Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Is what I am doing illegal?

Hybrid View

  1. #1
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default Is what I am doing illegal?

    Scenario: I have a server at home which is listening on port 80 out to the WWW.
    I also have a domain name for my webserver. The webserver is not publicly available, not in Google etc. Basically, you have to know either the domain name or IP to get into it.
    Well if I were to run a few clientside attack's on my webserver for testing purposes only and someone out of pure curiousity visits my server because he looked over my shoulder when I was on the site, would that be his own fault or me committing a crime?
    - Poul Wittig

  2. #2
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by Deathray View Post
    Scenario: I have a server at home which is listening on port 80 out to the WWW.
    I also have a domain name for my webserver. The webserver is not publicly available, not in Google etc. Basically, you have to know either the domain name or IP to get into it.
    Well if I were to run a few clientside attack's on my webserver for testing purposes only and someone out of pure curiousity visits my server because he looked over my shoulder when I was on the site, would that be his own fault or me committing a crime?
    Yours, period.
    dd if=/dev/swc666 of=/dev/wyze

  3. #3
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Quote Originally Posted by Deathray View Post
    Scenario: I have a server at home which is listening on port 80 out to the WWW.
    I also have a domain name for my webserver. The webserver is not publicly available, not in Google etc. Basically, you have to know either the domain name or IP to get into it.
    Well if I were to run a few clientside attack's on my webserver for testing purposes only and someone out of pure curiousity visits my server because he looked over my shoulder when I was on the site, would that be his own fault or me committing a crime?
    Technically it would be yours. Although your intention is that the site be "private", obscuring the existence of the site merely by not allowing it to be listed via google does not make it private. It is public as long as there is a possibility of someone accessing it without restriction. If, however, you were to create an entry page requiring whoever happens to come across the site to login, presumably with credentials known only to you, then it would be their fault should they force their way in.



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by Deathray View Post
    Scenario: I have a server at home which is listening on port 80 out to the WWW.
    I also have a domain name for my webserver. The webserver is not publicly available, not in Google etc. Basically, you have to know either the domain name or IP to get into it.
    Well if I were to run a few clientside attack's on my webserver for testing purposes only and someone out of pure curiousity visits my server because he looked over my shoulder when I was on the site, would that be his own fault or me committing a crime?
    If your Webserver is available from the internet then it is publicly available <period>. Just because it isn't in Google, doesn't mean it isn't on the internet. Google, believe it or not, is NOT the internet.

    If you're using it for testing porpoises, then it shouldn't be accessible from the public.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Default

    Quote Originally Posted by streaker69 View Post
    Google, believe it or not, is NOT the internet.


    You bite your blasphemous tongue!
    [CENTER][FONT=Book Antiqua][SIZE=5][B][COLOR=blue][FONT=Courier New][COLOR=red]--=[/COLOR][/FONT]Xploitz[FONT=Courier New][COLOR=red]=--[/COLOR][/FONT][/COLOR][/B][/SIZE][/FONT][FONT=Courier New][COLOR=Black][SIZE=6][B] ®[/B][/SIZE][/COLOR][/FONT][/CENTER]
    [CENTER][SIZE=4][B]Remote-Exploit.orgs Master Tutorialist.[/B][/SIZE][SIZE=6][B]™
    [/B][/SIZE]
    [URL="http://forums.remote-exploit.org/showthread.php?t=9063"][B]VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial"[/B]
    [/URL]
    [URL="http://forums.remote-exploit.org/showthread.php?t=7872"][B]VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial"[/B]
    [/URL]
    [URL="http://forums.remote-exploit.org/showthread.php?t=8230"][B]VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial"[/B][/URL]

    [URL="http://forums.remote-exploit.org/showthread.php?t=8041"][B]VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases"[/B][/URL]
    [/CENTER]

