Re: What is an illegal act

["D. Bolliger" <info () dbolliger ch>]

Craig Wright am Donnerstag, 6. April 2006 00.06:
> Hi Dani,

Hi Craig

> Not all laws are based on legislation.
>
> > Is the fact that it , *sigh*, cannot be punished regrettable/unbearable?
>
> Not to me. There are others who would see this otherwise. I could not see
> myself even recommending an action against a person who even constantly
> scanned a site. I do not see that value of the action. This does not stop
> one being available. More on this in a follow-up post. I would not have
> taken the action that Sony has either, but my views on this are not of
> consequence.
> Commercial decision is right. Remember that many commercial firms think
> they are there to punish any transgressors of their rights (and this may
> lead to an action of the shareholders against the directors for taking an
> action against a person port scanning - but this is another issue again).

Maybe it's due to my bad english: I didn't get the impression that you 
described more the economical darwinism (the balances of power and the role 
of law in it) than your personal opinion.

I take this opportunity to try to stop further postings since my PONS is 
heavily used discussing with you :-)

I realized that one of the problems in this discussion spread over several 
threads was, in my view, the missing definition of several terms, starting 
with "port scanning" (what tools? how aggressive? how many ports? etc.). This 
complicates discussions in general.

[...]

> Do they try to stop all people port scanning them 
> - they can not just pick on arbitrary cases. They 
> need to demonstrate an intent to protect the property.

You refer to ICMP replies mentioned in another post, right?

> 2     Logs, They need to 
> have proof as well. Discovery will allow the defendant to see the logs -
> all of them. 

All logs that are not mine are in no way reliable for me (even my own are 
not always).

Even if the only traffic at reboot time was the port scan, I doubt this does 
manifest a proximate connection [de: Kausalzusammenhang] between the port  
scan and the reboot.
(maybe _sometimes_, and it could be seen from a core file or wherever, I don't 
know enough to assess that. I just know that normally a box does not reboot 
if portscanned [with appropriate care at least, in my experience])

[...]
> 3     The damage needs to be directly related to the action.

Again the problem with unreliable logs and the proximate connection ("directly 
related")

> This will answer the next question... 
>
> > I'll set up a box that crashes on every port scan. The box runs a database
> > . with a $300,000,000,000,000 thing. Of course I don't backup anything.
> > When I detect somebody port scanning having a lot of money, I take him to
> > court: "hey, I want some bucks. Want avoid that? Then prove that the
> > crash has nothing to do with your port scan!"
>
> First the claimant will only receive reasonable damages. (Lets ignore
> punitive cases in the USA). This would be the costs of recovery.

In the part snipped away you mentioned the value of the IP hold in a 
non-backed up database. My example of making money referred to that, just with 
augmented numbers.

[...]
> An example of a case where port scanner have caused reboots. A few years
> back, MS NT 4 had a few issues with TCP 135 and 1035. Certain scans that
> hit both these ports and closed "badly" would blue screen the system. If
> the drive had a corruption (lets take Exchange 5.5) on a file - data could
> be lost.

This example is really funny :-)
Best we don't discuss manufacturer specific crash features to keep the thread 
short :-)

> As for the disclaimer. This is a firm standard. It is a generalised
> disclaimer that I have no way of changing. 

Ok, I did not consider that. 

[...]

