[1926] in linux-security and linux-alert archive


[linux-security] Re: WARNING: Break-in attempts

daemon@ATHENA.MIT.EDU (Paul D. Robertson)
Mon Jun 22 10:58:33 1998

Date: Mon, 22 Jun 1998 08:24:33 -0400 (EDT)
From: "Paul D. Robertson" <proberts@clark.net>
To: Jon Lewis <jlewis@inorganic5.fdt.net>
Cc: Rogier Wolff <R.E.Wolff@BitWizard.nl>,
  Shaun Hedges <shedges@shaw.wave.ca>, linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.95.980621120648.723I-100000@tarkin.fdt.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

On Sun, 21 Jun 1998, Jon Lewis wrote:

> On Sun, 21 Jun 1998, Rogier Wolff wrote:
> 
> > He modified the systems he attacked without consent or approval of the
> > owner. 
> > 
> > The modification consists of getting stuff into the log files.
> 
> If you mean probing the system remotely "modified" it by appending the log
> files....I'd say that's one hell of a stretch.  Opening connections to a
> few ports is not necessarily a breakin.

Stretch in logic, yes, stretch in the Oregon statute?  Please read it and 
draw your own conclusions.  Both the 1993 and 1995 revisions are 
available at the lightlink site.  The gist is that if there is intent to 
access without authorization then it's illegal.
  
> > As far as I'm told, this would be enough to get a conviction in the
> > state of Oregon, and possibly many more. 
> 
> I doubt that.  Having recently dealt with the FBI in a case where real
> damage was done, I was quite surprised to find just how hard it is to get
> the FBI to take an interest and how hard it is for them to get the US
> Attorney to give them the go ahead to investigate a case.  You need to be

In the case of the state of Oregon, obviously you don't *need* the FBI, 
since it's a _state_ law.  Just a zealous local prosecutor, and you're set.

Federal law is very *easy* to break in computer cases, since an attack 
which happens across state lines is automatically an attack against a 
"Federal Interest Computer."  Because of this, the DOJ has set _guidelines_
for both the FBI's investigation, as well as federal prosecutors.  It's 
important to note that they are guidelines, which can be totally ignored by
all the involved parties.

Local jurisdictions don't have the same high watermarks for their 
guidelines, which is why it's almost always easier to prosecute under 
local statutes.
 
> able to show that thousands of dollars of damage has been done.  An
> unsuccessful breakin attempt doesn't cause a whole lot of financial 
> damage.  Then, even if you can show sufficient damage was done, you have a
> good chance of finding the person responsible is a minor (under 18 in the
> US), and the FBI can do nothing to them.  I guess I was unfortunate that
> neither the compromised system nor the person who compromised it, nor any
> of the other systems he was traced to were in Oregon.

Yes, it would appear that you were.  Once again though, the point of 
legality/illegality isn't always the same as the point of prosecution.  I 
would suggest that all administrators who may have to deal with breakin 
attempts spend some time with their general counsel, and learn about the 
relevant laws.  It's not certain that the investigating authorities will 
know what is and isn't germane.  If that fails, then there's always civil 
court, which doesn't have the same burdens of proof, nor the same burdens 
of federal prosecutor guidelines.

> 
> > It happened to Randal Schwartz, read about it at
> >    http://www.lightlink.com/spacenka/fors/
> > 
> > Americans, it could happen to you next time, do something about it!
> 
> Has anyone seriously looked into challenging the constitutionality of
> Oregon's computer crimes law?

Exactly which part of the US Constitution do you think is being violated?  
Now, IANAL, nor is Constitutional law in my sphere of interest outside of 
being a US Citizen, but I honestly don't see a conflict with the 
Constitution, common sense, perhaps, but not the Constitution.

Here's the "everything else" clause from the Oregon law:

(4) Any person who knowingly and without authorization uses,
    accesses or attempts to access any computer, computer system,
    computer network, or any computer software, program,
    documentation or data contained in such computer, computer
    system or computer network, commits computer crime.

Paragraph 4 is the misdemeanor section; rm'ing a file maliciously can be 
felonious in Oregon.

If we expect broadly encompassing local laws to continue, and in the case 
of Oregon, I'd certainly never work there without doing so, I'd advise 
anyone working in the computer field in such jurisdictions to look 
seriously into getting a signed statement from a company officer giving 
them the permission to access any and all systems or network components.  
It's time that administrators started protecting themselves from such 
laws.

Having seen that cases like the AA BBS where a California Adult BBS sysop 
was successfully prosecuted in Tennessee for violating their community 
standards sets some very interesting precedents about 
cross-jurisdictional enforcement in the US.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------