It’s pretty scary stuff, which is why rule number zero of pentesting is get permission, in writing, clearly stating what is and isn’t allowed. Pretty timely, some pentesters hired to audit a courthouse just got their charges dropped. The court system hired them, but apparently there was some friction with the sheriff’s department, who arrested them and after the fact brought up some bogus charges saying they exceeded the scope of their audit. The paperwork released later clearly said “limited physical bypass”, which the sheriff said they overstepped. https://www.secureworldexpo.com/industry-news/pentesters-jailed-arrested

# Jan 12, 2021 16:58
Worth noting that these laws are extremely broad because lots of companies are uniquely vulnerable to being hacked. Secure code is hard to write and often orthogonal to quickly written or performant or simple to maintain code, and especially companies that are small or don’t have a tech focus will have tons of vulnerabilities lying out in public. Legally it shouldn’t matter, but the wide scope of laws against hacking disincentivizes a lot of attacks.

# Jan 12, 2021 22:09

Much like copyright law, hacking laws have become load-bearing bubblegum in the US economy. Also, if anyone wants an accessible way to see exactly how insecure we are, I can’t stop recommending James Mickens. 30 minute video, but he’s entertaining enough to stay engaged even without a technical background: https://vimeo.com/135347162

# Jan 13, 2021 23:19

Terebus posted:

> In my ideal world, if the data is publicly accessible and it is intended to be that way as well, aka a Parler post that is visible to anyone with an account, I don't think anyone should be charged for accessing and making a copy of it. If Parler in this case had taken even the slightest effort to encrypt or secure the data, then I think that should open up the hacker to charges. The essence comes down to the intent of the data owner; if even the most rudimentary attempt is made to secure and keep private some specific data, then the attempt to get said data, no matter how insecurely it is being stored, is effectively breaking in and stealing. I see it as stealing Amazon packages, one of the easiest crimes ever, but it's still a crime and you shouldn't do it.

This kind of standard would also need actual penalties and charges for insecure companies that get hacked and expose people’s personal information. GDPR has done a lot for that in Europe, but in the US you’re basically hoping a lawsuit works out.

# Jan 17, 2021 02:04

Aramis posted:

> The answer (as far as I know, I'm no lawyer) is that it depends on the intent of the developer of the site.

I don’t know about that, people have been charged and imprisoned on hacks involving forced browsing. You could probably make a case saying “if the earnings report wasn’t listed on the webpage with a list of earnings reports, why else would you have sent a request to that URL besides getting information the rest of the market doesn’t have?” At which point, if the government has a vested interest in putting you in jail, the SEC comes out, and you need a small army of legal representation. Now I’m almost certain no one’s getting prosecuted for this, since there’s more negative PR in prosecuting someone for the hack and having headlines about the trash security on Intel’s side. That said, if the leak was more damaging or sensitive, I could have imagined it ending up in court.

# Jan 26, 2021 03:15
Aramis posted:

> If the URL is `/reports/QN_20XX_Infographics.pdf` quarter after quarter, then it should be 100% expected that someone, if not a small army, will be F5’ing the poo poo out of that URL. Assuming the naming is consistent, then putting the file online absolutely qualifies as making the information public.

Totally agree, it’s a brain-dead security breach, Intel poo poo the bed with the lights on. I’m just considering it from the pentest end: a spidering attack versus a forced browsing attack would have very different discussions with a customer as far as scope and ROE. I imagine it’s similar in court, especially in a world where plenty of newcomers to the internet could plausibly never type out a URL in their lives; a forced browsing attack could be seen as subverting the way a website is meant to work. Like, it’s obvious to some of us, but to a septuagenarian judge who just Altavistas up the Yahoo! Mail every day, explaining why you were manually going to a URL that wasn’t on the Intel page might not go well. Yeah, it’s easy to some of us, but it’s also easy to type `' or '1'='1` into every text field you find, and that can definitely get you charged. Fake edit: wow, the code tag is pointless

# Jan 26, 2021 03:44
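As an added example (not from any poster in the thread), here is a defender-side log check for the two behaviours the last post contrasts: ordinary browsing that reaches a report from the listing page versus direct or probing requests for predictably named report files, plus the quoted tautology string showing up in a request. The report path pattern, the set of released quarters, and the log lines are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jan/2021:14:02:11 +0000] "GET /reports/Q3_2020_Infographics.pdf HTTP/1.1" 200 51234 "https://example.test/investors" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2021:14:02:15 +0000] "GET /reports/Q4_2020_Infographics.pdf HTTP/1.1" 200 48000 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2021:14:02:16 +0000] "GET /reports/Q1_2021_Infographics.pdf HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jan/2021:14:05:00 +0000] "GET /search?q=%27+or+%271%27%3D%271 HTTP/1.1" 200 900 "-" "curl/7.68"
"""

# Quarters whose reports the site has actually released (assumed, constructed).
PUBLISHED = {(2020, 3), (2020, 4)}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# Predictable naming scheme from the thread: /reports/QN_20XX_Infographics.pdf
REPORT_RE = re.compile(r"^/reports/Q(?P<q>[1-4])_(?P<year>\d{4})_Infographics\.pdf$")
# Classic always-true comparison injected into a quoted string parameter.
TAUTOLOGY_RE = re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE)


def analyze(log_text, published):
    """Return (ip, path, reason) findings for one pass over the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = unquote_plus(m["path"])  # decode %27 and '+' before matching
        report = REPORT_RE.match(path)
        if report:
            key = (int(report["year"]), int(report["q"]))
            if key not in published:
                # A 200 here means an unreleased file was reachable; a 404 is a guess.
                reason = ("unreleased report served" if m["status"] == "200"
                          else "probe for unreleased report")
                findings.append((m["ip"], path, reason))
            elif m["referer"] == "-":
                # Released file, but not reached via the listing page (typed or scripted).
                findings.append((m["ip"], path, "report fetched without referer"))
        if TAUTOLOGY_RE.search(path):
            findings.append((m["ip"], path, "SQL tautology in request"))
    return findings


if __name__ == "__main__":
    for ip, path, reason in analyze(SAMPLE_LOG, PUBLISHED):
        print(f"{ip} {reason}: {path}")
```

The check only tells you that guessing happened; the fix the thread implies is not uploading the file before release day, since an unpredictable file name is not access control.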