web application security lab

Proving Innocence

I was perusing the forums and tr1pp33 asked an interesting question about ethics in testing. The first half, about the ethics of testing remote sites, is interesting, although we have been through that conversation already. The second half of his question was whether testing is illegal and how you prove intent. That got me thinking about how you prove you are innocent if you actually didn't do it, but someone else forced your browser to hack on their behalf.

If someone forces me to hack on their behalf, how can I prove that I didn't do it intentionally? That raises a second question: if I can prove it wasn't me by saying I've got spyware on my computer, perhaps it's worth installing spyware on the off chance I do get caught, so I can plead innocence. Okay, but back to the problem: how do you prove it in the case of CSRF or session riding?

The only obvious answer I could think of was logging. Log everything you do, either on the local host with something like slogger (thank you to Jordan Wiens for the link), or at the proxy level (you may miss HTTPS traffic unless you use an SSL accelerator as a MITM to intercept, log and process the results). Ultimately, though, even that doesn't show intent, because I could have had every intention of clicking on links that would force my browser to do something. If I can coordinate to get others to infect me with a virus or an XSS worm or something else, I can somehow absolve myself of the crime. It's a tricky subject, certainly.
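To make the proxy-logging idea concrete, here is an added example (written for this page, not code from the original post or from slogger) that parses a proxy-level request log and flags requests to hosts where the user holds a session whose Referer points at a different origin, which is the footprint a CSRF or session-riding page leaves behind. The log format, the `bank.example`/`forum.example` hosts and the sample lines are all constructed assumptions. It also shows the caveat the post makes: the log can reconstruct what the browser did and which page triggered it, but a missing Referer proves nothing either way, and nothing in the log speaks to intent.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Constructed sample of a proxy-level request log (not real traffic).
# Assumed line format: "<timestamp> <method> <url> referer=<url or ->"
SAMPLE_LOG = """\
2007-03-01T10:00:01 GET http://bank.example/account referer=-
2007-03-01T10:00:05 POST http://bank.example/transfer referer=http://bank.example/account
2007-03-01T10:02:10 GET http://forum.example/thread/42 referer=http://forum.example/
2007-03-01T10:02:11 GET http://bank.example/transfer?to=eve&amt=500 referer=http://forum.example/thread/42
2007-03-01T10:02:11 GET http://cdn.example/img.png referer=http://forum.example/thread/42
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) referer=(\S+)$")


@dataclass
class Entry:
    ts: str
    method: str
    url: str
    referer: Optional[str]  # None when the browser sent no Referer header


def parse_log(text: str) -> List[Entry]:
    """Parse the assumed log format; silently skips malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, method, url, ref = m.groups()
        entries.append(Entry(ts, method, url, None if ref == "-" else ref))
    return entries


def origin(url: str):
    """Scheme/host/port triple, the same notion of origin the browser uses."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def find_cross_site_requests(entries: List[Entry], session_hosts: Set[str]) -> List[Entry]:
    """Return requests to a host where the user is logged in that were
    referred from a page on a different origin.

    Caveat: a request with no Referer is not flagged; browsers and privacy
    tools strip the header, so its absence is not evidence of anything.
    """
    flagged = []
    for e in entries:
        target = urlsplit(e.url)
        if target.hostname not in session_hosts or e.referer is None:
            continue
        if origin(e.referer) != origin(e.url):
            flagged.append(e)
    return flagged


def describe(flagged: List[Entry]) -> List[str]:
    """Human-readable timeline lines for a report."""
    return [f"{e.ts} {e.method} {e.url} was triggered by {e.referer}" for e in flagged]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for line in describe(find_cross_site_requests(entries, {"bank.example"})):
        print(line)
```

Running the block prints the single cross-origin transfer request, the one issued while the forum thread was open; the typed-in login and the same-origin POST are not flagged, and the image fetched from the CDN is ignored because no session is held there. What the output cannot say is whether the forum page was visited deliberately.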

2 Responses to “Proving Innocence”

  1. hackathology Says:

    This had me thinking too. It's a really hard process to stop all the malicious stuff and even harder to defend yourself. :(

  2. Michael Says:

    My “wisdom” came at the expense of Randal Schwartz, when he was convicted for password cracking [wikipedia:Randal_L._Schwartz]. I’ve been lucky. As an honest hacker, get permission in writing — I’ll post a sample in my blog. If getting permission isn’t feasible, then be very wary. I’ve worked with the best of the cyber crime guys, but for every one of them, there seem to be several others ready to prosecute substitute teachers for porn or the unlucky bloke that types “../../..” — Of course, we don’t hear about the smart D.A. who knows better. In the US, I think any __attempt__ to perform unauthorized access to a SCADA or Banking system is a felony. Be smart, protect your actions with something legally defensible, and in the worst case, lawyer up fast — even if you think you are one of the good guys.