[1934] in linux-security and linux-alert archive


[linux-security] Re: WARNING: Break-in attempts

daemon@ATHENA.MIT.EDU (Paul D. Robertson)
Tue Jun 23 03:33:35 1998

Date: Mon, 22 Jun 1998 20:20:35 -0400 (EDT)
From: "Paul D. Robertson" <proberts@clark.net>
To: Jon Lewis <jlewis@inorganic5.fdt.net>
Cc: Rogier Wolff <R.E.Wolff@BitWizard.nl>,
  Shaun Hedges <shedges@shaw.wave.ca>, linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.95.980622184248.723f-100000@tarkin.fdt.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

On Mon, 22 Jun 1998, Jon Lewis wrote:

> This "authorization" issue is far too vague.  If I send a broadcast icmp
> echo request into some remote network because I'm scanning the net to make
> a list of possible smurf amp networks, is that unauthorized access?  If
> they don't want me sending icmp echo requests, they should filter them. If
> I run my copy of Word for Windows under WABI, is that unauthorized use of
> a licensed program?  Word was certainly not intended to be used under
> other operating systems.  If I run Crack on a system that I maintain, but
> my employer didn't specifically tell me to, is that unauthorized access?

Well, the last one at least has been at least partially answered.
 
> contract.  Maybe that's a huge stretch.

Grand Canyonish methinks.  I doubt you'd get the contracts part upheld 
anywhere anyway, it's too easy to put fun stuff in a contract ;)

> > (4) Any person who knowingly and without authorization uses,
> >     accesses or attempts to access any computer, computer system,
> >     computer network, or any computer software, program,
> >     documentation or data contained in such computer, computer
> >     system or computer network, commits computer crime.
> 
> This part is just too vague.  Is it a crime to ping a system in Oregon? 
> Nobody's given me authorization to do so.  The silver lining though is
> that this makes it pretty clearly a crime to relay spam through computers
> located in Oregon. 

It would seem that a broad interpretation would make it illegal to visit 
a Web site in Oregon without prior notice.  It was certainly eye-opening 
when I first read it.  

It's all bets off when the lawyers come to play.  
One of the things I think fairly critical in the whole notification 
argument comes from administrator liability.  If I *don't* report a 
break-in, and my company suffers harm, will the shareholders be able to 
file suit for negligence?  Some of the lawgeeks I've spoken to say this 
is inevitable.  I spent a lot of time going over this with some of our 
corporate counsel, who was of the opinion that "best common practice" was 
all that was necessary.  In the intervening time, it's been pointed out 
to me that BCP failed the legal test of time in about 1938 in a case of 
lifejackets and barges in the Great Lakes or something.  

The Trade Secrets Act also looked pretty worrying to me, and I'm glad the 
AG has made a crusade of approving every case, but political times 
change, and while we have laws like these on the books, it's more 
important to look at *what* behaviour is acceptable than the likelihood 
of currently getting a prosecution (from both sides of the fence).

I won't even run portscans for known friendlies anymore without 
permission in writing, but then I'm paranoid.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
