lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-id: <4C197480.32137.FAFAA35@nick.virus-l.demon.co.uk>
Date: Thu, 17 Jun 2010 13:04:00 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Congratulations Andrew

bk to wilder_jeff Wilder:

> > By that same standard.. if you leave your house unlocked.... does
> > that give someone the right to enter it? 
> > 
> > just my thoughts
> 
> Sending from the right account this time...
> 
> It wasn't an unlocked house.  It was a table on the sidewalk with
> all the neighbors' Girlscout cookie order sheets on it.  Someone
> just happened to pickup not only their order sheet, but everyone
> else's too. 

That may be what _you_ see as a relevant analogy, but that's not how 
most legal systems will see it.  To most legal systems it matters not 
that the folk ostensibly responsible for "protecting" the data 
effectively just laid it all out (more or less) in public view.  The 
pertinent legal questions will likely revolve around whether the 
accessor could reasonably claim they did not know they were not 
authorized to access that data.

And how will the courts assess whether the accessor was authorized to 
access that data?  Simple -- they ask the "owner" of the data (AT&T) 
who will surely say "we did not authorize the defendant to access that 
data", and they will probably blandly add something like "and we took 
industry-standard measures to reasonably protect the data against 
unauthorized access".  Whilst the latter is apparently rather easily 
debunked, doing so is pretty irrelevant to defending an unauthorized 
access" charge, as regardless of how easily (trivially in this case) 
the access was obtained, the issue is "was that access authorized".

Many apparently stupid things have been built into our computer and 
technology laws.  These often don't actually make much sense if you 
think the objective of such laws should be to encourage data guardians 
to do a better job of their charge, but mostly these laws have been 
made to make it relatively easy to obtain prosecutions.

> Think you could get a theft prosecution for that?

And touche' to Valdis' response making fun of this part of your post 
too!



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