Date: Fri, 3 Oct 2008 15:18:52 -0500
From: "Michael Krymson" <krymson@...il.com>
To: degeneracypressure@...il.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [inbox] Re: Supporters urge halt to, hacker's, extradition to US

Sorry, I fail at email and at first didn't send it to FD, and when I thought
I had, I munged the address. Go me! I'll see how badly I can bungle this up
further by pulling this back to FD. Is it ok if I leave the post intact at
the bottom? :)

I just wanted to let you know I know a tiny bit how the American system
works (I live here). "Beyond reasonable doubt" is typically a murder trial
thing. But reasonable doubt in general is typical when interpreting and
applying laws. It's just when one uses that "beyond reasonable doubt" that
it evokes murdermurdermurder thoughts. What a reasonable person believes is a
lot different than saying there is no doubt about something. In one case
you're trying to prove guilt as much as possible, in the other you're just
trying to apply common sense.

I'd stick by my saying entering a blank password is like testing a door and
finding it unlocked, or that it accepts my key that I just happened to have
in my pocket. Just because it works does not imply I'm welcome. I would say
that a reasonable person would understand that.

Thanks for the response, by the way, despite my fails.

On Wed, Oct 1, 2008 at 10:26 AM, Eliah Kagan
<degeneracypressure@...il.com> wrote:

> I suppose I shouldn't post this to FD, as you have not done so. Very
> well. Please feel free to post your reply to FD if you wish, so long
> as you include my entire post unedited, at the top. (Of course I
> cannot legally constrain you from doing it any other way--all this is
> a matter of etiquette.)
>
> I may not wish to continue this for too long if others will be unable
> to read our arguments, but that's OK.
>
> Michael Krymson wrote:
> > If I reach my hand out to the door, I can feel the knob. I attempt to
> > turn it, and it yields to my movement. In turning the knob, the door
> > accepts my interaction, pulls the bolt out of the frame, swings upon
> > well-oiled hinges with nary a complaint and allows me to enter. Am I
> > doing something illegal (oh say, trespassing)? It would seem to me that
> > the door is allowing me to enter, in fact, nearly welcoming the action.
> >
> > For the troll, I would switch this up to say this is a public building
> > after hours. Someone leaves the door unlocked. Is this "public domain"
> > as he is wont to throw around (without demonstrating any understanding
> > of the term)?
>
> So we have my analogy and your analogy. Which is right?
>
> Actually I don't think you've found the problem with my analogy. My
> analogy corresponds far better than yours, because when you open an
> unlocked door, the door is not an active participant. Whereas when you
> connect to a server, the server has to actually *do* something.
>
> The problem with my analogy, which may or may not be fatal to it, is
> that for a client to send FIN ACK and then continue to send TCP
> datagrams is clearly not illegal, though according to my analogy that
> would correspond to saying "I'm leaving your house now," and staying.
> And for a host to totally ignore the RST flag is also not illegal (and rather
> useful sometimes: http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf), though
> for the client to do that would correspond to ignoring "GTFO of my
> house!" My analogy would actually render illegal, actions that are
> clearly legal and perhaps even harmless and useful. But it's still
> food for thought. Is accessing a server really like entering a
> structure on somebody's property? What are the limitations of that
> analogy? It may be a useful analogy, but you need to justify it if
> you're going to convict someone on the basis of it.
>
> >> Is that a totally wrong analogy? Maybe. If it is, are we sure it is
> >> a wrong analogy, BEYOND REASONABLE DOUBT?
> >
> > This isn't a murder trial. You don't need emotionally charged terms. :)
>
> You may be unfamiliar with how the American legal system works. We use
> the reasonable doubt standard in all criminal proceedings, not just
> murder proceedings. The good news is that if you didn't know that and
> were on an American jury, the judge would tell you as part of his or
> her instructions to the jury. Can you imagine the judge talking about
> "beyond a reasonable doubt" in any criminal proceeding (e.g.
> jaywalking) and a juror telling the judge not to use emotionally
> charged terms!?
>
> That term is emotionally charged because people in the US (at least
> used to) believe in the rights of the accused. Oh, I can censor my
> language so as not to invoke people's commitment to justice? No
> thanks. I'll stick with the legally correct and emotionally charged
> terms.
>
> > Really, we can use the term 'reasonable' for issues like this. Would an
> > average reasonable person think that accessing a government computer
> > system because it had a blank password in a login prompt that he
> > normally would not know the account information for, is a bad thing?
> > Possibly illegal?
>
> The question is not if a reasonable person could think the act was
> illegal. The question is if any reasonable and informed person, in
> light of the arguments and evidence presented in the trial (which has
> not yet happened), could think the act was *not* illegal. If any such
> person could come to that conclusion, and the jury realizes that
> **even if the jury doesn't itself come to that conclusion**, then the
> jury is required to acquit. This is the reasonable doubt standard.
>
> > We can
> > argue semantics all day,
>
> Semantic arguments are extremely important in a court, so there is no
> reason for us not to discuss them.
>
> > but in many situations, it is the spirit of the law
> > and what a reasonable person concludes, that is key.
>
> With what extraordinary evidence (as Carl Sagan would say) do you
> support that extraordinary claim?
>
> In no remotely civilized nation is it possible to convict someone in a
> criminal proceeding on the basis of the "spirit" of the law! Imagine
> that--"sir, you're technically innocent, but we're going to jail you
> anyway because it would really make sense if what you did had been
> illegal."
>
> Let's clarify something. The criminal allegation is computer fraud,
> right? The question is then whether or not obtaining access by
> entering a blank password in a password prompt is *fraudulent*.
>
> -Eliah
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/