RE: SQL Injection Legalities

From: Weaver, Woody (woody.weaverat_private)
Date: Sun Jul 21 2002 - 12:13:07 PDT

    I don't think that applies, as long as the machine wasn't a computer owned
    by the US government, wasn't a protected computer (accessible to the public
    is probably good cause), and there was no intent to defraud or extort.
    
    -----Original Message-----
    From: darrellat_private [mailto:darrellat_private]
    Sent: Wednesday, July 17, 2002 2:02 PM
    To: Thorat_private; PEN-TESTat_private
    Subject: RE: SQL Injection Legalities
    
    
    Check out
    
    http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/47/sections/section_1030.html
    
    I think you'll find your answer
    
    US Title 18: Part I: Chapter 47, Section 1030
    
    
    -----Original Message-----
    From: Deus, Attonbitus [mailto:Thorat_private]
    Sent: Wednesday, July 17, 2002 9:48 AM
    To: Pen-Test
    Subject: SQL Injection Legalities
    
    
    I hesitate asking the group about law, but here goes:
    
    Let's say a site gives you the capability to search their product-base via a 
    web input box.  You know, the standard search/submit deal.
    
    You type in "bicycle" and it gives you everything that starts with 
    "bicycle."  Simple enough.  As we all know, web app susceptibility to SQL 
    injects runs amok; let's say in this case that instead of typing "bicycle," 
    I type "bicycle' or 1=1--" and get all the products.  Have I broken the 
    law?  More specifically, have I broken the law in the US?
    
    One could argue that the site is allowing me to specify what I want to see, 
    and all I am doing is typing in what I want...  Though the developer may 
    not have intended for me to pull up the data like that, does my doing so 
    constitute a crime?
    
    I'm not looking for ethical or moral debate here, I am hoping someone has 
    some distinct legal experience who knows.  Thanks.
    
    AD
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
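
The search box described in the original post, as an added example that is not part of any message in this thread: it shows why the quoted string returns every product when the term is concatenated into the query, and how a bound parameter makes the same input match nothing. The table, column and function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample catalogue; the table and column names are assumptions.
ROWS = ["bicycle", "bicycle pump", "helmet", "tent"]
PAYLOAD = "bicycle' or 1=1--"  # the search string quoted in the post

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT)")
    db.executemany("INSERT INTO products VALUES (?)", [(n,) for n in ROWS])
    return db

def search_concat(db, term):
    """'Before': the term is spliced into the SQL text, so a quote in the
    input closes the string literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE '" + term + "%'"
    return sorted(r[0] for r in db.execute(sql))

def like_prefix(term):
    """Escape LIKE wildcards so the term only ever matches literally."""
    for ch in ("\\", "%", "_"):
        term = term.replace(ch, "\\" + ch)
    return term + "%"

def search_param(db, term):
    """'After': the term travels as a bound parameter and is never parsed."""
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return sorted(r[0] for r in db.execute(sql, (like_prefix(term),)))

if __name__ == "__main__":
    db = make_db()
    for fn in (search_concat, search_param):
        print(fn.__name__, fn(db, "bicycle"), fn(db, PAYLOAD))
```
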
    



    This archive was generated by hypermail 2b30 : Mon Jul 22 2002 - 07:23:06 PDT