Message-ID: <Pine.GSO.4.44.0401241227520.7720-100000@keg.the7thbeer.com>
Date: Sat, 24 Jan 2004 12:32:11 -0800 (PST)
From: ed@...7thbeer.com
To: Dinesh Nair <dinesh@...haque.com>
Cc: Daniel.Capo@....net.br, <computerguy@....rr.com>,
<BUGTRAQ@...urityfocus.com>
Subject: Re: Major hack attack on the U.S. Senate

> which begs the question, unless it was explicitly labelled as such, how
> would the accessor know that he was committing unauthorized access ?

Notice is not required to constitute an offense generally under the
criminal laws (there are exceptions elsewhere, but this is not one of
them) of the United States. For example, trespass does not require you
show posting of "No Trespassing" signs. Courts will generally hold one to
a reasonable person standard and consider the actus reus and
the mens rea of the defendant. In other words, a judicial shaking of the
finger coupled with a "you should know better" is sufficient. You do not
need to have a banner saying "Authorized users only" to "criminalize" the
act. Similarly, lack of a banner does not "decriminalize" the act.

> this is quite similar to sites say, accidentally exporting windows or nfs
> shares out to the internet. a query of the server will return a mount
> request legitimate.

Nothing of the sort. You may have other liability for accidentally
exporting an NFS or CIFS share to the net, but you do not negate criminal
liability for invasion of that share. Yes, there are some exceptions
about areas of the public domain, but IIRC accidental sharing does not
constitute public domain.

-ed