Security Basics mailing list archives
What is an illegal act
From: "Craig Wright" <cwright () bdosyd com au>
Date: Mon, 3 Apr 2006 08:19:40 +1000
Hello, There is a lot of confusion regarding what is an illegal act. In part, numerous people on the list think that a criminal act is the only type of illegal act. Any act that is a breach of primary, secondary or delegated legislation is illegal. Any administrative offence or breach of the common law is illegal. Some of the types of offences include: Strict liability offences - intention is not relevant Administrative offences Offences which act against the sanctity of the court or parliament (eg contempt) Civil offences (eg Tort actions) Criminal offences (offences that are listed on the local crimes act or equivalent. In each case there is also an issue of enforceability. Many actions are illegal but not enforceable. Any nation that has ratified the cyber crimes act (eg EU, US, NZ AU etc) will have to comply with the terms. How this is done is a matter for the local jurisdiction. Is Pen.Testing illegal without authorisation - easy yes. Is port scanning, yes - but this is more difficult. Port scanning (without authorisation) is illegal. The difficultly is that - 1 Without damage to the site being scanned - port scanning violations are not enforceable. It is still illegal but there can be no punishment. 2 Port scanning (without any resultant damage) is not a criminal offence unless the damage exceeds a set (local jurisdiction) amount 3 Civil action is available - but this requires something to act on (again damage etc) In the case of civil action with any level of damage, which would include an incident response there are actions that the site owner can take. They could act on the Tort of Negligence, the issue is that the damages awarded for this would likely be nominal at best and are unlikely to even cover costs. For this reason - few companies act on this as it is not a commercial decision. This does not make the act any more or less illegal. Speeding and doing 108k in a 100k zone is still illegal. It is not likely that you will be pulled over for this, but it is still an offence. It is also not likely that you will be charged for ever having port scanned (and not done anything else) a site. This does not make the act more than it is. It is still an illegal act. It is not a criminal act in itself, but this is not what is meant by illegal. In cases of criminal offences - proof is generally (not everywhere) beyond reasonable doubt (about 90% certain) In civil and administrative cases the proof is anything over 50% - balance of probability Further in a civil case, the onus is on the defendant to show that his/her action did not result in the damage. So lets take the case of port scanning. The server reboots and the database on the server (bad idea I know to have WWW and DB on the same system - but welcome to the real world) fails without a backup. A week before the company who owned the server/database had an evaluation of the worth of the IP on the database come in at $250,000 (not as large as you may think for a corporate IP database valuation as it includes cost to rebuild and recollate the data) In this case, the activity other than valid traffic at the time the server reboots is your port scan. The company decides to prosecute. The database in the US and your are in central Europe. Under the provisions of the Cybercrime treaty the company who owns the server can do 1 of several things, 1 Criminal Damage - in either jurisdiction 2 Action in Tort (negligence, trespass etc) 3 Action in Common law (in the US) for will 4 Violation of the patriot act - provisions for cyber trespass etc. The company can choose the action and jurisdiction to best suit their needs - not yours. If they have taken the action under a criminal sanction in their jurisdiction, they may seek to extradite you. There is not specific treaty for extradition needed - this is defined in the Cybercrime convention. If you are in a country that has ratified (all members of the EC included) this, than you have no way of stopping this other than to prove that you have not caused the damage. In the case of a civil action, this is started in the jurisdiction based on 2 factors, 1 Ability to enforce the judgement 2 the likely outcome (in the US there are punitive damages) An action in the US where damages are awarded may result in an action in your jurisdiction for enforcement as your jurisdiction will not necessarily recognise the decisions of the US court. So this may be a case in the US followed by a case in the place you come from to enforce the US decision. If the action is all within the same jurisdiction, than the issues are simplified. Either way - the end result is that you (the person port scanning) will be out of pocket. Laywers and advisors cost money. Lose and expect to have even more costs. Regards, Craig Dr Craig S Wright DTh MNSA MMIT CISA CISM CISSP ISSMP ISSAP G7799 GCFA AFAIM Manager - Computer Assurance Services BDO Chartered Accountants & Advisers Level 19, 2 Market Street, Sydney, NSW 2001 Telephone: +61 2 9286 5555 Fax: +61 2 9993 9705 Direct: +61 2 9286 5497 <Mailto:CWright () bdosyd com au> Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access. --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- What is an illegal act Craig Wright (Apr 03)
- Re: What is an illegal act D. Bolliger (Apr 05)
- <Possible follow-ups>
- Re: What is an illegal act Bob Radvanovsky (Apr 03)
- RE: What is an illegal act Craig Wright (Apr 06)
- Re: What is an illegal act D. Bolliger (Apr 06)