FFH5
Premium Member
join:2002-03-03
Tavistock NJ
Security Researchers? or really just hackers?

Too many so-called security researchers are just hackers until they get caught. Then they start claiming to be researchers. Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an OK first makes you a hacker and not a researcher.

ArrayList
DevOps
Premium Member
join:2005-03-19
Mullica Hill, NJ
The difference between IT security research and hacking is that one gets caught and the other doesn't. This was a grey hat job; if it had been black hat, AT&T would never have known about it.

IMO, AT&T was really lucky here. They could have been left in the dark for a very long time about this issue. They should be grateful that the scope of the problem was contained.
kaila
Member
join:2000-10-11
Lincolnshire, IL

kaila to FFH5
said by FFH5:

...Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an OK first makes you a hacker and not a researcher....

Not sure that would guarantee one from prosecution, even if given permission....
Skippy25
Member
join:2000-09-13
Hazelwood, MO

Skippy25 to FFH5
I would agree somewhat but would require that to be considered a hacker you must exploit it for personal gain and not give the company a chance to fix it. Both of which were violated by these 2 individuals.

If you "hack" a system privately (permission or not), inform them of such and provide them a reasonable time to fix it and they don't, that is on them if you then make it public. That is providing a public service.

You stating the only legitimate security is if you are hired is pure BS. Most companies will not put the money into finding them, and even more won't admit it is there and fix it until they are forced to. Thus, it is a public service unless they are extorting the company or trying to use it for personal gain in some way.
jvanbrecht
Member
join:2007-01-08
Bowie, MD

jvanbrecht to FFH5
That is not always the case. Not all real security researchers have any sympathy for their targets. Many believe in full disclosure. They are not required to notify the affected entities. That is just a common courtesy.

In this case however, it appears the researchers were just asshats intent on causing harm.

Just because they are hackers/asshats, does not make their actions any different from the thousands of others who call themselves researchers.
nonymous (banned)
Member
join:2003-09-08
Glendale, AZ

nonymous (banned) to FFH5
said by FFH5:

Too many so-called security researchers are just hackers until they get caught. Then they start claiming to be researchers. Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an OK first makes you a hacker and not a researcher.

Depends on what you are doing. I have just stumbled upon flaws occasionally without even trying. So there is no way I would have pre-warned anyone, as I was not even trying to find the flaw; it was just there.

FFH5
Premium Member
join:2002-03-03
Tavistock NJ
said by nonymous:

said by FFH5:

Too many so-called security researchers are just hackers until they get caught. Then they start claiming to be researchers. Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an OK first makes you a hacker and not a researcher.

Depends on what you are doing. I have just stumbled upon flaws occasionally without even trying. So there is no way I would have pre-warned anyone, as I was not even trying to find the flaw; it was just there.

Coming across a flaw accidentally is not hacking. But given the laws as they are about hacking, it would make me leery about reporting it or telling anyone about it. Legally you are completely in the clear, but if someone at a corporation wants to be a jerk, you might have to spend money on lawyers to prove your innocence.

Mizzat
Will post for thumbs
Premium Member
join:2003-05-03
Atlanta, GA

Mizzat to Skippy25
The problem with your definition is that it isn't the definition in the law. It is an unauthorized connection to a computer. Did you get permission to access the computer dslreports.com is on? No? Well, you're in violation of the same law. One could argue that it is publicly accessible; well, so was the information they got. It's a poorly written law, but the "hackers" could have conducted themselves better. Also, from what I read, they did contact AT&T prior to leaking it to Gawker.
Skippy25
Member
join:2000-09-13
Hazelwood, MO
I would agree accessing data would be unlawful, finding a vulnerability by "hacking" is not.

It is one thing to discover an open door, it is another to enter it. Sorry if I was not clear in what I wrote.

In my personal opinion, the internet is a much safer place because of rogue hackers that do it just to do it and not exploit. I welcome and thank them.

It is the morons like these 2 that try to game the system for exploitation that I think should be lined up in front of a small hole they just dug.

Anonymous_
Anonymous
Premium Member
join:2004-06-21
127.0.0.1
said by Skippy25:

I would agree accessing data would be unlawful, finding a vulnerability by "hacking" is not.

It is one thing to discover an open door, it is another to enter it. Sorry if I was not clear in what I wrote.

In my personal opinion, the internet is a much safer place because of rogue hackers that do it just to do it and not exploit. I welcome and thank them.

It is the morons like these 2 that try to game the system for exploitation that I think should be lined up in front of a small hole they just dug.

I found a bug on a website from a major company that allowed me to re-log in (to my user ID) to the site without entering my password. The vulnerability only worked if you had physical access to your computer. I promptly notified the said company and they fixed it.