lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 23 Feb 2006 07:54:51 +1100
From: "Craig Wright" <cwright@...syd.com.au>
To: "dave" <fla.linux@...il.com>, <security-basics@...urityfocus.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Vulnerabilites in new laws on computer hacking



First I agree with some of the other posts in that this should be on
Security basics. So I have cross posted in an attempt to move this
discussion to the (in this instance) more relevant forum.

Dave demonstrates the point I was attempting to make. The trespass
argument is analogous to the computer crime in ways that seem to be
missed. In the US, UK and Australia there are a variety of computer
mis-use laws. I will not go into all the various US regs (there are over
50 jurisdictions), but to take an example from one Australian criminal
code:

<start legal quote>
"Section 170(1) of the Criminal Law Consolidation Act 1935 ("the Act")
provides that a person who commits a serious criminal trespass in a
place of residence is guilty of an offence. Section 170(3) defines a
"place of residence". It is convenient to note all of the terms of s
170. It provides:

(1) A person who commits a serious criminal trespass in a place of
residence is guilty of an offence.
Maximum penalty: Imprisonment for 15 years."
</start legal quote>

Trespass is not always just a fine and a slap on the wrist either. I
consider a 15 year goal term to be severe. What it is important to note
on all these is that the MAXIMUM term is exactly that it is the maximum
only. The judiciary has discression to issue a lesser term. Daniel
Cuthbert in the UK was let off easily and would have been punished even
less if he had told the truth from the start. Judges take a hard view to
lying under oath. They see it as an affront to their authority.

For non-repeat offenders it is oft the best defence (if one has done the
deed) to take the "it's a fair cop" approach and plead how sorry you are
etc.

I do agree that all laws are not fair. Nor have I stated this. As
trespass CAN result in an extended gaol term your point that an attacker
should get nothing more than trespass could be seen as more harsh - 15
years for the basic access is far more extreme than most computer misuse
offences have as a max. penalty.

People start stating that there is NO damage. This is never the case -
next rant...

Regards,
Craig

-----Original Message-----
From: dave [mailto:fla.linux@...il.com]
Sent: 23 February 2006 3:17
To: Craig Wright
Subject: Re: Vulnerabilites in new laws on computer hacking

Ignorance of the law??? The poster made an analogy between cracking a
computer and trespassing. So I responded in kind. Yes in Canada, England
or where ever, they might see cracking a computer as a serious felony
and prosecute accordingly...here in the US it almost considered
terrorism. Just because lands have inacted these laws doesnt make them
right or fair! THAT is the issue. Cracking a computer should be eqated
to trespassing and not B&E. Although I am no *criminal* I have been
arrested for trespassing a few times...I assure you I am not ignorant of
the (local) law in these matters...I just dont always agree with it! I
have a friend that *accidently* killed a man in a bar fight. He was
charged with manslaughter and did 4.5 years in a New Jersey state
prison. Now...from what I read about current computer laws it is
possible for me to get more time by breaking into a computer or writing
a virus etc...this is insanity!

Bottom line...whatever your current laws on computer hacking are they
are probably to harsh (despite all the 'neato' latin words).
Understanding the law doesnt mean it is a fair law! We all know how
serious authorities take computer crimes. We do not necessarily need to
know the statutes by heart to know that "if I get caught doing this I'm
going to do some time". These crazy laws are the reason for the original
post.

Is accessing some server somehwere and poking around really the same as
breaking into someones home? I mean, if I found someone poking around in
my server I would take appropriate actions. I can pull the server from
the net cause I have a backup server ready to go and I would just start
forensics to see what the attacker did. If I find someone in my home I
will shoot them on site without question. the laws in this matter are
quite different. Breaking into someones home IS serious (beyond invasion
of privacy)...it is way more serious then cracking some server and one
should not face the same charges or punishment...period. Simply breaking
into a computer is no more serious than simple trespassing (as long as
nothing harmful was done), accidents happen and should be dealt with
accordingly.

On the flip side one must remember that once an incedent report is
created a process must be undertaken by the admin of the system. The
admin must pull the cracked machine and dig around and try to find out
what the atttacker did and how far he got within the internal network.
This costs companies a lot of money! This is why companies get mad even
if you did nothing wrong. Big companies spend a crazy amount of money
every year in responding to these incedent reports. So yea...if you HAVE
to break into a computer system to learn about something or satisfy your
curiosity then choose wisely. Yo can cost a company hundreds or even
thousands of dollars even if you didnt do anything.

