[1926] in linux-security and linux-alert archive
[linux-security] Re: WARNING: Break-in attempts
daemon@ATHENA.MIT.EDU (Paul D. Robertson)
Mon Jun 22 10:58:33 1998
Date: Mon, 22 Jun 1998 08:24:33 -0400 (EDT)
From: "Paul D. Robertson" <proberts@clark.net>
To: Jon Lewis <jlewis@inorganic5.fdt.net>
Cc: Rogier Wolff <R.E.Wolff@BitWizard.nl>,
Shaun Hedges <shedges@shaw.wave.ca>, linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.95.980621120648.723I-100000@tarkin.fdt.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
On Sun, 21 Jun 1998, Jon Lewis wrote:
> On Sun, 21 Jun 1998, Rogier Wolff wrote:
>
> > He modified the systems he attacked without consent or approval of the
> > owner.
> >
> > The modification consists of getting stuff into the log files.
>
> If you mean probing the system remotely "modified" it by appending the log
> files....I'd say that's one hell of a stretch. Opening connections to a
> few ports is not necessarily a breakin.
Stretch in logic, yes, stretch in the Oregon statute? Please read it and
draw your own conclusions. Both the 1993 and 1995 revisions are
available at the lightlink site. The gist is that if there is intent to
access without authorization then it's illegal.
> > As far as I'm told, this would be enough to get a conviction in the
> > state of Oregon, and possibly many more.
>
> I doubt that. Having recently dealt with the FBI in a case where real
> damage was done, I was quite surprised to find just how hard it is to get
> the FBI to take an interest and how hard it is for them to get the US
> Attorney to give them the go ahead to investigate a case. You need to be
In the case of the state of Oregon, obviously you don't *need* the FBI,
since it's a _state_ law. Just a zealous local prosecutor, and you're set.
Federal law is very *easy* to break in computer cases, since an attack
which happens across state lines is automatically an attack against a
"Federal Interest Computer." Because of this, the DOJ has set _guidelines_
for both the FBI's investigation, as well as federal prosecutors. It's
important to note that they are guidelines, which can be totally ignored by
all the involved parties.
Local jurisdictions don't have the same high watermarks for their
guidelines, which is why it's almost always easier to prosecute under
local statutes.
> able to show that thousands of dollars of damage has been done. An
> unsuccessful breakin attempt doesn't cause a whole lot of financial
> damage. Then, even if you can show sufficient damage was done, you have a
> good chance of finding the person responsible is a minor (under 18 in the
> US), and the FBI can do nothing to them. I guess I was unfortunate that
> neither the compromised system nor the person who compromised it, nor any
> of the other systems he was traced to were in Oregon.
Yes, it would appear that you were. Once again though, the point of
legality/illegality isn't always the same as the point of prosecution. I
would suggest that all administrators who may have to deal with breakin
attempts spend some time with their general counsel, and learn about the
relevant laws. It's not certain that the investigating authorities will
know what is and isn't germane. If that fails, then there's always civil
court, which doesn't have the same burdens of proof, nor the same burdens
of federal prosecutor guidelines.
>
> > It happened to Randal Schwartz, read about it at
> > http://www.lightlink.com/spacenka/fors/
> >
> > Americans, it could happen to you next time, do something about it!
>
> Has anyone seriously looked into challenging the constitutionality of
> Oregon's computer crimes law?
Exactly which part of the US Constitution do you think is being violated?
Now, IANAL, nor is Constitutional law in my sphere of interest outside of
being a US Citizen, but I honestly don't see a conflict with the
Constitution, common sense, perhaps, but not the Constitution.
Here's the "everything else" clause from the Oregon law:
(4) Any person who knowingly and without authorization uses,
accesses or attempts to access any computer, computer system,
computer network, or any computer software, program,
documentation or data contained in such computer, computer
system or computer network, commits computer crime.
Paragraph 4 is the misdemeanor section, rm'ing a file maliciously can be
felonious in Oregon.
If we expect broadly encompassing local laws to continue, and in the case
of Oregon, I'd certainly never work there without doing so, I'd advise
anyone working in the computer field in such jurisdictions to look
seriously into getting a signed statement from a company officer giving
them the permission to access any and all systems or network components.
It's time that administrators started protecting themselves from such
laws.
Having seen that cases like the AA BBS where a California Adult BBS sysop
was successfully prosecuted in Tennessee for violating their community
standards sets some very interesting precedents about
cross-jurisdictional enforcement in the US.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280