Vulnerability Development mailing list archives
[Fwd: Civil Disobedience]
From: Blue Boar <BlueBoar () thievco com>
Date: Tue, 16 Oct 2001 09:11:37 -0700
From an anonymous contributor.
BB
--Message-->

This discussion has brought 2 points to my attention.

Firstly, the port scanning being classified as an offence/attack. This *must* have some kind of limitations set on it. For example, my ISP conducts routine scans on their customers' machines to ensure people aren't running public servers, for example, which would be in breach of the T&C of the service. Under this bill, because my ISP is probing my machine, does that make their actions illegal? I doubt I'd have any luck trying to bring a prosecution against them under this law. This would therefore set a precedent, which any good lawyer will be able to manipulate. This happens with any new and "radical" law - test cases come before the courts, and the results of these have a huge bearing on the interpretation of the statutes. However, ignoring that for the moment, consider an organisation like ORBS. Are they now in contravention of this law by scanning random machines outside of their control for a specific (excuse the loose phrase) "exploit", i.e. an open relay?

But on to the more worrying part of this. From the message below:

> To qualify, an intrusion or attack would have to cause one of the following:
> <snip>
> 2) physical injury to any person;
> 3) a threat to public health or safety

This is a problem. A *BIG* problem. In my country we have 2 legal "tests" to assist in determining innocence or guilt.

Firstly, the "Reasonable Man" test. This states that under the circumstances in question, what would any normal, reasonable human being do. For example, I try to telnet to my own server, and mistype the IP. I end up connecting to somebody else's server, and r00t it by accident. The "Reasonable Man" test says that I should disconnect from the system and possibly inform the system owner.

Secondly, the "Egg Shell Skull" rule. This rule states that you are responsible for the end result of your actions regardless of whether they were intended or not. For example: "egg shell skull" is a medical condition where the sufferer has an extremely thin skull. If I were to hit a *normal* person round the head with an empty plastic bag, they may fall down but not sustain any injury. However, if I hit a person with an egg shell skull in the same way, I would kill them. In court, you would be tried on the basis of murder/manslaughter - it is irrelevant that you never intended to kill this person, and you had no way of knowing what the outcome of your actions would be.

Excuse the long description; however, there is a reason. I work for a company that provides support to a company that sells "items" to the public (sorry for the obfuscation). These items will almost certainly cause death or serious injury if the stringent safety procedures are not met. Because we support the networks of this company, we have direct access from our offices via WAN links to the company in question. This means we can access the servers that are responsible for the manufacturing & safety processes.

Now, imagine if an attacker tried to penetrate our network. There is nothing immediately obvious to warn an attacker of the above information. Assume they got past the first firewall and no further. Any good lawyer could present an argument that showed the attacker had broken rules 2 and 3 above. Using the reasonable man test, the attacker is guilty (a reasonable human would not try to hack a private system). Also, by penetrating the network, the attacker has no way of knowing what downstream effects they have caused (say the attacker changed the system clock on a server to mask his presence). It would be fairly easy to show that changing the time affected time-based transaction systems, which in turn affected machines controlling safety procedures, which in turn means that the safety compliance status cannot be verified, thus causing a threat to public health & safety.

Using the egg shell skull rule, this attacker is in serious danger of being prosecuted for manslaughter (you are responsible for the end result, regardless of your intentions), and they've not even touched anything.

Now you may consider this a little far-fetched or a stretch, and admittedly the last manslaughter part may be. However, look at Mitnick, SK8, and the multitude of others in their position. All treated with rules that bend more than my flexible American Express friend. Plenty of people look at contemporary legal decisions and quite rightly call them insane, illogical or bizarre. But these decisions stand nonetheless.

Lawyer: "But Mr Hacker, can you prove beyond all reasonable doubt that your accessing of this network did not in any way affect any other systems?"
Hacker: "No, I can't."
Judge: "Here, have 25 to life."....

Just my opinion.