
Exploits

  • 26-03-2008 6:52pm
    #1
    Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭


    Quick question. This one has been on my mind recently, I've always wondered what the case would be in the following (hypothetical) situation.

    A team of people who are into web security go around testing some big sites, like Credit Unions or Banks, and even smaller sites for possible security issues within their site. On one test, the team find that they can do a major security breach and look into people's accounts or deface the site.

    Can these people who come forward to the company and report the issue to their IT Team, get in trouble for breaching server security?

    I've seen a lot of sites out there that report security flaws, but they all go under nicknames and probably use proxies. I assume it's for their own safety?

    If it was me, I'd prefer to know about a security issue that could affect my customers. Even if I was not aware of what an SSL Cert on a website can do for my shopping cart or customers' security.

    Just curious as to what the legal stance on this is in Ireland? I've only seen the problem arise once in Ireland with the Eircom routers but he came forward publicly and identified the flaw and threatened to go public unless they acted. I don't think he was ever prosecuted. Can they?


Comments

  • Registered Users, Registered Users 2 Posts: 78,574 ✭✭✭✭Victor


    White Hat -v- Black Hat activity there is probably little difference legally, except that the Black Hat goes a few steps further and does the defacing / skims the credit card numbers / sells the e-mail list to PRINCE GOODWILL UGO, OF LAGOS NIGERIA or some similar character.

    It's akin to trespassing. Any trespassing is illegal and potentially you can be prosecuted. However, going beyond a mere "look around" will substantially increase the severity of the charges. Realise that a white hat isn't too far from someone walking into your house, sitting on the couch and flicking through your TV - he can't claim a defence of "you left the door open". However, if he only saw the TV from your front porch it's another matter.

    Best policy if you find a security weakness is to inform the site owner, without looking too far. You could even offer them help in fixing it.


  • Moderators, Entertainment Moderators, Politics Moderators Posts: 14,549 Mod ✭✭✭✭johnnyskeleton


    As regards prosecution, I don't think there is specific legislation for interfering with another person's website.

    However, there is dishonesty and the intention of making a gain or causing a loss to another person, it could be a fraud offence (e.g. unlawful use of a computer s.9 T&F 2001).


  • Legal Moderators, Society & Culture Moderators Posts: 4,338 Mod ✭✭✭✭Tom Young


    I am of the view that we need similar laws to the UK and some other jurisdictions in respect of online crime and tracing. e.g., RIPA in the UK. We are toothless to some extent in the criminal context where the above is concerned. Though the CP Act of 1989 is fairly ok.

    Tom

