Security Basics mailing list archives
RE: application for an employment
From: "Ramsdell, Scott" <sramsdell () stinsonmoheck com>
Date: Mon, 3 Apr 2006 13:06:00 -0500
Craig Wright has tried exhaustively to clear this issue up. David Gillett provided an excellent "throw a rock at a window to see if it's open" analogy. Hans (sorry, deleted the email and don't have the last name) suggested the misunderstanding on this thread is a difference in societal customs and norms. All very good points and well made.

I would like to contribute the following for anyone who may still be uncertain, and who can recognize the intellectual recklessness of at least one other outspoken poster in this thread. I would like to return to two of the previous points, expressing them with a real world analogy. The points I would like to address are that (1) IP addresses are public (the point was inferred then that the public can do with them as they will), and (2) how does Google get permission to visit my site?

My family has brick and mortar businesses in the US. These businesses are "open to the public". There needs to be a very clear point made here: the businesses are private, they were financed privately by those who registered properly to offer goods to the public. The businesses are by no means offered by a government as public resources, forced to endure the abuse from society's lowest common denominator. My family's businesses have one door open to the public, the front door. It is clearly labeled as the front door of a publicly available business, and well understood by the US public to be the proper way to gain access to the publicly available goods inside.
The following will get you arrested at my family's businesses:

1) coming in through the back door, locked or not, even during business hours (analogous to coming in on an admin port)
2) coming in through the window, locked or not, even during business hours (analogous to coming in on an unknowingly improperly configured service's port)
3) standing in the front doors and not letting others in (analogous to a DoS)
4) continuously entering and leaving the front doors, preventing others from coming or going (analogous to a half-open syn attack)
5) entering the premises through the publicly available front door and shoplifting (analogous to coming in over port 80 and stealing my documents you weren't supposed to have)
6) standing out front of my family's publicly available store with no intent to enter talking to customers (gathering reconnaissance, perhaps to have an adult purchase alcohol or cigarettes (MitM attack), loosely analogous to port scanning)
7) standing across the street and staring at the store for an extended period of time (gathering reconnaissance, perhaps to find social engineering possibilities, again loosely analogous to a port scan)
8) posing as a vendor/supplier/etc. (analogous to impersonation)

Each of the above real world possibilities would be precipitated with "casing". "Casing" is illegal, because of the intent. My family's stores are "public". That in no way implies the public has any say over how the resources of the store are used. Abuses will be punished. How does the public get approval to enter the stores? By using the front door and obeying commonly understood and accepted social practices.

-Scott

-----Original Message-----
From: Craig Wright [mailto:cwright () bdosyd com au]
Sent: Sunday, April 02, 2006 8:24 PM
To: Ansgar -59cobalt- Wiechers
Cc: security-basics () securityfocus com
Subject: RE: application for an employment

Hello Ansgar,

You are failing to understand the distinction between illegal and criminal.
The fact that you are not able to be charged or that there is not any enforceable action available does not stop an action being illegal. The fact that there is not a penal code associated with an action also does not make it legal. This is a condition associated with enforceability.

As for reading up the articles, Ansgar - I have. I have formal training in EU law and International commercial law. You?

In the case where a party to the treaty (i.e. a nation) has not ratified the legislation the court has to approach the International court of justice for directions. These directions are binding under the treaty.

In reference to; "It does for at least the public facing pages." does not refer to public facing servers. In no way is it valid to argue that the external interface of a VPN concentrator is available for public use.

My legal training may be English (and Australian), but the EU treaty is the same. As far as the conditions associated with the ratification of the conventions is concerned it does not matter that you are German, English etc. You are also taking the document at face value without looking to the related data needed to interpret it.

You asked what EM is, "EM" is Explanatory Memorandum. From this you will note that "A port scan is not punishable under the Penal Code. For an explanation, please refer to Chapter 4 of this manual" This means that the act is not to be treated as criminal. This does not make the act unactionable as a civil violation or an administrative offence. That is, it is still illegal, but only actionable if there is resultant damage. Again - illegal and criminal are not the same. Trying to treat them as such is wrong. Criminal is a subset of illegal. Illegal is the superset.

You also forget that many sites use publicly routed addressing behind a firewall. So attempting to scan these is an attempt to scan a protected device.

To conclude, this is not as far as I have been concerned a private conversation.
At no point have you stated that it was to me. It is a thread from a list, started on a list. Unless you state it to be private and off the list I will not assume that this is the manner of the communication. In this I have received messages that have been BCC'd to the list from yourself. I do not wish to ascertain your thoughts, so unless you state the conversation to be private and I agree to this, I will assume that it is not. This is not a communication started in a private manner.

Regards
Craig

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: 3 April 2006 10:43
To: Craig Wright
Cc: security-basics () securityfocus com
Subject: Re: application for an employment

On 2006-04-03 Craig Wright wrote:
>> I don't know why you are taking a private conversation back on-list,
>> but so be it.
> As I am having the same conversation with multiple people on and off
> the list it is simpler to have it on the list.
Then I suggest you ask for permission to do so first, because dragging private communication into public is not only offensive but may be considered an actual offense under German jurisdiction (the BGH already decided on this, see Az. I ZR 211/53).
>>> In particular; Article 6: Misuse of devices/possession and misuse of
>>> systems and tools that are suitable for carrying out an action as in
>>> Article 2-5.
>> You obviously fail to understand that for these articles to apply I
>> have to actually do something illegitimate. However, contrary to your
>> belief using a portscanner to find out what services a host provides,
>> or even using an open relay to send out mail (as long as it's not
>> spam, but this is covered by other laws), is NOT illegal.
> Actually, you fail to comprehend that these are being setup as strict
> liability offenses. This is similar to how a parking ticket is strict
> liability as a simplistic way of explaining the concept. Just as you
> do not need to have intent to get a parking ticket - you do not need
> intent for the A 2.5 issues.
Wrong. Each of the articles 2 through 5 and also article 6 *expressly* state "when committed intentionally". Read it up. And the discussed matter is still not subject to these laws, because all of them require that either the action was illegal to begin with or that at least some actual damage was done. The former is not the case and the latter is not subject to this discussion, no matter how often you try to bring it in.
>> No. This is exactly the point where you are wrong. I do have the
>> right to access a host without getting explicit permission
>> beforehand, so these laws simply don't apply.
> EM paragraphs 47-48, 58, 62, 68 and 77
What is "EM" supposed to mean? The European convention on cyber-crime has only 48 articles, and I fail to see what other document you might be referring to by that abbreviation.
> also make clear that the use of such tools for the purpose of security
> testing authorized by the system owner is not a crime. You are not the
> system owner or as a member of the public authorised.
As long as they say nothing about a general prohibition it doesn't matter in which cases they are expressly allowed. That's just examples.
>> However, what service a host on the Internet is running, does in no
>> way qualify as privacy-related data.
> Actually it can and generally does -
No. If you really believe so, you are misinterpreting the term privacy as it is used in the BDSG. Privacy-related data are data that can be associated with a person (like address, date of birth, license number, medical records, etc.). The term does not generally refer to all data that may be considered private.
> just as a system has some public facing pages does not make it all
> public information.
It does for at least the public facing pages. [ Article 6 snipped ]
> Article 5 - transmitting data without right that causes harm. If the
> port scanner intentionally or not causes a system to reboot for
> whatever reason, then there is an offence. What you feel, like want -
> irrelevant.
This is NOT what article 5 says. You may want to make a reality-check:

| Article 5 - System interference
|
| Each Party shall adopt such legislative and other measures as may be
| necessary to establish as criminal offences under its domestic law,
| when committed intentionally, the serious hindering without right of
| the functioning of a computer system by inputting, transmitting,
| damaging, deleting, deteriorating, altering or suppressing computer
| data.

You'll note that contrary to your belief the article actually does say that intent is a required precondition. You'll also note, that the article talks about "serious hindering". Whether a single reboot would qualify as such is arguable. And I already said from the beginning that one in fact may be held liable for causing damage, even if it was done unintentionally. However, this does by no means imply that the action leading to the damage was illegal to begin with.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

This communication is from a law firm and may contain confidential and/or privileged information. If it has been sent to you in error, please contact the sender for instructions concerning return or destruction, and do not use or disclose the contents to others.
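The whole thread turns on what a port scanner actually does and learns ("find out what services a host provides", the "half-open syn" item in the list above, scanning hosts behind a firewall). The following Python script is an added illustration written for this archive page; it is not code from any of the posters. It runs a plain TCP connect() scan of 127.0.0.1 against a listener it starts itself, so it touches nothing outside the local machine, and it classifies each probed port the way a scanner would: the three-way handshake completes (open), the target answers with a reset (closed), or nothing comes back before the timeout (filtered, the usual signature of a firewall that drops the SYN). The listener, the choice of ports and the 0.5 second timeout are assumptions made for the demo. A half-open SYN scan, which sends the SYN and never completes the handshake, needs raw sockets and is deliberately not shown; note that the connect() variant below leaves a completed connection in the target's accept queue, which is exactly the trace an administrator sees in logs.

```python
"""TCP connect() scan of loopback against a listener we start ourselves.

Added example for the archive page, not code from the thread. Everything
here stays on 127.0.0.1; the listener and the ports are constructed for
the demo.
"""
import socket


def start_listener(host="127.0.0.1"):
    """Bind a TCP listener on an ephemeral port and return (socket, port).

    Assumption for the demo: this stands in for a real service. The
    kernel completes handshakes into the backlog even though we never
    call accept(), which is all a connect() scan needs to see "open".
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Reserve and immediately release an ephemeral port.

    Used only to obtain a port that is (almost certainly) closed, so the
    demo has a known-closed target next to the known-open one.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Classify one port the way a connect() scanner does.

    open     -> full three-way handshake completed (SYN, SYN/ACK, ACK)
    closed   -> the target answered the SYN with RST (connection refused)
    filtered -> no answer before the timeout (typical of a dropping firewall)
    error    -> any other socket failure (unreachable host, etc.)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"
        # connect() returned: the handshake completed and the target now
        # has a fully established connection from us in its accept queue.
        return "open"


def scan(host, ports, timeout=0.5):
    """Probe each port in turn and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def demo():
    """Start a listener, scan it plus a known-closed port, tear down.

    Returns (open_port, closed_port, results) so the outcome can be checked.
    """
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    op, cp, res = demo()
    for port, state in sorted(res.items()):
        print(f"127.0.0.1:{port} {state}")
```

Run it as a script and it prints one line per probed port; the listener's port reports open and the released port reports closed. Point `scan()` at a non-loopback address and filtered results start to appear for hosts whose packet filter silently drops the SYN, which is the "publicly routed addressing behind a firewall" case Craig raises above.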
Current thread:
- RE: application for an employment, (continued)
- RE: application for an employment Craig Wright (Apr 03)
- RE: application for an employment Craig Wright (Apr 03)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Apr 03)
- Re: application for an employment Anthony Ettinger (Apr 03)
- RE: application for an employment Mike Fetherston (Apr 03)
- RE: application for an employment Craig Wright (Apr 03)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Apr 03)
- RE: application for an employment Craig Wright (Apr 03)
- Re: application for an employment Raoul Armfield (Apr 03)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Apr 04)
- RE: application for an employment Ramsdell, Scott (Apr 03)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Apr 05)
- RE: application for an employment John E. Fleming (Apr 03)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Apr 05)
- RE: application for an employment onowlin (Apr 03)
- RE: application for an employment Craddock, Larry (Apr 03)
- RE: application for an employment Craig Wright (Apr 03)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Apr 03)
- Re: application for an employment c.s.wright (Apr 04)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Apr 04)
- Re: Port scanning/illegalities Ansgar -59cobalt- Wiechers (Apr 05)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Apr 04)