PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Loading
It is currently Sat Nov 22, 2014 3:41 am

All times are UTC - 5 hours




Post new topic Reply to topic  [ 21 posts ]  Go to page Previous  1, 2
Author Message
PostPosted: Thu Sep 29, 2011 5:36 pm 
Offline
DevNet Master
User avatar

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2775
Location: .za
JeremyG wrote:
I don't see anything ethically wrong with either spamming (whether it's effective is another question) or unauthorized pentesting as long as you are scrupulous about not using any information so acquired. (Might want to look into any legal aspects first, of course.) It's ballsy and it's arguably rude, but it's not the same as criminal hacking because the intent is entirely different.

Most laws regarding computer crimes don't seem to care about the intent, the more pertinent issue is that an illegal access was made.

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


Top
 Profile  
 
PostPosted: Fri Sep 30, 2011 1:58 am 
Offline
DevNet Resident
User avatar

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
social_experiment wrote:
Most laws regarding computer crimes don't seem to care about the intent, the more pertinent issue is that an illegal access was made.

I think this is true for my local laws as well.
On the other hand there are cases where it's so painfully obvious that the site has a vulnerability, one could email them:
"Hi, I am Patrick O' UNION SELECT username, password FROM login, from the old and traditional Irish clan UNION SELECT username, password FROM login. I noticed a problem with your site... "

I *have* disclosed problems to some site owners and so far two things happen: full on ignore or "thanks, we'll fix it".


Top
 Profile  
 
PostPosted: Fri Sep 30, 2011 4:39 am 
Offline
DevNet Master
User avatar

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2775
Location: .za
Mordred wrote:
I *have* disclosed problems to some site owners and so far two things happen: full on ignore or "thanks, we'll fix it".

I think the email route is the safest option but looks like site owners rarely appreciate it enough to properly thank you properly. If history is anything to go by, you'd probably have to comprise their site, get access to some data and maybe somewhere down the line they will employ you.

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


Top
 Profile  
 
PostPosted: Fri Sep 30, 2011 7:13 pm 
Offline
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
Most companies don't hire unknown security consultants. They are paranoid that way, in fact a little wary of programmer who knows the "black arts" coming in and "fixing" their problems. Especially if you are working remotely and not attached to any "brick-and-mortar" company.

I would suggest you start by going to a consulting house and doing some work through them. Once they get to know you and you get some big names/jobs on your resume then you can go solo.

On the other hand I get SEO spam almost constantly, so I would assume this approach must generate some business. Unfortunately most security is done in-house and even in small companies they just rely on the designers who always say, "Sure it's secure. Tight as a drum. No one can get past my code." I once did a job for a friend's company just as a favor. He asked me to double check their site as everyone in house was telling him how good it was. They had no SSL, no throttling on their login, exposed session data, etc. etc. Of course they didn't want to pay me to fix it though (and I don't normally do any security type stuff anyway). They were embarrassed and fixed it themselves.

Oh, and I HIGHLY recommend you don't PEN-TEST a site without permission just to get a job from them. This will automatically ruin their trust, your reputation and could get you into legal trouble. Sometimes companies are open to discussion about allowing you to test their site, but I would make sure you have some kind of arrangement that they pay you something for the results otherwise they will say thanks and pass it off to their software guys to fix.


Top
 Profile  
 
PostPosted: Sun Oct 02, 2011 6:42 pm 
Offline
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
I had another thought that I know has worked for people. You could give talks at conventions about certain security problems and demonstrate how devastating a simple and common weak programming technique can be. Now you don't want to go to hacker conventions, but general business conventions about e-commerce or on-line sales where they don't normally hear about this kind of stuff but after seeing an impressive dog-and-pony show they might take you up on auditing their systems or refer you to other people in their company about doing work.

Having a published book also helps, especially in getting in the door as a presenter.

(BTW - Your database insertion = classic).


Top
 Profile  
 
PostPosted: Mon Oct 10, 2011 10:24 am 
Offline
Forum Regular
User avatar

Joined: Mon Feb 11, 2008 5:22 am
Posts: 611
Eric! wrote:
You could give talks at conventions ... Now you don't want to go to hacker conventions, but general business conventions about e-commerce or on-line sales where they don't normally hear about this kind of stuff

This approach has generated business for me - not in the context of security work, I hasten to add - and I've found joining Chambers of Commerce and similar bodies on is a good way to deliver these kinds of talk. Much of the horse work of promoting and organizing the talk itself (making a room available, emailing members and all that stuff) is then taken care of.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 21 posts ]  Go to page Previous  1, 2

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group