Re: [WEB SECURITY] Disclosure for Web Applications
- From: Pete Herzog <lists@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Disclosure for Web Applications
- Date: Fri, 12 Jan 2007 11:20:02 +0100
Hi Bill,
Bill Newton wrote:
> txs has an interesting point. Is it legal to put a tic mark in any text
> box on any website on the web? While, I'm sure some site owners might
txs is correct that you almost legally cannot test a tic box of an app if
you can't do so locally on your own infrastructure. By "almost legally" I
mean that you can unless the app you test is owned by a group with deeper
pockets than yours then you will lose but hey, that's a hole we dug
ourselves in as a public who lets this happen to us.
However, you do have the right to test your own government's sites. Why?
Because it's yours too and as a concerned citizen it is your obligation.
You don't have a right to break it or deny access to others because that's
criminal, where the severity of the punishment matches the severity of your
actions. But that won't happen because the punishment will be extreme to
serve as an example and to chill future "dissidents". If you're lucky,
you'll have a jury and maybe even have 1 person in your jury who has a
computer and an online life who understands you. But that's your gamble.
Especially considering how many of you on this list either have never
served on a jury or tried to snake out of jury duty when you're picked or the
fact that your background in computer security would get the prosecuting
attorney to veto you. I'm saying this as the "hate" shown for lawyers is
really somehow our own fault just as the laws are our own fault. Really,
that industry is no worse than our own with its own whores, pimps, white
and black knights, etc.
What if you shop there or are a client? Again you have the right to test
them and make sure you're safe. But having the right isn't the same as
having the law behind you (if you're still reading then you know that we
don't have justice, we have laws - law is what keeps home pools fenced and
puts those filthy non-fencing neighbors in jail whose pool some teen
trespassed, climbed into after midnight, and drowned in). So what you have
is the legal right to refuse service to those who are not transparent
regarding their security measures. You can ask and if they tell you to go
away you put your monthly $1 into another place. Why is it this way?
Because losing 1 customer doesn't hurt them and they know you know that
which is why you didn't go elsewhere and just suck it up. That's just how
it is in civilized society. Right? <-- rhetorical
-pete.
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org