[Full-disclosure] n3td3v group slams RSA for encouraging illegal anti-phishing tactics
n3td3v at gmail.com
Sat Apr 1 00:53:27 BST 2006
"But do you remmeber back to the Make love not spam saga? Yeah, the big
players tried to "attack" the bad guys and look were they ended up. You, by
attacking anything, forwhatever reason, with the same method as the
attacker, could land you in jail. While with your attack you may lock up
phishers in coordination with banks, the phishers lawyers could also claim
by law, that the anti-phishing site was also breaking the law by flooding a
database, even if the database is malicious or otherwise legitmate."
"With this in mind, are the RSA say its OK to DDoS fake login pages that the
public think are phishing sites with fake information to take the phishing
sites down? Or maybe the RSA didn't think too far into it before making
their "illegal tactics" public. I guess nobody in the industry learned from
makelovenotspam.com and the whole Lycos affair."
"Well, Chris, it looks to me by the RSA publishing this information that
are encouraging anyone with a botnet to send thousands of bogus queries to a
web form, which would crash a mail server or database, which belonged to a
company, that the phishers had previously hacked and the company was
previously unaware was being used in a phishing attempt. So now it seems the
RSA are sending out information about their activities, which could
infulence scriptkids/ hackers etc who own large bot nets to attack anything
they see as a "phish". Although, just by individuals of the public sending a
single query per user to a phish login form, could cause the same affect as
a malicious users bot network."
The above is in response to
-------------- next part --------------
An HTML attachment was scrubbed...
Full-Disclosure is hosted and sponsored by Secunia.