Re: Operation TIPS

From: Benjamin Krueger (benjaminat_private)
Date: Thu Jul 18 2002 - 00:10:30 PDT

    * George Imburgia (gtiat_private) [020717 10:29]:
    > 
    > Recently, the federal government started a program to recruit utility
    > workers, postal employees, truck drivers and such into an informant
    > program;
    > 
    > http://www.citizencorps.gov/tips.html
    > 
    > When you choose to join, it takes you to;
    > 
    > https://www.citizencorps.gov/citizen/jsp/volunteerform.jsp?programName=5
    > 
    > After looking at the source code of this url, it became apparent that
    > sanity checking of user input is done on the client. Testing confirmed
    > that this is exploitable.
    > 
    > In other words, it's easy to retrieve a list of their volunteer
    > informants.
    > 
    > Apparently they plan to address issues like this the easy way, by locking
    > up people that exploit it for life. This is a FEMA site, which would
    > qualify for a life sentence under the "Cyber Security Enhancement Act of
    > 2002".
    > 
    > 
    > George Imburgia
    > Senior Network Security Engineer
    > Capitol Networking
    > gtiat_private
    
    Unless you somehow cause or attempt to cause somebody's death by exploiting
    this weakness, you won't be subject to the lifetime maximum.
    
    Sec. 105(5)(B) under the Cyber Security Enhancement Act says "if the offender
    knowingly or recklessly causes or attempts to cause death from conduct in
    violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment
    for any term of years or for life, or both."
    
    Apropos penalties would probably be those in Sec. 108(b) which amend Sec.
    2701(b) of title 18, United States Code. That's just my assumption. IANAL.
    
    -- 
    Benjamin Krueger
    
    "Life is far too important a thing ever to talk seriously about."
    - Oscar Wilde (1854 - 1900)
    ----------------------------------------------------------------
    Send mail w/ subject 'send public key' or query for (0x251A4B18)
    Fingerprint = A642 F299 C1C1 C828 F186  A851 CFF0 7711 251A 4B18
    


