
a question on ethics / legality....

  • 21-05-2012 8:48am
    #1
    LoLth (Posts: 10,339)


    I don't know how many of you are signed up to the Full Disclosure mailing list, but there was one email today from Thor (Hammer of God) that got my attention:

    It seems he's been receiving promotional mail from a pentesting company and he has requested to be removed from their mailing list without success. So he responds:

    reproduced from Full Disclosure vol 87 issue 26 "full-disclosure-request@lists.grok.org.uk"

    (headers removed)
    Hello Juan.

    After multiple requests for you to remove me from your unsolicited (and illegal) emails, I see you have refused to do so. This indicates and illustrates your acceptance of a "default opt-in until explicit opt-out" policy notwithstanding the fact you do not honor the opt-out.

    Though I still do not wish to receive your mails, I see you are offering penetration testing services. I find this interesting. In order to determine your ability to properly execute on penetration test deliverables, I request your permission to test any and all of your facilities in any way I deem appropriate including (but not limited to) your personal machines, the machines of your coworkers and family, and any other device I deem within scope of my testing. Further, I request you to grant full, unlimited access and authorization for me to test these devices in any way I see fit with full unadulterated impunity.

    As you have already illustrated your acceptance of a "default opt-in until explicit opt-out" policy, all I require for your acceptance is for you to send me an email containing any discussions regarding computer security testing or tools. This email serves as notice that further communications regarding pen testing services (or tools) will be an explicit acceptance of the terms set hereinto. This contract will be valid for one year from the date of this email.

    Again, any further communications regarding services will be your explicit acceptance of these terms.

    Thanks!

    Timothy "Thor" Mullen
    www.hammerofgod.com
    Thor's Microsoft Security Bible

    Now, I hate the default opt-in policy. I, personally, believe you should have to take action to receive information, and not the other way around.

    So, concerning the email above, what is your opinion of the "As you have already illustrated your acceptance of a "default opt-in until explicit opt-out" policy, all I require for your acceptance is for you to send me an email containing any discussions regarding computer security testing or tools. This email serves as notice that further communications regarding pen testing services (or tools) will be an explicit acceptance of the terms set hereinto. This contract will be valid for one year from the date of this email" section of the email?

    Is this in any way legal?

    If he does scan/probe the mail server or webserver or backend servers, would this email in any way act as a defence? Could this be a way to kill two birds with one stone: stop spammers from adding you to mailing lists *and* provide curious security practitioners with varied and randomly configured targets?


Comments

  • seamus (Posts: 68,317)


    LoLth wrote:
    Is this in any way legal?
    In this country, no. A contract requires both parties to willingly sign up to it. It's not possible to "automatically" agree to a contract.

    While there would be some defence to say that Thor received an email back and therefore assumed his offer had been accepted, it would be easily shown that Thor was well aware that he would receive an automatic email at some point and left the "acceptance" terms of his offer deliberately open in order to take advantage of this.

    It's a bit like, "If you want me to eat the pie, give me no sign".

    I'm not sure what the situation would be elsewhere. In this country, he would probably be subject to far more serious charges than the company. For them it's just a minor data protection breach, which is usually a civil matter. For him it's a criminal act.


  • infodox (Posts: 126)


    In his position, I would not try it. They would have to EXPLICITLY agree to it for his ass to be covered; however, I suppose them emailing him could be seen as a sign of "Fine, go ahead", given the "terms" he gave them. I seriously doubt it would stand up in court though.

    Remember - some malware has an EULA prohibiting its use as malware, yet it is still used as malware and its authors tend to get in serious trouble. Agobot is a fine example.

    Though the crowd spamming him more than deserve it - I got a copy of their "Exploit Pack" product about a year ago for free, and it is scarily akin to a product called "Insect Pro" which was available some time back as well. Essentially a ripped-off Metasploit in a Python/Java wrapper, with some horrible added-on features.

    Their browser exploit thing is... BeEF with a "wrapper". Basically a firm of spammers selling snake oil, nothing new at all, sadly.

