[Fwd: Civil Disobedience]

[Blue Boar <BlueBoar () thievco com>]

> From an anonymous contributor.

                                BB

> --Message-->
>
> This discussion has brought 2 points to my attention. Firstly, the port
> scanning being classified as an offence/attack. This *must* have some kind
> of limitations set on it. For example, my ISP conducts routine scans on
> their customers machines to ensure people aren't running public servers for
> eg., which would be in breach of the T&C of the service. Under this bill,
> because my ISP is probing my machine, does that make their actions illegal?
> I doubt I'd have any luck trying to bring a prosecution against them under
> this law. This would therefore set a precedent, which any good lawyer will
> be able to manipulate. This happens with any new and "radical" law - test
> cases come before the courts, and the results of these have a huge bearing
> on the interpretation of the statutes. However, ignoring that for the
> moment, consider an organisation like ORBS. Are they now in contravention of
> this law by scanning random machines outside of their control for a specific
> (excuse the loose phrase) "exploit", ie: open relay?
>
> But onto the more worrying part of this. From the message below:
>
> > To qualify, an intrusion or attack would
> > have to cause one
> > of the following:
> <snip>
> > 2) physical injury to any person;
> > 3) a threat to public health or safety
>
> This is a problem. A *BIG* problem. In my country we have 2 legal "tests",
> to assist in determining innocense or guilt. Firstly, the "Reasonable Man"
> test. This states that under the circumstances in question, what would any
> normal, reasonable human being do. For example, I try to telnet to my own
> server, and mistype the IP. I end up connecting to somebody else's server,
> and r00t it by accident. The "Reasonable Man" test says that I should
> disconnect from the system and possibly inform the system owner. Secondly,
> the "Egg Shell Skull" rule. This rule states that you are responsible for
> the end result of your actions regardless of whether they were intended or
> not. For example: "egg shell skull" is a medical condition where the
> sufferer has an extremely thin skull. If I was to hit a *normal* person
> round the head with an empty plastic bag, they may fall down but not sustain
> any injury. However, if I hit a person with an egg shell skull in the same
> way, I would kill them. In court, you would be tried on the basis of
> murder/manslaughter - it is irrelevant that you never intended to kill this
> person, and you had no way of knowing what the outcome of your actions were.
>
> Excuse the long description, however there is a reason. I work for a company
> that provides support to   a company that sells "items" to the public (sorry
> for the obfuscation). These items will almost certainly cause death or
> serious injury if the stringent safety procedures are not met. Because we
> support the networks of this company, we have direct access from our offices
> via WAN links to the company in question. This means we can access the
> servers that are responsible for the manufacturing & safety processes.
>
> Now, imagine if an attacker tried to penetrate our network. There is nothing
> immediately obvious to warn an attacker of the above information. Assume
> they got past the first firewall and no further. Any good lawyer could
> present an argument that showed the attacker had broken rules 2 and 3 above.
> Using the reasonable man test, the attacker is guilty (a reasonable human
> would not try to hack a private system). Also, by penetrating the network,
> the attacker has no way of knowing what downstream effects they have caused
> (say the attacker changed the system clock on a server to mask his
> presence). It would be fairly easy to show that changing the time affected
> time based transaction systems, which in turn affected machines controlling
> safety procedures, which in turn means that the safety compliance status
> cannot be verified, thus causing a threat to public health & safety. Using
> the egg shell skull rule, this attacker is in serious danger of being
> prosecuted for manslaughter (you are responsible for the end result,
> regardless of your intentions), and they've not even touched anything.
>
> Now you may consider this a little far fetched or a stretch, and admittedly
> the last manslaughter part may be. However, look at Mitnick, SK8, and the
> multitude of others in their position. All treated with rules that bend more
> than my flexible American Express friend. Plenty of people look at
> contemporary legal decisions and quite rightly call them insane, illogical
> or bizzare. But these decisions stand nonetheless. Lawyer: "But Mr hacker,
> can you prove beyond all reasonable doubt that your accessing of this
> network did not in any way affect any other systems". Hacker: "No, I can't".
> Judge: "Here, have 25 to life".....
>
> Just my opinion.