vudukungfu: Hang on, someone's at the back door.
Mein Fuhrer I Can Walk: The good news thus far being that they haven't taken any action against him. Let's hope for the moment that the Auzzie cops have better sense than their US counterparts on this matter./pipe dream, I know//or is it tubes...
Fluid: Unless you have the explicit consent of the one whose security you are testing, you can't really expect the law to be on your side if they decide to prosecute. If he intends to be a security researcher, he should be aware of his legal position.
uttertosh: Actually the Company is, more than probably, just covering it's ass from a (perceived) legal perspective.
ginkor: The sane thing to do is not contact such potential bullies directly, but to contact a reputable organization involved in such things to do it for you, like EFF in the US.The most important thing is that, when they ask for your identity, respond with the statement that "I wish to remain anonymous, so could you please provide me with a randomized 7-digit contact password, so that if we speak in the future, I can use it to identify myself." This is a handle for them to grasp, so they will be far more comfortable.This is a real handy trick and you should remember it, in case you need it.
DON.MAC: uttertosh: Actually the Company is, more than probably, just covering it's ass from a (perceived) legal perspective.The "company" is the state gov't.
AverageAmericanGuy: This is why I don't try to make money on the security side. Too much risk of idiot 'clients' and not enough payoff at the end of the day.
gaslight: I actually just sent that comic to a software developer. He is trying to assemble a team to sell his product and thinks he's got the perfect thing. He's absolutely resistant to any creation of a product development plan, or even creating an issue tracker. Worse, he wants to sell the product at a consumer level and thinks tech support won't be an issue.The very first time I entered something in a search field the apostrophe I included threw a hard SQL error with no error handling so I sent him the Johnny Droptables cartoon. Last night he sent me a Dear John letter thanking me for my input but my emphasis on planning is clearly indicative that I'm not a good fit.Some people you can't help.
EdNortonsTwin: I'm just an A/V guy but I notice a trend in IT, in general, for sidelining the smartest people and placing borderline incompetent / unethical folks at the helm. This seems true wether it be the NSA or good sized corporations.wtf?
interstellar_tedium: This is the most basic attack, we worried about this back in 1997 when I was developing a web front end to a database of atomic and molecular data. We took an effort to limit the input even then, and even though the data was not sensitive in any way. This is just lazy, lazy programming and shows incompetence on the part of the programmers, designers and especially senior management; the fact that any website has this vulnerability in this day and age is inexcusable.
BitwiseShift: [fast-images.picyou.com image 850x850]
The Voice of Doom: DeathByGeekSquadHas anyone stopped to wonder why he was looking for SQL injection vulnerabilities in the first place?Sometimes you don't have to look because the sites shove them into your face.Like, when you're old school and have your browser ask you for confirmation before accepting a cookie and then some webshop wants to set a cookie with value "update orders set foo=bar where..".Or you're interested in how the big guys do some stuff and you take a look at the HTML and scripting of the pros:[img.fark.net image 850x354]
Links are submitted by members of the Fark community.
When community members submit a link, they also write a custom headline for the story.
Other Farkers comment on the links. This is the number of comments. Click here to read them.
You need to create an account to submit links or post comments.
Click here to submit a link.
Also on Fark
Submit a Link »
Copyright © 1999 - 2017 Fark, Inc | Last updated: Apr 29 2017 05:58:53
Runtime: 0.444 sec (443 ms)