FFH5 Premium Member join:2002-03-03 Tavistock NJ | 2012-Nov-26 9:22 am

Security Researchers? or really just hackers?

Too many so-called security researchers are just hackers until they get caught. Then they start claiming to be researchers. Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an OK first makes you a hacker and not a researcher.

ArrayListDevOps Premium Member join:2005-03-19 Mullica Hill, NJ

The difference between IT security research and hacking is that one gets caught and the other doesn't. This was a grey-hat job; if it had been black hat, AT&T would have never known about it.

IMO, AT&T was really lucky here. They could have been left in the dark for a very long time about this issue. They should be grateful that the scope of the problem was contained.

kaila join:2000-10-11 Lincolnshire, IL
to FFH5

said by FFH5:
...Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an OK first makes you a hacker and not a researcher....

Not sure that would guarantee one protection from prosecution, even if given permission....

to FFH5

I would agree somewhat, but would require that to be considered a hacker you must exploit it for personal gain and not give the company a chance to fix it. Both of which were violated by these 2 individuals.

If you "hack" a system privately (permission or not), inform them of such and provide them a reasonable time to fix it, and they don't, that is on them if you then make it public. That is providing a public service.

You stating the only legitimate security is if you are hired is pure BS. Most companies will not put the money into finding them, and even more won't admit it is there and fix it until they are forced to. Thus, it is a public service unless they are extorting the company or trying to use it for personal gain in some way.

to FFH5

That is not always the case. Not all real security researchers have any sympathy for their targets. Many believe in full disclosure. They are not required to notify the affected entities. That is just a common courtesy.

In this case, however, it appears the researchers were just asshats intent on causing harm.

Just because they are hackers/asshats does not make their actions any different from the thousands of others who call themselves researchers.

nonymous (banned) join:2003-09-08 Glendale, AZ
to FFH5

said by FFH5:
Too many so-called security researchers are just hackers until they get caught. Then they start claiming to be researchers. Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an OK first makes you a hacker and not a researcher.

Depends on what you are doing. I have just stumbled upon flaws occasionally without even trying. So there is no way I would have prewarned anyone, as I was not even trying to find the flaw; it was just there.

FFH5 Premium Member join:2002-03-03 Tavistock NJ | 2012-Nov-26 10:10 am

said by nonymous:
said by FFH5:
Too many so-called security researchers are just hackers until they get caught. Then they start claiming to be researchers. Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an OK first makes you a hacker and not a researcher.

Depends on what you are doing. I have just stumbled upon flaws occasionally without even trying. So there is no way I would have prewarned anyone, as I was not even trying to find the flaw; it was just there.

Coming across a flaw accidentally is not hacking. But given the laws as they are about hacking, it would make me leery about reporting it or telling anyone about it. Legally you are completely in the clear, but if someone at a corporation wants to be a jerk, you might have to spend money on lawyers to prove your innocence.

MizzatWill post for thumbs Premium Member join:2003-05-03 Atlanta, GA
to Skippy25

The problem with your definition is that it isn't the definition in the law. It is an unauthorized connection to a computer. Did you get permission to access the computer dslreports.com is on? No? Well, you're in violation of the same law. One could argue that it is publicly accessible; well, so was the information they got. It's a poorly written law, but the "hackers" could have conducted themselves better. Also, from what I read, they did contact AT&T prior to leaking it to Gawker.

I would agree accessing data would be unlawful; finding a vulnerability by "hacking" is not. It is one thing to discover an open door, it is another to enter it. Sorry if I was not clear in what I wrote. In my personal opinion, the internet is a much safer place because of rogue hackers that do it just to do it and not exploit. I welcome and thank them. It is the morons like these 2 that try to game the system for exploitation that I think should be lined up in front of a small hole they just dug.

Anonymous_Anonymous Premium Member join:2004-06-21 127.0.0.1

said by Skippy25:
I would agree accessing data would be unlawful; finding a vulnerability by "hacking" is not.
It is one thing to discover an open door, it is another to enter it. Sorry if I was not clear in what I wrote.
In my personal opinion, the internet is a much safer place because of rogue hackers that do it just to do it and not exploit. I welcome and thank them.
It is the morons like these 2 that try to game the system for exploitation that I think should be lined up in front of a small hole they just dug.

I found a bug on a website from a major company that allowed me to re-log in (to my user ID) to the site without entering my password. The vulnerability only worked if you had physical access to your computer. I promptly notified the said company and they fixed it.
