Re: [funsec] OK, all you EU guys who took the CEH just wasted your money
Not really a catch22, just a fancy way of saying that possession of burglary tools is a Class 5 felony. Problem is, a crowbar could be a burglary tool, so if I merely have a crowbar on me, by the wording of that code, that means that I have intent to burgle so it's a Class 5 felony.

Michael P. Blanchard
Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Office of Information Security Risk Management
EMC² Corporation
32 Coslin Drive
Southboro, MA 01772

From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On Behalf Of Remo Cornali
Sent: Saturday, March 31, 2012 4:34 AM
To: funsec@linuxbox.org
Subject: Re: [funsec] OK, all you EU guys who took the CEH just wasted your money

On 31/03/2012 04:46, valdis.kletni...@vt.edu wrote:

> Code of Virginia - Section 18.2-94 - Possession of burglarious tools, etc.
>
> If any person have in his possession any tools, implements or outfit, with intent to commit burglary, robbery or larceny, upon conviction thereof he shall be guilty of a Class 5 felony. The possession of such burglarious tools, implements or outfit by any person other than a licensed dealer, shall be prima facie evidence of an intent to commit burglary, robbery or larceny.

That sounds like unadulterated Comma 22 to me: possession of burglarious tools is a felony *only* with intent to commit burglary, *but* the possession of burglarious tools shall be prima facie evidence of an intent to commit burglary.

Why do I need a driver's license to drive a car, but I only need to be elected to forge such legal masterpieces?

Ciao!
Remo

___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Re: [funsec] OK, all you EU guys who took the CEH just wasted your money
> That sounds like unadulterated Comma 22 to me: possession of burglarious tools is a felony *only* with intent to commit burglary, *but* the possession of burglarious tools shall be prima facie evidence of an intent to commit burglary.

Well, you have to unpack "prima facie" a little there. It means "at first glance" or "before any rebuttal" or similar things. It means that if you have a crowbar the prosecutor (if he's bored enough, or you hit on his daughter) can make a case against you and maybe get you to court, but if you can say "sometimes I need to open crates; see, here's an opened crate in my garage!", the judge should then say "have a nice day".

For some value of "should"...

DC
Re: [funsec] OK, all you EU guys who took the CEH just wasted your money
But that also means that just by owning a crowbar, you could wind up in federal penitentiary...

Especially because if you hit on the prosecutor's daughter that you ALSO hit on the judge's daughter because they are always WAY cuter

So bang! You're doin 5-7 just for owning a crowbar you got at Lowes :-(

Mike B

From: David M Chess [mailto:ch...@us.ibm.com]
Sent: Monday, April 02, 2012 12:41 PM
To: funsec@linuxbox.org
Subject: Re: [funsec] OK, all you EU guys who took the CEH just wasted your money

> That sounds like unadulterated Comma 22 to me: possession of burglarious tools is a felony *only* with intent to commit burglary, *but* the possession of burglarious tools shall be prima facie evidence of an intent to commit burglary.

Well, you have to unpack "prima facie" a little there. It means "at first glance" or "before any rebuttal" or similar things. It means that if you have a crowbar the prosecutor (if he's bored enough, or you hit on his daughter) can make a case against you and maybe get you to court, but if you can say "sometimes I need to open crates; see, here's an opened crate in my garage!", the judge should then say "have a nice day".

For some value of "should"...

DC
Re: [funsec] OK, all you EU guys who took the CEH just wasted your money
The subject line above and this link below were posted, without the correct response:

http://www.europarl.europa.eu/news/nl/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence

Ethical (the E in CEH) hackers would only attack systems that belong to organizations that gave them written permission to do so. The new laws would be inapplicable to that scenario. Therefore their certification could still hold InfoSec employment and salary value.

And anyone who attacks systems without a written "Get out of jail free" card does so at the risk of their own freedom (obviously).

"Let freedom never perish in your hands." - Joseph Addison

Peace,
Vic
Re: [funsec] OK, all you EU guys who took the CEH just wasted your money
On Fri, 30 Mar 2012 12:46:04 -0700, Vic Vandal said:

> Ethical (the E in CEH) hackers would only attack systems that belong to organizations that gave them written permission to do so. The new laws would be inapplicable to that scenario.

From the fine article's first paragraph:

"Possessing or distributing hacking software and tools would also be an offence,"

Got a copy of Metasploit or Nessus on your laptop? Better not visit the EU with that laptop in your possession. And what will pen-testers use to run pen-tests, if they can't have hacking software and tools?

I don't know the exact wording proposed - possession or distribution with intent to commit a crime would be a heck of a lot easier to deal with. The devil is in the details.

Consider that almost every car has a tire iron - and they're not weapons until you try to use them on something other than your own car's tires.
Re: [funsec] OK, all you EU guys who took the CEH just wasted your money
I'm assuming Germany provides an example as to how tools will be treated.

BB

On 3/30/12 1:04 PM, valdis.kletni...@vt.edu wrote:

> On Fri, 30 Mar 2012 12:46:04 -0700, Vic Vandal said:
>
> > Ethical (the E in CEH) hackers would only attack systems that belong to organizations that gave them written permission to do so. The new laws would be inapplicable to that scenario.
>
> From the fine article's first paragraph:
>
> "Possessing or distributing hacking software and tools would also be an offence,"
>
> Got a copy of Metasploit or Nessus on your laptop? Better not visit the EU with that laptop in your possession. And what will pen-testers use to run pen-tests, if they can't have hacking software and tools?
>
> I don't know the exact wording proposed - possession or distribution with intent to commit a crime would be a heck of a lot easier to deal with. The devil is in the details.
>
> Consider that almost every car has a tire iron - and they're not weapons until you try to use them on something other than your own car's tires.
Re: [funsec] OK, all you EU guys who took the CEH just wasted your money
EU laws were already passed 5 years ago that made the production, downloading (possession), purchasing (possession), or distribution of hacking tools a criminal offense. As far as I know no ethical InfoSec professionals have been tossed in jail over that. The possession of hacking tools has to be with intent of performing a criminal act in order to gain any sort of conviction, regardless of poor original wording in the laws themselves.

