT get to speak to a lawyer".
MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
                  -Tapeworm
<<

Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Sat May 06, 2006 10:23 am

Re: Damn This Sucks!

Oyle wrote: Good point Don, but you forgot one IMPORTANT little fact. When you get permission, GET IT IN WRITING!! As part of my forensics studies, I recently attempted to do a data recovery for a local school. I was unsuccessful, but I had paperwork that gave me permission. Without paperwork, it's still your word against theirs. Remember, oral contracts (by handshake, or verbal agreements) are never binding in court. I am NOT a lawyer. Perhaps EC-Council should add another module going deeper into the laws. My courseware when I did the class hit on the federal laws applicable at the time (2004), but it was only the basics. My instructor, who was a Juris Doctorate, told us "If you are ever arrested for terrorism (cyber-terrorism) YOU DO NOT get to speak to a lawyer".




Massoui-sp? got a lawyer. He was arrested for terrorism, was he not?
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
<<

oyle

Sr. Member

Posts: 264

Joined: Mon Jan 02, 2006 11:19 am

Location: Cleveland Ohio

Post Sat May 06, 2006 2:34 pm

Re: Damn This Sucks!

Like I said, I'm not a lawyer. If I remember correctly, when my instructor said that, I think he was referring to the arrest process. While you are under arrest and "being processed", you do not get the opportunity to consult with a lawyer. But after you've been sitting in the can for a while, I guess you have to get a lawyer to prepare for your trial. Even terrorists DO get trials, as we saw with moussasuoi, or however you spell his name.

Don seems to have a lot of connections; maybe Don knows a lawyer he can contact to ask about this and clarify? I MIGHT be wrong, here.
MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
                  -Tapeworm
<<

pcsneaker

Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Sun May 07, 2006 11:22 am

Re: Damn This Sucks!

Remember, oral contracts (by handshake, or verbal agreements) are never binding in court.


Even without writing something down, a verbal agreement is equal to a written contract - the problem with it is just that you could (and probably will) run into trouble proving it!

So in essence Oyle is right: never do something without written permission; that will prevent a lot of discussion (and perhaps a lot of trouble too).
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
