[1934] in linux-security and linux-alert archive
[linux-security] Re: WARNING: Break-in attempts
daemon@ATHENA.MIT.EDU (Paul D. Robertson)
Tue Jun 23 03:33:35 1998
Date: Mon, 22 Jun 1998 20:20:35 -0400 (EDT)
From: "Paul D. Robertson" <proberts@clark.net>
To: Jon Lewis <jlewis@inorganic5.fdt.net>
Cc: Rogier Wolff <R.E.Wolff@BitWizard.nl>,
Shaun Hedges <shedges@shaw.wave.ca>, linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.95.980622184248.723f-100000@tarkin.fdt.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

On Mon, 22 Jun 1998, Jon Lewis wrote:
> This "authorization" issue is far too vague. If I send a broadcast icmp
> echo request into some remote network because I'm scanning the net to make
> a list of possible smurf amp networks, is that unauthorized access? If
> they don't want me sending icmp echo requests, they should filter them. If
> I run my copy of Word for Windows under WABI, is that unauthorized use of
> a licensed program? Word was certainly not intended to be used under
> other operating systems. If I run Crack on a system that I maintain, but
> my employer didn't specifically tell me to, is that unauthorized access?

Well, the last one at least has been at least partially answered.

> contract. Maybe that's a huge stretch.

Grand Canyonish methinks. I doubt you'd get the contracts part upheld
anywhere anyway, it's too easy to put fun stuff in a contract ;)

> > (4) Any person who knowingly and without authorization uses,
> > accesses or attempts to access any computer, computer system,
> > computer network, or any computer software, program,
> > documentation or data contained in such computer, computer
> > system or computer network, commits computer crime.
>
> This part is just too vague. Is it a crime to ping a system in Oregon?
> Nobody's given me authorization to do so. The silver lining though is
> that this makes it pretty clearly a crime to relay spam through computers
> located in Oregon.

It would seem that a broad interpretation would make it illegal to visit
a Web site in Oregon without prior notice. It was certainly eye-opening
when I first read it.

It's all bets off when the lawyers come to play.

One of the things I think fairly critical in the whole notification
argument comes from administrator liability. If I *don't* report a
break-in, and my company suffers harm, will the shareholders be able to
file suit for negligence? Some of the lawgeeks I've spoken to say this
is inevitable. I spent a lot of time going over this with some of our
corporate counsel, who was of the opinion that "best common practice" was
all that was necessary. In the intervening time, it's been pointed out
to me that BCP failed the legal test of time in about 1938 in a case of
lifejackets and barges in the Great Lakes or something.

The Trade Secrets Act also looked pretty worrying to me, and I'm glad the
AG has made a crusade of approving every case, but political times
change, and while we have laws like these on the books, it's more
important to look at *what* behaviour is acceptable than the likelihood
of currently getting a prosecution (from both sides of the fence).

I won't even run portscans for known friendlies anymore without
permission in writing, but then I'm paranoid.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280