BugTraq
RE: Informing Companies about security vulnerabilities... Oct 05 2006 12:34AM
Wolf Halton (saphil yahoo com)
Robert,

It is not illegal to pen-test web applications on your classroom
servers, and then as an exercise, check for web sites running the
vulnerable apps and send emails telling them of the vulnerability.
This is not like pen-testing the company's web site without permission,
and your students will be thrilled to have something useful to do with
their fledgling skills.

Giving a talk on the vulnerability at the Black Hat convention might
get you fired from ISS though.

Wolf Halton
http://www.networkdefense-dot-biz

> -----Original Message-----
> From: bugtraq (at) cgisecurity (dot) net [email concealed] [mailto:bugtraq (at) cgisecurity (dot) net [email concealed]]
> Sent: Wednesday, October 04, 2006 3:15 PM
> To: joe (at) learnsecurityonline (dot) com [email concealed]; pen-test (at) securityfocus (dot) com [email concealed]
> Cc: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: RE: Informing Companies about security vulnerabilities...
>
> So you are admitting publicly that you and a class of students that
> you teach are illegally testing random public websites for the
> purpose of learning about security vulnerabilities? Sounds like
> you/your company need to speak with a lawyer.
>
> - Robert
> http://www.cgisecurity.com/ Application Security news and more
> http://www.cgisecurity.com/index.rss [RSS Security Feed]
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of Joseph McCray
> Sent: Wednesday, October 04, 2006 3:07 AM
> To: pen-test (at) securityfocus (dot) com [email concealed]
> Subject: Informing Companies about security vulnerabilities...
>
> This probably won't sound like that big of a deal, but it still
> bothered me so I figured I'd ask the list. I was teaching a Web
> Application Security class last week and we were performing simple
> XSS, SQL Injection, etc. on the vulnerable web apps I use for class.
>
>


--
Summer Special - Make Money on Your Phone Bill Arrowstars.com
Computer support network: http://tech.groups.yahoo.com/group/Tech_Answers/?yguid=11909323
Eggs from Happy Chickens! Catwood Farms - 1960 Hightower Trail, Conyers GA 30012-1822 - 678-384-4930