  6. #6
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by Deathray View Post
    Scenario: I have a server at home which is listening on port 80 out to the WWW.
    I also have a domain name for my webserver. The webserver is not publicly available, not in Google etc. Basically, you have to know either the domain name or IP to get into it.
    Well if I were to run a few clientside attack's on my webserver for testing purposes only and someone out of pure curiousity visits my server because he looked over my shoulder when I was on the site, would that be his own fault or me committing a crime?
    1) This probably breaks your ISP's Terms of Service.
    2) If someone stumbles upon your site and you somehow exploit/damage their machine/data it's your fault.
    3) Why not simply limit access to your web server to traffic originating via the same IP. (i.e.: Your traffic to your web server bound to an external IP should end up source and destination the same assuming you're NAT'd internally). From an internal machine if you go to www.whatismyip.com do you get the IP your web server is bound to? (From what you've described you should).
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  7. #7
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default

    Thanks for the replies people, very good to know indeed.
    But let's say the webserver is running on a non-standard port such as 6112?
    Or what if there is a login page which says: Non authorized access prohibited! The password is NOT vesoazfg, and once vesoazfg is typed in, you are forwarded to the client side attacks. Then what? :P

    But instead of forwarding port 80 on the router, I changed the webserver to listen only on 127.0.0.1 and from now on, I will simply log into my SSH and tunnel firefox through it in order to view the website.

    Quote Originally Posted by thorin View Post
    1) This probably breaks your ISP's Terms of Service.
    2) If someone stumbles upon your site and you somehow exploit/damage their machine/data it's your fault.
    3) Why not simply limit access to your web server to traffic originating via the same IP. (i.e.: Your traffic to your web server bound to an external IP should end up source and destination the same assuming you're NAT'd internally). From an internal machine if you go to www.whatismyip.com do you get the IP your web server is bound to? (From what you've described you should).
    Yes, I do
    - Poul Wittig

  8. #8
    Member
    Join Date
    Nov 2007
    Posts
    220

    Default

    Putting it on a random port will only delay the time taken for an automated both to stumble on it... but it will happen... 'maybe' many years from now, but it will happen.

    What about if your first apge said 'THIS COMPUTER WILL HARM YOUR COMPUTER, tick this box to confirm you understand and agree'

    But then again you could bypass the page.. meh

    The SSH option is much better, impossible to stumble accross (just make is secure, use a key pair etc)
    &#119;&#116;&#102;&#63;

  9. #9
    Senior Member SephStorm's Avatar
    Join Date
    Aug 2008
    Posts
    166

    Default

    IMO you should research local and federal laws that could affect your situation. Section 1030 of the CFAA may apply, if someone did come across the server, however, the likelihood of a random user crawling the web, finding your server on an unusual port #, and then attempting to access it would be unlikely. Also, their unauthorized access of the device would make it difficult to prosecute, as they were breaking the law by attempting to access the system, and you did take measures to protect the general populace. I would not think many would be willing to take such a case to court.

    As for an automated bot, I'm less familiar with, however, I don't know if one access device damaging another would be prosecutable.
    "You're only smoke and mirrors..."

  10. #10
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by Deathray View Post
    Thanks for the replies people, very good to know indeed.
    But let's say the webserver is running on a non-standard port such as 6112?
    As others pointed out running on a non-standard port will only delay the inevitable.
    Or what if there is a login page which says: Non authorized access prohibited! The password is NOT vesoazfg, and once vesoazfg is typed in, you are forwarded to the client side attacks. Then what? :P
    I still don't think this will cover you. You can have no trespassing signs up on your property but if someone comes on your property and gets hurt you're still accountable (Unless you have a fence/guard dog etc. i.e.: apply the reasonable man test to a mechanism which would actually keep someone out).

    But instead of forwarding port 80 on the router, I changed the webserver to listen only on 127.0.0.1 and from now on, I will simply log into my SSH and tunnel firefox through it in order to view the website.
    If the web server is only bound to localhost then why not just bring it inside your router and let it have a NAT'd address and then don't bother SSH tunneling at all? If it has an internal NAT'd address there's no need to forward a port or tunnel anything.

    You'll just http://192.168.1.3 (er whatever) and your router will do the local routing per RFC 1918.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •