
White Hat Protection


ADDandy


First, some background.

We have a 'securities' 400-level comp sci class at my university (University of Saskatchewan). There is a project involved with this class: you can either write a report or do an experiment/proof-of-concept thing.

Because I suck at writing, I am opting for the proof of concept.

I was thinking of using a modified version of the U3 hacksaw and distributing it to the 'marks' after they complete a short survey on their electronic security habits.

I want to modify the payload so that it does nothing malicious. The only thing I want the payload to do is report back to me something that could discern the user (MAC address, static IP, something).

What I would like to know is the legality of this and/or anything I could use to defend my actions?

I would like to do this experiment, but I won't risk my P.Eng on it.

Thanks guys

-Andy


I can't see how this could ever be considered breaking the law. In fact, I remember a story from a while back where someone or a group of people left memory sticks lying around a city centre just to see how many of them would phone home. The idea being that, if someone malicious had done this, to see how many potential computers or people would have been affected.


I guess it all depends on the intention of the experiment. If you are leaving sticks around to infect users and possibly cause harm/damage, it is illegal, but it is just as bad to take information from them without their knowledge. Dumping IPs and MACs may not be "that" bad, but it's unauthorized copying. That's just IMO.


If you just keep track of which USB goes to which user, you could have the payload just send out an email identifying itself with a number, which corresponds with your data on who got what USB drive. That way you are not technically getting user information from them (although you probably could get their IP address from this). Though, I agree: check with your instructor.


Is there anything protecting the rights of white hat hackers?

Common sense and use of good judgment.



Why do you have to discern the user? Why not modify it to just send you an e-mail that says "pwned" and then compare the number of e-mails to the number of thumb drives handed out? If you need to get demographic information as well, have it e-mail you a predetermined ID number and associate it with the survey the user filled out.

As far as the legality of it all, definitely discuss the project with your professor. Even if you are not taking any information from the users, you are essentially "stealing" their bandwidth to send the message back to yourself. (I know, big deal, a whole k, if that, of bandwidth.)

Perhaps you could include a clause at the bottom of the survey (i.e. fine print) that states that the user, upon filling out the survey and accepting the USB drive, allows you to use any and all information collected from the survey for your project.

That should give you a paper document signed by the user saying that they basically gave you permission to have the U3 e-mail you, as the thumb drive is part of the survey. (Any lawyers understand this? Want to elaborate on it? Is it even an option?)

Just a thought.
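The "predetermined ID number" idea above (and the same suggestion a few posts earlier) is worth sketching as code, because the security-relevant property is what the beacon does not contain. The following is an added example, not code from the thread or from the U3 hacksaw payload. It assumes a hypothetical design: each drive carries a random 16-hex-character token, the payload sends a one-line JSON object holding only that token, and the token-to-survey-row mapping lives only on the experimenter's own machine. The tally rejects tokens that were never issued and counts a drive once no matter how many times it is plugged in.

```python
"""Consent-based USB 'phone home' experiment using per-drive opaque tokens.

Added example, not from the forum thread or the U3 hacksaw payload.
Hypothetical assumptions: the beacon is one JSON line {"token": ...},
tokens are 16 hex chars, and the token -> survey-row mapping is kept
only by the experimenter, never on the drive.
"""
import json
import secrets
from collections import Counter


def issue_tokens(n_drives):
    """Generate one random, unguessable token per drive to hand out.

    Returns {drive_number: token}. Random rather than sequential so a
    recipient cannot guess another drive's token and report on its behalf.
    """
    return {i: secrets.token_hex(8) for i in range(1, n_drives + 1)}


def build_beacon(token):
    """What the payload on the drive would send.

    Deliberately contains only the token: no MAC address, IP, username or
    hostname is read from the host or transmitted.
    """
    return json.dumps({"token": token})


def tally(beacon_lines, token_to_survey):
    """Count received beacons against survey answers the experimenter holds.

    token_to_survey maps token -> survey row for the person who took that
    drive (here just the answer to 'autorun enabled?'). Unknown tokens are
    rejected; repeated beacons from the same drive count once.
    Returns (counts_by_answer, n_drives_plugged_in, n_rejected).
    """
    seen = set()
    counts = Counter()
    rejected = 0
    for line in beacon_lines:
        try:
            msg = json.loads(line)
            token = msg["token"]
        except (ValueError, KeyError, TypeError):
            rejected += 1          # malformed beacon
            continue
        if token not in token_to_survey:
            rejected += 1          # forged, mangled or never-issued token
            continue
        if token in seen:
            continue               # same drive plugged in again
        seen.add(token)
        counts[token_to_survey[token]["autorun"]] += 1
    return counts, len(seen), rejected


# Constructed demo data (hypothetical tokens and answers, not real beacons).
DEMO_SURVEY = {
    "1f2e3d4c5b6a7988": {"autorun": "yes"},
    "0a0b0c0d0e0f1011": {"autorun": "no"},
    "ffeeddccbbaa9988": {"autorun": "yes"},
}
DEMO_BEACONS = [
    build_beacon("1f2e3d4c5b6a7988"),
    build_beacon("1f2e3d4c5b6a7988"),     # plugged in twice
    build_beacon("ffeeddccbbaa9988"),
    '{"token": "0000000000000000"}',      # not a token we issued
    "not json at all",                    # line noise
]

if __name__ == "__main__":
    counts, plugged, rejected = tally(DEMO_BEACONS, DEMO_SURVEY)
    print(f"{plugged} of {len(DEMO_SURVEY)} drives phoned home; "
          f"{rejected} beacons rejected")
    print(dict(counts))
```

The point of keeping the beacon to a single opaque token is that the only thing linking a report to a person is the survey sheet the experimenter already has, with the participant's signature on it; nothing is copied off the host. The thread's caveat still applies: this changes what data leaves the machine, not whether running code on someone else's computer is permitted, so the instructor sign-off and written consent discussed above are still the real safeguards.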


If you asked for permission to try your POC on someone's machine, with the teacher aware of it, I don't see how that would be a legal issue.

In doing an experiment or POC, what are the requirements outlined by the teacher? Does it say anything about doing things to other people's machines being part of your experiment?

If you have the idea on how to do the POC, why not just write about that in your report and be done with it. This way, you did not do anything illegal with regard to other people's property, their permission or knowledge thereof of your actions. You can always give a demonstration using your own machine if a POC is needed. I don't see why other people's machines would need to be involved in said experiment.


If you asked for permission to try your POC on someone's machine, with the teacher aware of it, I don't see how that would be a legal issue.

You can always give a demonstration using your own machine if a POC is needed. I don't see why other people's machines would need to be involved in said experiment.

Perhaps you could include a clause at the bottom of the survey (i.e. fine print) that states that the user, upon filling out the survey and accepting the USB drive, allows you to use any and all information collected from the survey for your project.

Those are my sentiments exactly. Include some type of clause and be sure to have them sign it and that they ARE AWARE THAT THEY ARE SIGNING SOMETHING, like don't put it on the back of the paper and have them sign the front. Also, discussing it with your instructor and having him give the go-ahead will save you a lot of trouble and heartache if someone gets pissed.

And there should be no reason to involve others' computers in this. A simple personal survey should be enough. "Do you have autorun enabled on your personal PC(s)?", "If you found a thumb drive lying on the ground, would you plug it in without disabling autorun?", "How long have you been using a computer?", "Thank you for your time."

And there you go, no harm no fail... lol, get it?
