Message-ID: <Pine.OSF.4.44.0402041105010.22096-100000@oppie.physics.umd.edu>
Date: Wed, 4 Feb 2004 11:39:18 -0500 (EST)
From: "Thomas M. Payerle" <payerle@...sics.umd.edu>
To: Daniel.Capo@....net.br
Cc: chris@...lix.hedonism.cx, <emsi@...rtners.pl>,
	<computerguy@....rr.com>, <BUGTRAQ@...urityfocus.com>
Subject: Re: Major hack attack on the U.S. Senate


On Tue, 3 Feb 2004 Daniel.Capo@....net.br wrote:

> Christian Vogel wrote:
> What concerns me most is that not one objection I received addressed the
> point I made. I spoke of the _legal_ definition of "hacking", and all
> people came up with was disagreement based on their own personal
> feelings on the matter.
While you are probably somewhat justified in the lack of discussion on
your "legal definition" of "hacking", you must bear in mind that in the US
legal system interpretation by the courts is as (more?) important than
what is written.  I certainly appreciated your bringing this definition
into the discussion, as it was quite eye-opening.  But as you comment, this
is not a field you specialize in, and so it is unclear how correct your
interpretation is (and I suspect that very few bugtraq readers are any better
qualified).

As was once commented in a seminar for IT techs about copyrights, there are
only nine people in the country that know what the copyright law means in
any particular case, referring to the justices of the Supreme Court.  (And
actually, there are probably only five, as it needn't be a unanimous decision:)

I certainly dislike the phrasing of the legal definition that you provided
(I did not verify your statement, nor check for other possible legal
definitions, but am trusting your research).  However, I suspect even with
that definition the interpretation has quite a bit of play.  I doubt it would
be considered hacking on my part if I visited www.whitehouse.gov, clicked a
seemingly innocuous link, and received top secret information, even though
by an extremely strict reading of your definition it would be.  If we change
that to I randomly try www.whitehouse.gov/topSecret.html, which is not linked
to another page anywhere, the matter becomes slightly gray (after all, the
name topSecret in the URL suggests that they do not want it universally
distributed.  I suspect the fact that it is on a web server without any
protection would more strongly suggest that it was for universal distribution).

An unprotected SMB share is a very gray area, and personal opinions become
quite relevant even from a legal standpoint (again, perhaps only the personal
opinions of the nine Supreme Court justices, but personal opinions nonetheless).
The fact that the Rep sysadmin informed the Dem counterpart of the "security
hole" suggests that the Republicans were aware that the material was not meant
for public display.  The fact that the hole was not patched in a timely manner
afterwards, however, might suggest that it was (or at least that was not
considered sensitive).
>
> Excuse me, but personal feelings in this matter are irrelevant. People
> objected to the press applying the term "hacking" to what happened, and
> I pointed out that their usage was correct according to the law,
> assuming their portrayal of the events was accurate.
The press is not constrained to using the legal definition, and indeed I would
expect the usage was meant to be the more everyday usage.  If the case went
to court, and the Republicans were found not guilty of the hacking charge and
launched a suit against the press for libel/slander (I think there is a slight
legal distinction between the two, but I do not recall which is appropriate
for this case), I suspect the press will quite quickly state they were using
the more vernacular definition of "hacking" and not a legal definition.

I feel that the use of the term "hacking" was a bit sensationalist on the part
of the press, and my reading of the quotes given of the headlines, etc. did
not make it sound like they were intending a legally precise usage.  That, of
course, is merely an opinion.  I would even venture to say that it is an
opinion which may be dismissed simply because I follow bugtraq; after all,
it can reasonably be claimed that bugtraq readers have jargonized the term
"hacking" to the point where it is different from the general public usage.
There was once (still is?) a group of IT folk who would have vehemently
objected to the use of "hacking" in reference to any unethical behavior,
insisting that the proper term is "cracking" (a "hacker" simply being a
computer enthusiast who does elegant/tricky things).
.  And indeed,


Tom Payerle
Dept of Physics				payerle@...sics.umd.edu
University of Maryland			(301) 405-6973
College Park, MD 20742-4111		Fax: (301) 314-9525


