ADDandy Posted December 18, 2008

First, some background: we have a 'securities' 400-level comp sci class at my university (University of Saskatchewan). There is a project involved with this class; you can either write a report or do an experiment/proof-of-concept thing. Because I suck at writing, I am opting for the proof of concept. I was thinking of using a modified version of the U3 hacksaw and distributing it to the 'marks' after they complete a short survey on their electronic security habits. I want to modify the payload so that it does nothing malicious. The only thing I want the payload to do is report back to me something that could discern the user (MAC address, static IP, something). What I would like to know is the legality of this and/or anything I could use to defend my actions? I would like to do this experiment, but I won't risk my P.Eng on it. Thanks guys. -Andy
DingleBerries Posted December 18, 2008

Collecting the information without the user's knowledge is illegal, and U3 hacks are fail.
Sparda Posted December 18, 2008

I can't see how this could ever be considered breaking the law. In fact, I remember a story from a while back where someone or a group of people left memory sticks lying around a city centre just to see how many of them would phone home. The idea being that if someone malicious had done this, to see how many potential computers or people would have been affected.
DingleBerries Posted December 18, 2008

I guess it all depends on the intention of the experiment. If you are leaving sticks around to infect users and possibly cause harm/damage, it is illegal, but it is just as bad to take information from them without their knowledge. Dumping IPs and MACs may not be "that" bad, but it's unauthorized copying. That's just IMO.
wire Posted December 18, 2008

"ask your instructor"

My thoughts exactly. If your professor is on board with this idea, then if it goes wrong they will hold some of the responsibility for it.
SmoothCriminal Posted December 18, 2008

If you just keep track of which USB goes to which user, you could have the payload just send out an email identifying itself with a number, which corresponds with your data on who got what USB drive. That way you are not technically getting user information from them (although you probably could get their IP address from this). Though, I agree, check with your instructor.
digip Posted December 18, 2008

"Is there anything protecting the rights of white hat hackers?"

Common sense and use of good judgment.
Loony Guitarist Posted December 18, 2008

Why do you have to discern the user? Why not modify it to just send you an e-mail that says "pwned" and then compare the number of e-mails to the number of thumb drives handed out? If you need to get demographic information as well, have it e-mail you a predetermined ID number and associate it with the survey the user filled out.

As far as the legality of it all, definitely discuss the project with your professor. Even if you are not taking any information from the users, you are essentially "stealing" their bandwidth to send the message back to yourself. (I know, big deal, a whole k, if that, of bandwidth.) Perhaps you could include a clause at the bottom of the survey (i.e. fine print) that states that the user, upon filling out the survey and accepting the USB drive, allows you to use any and all information collected from the survey for your project. That should give you a paper document signed by the user saying that they basically gave you permission to have the U3 e-mail you, as the thumb drive is part of the survey. (Any lawyers understand this? Want to elaborate on it? Is it even an option?) Just a thought.
digip Posted December 18, 2008

If you asked for permission to try your POC on someone's machine, with the teacher aware of it, I don't see how that would be a legal issue. In doing an experiment or POC, what are the requirements outlined by the teacher? Does it say anything about doing things to other people's machines being part of your experiment? If you have the idea on how to do the POC, why not just write about that in your report and be done with it? This way, you did not do anything illegal with regard to other people's property, or their permission or knowledge therein of your actions. You can always give a demonstration using your own machine if a POC is needed. I don't see why other people's machines would need to be involved in said experiment.
DingleBerries Posted December 18, 2008

"If you asked for permission to try your POC on someone's machine, with the teacher aware of it, I don't see how that would be a legal issue. You can always give a demonstration using your own machine if a POC is needed. I don't see why other people's machines would need to be involved in said experiment."

"Perhaps you could include a clause at the bottom of the survey (i.e. fine print) that states that the user, upon filling out the survey and accepting the USB drive, allows you to use any and all information collected from the survey for your project."

Those are my sentiments exactly. Include some type of clause and be sure to have them sign it, and that they ARE AWARE THAT THEY ARE SIGNING SOMETHING; like, don't put it on the back of the paper and have them sign the front. Also, discussing it with your instructor and having him give the go-ahead will save you a lot of trouble and heartache if someone gets pissed. And there should be no reason to involve others' computers in this. A simple personal survey should be enough. "Do you have autorun enabled on your personal PC(s)?", "If you found a thumb drive lying on the ground, would you plug it in without disabling autorun?", "How long have you been using a computer?", "Thank you for your time." And there you go, no harm no fail... lol, get it?