Security Basics mailing list archives

RE: application for an employment


From: "Craig Wright" <cwright () bdosyd com au>
Date: Wed, 29 Mar 2006 08:53:40 +1100


Hello,
First to your "Man in the Piddle attack". You would be guilty of any
strict liability offences. You would also be liable under offences where
negligence is involved. "Piddling" on the wall - missing the bowl etc. is
damage (I would not want to clean after you ;). There are defences to
criminal trespass; being drunk would likely excuse you if you did not
damage anything.

Being drunk is not an excuse - unless you can show (proof is with you)
that you did not voluntarily drink the alcohol. There are numerous
people who have spent a few nights in the lockup for drunken escapades.

There is a difference in Port scanning and vulnerability scanning - the
law can treat these differently. Port scanning is not a criminal action
UNLESS you cause damage. Damage includes causing a system to reboot. In
the US damage is generally held (state by state varies) at being a
minimum of $5,000. Getting an incident team in to investigate the reboot
will cost more than 5k.

Scanning across international boundaries does not make anything more or
less legal. It makes enforceability more difficult. Action would need to
first be brought in the country you scanned and then that country would
need to seek to enforce its orders under treaty rights. Scanning within
Europe is an easy case. EC laws make criminal enforcement for all EU
violations simple (in comparison).

In cases where there is no treaty - things are more difficult. You may
have action decided but not be able to enforce it. Sometimes it is
easier to just contact the embassy of the nation involved. They may or
may not do anything depending on the political climate. Port scanning in
Nth Korea or China (without government permits etc) is an offence (as is
owning the tools). Prove (and this is proof to a criminal level) who
scanned you in Cn and the Chinese govt. may have the person shot (this
is an ethical decision to make before you report to these countries).

In most western countries, port scanning (and note port scanning - not
vulnerability scanning) is not strictly illegal. Remember however that
any damage makes the act illegal and criminal in many jurisdictions. The
risk of causing damage may not be great, but the impact is. Thus the
risk of doing this without authorisation is not worth the benefit.

Regards
Craig

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m () subway com]
Sent: 28 March 2006 2:18
To: security-basics () securityfocus com
Subject: RE: application for an employment

When I was a wayward teenager, I once got very drunk during a KISS FM
summer roadshow. The result of three hours of solid drinking in the sun
was a very full bladder. Now, for some unknown reason I decided to tag
onto a group of people that I had never met before and I actually
managed to walk into their house un-noticed by them until we all got
into the kitchen. There I was challenged by someone along the lines of,
"Who the hell are you," (but with more, uhh, brio) at which point I
replied that I needed to use their toilet.
Needless to say they refused and politely, if a little roughly, ejected
me forthwith.

Now you could say that I was port scanning in the hope of finding
somewhere to dump data that did not belong to the owners of the house
in question. Or something. Maybe I've got this whole analogy thing the
wrong way round.
Perhaps you could say that I was attempting a Man in the Piddle attack.
I don't know. The port scanning issue is such a nebulous one, especially
when applied across international boundaries. What does the law say
where YOU are? What does the law say where you are about scanning OTHER
countries?
What does the law in another country say about you scanning their
country from somewhere else? As someone has pointed out (and I'll defer
to them on this point) the scanning is not illegal in Germany, with the
usual conditions of course.

Is it unethical? Hmmm.
Should he tell the Uni? I don't think so. Not until he works out how
they operate.

Also, has Matthias posted with his real name? This whole thread would no
doubt show up on a quick Google.....will they bother doing that? If the
employers know anything about modern hiring resources then I'd expect
them to....

Regards
Murad Talukdar

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Tuesday, March 28, 2006 5:18 AM
To: 'Craddock, Larry'; security-basics () securityfocus com
Subject: RE: application for an employment

  It's more like throwing a stone at a window to see if it's open.
Sometimes the stone bounces off the closed window, sometimes it sails
through the open window, and sometimes it *breaks* the window.
"I only wanted to find out if the window was open or closed" is not
generally considered an excuse to avoid responsibility for the broken
pane....

David Gillett
