Paul Jones’s profile

Latest Comments

1

Happy to be on board! You know, that will make twice that you've missed this talk -- makes one feel neglected. ;-)

Posted in Paul Jones Joins OmniTI.

Fri, 28 Sep 2007 at 18:18:57 GMT


2

Here's a much better one, from earlier in the thread (the entirety of which bears reading):

http://www.webappsec.org/lists/webs...6/msg00037.html

Posted in Ethics and Security.

Mon, 11 Jul 2005 at 20:20:33 GMT


3

Hi again --

The "Web Application Security Consortium" seems to agree with the "approval" framework, if primarily as a matter of law rather than ethics. (I think the two coincide in this case; law and ethics do not always match, as we know. ;-)

http://www.webappsec.org/lists/webs...6/msg00081.html

Posted in Ethics and Security.

Mon, 11 Jul 2005 at 19:49:26 GMT


4

Hi, Derick,

I completely agree that security flaws are the fault of the programmer. I do what security testing I know how to; I don't know as much as Chris or Ilia or others about the various flaws, so I am an imperfect tester. I depend in some cases on others to point out where I have erred.

So my point is about how ethical persons go about testing for flaws. Certainly I would not expect an *un*ethical person to give me notice; that's part of what makes him an unethical bad guy.

But if a person is an ethical good-guy, I *do* expect him to give notice that he's testing my systems. Otherwise, I have no way of knowing if the "testing" is benign or malevolent. In addition, I expect an ethical person to tell me what he found. What better way to improve the state of security than to tell your target what you discovered?

Perhaps I am naive to think that professional programmers want to help other programmers improve their craft.

Posted in Ethics and Security.

Mon, 11 Jul 2005 at 18:40:26 GMT


5

Hi Ilia -- you say: "These included people who think that rather then solving problems, it is better to chase after people who find them."

Dude, nobody's chasing after you (at least not me). I like the idea of vuln testing, I just want (as a target) to be notified when you're doing it so I know I'm not being attacked.

You also say, "Back in the early days of net when the community mostly consisted for engineers and scientists and hackers this were a lot simpler." You're correct; when the network was primarily a tool for research, things were easier. But now the network is public, and "testers" need to behave in a more socially-friendly manner.

Finally, as far as people who test security, "most do it out of shear curiosity of and quest of understanding and helping people improve their systems." Wonderful! Ask me first before "helping" me to improve -- or at least tell me in advance that you're preparing a lesson for me.

Again, it's not hard, and I'm not trying to stop anyone -- I'm just saying that you need at the very least to communicate your intentions, and really ought to get approval before tooling through a site that is not yours. Is that such a hard task?

Posted in Ethics and Security.

Mon, 11 Jul 2005 at 13:15:24 GMT


6

"I am nearly convinced that prior notification is necessary."

Hey cool. :-)

"I'll provide a more thorough answer and response at a later date."

I look forward to it. :-)

Also, and not to keep going at it piecemeal, any set of guidelines should include what you are **not** allowed to do. If everything is allowed, or "the right to do anything else as necessary is reserved", then it's not really a set of ethics, it's notice that one gets to do what one wants, when one wants, for one's own reasons.

Posted in Ethics and Security.

Sun, 10 Jul 2005 at 22:40:54 GMT


7

Quick followup -- even by relaxed standards, the person who "researched" the Solar and Cortex sites has not proved himself an ethical tester; he has yet to notify me by any means of the vulnerabilities he discovered. (And no, me seeing the results of his "research" in my comments is not notification; that's me stumbling onto the scene.)

Posted in Ethics and Security.

Sun, 10 Jul 2005 at 21:48:00 GMT


8

Hi Chris --

You say, "I think we need to be more forgiving rather than less when it comes to judging those with good intentions."

I completely agree. However, the only way to know if a tester's intentions are honorable is if that tester communicates those intentions to the target. Otherwise, the test may well look like an attack, from the target's point of view, which is why otherwise benign research would be seen as malicious.

What set of rules would **you** consider ethical when it comes to testing other people's public sites? (Note that I ask about "public sites" and not merely "open-source applications," which you can download and test on your own system.)

If you would, please let your reply take into consideration that it should be possible for the target to distinguish legitimate research behaviors from malicious penetration behaviors; if nobody else can tell, then the tester may be either good or bad, with no way to discern.

As long as there are published rules, and not merely "good intentions," we can start the basis of a more relaxed standard of ethics.

Posted in Ethics and Security.

Sun, 10 Jul 2005 at 21:43:29 GMT


9

M(e)rry x(mass) to you too. :-)

Posted in Holiday Greeting.

Sat, 18 Dec 2004 at 03:07:49 GMT


10

It would be **very** helpful to know the methodology and parameters of your test.

Incidentally, your experimentation could well be perceived as a series of attacks. White-hat though you may be, the manner is still a bit black-hat.

Thanks. :-)

Posted in PHP Security Experiments.

Tue, 02 Nov 2004 at 00:22:33 GMT


About

  • Twitter: @pmjones
  • Location: Memphis, TN
  • Joined: November 2004
  • Comments: 10