Dani

> -----Original Message-----
> From: D. Bolliger [mailto:info () dbolliger ch]
> Sent: 5 April 2006 7:47
> To: security-basics () securityfocus com
> Subject: Re: What is an illegal act
>
> Hello all,
>
> This thread has been separated from "application for an employment" by
> Matthias Güntert. My intention is not to discuss the difference between
> legal and criminal per se, but with respect to the discussion mentioned.
>
> Craig Wright am Montag, 3. April 2006 00.19:
> > Hello,
>
> Hello Craig
>
> please excuse my tone (if appropriate, english is not my native language)
> and the sarcasm found in this reply.
>
> > There is a lot of confusion regarding what is an illegal act. In part,
> > numerous people on the list think that a criminal act is the only type
> > of illegal act.
>
> The wording "is" suggests an objective observation about reality. But your
> statement covers a linguistic, a juridical definition, an abstractum
> slipped over reality by interested parties.
>
> Most people on this list (I think) are more technically focused than
> juridical. That (partially) explains the "confusion" (the term as you use
> it here makes only sense in the "juridical universe" provided by the
> lawyer's view).
>
> [snipped away a more detailed description of the juridical view]
>
> > In each case there is also an issue of enforceability.
> > Many actions are illegal but not enforceable.
>
> speak: an issue of power of the interested parties to invent laws and
> pushing them into legislation by powerful lobbying.
>
> "Who has the power, is right" (who said that again?)
>
> [...]
>
> > Is port scanning [illegal], yes - but this is more difficult.
>
> Good oportunity to refrain from yes-no / black-white polarity: Non-lawyers
> say something like "maybe", "depends", "sometimes" etc. instead of "yes -
> but this is more difficult".
>
> > Port scanning (without authorisation) is illegal. The difficultly is that
> > - 1 Without damage to the site being scanned
>
> Is it really so easy? Is there a straightforward (technical!) connection
> between port scanning and producing damage? I have big doubts on that.
>
> >     - port scanning
> > violations are not enforceable. It is still illegal but there can be
> > no punishment.
>
> Is the fact that it , *sigh*, cannot be punished regrettable/unbearable?
>
> To me, this statement expresses something only of interest for lawyers, and
> irrelevant for others, since it has no consequences for them.
>
> >     2       Port scanning (without any resultant damage)
>
> Again: The connection, expressed by "resultant", is not as straightforward
> as this rhetoric suggests.
>
> >     is not a
> > criminal offence unless the damage exceeds a set (local jurisdiction)
> > amount
> >     3       Civil action is available - but this requires something
> > to act on (again damage etc)
> >
> > In the case of civil action with any level of damage, which would
> > include an incident response there are actions that the site owner can
> > take. They could act on the Tort of Negligence, the issue is that the
> > damages awarded for this would likely be nominal at best and are
> > unlikely to even cover costs. For this reason - few companies act on
> > this as it is not a commercial decision.
>
> Now we get nearer to the point: "commercial decicion" is the keyword here.
> Think SCO.
>
> [snipped further details of the juridical universe]
>
> > In cases of criminal offences - proof is generally (not everywhere)
> > beyond reasonable doubt (about 90% certain) In civil and
> > administrative cases the proof is anything over 50% - balance of
> > probability
>
> And the probability is obvious. By no means influenced by rhetoric,
> convincing the judges, having better lawyers (and more money to pay them),
> more time resources... ;-)
>
> > Further in a civil case, the onus is on the defendant to show that
> > his/her action did not result in the damage.
>
> That's very nice for the suitor... How to prove *not* done the damage? This
> demand is kafkaesque!
>
> > So lets take the case of port scanning.
>
> Yes, let's take this case:
> > The server reboots and the
> > database on the server (bad idea I know to have WWW and DB on the same
> > system - but welcome to the real world) fails without a backup. A week
> > before the company who owned the server/database had an evaluation of
> > the worth of the IP on the database come in at $250,000 (not as large
> > as you may think for a corporate IP database valuation as it includes
> > cost to rebuild and recollate the data)
>
> I'll set up a box that crashes on every port scan. The box runs a database
> with a $300,000,000,000,000 thing. Of course I don't backup anything. When
> I detect somebody port scanning having a lot of money, I take him to court:
> "hey, I want some bucks. Want avoid that? Then prove that the crash has
> nothing to do with your port scan!"
>
> > In this case, the activity other than valid traffic at the time the
> > server reboots is your port scan.
>
> And maybe my extraordinary honest hard work makes me a rich man. ;-)
>
> Sorry, there is a lack of technical understanding concerning port scans and
> its effects.
>
> > The company decides to prosecute. The database in the US and your are
> > in central Europe. Under the provisions of the Cybercrime treaty the
> > company who owns the server can do 1 of several things,
> >     1       Criminal Damage - in either jurisdiction
> >     2       Action in Tort (negligence, trespass etc)
> >     3       Action in Common law (in the US) for will
> >     4       Violation of the patriot act - provisions for cyber
> > trespass etc.
> > The company can choose the action and jurisdiction to best suit their
> > needs - not yours.
>
> Comfortable for the company and its lawyers!
>
> > If they have taken the action under a criminal sanction in their
> > jurisdiction, they may seek to extradite you. There is not specific
> > treaty for extradition needed - this is defined in the Cybercrime
> > convention. If you are in a country that has ratified (all members of
> > the EC included) this, than you have no way of stopping this other
> > than to prove that you have not caused the damage.
> >
> > In the case of a civil action, this is started in the jurisdiction
> > based on 2 factors,
> >     1       Ability to enforce the judgement
> >     2       the likely outcome (in the US there are punitive
> > damages)
> > An action in the US where damages are awarded may result in an action
> > in your jurisdiction for enforcement as your jurisdiction will not
> > necessarily recognise the decisions of the US court. So this may be a
> > case in the US followed by a case in the place you come from to
> > enforce the US decision.
> >
> > If the action is all within the same jurisdiction, than the issues are
> > simplified.
>
> Or: If the action is *not* within the same jurisdiction, then the issues
> are more *complicated*. This way to express it would be more precise, since
> the normal case (in the sense of well known, traditional) is a locally
> handled jurisdiction.
>
> But let's complicate the rules of the game by expanding it on a global
> level. More to earn then.
>
> > Either way - the end result is that you (the person port scanning)
> > will be out of pocket. Laywers and advisors cost money. Lose and
> > expect to have even more costs.
>
> Now we reached the point. Thanks for your honesty.
>
> [...]
>
> > DISCLAIMER
> > The information contained in this email and any attachments is
> > confidential.
>
> Please elaborate on (private) confidentiality on a (public) mailing list.
>
> > If you are not the intended recipient,
>
> How can I decide that? Who are the intended recipients? Are there any non
> intended recipients? May I forward your posting?
>
> [...]
>
> Dani

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------