July 14th, 2003, 08:48 PM
Hypothetically speaking here....
If I find that a website has weak password protection to enter it, can I make this known to the site owner?
Or, would that not be a good idea?
July 14th, 2003, 08:53 PM
Sure, I would think any constructive comment to the site owner would be appreciated. I would at least let it be known that you have no intention of breaking through that protection yourself, but just so that website is more secure. How weak is the password protection? Can you give any other details about the site? Hope it helps out...
Carrie: Someone's definition of what constitutes cheating is in direct proportion to how much they themselves want to cheat.
Miranda: That's moral relativism!
Carrie: I prefer to think of it as quantum cheating.
July 14th, 2003, 08:54 PM
That's a sticky situation - on one hand, the site owner could be very grateful to you for reporting this hole in the security of the site - on the other hand, you could be accused of 'hacking' (term used loosely here), and may find yourself in trouble.
Personally, if I found the hole, I'd report it to the owner - I believe in security and the owner should know about the hole...
After all, if the hole was found by one person, it can most certainly be found by several more - while the first may not take advantage of the hole, the others might, which could be bad news for the site owner..
July 14th, 2003, 09:04 PM
I once had a situation where my web server was being horrendously attacked, (Code Red/Nimda), by a single server on the net. Just to see how bad it was I scanned it and found a terminal services port open. For a giggle I connected to it and found that the combination administrator/password actually worked. After a bit more digging I discovered that this company is a computer consulting company in Washington DC that boasts such customers as the IRS and ATF....... I simply called their ISP and informed them of the problem. It seems to me that you give yourself a little protection that way and the "victim" company takes it as less of an insult if their own ISP calls them.......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
July 14th, 2003, 09:07 PM
It's a website that uses the applet password wizard... I read that these sites are very weakly protected... joylock.class
I have no intentions of entering the site; I just wanted to see if I could do what I read, and it took me a total of 10 minutes to decrypt the first password, and there are 218 in the source.
coffeecup.com is junk and I would advise not to use it.
July 14th, 2003, 10:09 PM
I would send the admin an anonymous email, explaining the weak encryption. I would also mention that the email is only anonymous for your own protection. Try this site:
3 Easy Steps To Fixing Windows (Permanently!)
1) Insert Linux Installation CD (Any Distro)
2) Read Included Documentation on "Installing"
3) Install Linux
July 14th, 2003, 10:37 PM
That's a real tight situation, but in the case of security it would be nice to let the site owner know, IMO. The way you go about letting them know is what you need to take into consideration.
If you can get the info to them and you will not get into trouble, then go ahead and do that. I know I would be grateful if someone told me that my site was not all that secure, but a lot of people don't react the way I do. So just be careful as to the way you relay the information.
Good luck in whichever way you decide to go, and let us know the owner's response if you tell.
- The mind is too beautiful to waste...
July 14th, 2003, 11:26 PM
There's no 'legal' way you can find out the strength of a password. You must in some way test its strength. So if you feel you should tell the admin, make sure you do it anonymously, because you never know when you're going to run across an admin with his head up his ass.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
July 15th, 2003, 03:17 AM
Thanks for the insight on this matter.
I think I will just keep it to myself; this seems the wise thing to do.
July 15th, 2003, 03:34 AM
Another idea is to contact the site and ask for permission... don't tell them that you have done anything yet. Something along the lines of..... (remember social engineering 101)
Doing something like that, IF they ever take the time to reply, they will probably tell you no... (although not always, as long as you promise full disclosure). But you have informed them about the weakness, and sometimes they may even let you test it. You can't do any more than that. You haven't admitted to doing anything wrong, so they can't complain.
I am a computer science student at XXXXX university. I have been doing an emphasis in security. I recently read something regarding the weakness of passwords used by the applet password wizard, and I noticed that your site was using it. I was wondering if I could test what I have read, and return the results to you.
Thank you for your time
"Ignorance is bliss....
but only for your enemy"