PHP Developers Network

[social_experiment]

I don't see anything ethically wrong with either spamming (whether it's effective is another question) or unauthorized pentesting as long as you are scrupulous about not using any information so acquired. (Might want to look into any legal aspects first, of course.) It's ballsy and it's arguably rude, but it's not the same as criminal hacking because the intent is entirely different.

Most laws regarding computer crimes don't seem to care about the intent, the more pertinent issue is that an illegal access was made.

[Mordred]

Most laws regarding computer crimes don't seem to care about the intent, the more pertinent issue is that an illegal access was made.

I think this is true for my local laws as well.
On the other hand there are cases where it's so painfully obvious that the site has a vulnerability, one could email them:
"Hi, I am Patrick O' UNION SELECT username, password FROM login, from the old and traditional Irish clan UNION SELECT username, password FROM login. I noticed a problem with your site... "

I *have* disclosed problems to some site owners and so far two things happen: full on ignore or "thanks, we'll fix it".

[social_experiment]

I *have* disclosed problems to some site owners and so far two things happen: full on ignore or "thanks, we'll fix it".

I think the email route is the safest option but looks like site owners rarely appreciate it enough to properly thank you properly. If history is anything to go by, you'd probably have to comprise their site, get access to some data and maybe somewhere down the line they will employ you.

[Eric!]

Most companies don't hire unknown security consultants. They are paranoid that way, in fact a little wary of programmer who knows the "black arts" coming in and "fixing" their problems. Especially if you are working remotely and not attached to any "brick-and-mortar" company.

I would suggest you start by going to a consulting house and doing some work through them. Once they get to know you and you get some big names/jobs on your resume then you can go solo.

On the other hand I get SEO spam almost constantly, so I would assume this approach must generate some business. Unfortunately most security is done in-house and even in small companies they just rely on the designers who always say, "Sure it's secure. Tight as a drum. No one can get past my code." I once did a job for a friend's company just as a favor. He asked me to double check their site as everyone in house was telling him how good it was. They had no SSL, no throttling on their login, exposed session data, etc. etc. Of course they didn't want to pay me to fix it though (and I don't normally do any security type stuff anyway). They were embarrassed and fixed it themselves.

Oh, and I HIGHLY recommend you don't PEN-TEST a site without permission just to get a job from them. This will automatically ruin their trust, your reputation and could get you into legal trouble. Sometimes companies are open to discussion about allowing you to test their site, but I would make sure you have some kind of arrangement that they pay you something for the results otherwise they will say thanks and pass it off to their software guys to fix.

[Eric!]

I had another thought that I know has worked for people. You could give talks at conventions about certain security problems and demonstrate how devastating a simple and common weak programming technique can be. Now you don't want to go to hacker conventions, but general business conventions about e-commerce or on-line sales where they don't normally hear about this kind of stuff but after seeing an impressive dog-and-pony show they might take you up on auditing their systems or refer you to other people in their company about doing work.

Having a published book also helps, especially in getting in the door as a presenter.

(BTW - Your database insertion = classic).

[greyhoundcode]

You could give talks at conventions ... Now you don't want to go to hacker conventions, but general business conventions about e-commerce or on-line sales where they don't normally hear about this kind of stuff

This approach has generated business for me - not in the context of security work, I hasten to add - and I've found joining Chambers of Commerce and similar bodies on is a good way to deliver these kinds of talk. Much of the horse work of promoting and organizing the talk itself (making a room available, emailing members and all that stuff) is then taken care of.