Honeypots mailing list archives

Re: Legal Question about privacy


From: tcleary2 () csc com au
Date: Thu, 24 Jul 2003 16:14:42 +0800

> But if you break into the AT&T Phone network and then begin using their
> phones and talking about how you are going to "stick it to AT&T" then they
> should have a right to monitor your communication and trace your call.
> You broke into their equipment.  It's kind of like if I had two vehicles,
> one of which I didn't care about, and that one happened to get stolen.
> Then I contacted the police who tracked down the thief, but they told me
> that he could drive around in the car and do whatever he wanted until he
> decided to bring it back or wreck it.  Everyone would think that was
> crazy.


Dear Josh,

I was interested to read your email because I think your use of analogies 
from the law enforcement field is illuminating.

However, as an ex-cop I can give you a counter example that might be 
interesting.

Under U.K. law ( the type I used to enforce... ) you couldn't report a 
hire car stolen, or indeed if you lent your car to someone and they failed 
to return it ( cf. a honeypot where you permit a hacker to "drive" your 
system? )

The reason for this is that in order to have someone else take the wheel ( 
and thus the risks inherent in being a driver ) they must not have 
permission from the owner/keeper to drive the car away before they commit 
an offence.

In order to prove most offences, one of the fundamental principles is that 
of "unauthorised" activity.

One of the potential problems of trying to prove a crime with evidence of 
activities happening on a honeypot is that the "offender" may try to claim 
that because he could never affect anything outside the "playpen" and 
since he must have had implicit permission to get onto the box ( you did 
leave it insecure on purpose, right?  ;-) then he has not committed any 
crimes.

Letting people walk under such circumstances is the kind of thing courts 
do.....

Regards,

tom.

__________________________________________________
Security Consultant/Analyst
CSC
Ph: +61 8 9429 6478    Email: tcleary2 () csc com au