| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 03 Feb 2004 17:08:45 -0500
From: "Bernie, CTA" <cta@...in.net>
To: Bugtraq@...urityfocus.com
Cc: rsh@...rect.com, moderator.for.bugtraq@...urityfocus.com
Subject: Re: [security] Re: Major hack attack on the U.S. Senate
On 2 Feb 2004 at 23:02, rsh@...rect.com wrote:
> >On Fri, 23 Jan 2004 Daniel.Capo@....net.br wrote:
> >
> >> > Which means the Democrats screwed up setting up their own
> >> > share point and allowed public access to it. There was no
> >> > "computer glitch" which was "exploited". This was
> >> > completely a human screw-up. And there was no hacking
> >> > ("exploitation of a computer glitch") done by the
> >> > Republicans. Unless you wish to call clicking on a share
> >> > point configured with public access and opening it up
> >> > "hacking".
> >>
> >> AFAIK, "hacking" is legally defined in the USA as being
> >> unauthorized access to computer resources. It doesn't matter
> >> if the resource was adequately protected (or protected at all)
> >> in first place or not. If you were not given permission to
> >> make use of that resource, you are criminally liable.
> >>
> >Do you have an explicit permission to read the content of a
> >www.cnn.com? What is the difference between opening a web URL
> >and a network share?
>
> In a word, Intent. If a CNN intends you to read the news on
> their web site and gets advertising revenue when you do, you are
> not hacking when you go there. If the Senate does NOT intend you
> to read their files and leaves open a network share in error or
> through ignorance, you are hacking when you go there. As silly
> as it seems, that is the way the laws were designed to work.
>
<<<
I believe the US Courts would find that the "Intent" of the
Democrats to assert that their files were not for public access,
alone not persuasive. It's my experience that the Court would
perhaps look at the facts associated with the following primary
questions
1. Was there a Security or Computer / Network User Policy in
force which all users (Parties) were aware of, or better yet
signed, specifically identifying how public and private realms
are delineated, and how access to private files is administered?
I would wager that there was no such Policy in place, and
therefore no way to establish a Chinese wall.
2. Where there any safeguards in place to restrict access to
authorized users, and if so were these circumvented and by who?
In this case, safeguards could have been implemented, and it may
have been the Intent of the Democrats to do so, but the fact
remains that they were not. Therefore, no hack or willful
breech of the systems security occurred.
3. Were there any notices (i.e. the word Confidential,
Restricted, etc, placed in the Header, Footer or Watermark of
the Document Files) or file/directory naming convention e.g.
Confidential - Republicans Keep Out, indicating that the files
were confidential or more specifically not for public access? If
there were such notices or naming convention an argument could
be made that parties did receive notice that the files were to
be considered private or not for public access.
4. If there were notices or marks indicating that the files and
their content were private, then, did the person who accessed
and disclosed content of these files do so with the "Intent" to
cause harm to the Author? Well, that is a tough one. Obviously
both sides are involved in the game of political tactics,
(information warfare), against their opponents "Party". However,
the law looks at harm to an individual, so was any individual
hurt by the disclosure? Was that the intent of the disclosing
party?
I would analyze the transaction and occurrences in this case by
drawing an analogy to that of a Public Library. In such a
Library, there are books and records, which are made available
to the Public, although notice of this is typically not placed
on each book or record (file). However, there are also areas
(rooms) within the premises, which may contain other books and
records (such as operational and administrative records) that
the Library considers private for access by authorized personal.
Typically, the Library would take measures to secure these areas
and ensure that access to these rooms is controlled, doors
locked, or notice is displayed indicating that the area is
Private, i.e., General Public Keep Out.
Likewise, the Democrats may have had the Intent to establish
that certain areas and its contents were private, but failed to
mark these areas (Directories) or ensure that safeguards were
properly implemented to control access. The bottom line is that
basic security policies, procedures and safeguards were not in
effect in the Senate's Network to prevent unauthorized access,
or more importantly alert the casual user that the files are
private and not public domain.
-
-
****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta@...in.net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************
Powered by blists - more mailing lists