RE: Off topic: what is sensitive information on a website?

[Michael Silk <michaelsilk () gmail com>]

My opinion would be if you think you are doing something wrong, then
it probably are.

I.e. consider the Irishman named "O'reilly", if he types that in as
his username, and causes an error code, is he performing an illegal
act? No. But say you do it, "with intent" to causing an error, which
would then provide you with more information which you intend to use
to break into the system, then yes - you are performing an illegal
act.

Anyway, what answer are you looking for here? 

The best person to ask here is a lawyer (even if you think they don't
know what they are talking about), because if you get into trouble,
they will be the ones representing you :)

-- Michael


> -----Original Message-----
> From: Dave Ryan [mailto:dave () mongers org] 
> Sent: Friday, 28 January 2005 11:25 PM
> To: webappsec () securityfocus com
> Subject: Off topic: what is sensitive information on a website?
>
> Hi list,
>
> This is possibly off topic, but I figured that the technical 
> experts in the field were better positioned to offer a 
> helpful answer/opinion to my questions.
>
> In the course of accessing a website (which, for our 
> purposes, we will consider as "the platforms necessary to 
> deliver the services provide") what constitutes legal and 
> illegal access to information?
>
>     1.  Is an authentication and authorisation procedure required to
>         grant access to what $SITEX deems sensitive? What is 
> the minimum
>         requirement for distinguishing between public/sensitive
>         information? At what point must a user be notified about this?
>
>     2.  Must information be classified? Must users of the site,
>         regardless of whether they are authorised to access sensitive
>         information be notified that certain information is stored on
>         the site and authorisation must be granted prior to accessing?
>         (again, this relates to 1)
>
>     3.  In the absence of an authentication/authorisation procedure,
>         what constitutes as protection for the information? 
> For example
>         if I attempt to inject SQL into a database to return data, but
>         this data has not been marked sensitive (i.e. the 
> site security
>         policy is not communicated to the user) am I 
> committing a crime?
>         I suppose other laws come into play at this point 
> (DPA). But if
>         am unaware as to the nature of the data, is the site in
>         olation by not affording the information adequate protection?
>         (At this point I suppose I should report this to the DP
>         Commissioner, but what is my legal position?).
>
>     4.  What if I attempt to validate the controls in place, i.e. I do
>         not attempt to exploit a weakness but I do check for the 
>         existence of one (e.g. I test for error codes;). In this 
>         instance, have I committed a crime by putting the 
> system into a 
>         state where it generates an error code (assume the system has 
>         not been damaged/modified/etc due to this activity). Many real
>         word analogies to this one (e.g. checking a door to 
> see if it is 
>         locked), etc.
>
> I suppose the underlying question is:
>
>     What is misuse and must I be informed of what constitutes 
> misuse on
>     each website I visit?
>
> As a reference, I offer section Section 1 of the Computer 
> Misuse Act, 1990 (c. 18) [UK] states:
>
> Unauthorised Access to Computer Material
>
> 1. - (1) A person is guilty of an offence if -
>
>         (a) he causes a computer to perform any function with intent
>             to secure access to any program or data held in any
>             computer;
>
>         (b) the access he intends to secure is unauthorised; and
>
>         (c) he knows at the time when he causes the computer 
> to perform
>             the function that that is the case
>
>     (2) The intent a person has to have to commit an offence under
>         this section need not be directed at -
>
>         (a) any particular program or data;
>
>         (b) a program or data of any partciular kind; or
>
>         (c) a program or data held in any particular computer
>
> Thanks in advance for your opinions (or pointers to the 
> obvious answers I may have missed).
>
> Kind Regards,
> Dave.
>
> --
> http://dave.mongers.org