
April 13, 2007



Hey Alan. I am blogging this as well but thought I would post here too.

Read this quote from your post over and over again:

"supposed white hats are afraid of potential legal prosecution for hacking into web apps without permission"

The key two words here are "WITHOUT PERMISSION". As much as I hate the terms "White Hat Hacker", "Black Hat Hacker" and "Gray Hat Hacker", the difference between a so-called White Hat and a Black Hat is the law and is that whole getting permission thing.

I do not give a shit who you are or what your intentions are. You break into a site without permission, you have broken the law and you must deal with whatever comes your way. I am saying this from experience as I once did this exact thing to a major e-commerce company and luckily, I did not end up ruining my career or end up in jail. If I had, it would have been my own doing and yes, I would have deserved it.

You are not doing any of the e-commerce sites any favors by, for free, exposing security weaknesses in their site. In fact, you are doing them a disservice because you will have saved them from embarrassment and shown them that there is really no point in properly investing in their security infrastructure.

Good guy breaks into a site. They may or may not fix it, but they will paint the good guy in a bad way, then move on with their business. Bad guy breaks into a site, steals credit card numbers, and the site owner is now forced to deal with the security issues and pays the penalty of lost customer confidence.

Take it a step further and after the bad guy is done, the company compromised will go out and hire the good guys.
