CanSecWest hacking contest UPDATE (How did your OS fair?)

  • #31
    Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

    CanSecWest UPDATE

    Laptop With Vista Attack Code Listed on eBay:

    http://www.pcworld.com/article/id,14...l?tk=nl_dnxnws

    • #32
      Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

      I will grant xor many of the points he's making... but I think that the key issue I have with the situation (as Chris pointed out), in addition to them taking that asshattery too far, is the voided warranty due to hard disk removal.

      Nowadays, hard drives (at least on normal computers, I don't know about Macs... someone please correct me) are all in their own very nice and simple caddy which can be removed by popping off a plastic panel and taking out two to four screws. A monkey on acid could do that effectively.

      I think that any company who will not protect your data properly should be obligated to let you remove the hard disk before any service is performed, or else automatically win a spot in the fucktard hall of fame.
      "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
      - Trent Reznor

      • #33
        Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

        Chris also brings up some very valid privacy and responsibility concerns.

        You are doing pen testing for a client with which you have signed a rigorous NDA.

        In the course of your pen testing you discover the worst kind of child pr0n. You are legally bound by your NDA, but morally and ethically bound to tell the authorities. There is also the business aspect, if you tell the authorities how will this hurt your practice?

        What do you do?

        xor
        Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

        • #34
          Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

          Originally posted by xor
          Chris also brings up some very valid privacy and responsibility concerns.

          You are doing pen testing for a client with which you have signed a rigorous NDA.

          In the course of your pen testing you discover the worst kind of child pr0n. You are legally bound by your NDA, but morally and ethically bound to tell the authorities. There is also the business aspect, if you tell the authorities how will this hurt your practice?

          What do you do?

          xor
          I've never signed an NDA, but don't they normally define what can and cannot be disclosed? Meaning, you cannot disclose corporate secrets, but anything not defined is fair game.

          Plus, when you issue your report, you could always state that you found kiddie porn on a certain machine and allow the company to deal with it.
          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

          • #35
            Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

            Originally posted by streaker69
            I've never signed an NDA, but don't they normally define what can and cannot be disclosed? Meaning, you cannot disclose corporate secrets, but anything not defined is fair game.

            Plus, when you issue your report, you could always state that you found kiddie porn on a certain machine and allow the company to deal with it.
            Playing devil's advocate here.

            Suppose time goes by and the company chooses not to do anything about it. If you don't report it don't you then become an accessory after the fact?

            For some crimes, whether you are guilty or not, a mere accusation is enough. Hope Thorn chimes in here.

            xor
            Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

            • #36
              Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

              Originally posted by xor
              Playing devil's advocate here.

              Suppose time goes by and the company chooses not to do anything about it. If you don't report it don't you then become an accessory after the fact?

              For some crimes, whether you are guilty or not, a mere accusation is enough. Hope Thorn chimes in here.

              xor
              <yawns, scratches, sucks on coffee> Did someone mention my name?

              It depends on the state. Although generally, I'd say that yes, if you have knowledge of a criminal act and you fail to act on it in a reasonable time, you may be charged as an accessory after the fact. "Reasonable" being the operative word. Jur1st can probably provide more interpretation on what's "reasonable" under most laws, but it usually comes down to what the average Joe Citizen would find to be reasonable.

              It may also depend on the state's particular laws and the contract/NDA, and the details in those documents.

              Frankly, my position would be that I'd advise the CEO, Board of Directors and company's Counsel, and give them a deadline to act or I would. Because otherwise that puts my butt on the line.

              Child porn is pretty clear cut. What's more slippery is finding things that might not be quite as easily defined. Example: how about finding what appears to be a second set of books on the CFO's PC? Is it some sort of SOX violation, or are they doing a conversion from one bookkeeping package to another and haven't told you? Are you liable criminally if you have strong suspicions, only report it to the company, and then watch them sit back and do nothing?
              Thorn
              "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

              • #37
                Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

                Originally posted by xor
                Playing devil's advocate here.