The next bottom line...If someone breakes into a computer system and
looks around and gets caught they should AT THE MOST be charged with
trespassing if nothing malicious was done. Hey accidents happen so yes
sometimes production servers can go down etc...well THEN the intruder
will have to deal with aspect of their crime. Why should someone pay for
a crime that *might* have happened. When I was 15 some girls and myself
broke into this building to drink and have some fun. We got caught, I
was charged with trespassing...I paid my fine and went home. If I had
accidently caused a fire because I was drunk and stupid THEN the crime
would no longer be simple trespassing. I would then have to attempt to
make up for the damage. If I got caught breaking into the building again
(repeat offender) or if I was an adult with a prior history The
prosecutors would then push for B&E. I have a relative who works as a
prosecutor in the state attorneys office (Florida)...so yes, I
understand how the law actually works in these areas, not just what is
written down.


Craig Wright wrote:

>Hello,
>
>First on the trespass angle. In reality this would equate to more of a
>break and enter violation. The UK and EU laws in this respect have a
>good grounding in fitting the sentence to the crime. The range is based

>on the resultant effect.
>
>In the UK, the Computer Misuse Act 1990 (c.18) has a variant scale from

>6months and/or fine to 5 years and/or fine. This allows for a range of
>punishments from a suspended sentence to gaol.
>
>Canada in the "Criminal Code (RS 1985, c. C-46), Part XI: Wilful and
>Forbidden Acts in respect of Certain Property" Mischief in relation to
>data (s. 430(1.1)) uses a sliding scale from 2 years max imprisonment
>and/or fine to life where the action causes actual danger to life.
>Again this is not fixed. This offers judicial review and possible
>leeway in exceptional cases.
>
>Many of the acts also require that ACTUS NON FACIT REUM, NISI MENS SIT
>REA (The act itself does not constitute guilt unless done with a guilty
>intent) to be in effect. In effect there are defences against either
>severity or the charge in many cases.
>
>Many of the so called valid acts mentioned however mirror "real world"
>crimes in a number of ways. As an example, an attacker going to a site
>owner and stating they have probed the site and found a number of
>vulnerabilities. That they will tell the site owner what they are for a

>fee breaks several non-online rules of law.
>
>First, many jurisdictions have a requirement to give aide. There is no
>defence to a charge of "failure to provide assistance" in I offered for

>a price but they would not pay.
>
>Next there is a general expectation of property rights in most of the
>western world that is well defined and understood. In many places (eg
>some of Canada) a large number of people still leave their  doors
>unlocked. This is their right. By going into the from door and looking
>around the house you are violating the property rights of the owner of
>the property. This can get you several years in gaol.
>
>IGNORANTIA JURIS NEMINEM EXCUSAT (Ignorance of the law excuses no one).
>
>Not understanding the law in general is no excuse to apply this to the
>online world.
>
>Regards
>Craig
>
>-----Original Message-----
>From: dave [mailto:fla.linux@...il.com]
>Sent: 17 February 2006 11:36
>To: bugtraq@...urityfocus.com
>Subject: Re: Vulnerabilites in new laws on computer hacking
>
>Marcus,
>
>You use the analogy of trespassing to describe unauthorized access to a

>computer system or it's resources. I agree with you but I think a point

>was missed...
>
>The laws being passed today against *cyber crime* far exceed the basic
>property laws. If someone gains access to a system he does not have
>permission to access yes he has broken a law. But the punishment should

>fit the crime. To use your analogy: If I wandered into your field and I

>was caught and prosecuted I would face charges for basic
>trespassing...I would pay a fine and go about my business. If I was a
>repeat offender I might do 30 days. Let's say I cut a small hole in the

>fence so I could easily return (that pond of your has some great fish!)

>I would also be made to pay for the fence to be repaired etc... Now, If

>I cracked your server and poked around a bit (yea...in the wee hours of

>the morning) let's say I even set up a small backdoor so I could return

>again...If prosecuted what kind of punishment should I receive? Would
>you be content if i payed the court a 150 dollar fine? Also, can this
>act be classified as *cyber terrorism*? Too many this seems to be the
>direction the government will and is taking...even towards minor
>criminal offenses such as simple trespassing.
>
>I think what the poster was saying is this, "If a teenager could face
>possible *cyber terrorism* (or any serious felony) charges for trying
>to break into computer networks simple to learn then things have gone
>too far". Yes it is wrong and unethical but there is a ring of truth to

>his thought process (even if his post was ridiculous overall)...hey you

>might not care of the intentions of the trespasser but I do! To me
>there is a big difference between someone cracking my server to look
>around and more or less do nothing and someone looking to set up a
>warez site or use my server to host a phishing scam etc...
>
>Unauthorized access is unauthorized access and is never ok from a
>legitimate security (white hat) point of view. But whether or not the
>intruder had malicious intentions should weigh in too. I do NOT think
>it is ok to *cross the line*. But in the past I have played a prank or
>two that could probably be refered to as *crossing the line* but I am
>certainly no criminal.
>
>just my two cents...
> 
>

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