How about this, rather than warning specifically, warn them generally.
Specifically, "That is, a server running anything other than the latest PHP
would have security bugs here, here, and here".  Don't say that you have
hacked those systems, but do warn them that they have problems generally in
the area.  Then, if they want to know more, require them to give you a hold
harmless agreement.
----- Original Message -----
From: "Paul Hosking" <[EMAIL PROTECTED]>
To: "Billy D Walls" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, February 27, 2002 12:14 AM
Subject: Re: A question on the law.


> I am not a lawyer.  I have no legal background.  This is not legal
> advice.  This is my personal opinion based on personal experience and
> observation within various Infosec activities in Corporate and US
> Government environments.  And it's cynical.  You have been warned. :)
>
> On Fri, 2002-02-22 at 21:54, Billy D Walls wrote:
>
> > networks bandwidth free of charge, is there a way LEGALLY to tell these
> > people how bad the security is without getting shot.  I don't want to go to
> > jail, I don't want to be called a terrorist, I just want to tune these
> > people into a clue...?
>
> In the perfect world, dropping a quick email to the network owners
> alerting them of their vulnerability would be enough.  You would get a
> polite thank-you.  Maybe a request for more information.  You would feel
> happy that you helped and they would be better off for your help.
>
> Enter the real world.
>
> Your notification will cause confusion within the IT ranks.  Decision
> Makers will be asking about "evil hackers" managing to "hack the
> network" despite the expensive firewalls and anti-virus software.
> Managers will go in to CYA mode.  It will be decided "something must be
> done" although it's very possible nobody will understand the technical
> issues involved.  Someone will mention knowing an agent at the FBI.  You
> will become the focus of a criminal investigation.
>
> In short, it's possible your warning will be well received.  But it is
> more likely that you will be punished for your effort.  Your gain
> probably does not justify your risk if you came forward with this
> information.
>
> Infosec has a number of tenets.  For those who are interested in
> infosec, the most important may very well be "before you test any
> organization's information security posture, you should have WRITTEN
> permission to do so."  This comes from an ongoing history of individuals
> being prosecuted for minor infractions in the name of computer
> security.  One of the most famous of such cases is Randal Schwartz:
>
> http://www.lightlink.com/spacenka/fors/
> http://www.rahul.net/jeffrey/ovs/
>
> --
>
> .: Paul Hosking . [EMAIL PROTECTED]
> .: InfoSec      . 408.829.9402
>
> .: PGP KeyID: 0x42F93AE9
> .: 7B86 4F79 E496 2775 7945  FA81 8D94 196D 42F9 3AE9