It's not illegal to possess a tire iron (as mentioned in the email below), but that makes a decent segue to a similar point. It is a crime in the state where I live to have lockpicking tools in your possession - if you're illegally breaking and entering with them. But if you're a locksmith and you're not illegally breaking and entering, you can carry those tools every day and never be worried about being found guilty of a crime.

Bottom line: If your job is to do pen-testing (and you can prove it), then you have nothing to worry about in simply possessing tools to do your job. If you are in school studying InfoSec (and you can prove it), then you have nothing to worry about in simply possessing tools related to your studies. If you're also using those tools illegally, well

Lawmakers may be short-sighted, but then there are courts, judges, and juries that have to take all the facts under consideration before handing down a sentence. That's where the rubber hits the road, and is why no InfoSec pro need lose any sleep over this.

I would personally also hope that no person who doesn't have an InfoSec job or isn't formally studying InfoSec, but is trying to learn on their own, doesn't have to worry about this, and that judges and juries would exonerate them if wrongfully charged. But I can't make that statement with the same assurance that InfoSec pros and formal students get.

Furthermore if organizations (and government agencies) are prevented from having their systems tested for vulnerabilities then the criminals will run rampant over those non-audited networks. Make that more rampant than they already are. Even short-sighted lawmakers don't want that, and fittingly their networks and systems would be pwned alongside all the rest.

The U.S. Department of Defense isn't so short-sighted. CEH was added to one of its network defense directives in 2010. And DoD is quite big on offensive as well as defensive InfoSec-related practices. As long as coders write shoddy code and admins aren't ultra diligent in hardening network systems, that posture will not change.

NOTE: I'm not promoting CEH, which was loosely used as a reference in this thread's start by someone other than myself. That acronym and cert is just along for the ride here, but could be dropped from the thread.

-Vic

----- Original Message -----
From: Valdis Kletnieks valdis.kletni...@vt.edu
To: Vic Vandal vvan...@well.com
Cc: funsec@linuxbox.org
Sent: Friday, March 30, 2012 4:04:51 PM
Subject: Re: [funsec] OK, all you EU guys who took the CEH just wasted your money

On Fri, 30 Mar 2012 12:46:04 -0700, Vic Vandal said:

> Ethical (the E in CEH) hackers would only attack systems that belong to organizations that gave them written permission to do so. The new laws would be inapplicable to that scenario.

From the fine article's first paragraph:

"Possessing or distributing hacking software and tools would also be an offence,"

Got a copy of Metasploit or Nessus on your laptop? Better not visit the EU with that laptop in your possession. And what will pen-testers use to run pen-tests, if they can't have hacking software and tools?

I don't know the exact wording proposed - possession or distribution with intent to commit a crime would be a heck of a lot easier to deal with. The devil is in the details.

Consider that almost every car has a tire iron - and they're not weapons until you try to use them on something other than your own car's tires.
Re: [funsec] OK, all you EU guys who took the CEH just wasted your money
On Fri, 30 Mar 2012 18:05:44 -0700, Vic Vandal said:

> It's not illegal to possess a tire iron (as mentioned in the email below), but that makes a decent segue to a similar point. It is a crime in the state where I live to have lockpicking tools in your possession - if you're illegally breaking and entering with them. But if you're a locksmith and you're not illegally breaking and entering, you can carry those tools every day and never be worried about being found guilty of a crime.

The important grey area is if you're not a locksmith, merely a hobbyist, and have lockpicks on you. Where I live, the law says:

Code of Virginia - Section 18.2-94 - Possession of burglarious tools, etc.

If any person have in his possession any tools, implements or outfit, with intent to commit burglary, robbery or larceny, upon conviction thereof he shall be guilty of a Class 5 felony. The possession of such burglarious tools, implements or outfit by any person other than a licensed dealer, shall be prima facie evidence of an intent to commit burglary, robbery or larceny.

As far as I can tell, Mississippi and Nevada are the other states where mere possession is evidence of intent. In the other 47 states, the DA has to do some actual work to prove intent.

http://www.lockpickguide.com/legalityoflockpicks.html
[funsec] OK, all you EU guys who took the CEH just wasted your money ...
http://www.europarl.europa.eu/news/nl/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence

== (quote inserted randomly by Pegasus Mailer)
rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org
Why am I doing this? Is this the best thing I can be doing right now? (No, I'm not referring particularly to Twitter...)
- http://twitter.com/#!/jgsphd/status/104915503465758722
victoria.tc.ca/techrev/rms.htm
http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
Re: [funsec] OK, all you EU guys who took the CEH just wasted your money ...
On Thu, 29 Mar 2012 17:06:21 -0700, Rob, grandpa of Ryan, Trevor, Devon Hannah said:

> http://www.europarl.europa.eu/news/nl/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence

So.. what's the difference between attack tools and a good pentester's toolkit?
Re: [funsec] OK, all you EU guys who took the CEH just wasted your money ...
On Thu, Mar 29, 2012 at 9:21 PM, valdis.kletni...@vt.edu wrote:

> On Thu, 29 Mar 2012 17:06:21 -0700, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
>
> > http://www.europarl.europa.eu/news/nl/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence
>
> So.. what's the difference between attack tools and a good pentester's toolkit?

I was thinking the same thing. Justice is blind, which means it's color blind too.