[aquadrop]

>'Unauthorized security testing == Malicious attack' I don't agree with that. Although I do think that unauthorized testing is unethical and you should get permission first, but treating it the same as successful attack and punishing the same is wrong. The main difference is intention. And Mr. Al-Khabaz notified relevant authorities and did get thanks at first. If we compare this case to your example about locks, I'd say that Mr. Al-Khabaz walked around your house, saw the broken lock on your back door, then came to your front door, knocked and told you about that. Maybe you may wonder why he would walk around your house in the first place and accuse him of being weird, but can you accuse him in breaking in and stealing?

P.S. Since the author of the article is known for partnering with students defending organizations, the whole story can be one sided, and it would be good to judge after hearing another side. E.g. it could be not the first issue, or there's traces of something more than just security inspection.

[puerto]

You missed my point. Like I said, I'm not commenting the penalty. In my opinion, it's too hard. But this is only my opinion after hearing (just like you said) just one side of the story.

The main problem with unauthorized testing (putting aside technical problems) is that person who performs it is in _very_ difficult position explaining her intentions. She already did what is considered the _second_ stage in hacker attack. Until she can prove her good intentions, this is rightfully treated as a malicious attack.

This is what my equation means. I think everybody on this forum should be aware of this. Don't get yourself in trouble for not knowing this.

[aquadrop]

> She already did what is considered the _second_ stage in hacker attack

Considered by who? There's companies which pay you money if you can find bug in their software. And that's open offer, they don't say 'wait, we'll get ready at 8 p.m. friday and then you can check'. What do you think would Google do, if this student used scanner(or something else) on gmail and found bug and then told Google about it?

I still think that intention is key difference here. And as you said 'that person who performs it is in _very_ difficult position explaining her intentions'. That's why you shouldn't do any unauthorized checks, because even if you wanted to tell about your findings to the relevant authorities, you can be caught before that and then you'r screwed. But Mr. Al-Khabaz informed university/company and was initiator of that talk, so it kinda clears him. He was able reasonable explain his intentions and his punishment could be just some warning(of course if there's no any significant moments we don't know about). Also he didn't get any credit for help he did by finding the bug.

[puerto]

Scanning is the second phase of the standard hacker attack procedure. Phases of hacking:

Phase 1—Reconnaissance Phase 2—Scanning Phase 3—Gaining Access Phase 4—Maintaining Access Phase 5—Covering Tracks

Regarding this guy's intention, you're probably right. The main reason why I'm commenting here is that guys with good intentions don't get themselves in the trouble for not knowing what they're doing.

Finding vulnerabilities in software on your machine and hacking other people's systems are entirely different things. By testing software you're not violating anything (except maybe EULA for some licences). By hacking other people's systems, you're committing a crime.

> What do you think would Google do, if this student used scanner(or something else) on gmail and found bug and then told Google about it? At first, they would treat it like an attack. Like almost any other company would do. I have no idea what would happen later.

[Dylan16807]

But you wouldn't call reconnaissance hacking, would you? That's just vaguely looking at the site and information about the company. Step 2, pointed at something like a webserver, does not connect to any systems the person is not supposed to have access to. Only step 3 crosses the line.

[puerto]

Good point, I wouldn't call reconnaissance hacking. For two reasons: 1) It's a passive method 2) It's not done on the attacked system.

Scanning is an active method and it's done on the attacked system. Web scanning is not the same as web crawling (downloading pages of the site). It include all kinds of invasive tests, like SQL Injection, XSS, command injection and other attack attempts. It can cause many kinds of problems, named here in this thread.

From security perspective, scanning is an attack. Everyone who uses these tools should be aware of this.

[thefreeman]

Companies paying bounties for bugs are explicitly giving you the right to pen test their applications. This changes nothing in terms of unauthorized scanning = malicious attack.