                Suppose time goes by and the company chooses not to do anything about it. If you don't report it don't you then become an accessory after the fact?

                For some crimes, whether you are guilty or not, a mere accusation is enough. Hope Thorn chimes in here.

                xor
                Oddly enough, here's an article that's kind of along these lines.

                http://www.cnsnews.com/ViewNation.as...20080402a.html

                Granted, no NDA involved, but the employee was told by her supervisor not to report the crime.
                A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                • #38
                  Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

                  The easiest way to deal with this is before it becomes an issue. We put a clause in our Rules of Engagement that states that any illegal content will be reported to client management and the appropriate law enforcement agency. Both our team and the authorized client representatives (which usually includes a member of their legal team) sign these Rules of Engagement and therefore we are in the clear NDA wise if we discover illegal content on a target system and report it to law enforcement.

                  If you are doing pen test work and don't have a similar clause in your agreement you really should discuss it with your legal team and get it added. All the Rules of Engagement are is a big CYA document so you don't get fucked later.
                  perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'

                  • #39
                    Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

                    Originally posted by Deviant Ollam
                    Nowadays, hard drives (at least on normal computers, I don't know about Macs... someone please correct me) are all in their own very nice and simple caddy which can be removed by popping off a plastic panel and taking out two to four screws. A monkey on acid could do that effectively.
                    Like I said, only the new MacBooks make it easy to swap a drive. The new MacBook Pros require removing the topcase (where the keyboard is) to get to the drive. In the old white iBooks you had to almost completely disassemble the machine.

                    • #40
                      Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

                      Just to test out Apple, the next time I bring in my laptop I will see if I can get the employees to remove the hard drive and hand it back to me before shipping it off.

                      I have talked to many of the people at the Apple store, and one customer that came in with a MacBook had his hard drive removed and they did not say anything about it whatsoever. Maybe he got hit with charges when he came to pick it up, I don't know.

                      Would be interesting to know.

                      • #41
                        Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

                        Originally posted by 0x58
                        Just to test out Apple, the next time I bring in my laptop I will see if I can get the employees to remove the hard drive and hand it back to me before shipping it off.

                        I have talked to many of the people at the Apple store, and one customer that came in with a MacBook had his hard drive removed and they did not say anything about it whatsoever. Maybe he got hit with charges when he came to pick it up, I don't know.

                        Would be interesting to know.
                        I've sent in a couple hundred laptops into Apple with non-apple drives in them, they never said a thing.

                        • #42
                          Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

                          Originally posted by barry99705
                          I've sent in a couple hundred laptops into Apple with non-apple drives in them, they never said a thing.
                          While there are plenty of people who would shout "personal anecdotes are not hard data" (and this would apply both ways in this scenario, actually), I think Chris' larger point pertains to stated policies more than specific company behavior.

                          It may be the case that 9 times out of 10 they turn their head and just service things for you anyway, but the fact that somewhere in black and white people are making ass-face assertions is a real pain, particularly when it can potentially come back to bite you. It's never easy getting a soulless, monolithic corporation to honor your requests for help under the best of conditions... it can be an even bigger headache when you've transgressed against the fine print, even if it was fine print that historically was ignored.
                          "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
                          - Trent Reznor

                          • #43
                            Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

                            Originally posted by Chris
                            You misunderstand. If one person is using Safari that means one person is using OS X...and that my good man is one too many.
                            Not any more Chris. The latest update for iTunes installed Safari on my Windoze box at work.
                            DaKahuna
                            ___________________
                            Will Hack for Bandwidth

                            • #44
                              Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

                              Originally posted by DaKahuna
                              Not any more Chris. The latest update for iTunes installed Safari on my Windoze box at work.
                              Yup, iTunes tried to do that tonight to my wife's PC.
                              Thorn
                              "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

                              • #45
                                Re: CanSecWest hacking contest UPDATE (How did your OS fair?)

                                Yeah, I noticed that Apple's updater is now pushing Safari. I politely declined.
                                "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";
