hypothetically speaking
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: hypothetically speaking

  1. #1
    Member
    Join Date
    Jul 2003
    Posts
    68

    Thumbs down hypothetically speaking

    Hypothetically speaking here....

    If i find that a website has a weak password protection to enter it ,can i make this known to the site owner.

    Or,would that not be a good idea ?

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    111
    Sure, I would think any constructive comment to the site owner would be appreciated. I would at least let it be known that you have no intention of breaking through that protection yourself, but just so that website is more secure. How weak is the password protection? Can you give any other details about the site? Hope it helps out...
    Carrie: Someone\'s definition of what constitutes cheating is in direct proportion to how much they themselves want to cheat.
    Miranda: That\'s moral relativism!
    Carrie: I prefer to think of it as quantum cheating.

  3. #3
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    That's a sticky situation - on one hand, the site owner could be very grateful to you for reporting this hole in the security of the site - on the other hand, you could be accused of 'hacking' (term used loosely here), and may find yourself in trouble.

    Personally, if I found the hole, I'd report it to the owner - I believe in security and the owner should know about the hole...

    After all, if the hole was found by one person, it can most certainly be found by several more - while the first may not take advantage of the hole, the others might, which could be bad news for the site owner..
    - Maverick

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I once had a situation where my web server was being horrendously attacked, (Code Red/Nimda), by a single server on the net. Just to see how bad it was I scanned it and found a terminal services port open. For a giggle I connected to it and found that the combination administrator/password actually worked. After a bit more digging I discovered that this company is a computer consulting company in Washington DC that boasts such customers as the IRS and ATF....... I simply called their ISP and informed them of the problem. It seems to me that you give yourself a little protection that way and the "victim" company takes it as less of an insult if their own ISP calls them.......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Member
    Join Date
    Jul 2003
    Posts
    68
    It`s a wesite that uses applet password wizard....iread that these sites are very weakly protected....joylock.class

    a

    i have no intensions of entering the site,just wanted to see if i could do what i read, and it took me a total of 10 minutes to decrypt the first password and there are 218 in the source.

    coffeecup.com is junk and would advise not to use.

  6. #6
    Member
    Join Date
    Aug 2001
    Posts
    52
    I would send the admin an anonymous email, explaining the weak ecryption. I would also mention that the email is only anonymous for your own protection. Try this site:

    http://www.sendfakemail.com/
    3 Easy Steps To Fixing Windows (Permanently!)
    1) Insert Linux Installation CD (Any Distro)
    2) Read Included Documentation on \"Installing\"
    3) Install Linux

  7. #7
    Senior Member
    Join Date
    Jul 2002
    Posts
    315
    That's a real tight situation but in the case of security it would be nice to let the site owner know IMO. The way you go about letting them know is what you need to take in consideration.

    If you can get the info. to them and you will not get into trouble then go ahead and do that. I know I would be greatful if someone told me that my site was not all the secure but a lot of people don't react the way I do. So just becareful as to the way you relay the information.

    Good luck in which ever way you decide to go and let us know the owner's response if you tell.

    Guidance...
    - The mind is too beautiful to waste...
    Cutty


  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    theres no 'legal' way you can find out the strength of a password. you must in some way test its strength. so if you feel you should tell the admin make sure you do it anonymously because you never know when you're going to run accross an admin with his head up his ass
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    Member
    Join Date
    Jul 2003
    Posts
    68
    Thanks for the insight in this matter.

    I think i will just keep it to myself, this seems the wise thing to do.

    /exit

  10. #10
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    another idea is to contact the site and ask for permission...don't tell them that you have done anything yet. something along the lines of..... (remember social engineering 101)

    I am a computer science student at XXXXX university. I have been doing an emphasis in security. I recently read something reguarding the weakness of passwords used by the applet password wizard, and I noticed that your site was using it. I was wondering if I could test what I have read, and return the results to you.

    Thank you for you time
    XXXXXX
    Doing something like that, IF they ever take the time to reply, they will probably tell you no... (although not always as long as you promise full disclosure) But you have informed them abou tthe weakness, and sometimes, they may even let you test it. You can't do any more then that. You haven't admitted to doing anything wrong, so they can't complain.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides