Re: [WEB SECURITY] security audit - how to avoid legal prosecution
- From: "Jay D. Dyson" <jdyson@xxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] security audit - how to avoid legal prosecution
- Date: Wed, 8 Jun 2005 08:41:52 -0700 (PDT)
On Wed, 8 Jun 2005, Maxim Kostioukov wrote:
> Would someone advise on how to approach this in the sense of legal
> agreements BEFORE doing any security research?
It's always a good idea to cover your butt when treading into
murky legal territory...and digital security research gets darker and
murkier by the minute these days.
> For example, one is doing penetration tests on web apps without a
> written agreement or, even worse, without the other side being aware of
> the test, then informs that side about the findings (not disclosing them
> publicly).
If you have no agreement, then you are not doing "research" in the
eyes of the law; you are attacking. No matter how pure your motives or
what manner of disclosure you do, the drones at the Effa-Bee-Eye and the
local County Mounties will still treat you like you intentionally ran over
a nun. And don't think the courts will be any kinder.
Look at it this way: if I see my neighbor has a window on his
house that's always left half-open when he goes to work, I'm not entitled
to go over to his house, crawl through his window and prove what a bad
idea it is to leave one's window open in the name of "security research."
If the black & whites roll up while I'm thumbing through this guy's DVD
collection, you can bet my credibility for purity of motive isn't going to
have a receptive audience. Even though I didn't do anything violent to
get into the house and I didn't take anything, it's still Breaking and
Entering coupled with Burglary. Don't even bother proclaiming your
innocence. Everyone in jail is innocent...or so they say.
> Any chance of legal prosecution being filed in case the other side
> just would like to do this? I think it is possible... Any advice?
Here's your options:
1. Get a signed contract with the site's proprietors to do a penetration test, or
2. Get a copy of the software they use, build your own and have a rip-roarin' good time tearing it apart, or
3. Walk the other way and fugedaboudit.
-Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee"-. >====<--.
C|~~|C|~~| \----- Jay D. Dyson -- jdyson@xxxxxxxxxxxxx -----/ | = |-'
`--' `--' `-- Pardon me, but am I on the right planet? --' `------'
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org