Security Basics mailing list archives

RE: application for an employment


From: "Craig Wright" <cwright () bdosyd com au>
Date: Mon, 3 Apr 2006 08:34:09 +1000


Hi,
In criminal offences there are both:
        1       Strict liability offences - i.e. manslaughter
        2       Actions which require Actus Reus and Mens Rea, this means a guilty mind, intent
                eg murder

The questions: did Matthias commit a criminal act? No. Was the act Matthias did illegal? Yes. Was the effect of the 
act Matthias did enforceable? Not unless he caused damage.

You may want to note that as of the 30th Apr 06 possession of tools (eg Nessus, John the cracker) will be illegal 
throughout the EU. There are exceptions. If you are in the role of a security tester (i.e. employed or freelance) then 
you are exempted.

Remember that illegal does not equal criminal - people keep forgetting this as well. It is illegal to exceed the 
posted speed limit, but you have to do it in a manner that is dangerous before you go to gaol.

Most young drivers who breach the speed limit do not intend damage when they hit an oncoming car after losing control. 
Most drink driving offences do not intend damage. There are many things that one may do without intending damage that 
result in damage.

Regards
Craig

-----Original Message-----
From: Hans Meier (John Doe) [mailto:security.department () tele2 ch]
Sent: 2 April 2006 9:19
To: Craig Wright; Güntert, Matthias; Ansgar -59cobalt- Wiechers
Subject: Re: application for an employment

Hi Craig

*sigh*, and no offence intended:

Below is kind of a "Lawyer's Hammer". With it you can, as a lawyer, stop every discussion with people not being a 
lawyer (the great majority in the world).

The thing Matthias did is, from a non-lawyer's perspective, *very* *very*
*simple*: He did something without bad intention and without damage to anybody (except maybe the law).

My impression is, generally speaking, that the simplified legal view of the world is compensated with the complexity of 
the laws [analogy: mathematics], developing into a weapon (there are, you know, countries where this kind of weapon is 
highly developed and highly disconnected from reality, causing much social damage).

Everybody who misses a lawyer capable of handling this sort of weapon is completely lost. I have known good people 
killed with such weapons (the lawyers said: Wrong! They killed themselves, we *just* followed the law).

But it's got off topic, admittedly.

Have a nice future,

Hans

Craig Wright am Sonntag, 2. April 2006 00.24:
Hi
The European Convention on Cybercrime was adopted by the Minister
Committee of the European Council on November 8, 2001. It was signed
by Germany and other member states of the European Council. It is,
however, yet to be ratified in Germany. This does not change the status of the bill.

The Bill is open to horizontal action and an individual in Germany (or
any other member state) could take the issue to the European court of
justice to force the German Govt. to enforce the provisions. A person
from any other member state could also enforce this against action
from an individual in other member states. This does not help with
action to/from non-member states.

In particular; Article 6: Misuse of devices/possession and misuse of
systems and tools that are suitable for carrying out an action as in
Article 2-5.

This article does not, however, refer to the unauthorized use of
security tools that are used for protective purposes, such as
penetration tests when authorised. However - this does foreclose
general use of the said tools without explicit authorization.

The fact that the German courts in 2000 dismissed a case based on port
scanning as the CLCA did not have provisions for use of the tools used
for port-scanning is irrelevant due to the signing of the convention in 2001.

As for access to any web server, Sec. 3 ZKDSG [prohibition of
commercial intervention to circumvent access control services] covers
this. Sec. 3 ZKDSG [prohibition of commercial intervention to
circumvent access control
services]: "1.) The production, import and distribution of
circumvention facilities for commercial purposes, 2.) the possession,
technical installation, maintenance and exchange of circumvention
facilities for commercial purposes and 3.) the promotion of
circumvention facilities are prohibited."

An access-controlled service is, for example, a password-protected WWW
or FTP server. The purpose of a penetration test is to circumvent an
existing security mechanism. This means that as soon as tools are used
to perform the penetration test (circumvention facilities), an
infringement of the ZKDSG is unavoidable. Thus it is advisable to
obtain the relevant permission from the authorized user in case of any
acts that could constitute a criminal offense.

There is an exclusion for valid testing services. This requires the
express authorisation of the site owner in writing.

I suggest that you have a read of the Treaty on European Union, i.e.
the Maastricht Treaty. Also read the Single European Act (SEA) 1987, the
directives on rights, and Article I-33 of the constitution for Europe.

Craig

PS doubt is never a qualification
PPS I hate looking up German law.
See -
Grundgesetz, Article 18 in respect to Article 14 on property rights.

See

Gesetz zum Schutz vor Mißbrauch personenbezogener Daten bei der
Datenverarbeitung

20 December 1990 (BGBl. I 1990 S. 2954), as amended by the law of 14
September 1994 (BGBl. I S. 2325)

See S.43

Telekommunikationsgesetz (Telecommunications Act), see provisions
under s.5

"The amended Data Protection Act of 1990 is also intended to protect
the individual from having his personal rights infringed upon"



      -----Original Message-----
      From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
      Sent: Sun 2/04/2006 7:26 AM
      To: Craig Wright
      Cc:
      Subject: Re: application for an employment

      On 2006-04-02 Craig Wright wrote:
      > Actually on a little research I suggest that you being German as you
      > have stated check the records associated with the Bundesgerichtshof.

      What decision exactly does IYHO support your claims? I am not aware of
      any.

      > You will find that most of your views on rights and property are wrong
      > in Germany even.

      I seriously doubt that. And I'm quite sure that my doubt (especially in
      this case) is one hell of a lot more qualified than your claim.

      Regards
      Ansgar Wiechers
      --
      "All vulnerabilities deserve a public fear period prior to patches
      becoming available."
      --Jason Coombs on Bugtraq



Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is
confidential. If you are not the intended recipient, you must not use
or disclose the information. If you have received this email in error,
please inform us promptly by reply email or by telephoning +61 2 9286
5555. Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual
sender. You may not rely on this message as advice unless it has been
electronically signed by a Partner of BDO or it is subsequently
confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.

