Security Forums

When does using a public resource/hacking become illegal?

Jason
Forum Fanatic
Joined: 19 Sep 2002

PostPosted: Thu Oct 24, 2002 9:05 pm

I would define "offering a service" in this instance as any software listening for incoming connections, to which it responds.

Any applications / services / daemons which can be accessed from the internet are available for public use, unless explicitly stated.

With regard to who is responsible, I don't know.

If for example a spammer mass mailed 100,000 people with the "Nigerian Scam" email, and one of the recipients handed over their bank details, which the spammer then used to extract money from the victim's account, obviously your server has assisted in his/her illegal activities. I doubt you would be held responsible, as you did not commit the act of fraud and you did not **knowingly** assist, unless of course it could be proved that your machine was placed on the internet for such purposes.

What does everyone else think?

I am still interested to hear people's thoughts on how uploading other files to a vulnerable machine's hard disk, without explicit permission, stands with the law. Please feel free to give an opinion even if it only applies to your country.

What activities / actions are definitely illegal to perform against another machine without the owner's permission?

J
b4rtm4n
Trusted SF Member
Joined: 26 May 2002
Location: Bi Mon Sci Fi Con

PostPosted: Thu Oct 24, 2002 10:55 pm

Good statement!

I can't agree though.

I think we are reaching the level of IT bullies if we go down this road.

"If you can't take care of yourself, we'll take advantage of you."
(hacking, security vendor, AV)

Or am I being too much of a devil's advocate?
enigman
Just Arrived
Joined: 09 Oct 2002
Location: Sydney

PostPosted: Fri Oct 25, 2002 1:30 am

b4rtm4n wrote:
I'm trying to get a baseline for what "offering a service" actually is.


It could depend on your definition of 'implied' or 'explicit' offering of a service. If one of my hosts is running a web server that is publicly accessible on the Internet and I've solicited visits by promoting it then I'm explicitly offering connections via http etc. If the same server has the ftp service running, is publicly accessible but is not promoted, no links on web pages saying you can download/upload files etc, then it could be construed that this is an implied offering of the service. That is, on the web server I've explicitly given permission for users to access the service. For ftp on the other hand, a visitor could infer that I'm offering the service on the basis that it is running on the same publicly accessible host that had promoted its web site (even if it were an oversight on my part.)

If however, a banner was displayed when attempting to connect to a particular service that explicitly states who can use that service it's a different matter. If it had something saying that it was exclusively for the use of particular parties and that if you are not one of the members of that group you can't use the service then you have been explicitly warned on that service.

If I had a message on my web site stating that the only services a visitor could access are http, https, smtp and that connection to other services should not be attempted then I have implied that connecting to the ftp service (or any other service not explicitly mentioned) is forbidden.

If an ordinary user has accidentally offered all or some of their services on their PC while connected to the Internet could it be classed as explicit or implicit offering? If they put home pages on their web server and change the default so that people could access it then it could be construed as explicitly granting access. If however, it's accidentally enabled and only default pages from the web server are present then it could possibly be construed as implied permission to access the service (if not morally so).

b4rtm4n wrote:
The opinion seems to be that by connecting a machine to the net you are immediately offering the services running on that machine for public use and it is down to you to stop/protect any services you do not wish others to use.


Actually I wouldn't consider that the case. Just because I drive on a freeway doesn't mean that I am offering my vehicle for public use. If I am aware of and take reasonable measures to protect my car (like locking it etc) then I could reasonably expect that someone hasn't taken it. The problem is that most OSes and applications haven't been designed for security, they have been designed for ease of use. A person who is not that PC literate could reasonably expect that because their machine is physically secured within their home that security measures provided by the OS would protect them while connected to the Internet. A person who is more PC literate would know this is not the case.

If a person has exposed shares on their machine does that give someone the right to take advantage of that fact? Let's say you are very PC literate and have secured your PC to the best of your ability. Now along comes Mr Black Hat who uses an obscure hole to punch through your security measures and do what he wants. Oh no, he's a bad person because he has explicitly bypassed your security measures. Oh no, he responds, "It's up to you to make sure your host is secured and it obviously wasn't. As you hadn't secured against Obscure Security Hole #57 then you obviously weren't adopting best practice and I implied from that you were allowing me access."

The problem is that use of the Internet doesn't necessarily reflect community standards. Something that is viewed as acceptable by some Internet users would not be considered acceptable by society as a whole. Just as a person doesn't expect an uninvited guest to walk in the front door or through the window and rummage through their belongings, the average person would not expect an unwelcome guest to come through their internet connection and rummage through their hosts files.

b4rtm4n wrote:
Would it also follow that you become responsible for any misuse of these services?


You raise an interesting point. And I think it's something that will start to hit home over the next few years. As part of due diligence, organisations should ensure that their hosts, services etc are secure (especially if they are publicly listed companies.) If a company hasn't taken reasonable measures to protect its systems against being used to attack another host or network then they may find themselves being sued by the victim of a DDOS attack etc.

I'll stop my ranting now.
----
Keyboard not connected . . . . Press F1 to continue.
b4rtm4n
Trusted SF Member
Joined: 26 May 2002
Location: Bi Mon Sci Fi Con

PostPosted: Fri Oct 25, 2002 12:05 pm
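A practical check that follows from the two definitions in the thread so far (Jason's "any software listening for incoming connections" and enigman's example policy that only http, https and smtp are offered), added here as an illustration and not part of any post above: parse `ss -ltnp`-style output and flag every listener reachable from off the host that is not on the declared list. The sample output, the port/service allow-list and the process names are constructed for the example, not taken from any real host.

```python
"""Inventory listening services and flag ones exposed without being declared.

Added example (not from the thread). Reads `ss -ltnp`-style output, the
listing a Linux admin runs to see what is listening; the sample below is
constructed, not a real capture. A listener counts as "offered" only if its
port is on the site's declared list; anything else reachable from off-host
is "exposed", the forgotten-ftp / NetBIOS-share case discussed above.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed policy: the services the site explicitly offers to the public
# (enigman's example list of http, https and smtp).
OFFERED = {80: "http", 443: "https", 25: "smtp"}

# Constructed sample of `ss -ltnp` output (not a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*          users:(("master",pid=900,fd=13))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=950,fd=3))
LISTEN  0       50      0.0.0.0:139          0.0.0.0:*          users:(("smbd",pid=1001,fd=30))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1100,fd=21))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=700,fd=3))
"""

# One `ss` row: state, queue counters, local addr:port, peer, optional process.
ROW_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass
class Listener:
    addr: str
    port: int
    process: str

    def reachable_offhost(self) -> bool:
        """True unless bound to loopback; a wildcard bind (0.0.0.0 / ::) is public."""
        return not ipaddress.ip_address(self.addr).is_loopback


def parse_ss(text: str) -> list:
    """Turn `ss -ltnp` output into Listener records, skipping the header row."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        addr = m.group("addr").strip("[]")      # IPv6 addresses are printed as [::]
        out.append(Listener(addr, int(m.group("port")), m.group("proc") or "?"))
    return out


def classify(listeners, offered=None):
    """Split into (offered, exposed, local_only) by bind address and policy."""
    offered = OFFERED if offered is None else offered
    offered_l, exposed, local = [], [], []
    for lst in listeners:
        if not lst.reachable_offhost():
            local.append(lst)
        elif lst.port in offered:
            offered_l.append(lst)
        else:
            exposed.append(lst)
    return offered_l, exposed, local


def report(text: str, offered=None) -> list:
    """One finding per listener, exposed ones first."""
    off, exp, loc = classify(parse_ss(text), offered)
    lines = [f"EXPOSED  {l.addr}:{l.port} ({l.process}) not in declared service list"
             for l in exp]
    lines += [f"offered  {l.addr}:{l.port} ({l.process})" for l in off]
    lines += [f"local    {l.addr}:{l.port} ({l.process})" for l in loc]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SS)))
```

On the sample the check reports ftp (21), NetBIOS session (139) and ssh (22) as exposed but undeclared, the three declared ports as offered, and the loopback-only database as local. Note that a bind to a LAN or RFC 1918 address still counts as reachable here: whether it is actually visible from the internet depends on the router or firewall in front of it, which this host-side view cannot see.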

Applause!

It is the aim of ISO17799 to set the framework for industry best practice.

Ideally the same practices should apply to the individual but the knowledge & tools are not readily available at this level.
Jason
Forum Fanatic
Joined: 19 Sep 2002

PostPosted: Fri Oct 25, 2002 12:57 pm

Thanks enigman, some pretty strong ideas there.

I can understand the part about suing over DDOS attacks and other similar instances, though you would probably need to be contributing a hell of a lot to the total bandwidth consumption to be selected / singled out for legal action.

Has anyone heard of such cases where a successful prosecution has occurred against the owner of a compromised machine used in such attacks?

What about other types of attack or illegal activity that may have occurred through a compromised machine?

J
b4rtm4n
Trusted SF Member
Joined: 26 May 2002
Location: Bi Mon Sci Fi Con

PostPosted: Fri Oct 25, 2002 1:54 pm

I'm not aware of any prosecutions for compromised machines used in attacks.

There have been a couple of instances where compromised machines have been used to store illegal data where action has been taken against the businesses involved. I haven't got any details on these though, only a vague recollection.
ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Location: Kuala Lumpur, Malaysia

PostPosted: Fri Oct 25, 2002 2:01 pm

There was one guy prosecuted for having his machine used in a DDoS attack, but it was due to the fact they thought he was involved in some way and was hacking other people's machines and that his claims of being compromised were just an attempted cover-up.
Jason
Forum Fanatic
Joined: 19 Sep 2002

PostPosted: Fri Oct 25, 2002 2:11 pm

Could we take a guess on the likely success rate of legal action (suing) taken against a machine's owner in the case of his machine being used in DDOS attacks, without his consent or knowledge?

What sort of evidence would be needed?

What laws (if any) would help decide the outcome of the case?

J
b4rtm4n
Trusted SF Member
Joined: 26 May 2002
Location: Bi Mon Sci Fi Con

PostPosted: Fri Oct 25, 2002 3:52 pm

I'd say you'd have a near zero prosecution rate.

It may be treated the same way as if your car had been stolen, used in a hit and run, and returned to your door before you noticed. (unlikely)

Just as long as you can prove that you didn't commit the crime then you should be OK.
flw
Forum Fanatic
Joined: 27 May 2002
Location: U.S.A.

PostPosted: Fri Oct 25, 2002 6:12 pm

Quote:
So the same thing could be said if you connected to another computer's hard drive via an unprotected netbios share?

If they have shared the root of their hard drive, and have put no password on it, and have connected that machine to the internet, does this mean they want anyone to view their files / use their hd space etc?

After all, they have "provided" an anonymous service on their machine available to anyone who wants it.

What happens if they only intended it to be shared with the local network, but lack of knowledge means that they didn't unbind file sharing on the internet connection adapter.

They have not "authorised" or given explicit permission for you to access their resources, they just f**k.. up.

As long as you don't steal any of their stuff is it ok?

** end of brain strain **

other thoughts people?


The real answer is it depends on where you live. i.e. various laws etc...

On the netbios share, I think in terms of wireless access as well. Looking at a network login screen is where authorized vs authenticated comes into play. Just because you are authenticated does not imply you are authorized. When you begin to utilize a system's resources and are not "authorized", or are anonymously authenticated (by mistake of the end user) or not anonymously, you have broken the law in some locations, even if "just looking". Would it be legal to "look" into one of the British Intelligence agencies if an unknown door was left open? Depends on your laws etc...

If you are using someone's resources without their direct authorization it is illegal in the U.S. i.e. If I take your car because you left the keys in it, does that make my actions legal. No.

Again local laws, case law or the lack of any laws really do determine where the line is. In the U.S. it's a combination of Federal, State, County and municipal laws/ordinances that determine the law.

fastlanwan
ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Location: Kuala Lumpur, Malaysia

PostPosted: Tue Oct 29, 2002 12:02 pm

Another interesting development in this area..

If you go to a web page that is not linked anywhere, are you illegally accessing the page?

http://slashdot.org/article.pl?sid=02/10/29/0023241

Of course not, it's on a public web server, not password protected or encrypted...it's free for all.
ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Location: Kuala Lumpur, Malaysia

PostPosted: Thu Oct 31, 2002 3:33 pm

As another follow-up Reuters response to the 'hacking' claims:

Responding to accusations of "hacking" from Swedish software company Intentia, the Reuters news agency has claimed that it merely downloaded information from a publicly accessible section of the company's Web site. On Saturday, Intentia alleged that Reuters had accessed its computers without authorization. In a company announcement they openly accused the news agency of "breaking in to" its systems.
Reuters did not deny that it had downloaded and reported on Intentia's third quarter profit results prior to their scheduled release. Reuters said that the profit results it was accused of stealing were made available to anyone that typed in the correct URL, or address, into a Web browser, and were therefore already public.
G!zm0
Just Arrived
Joined: 15 Oct 2002
Location: Belgium

PostPosted: Thu Oct 31, 2002 4:53 pm

After reading that stuff about Reuters, there's only one thing that comes to mind:

Me standing naked in my front yard and suing people passing by for invading my privacy...
b4rtm4n
Trusted SF Member
Joined: 26 May 2002
Location: Bi Mon Sci Fi Con

PostPosted: Thu Oct 31, 2002 5:12 pm

If you're a man that's indecent exposure!

You can only sue if female!
deadfall
Just Arrived
Joined: 15 Oct 2002
Location: San Diego

PostPosted: Sun Nov 17, 2002 3:05 am

Begin $.02:
jasonlambert wrote:
Has anyone heard of such cases where a successful prosicution has occured against the owner of a compromised machine used in such attacks?

No. I couldn't imagine them being liable for anything in the eyes of the law, which is pretty gray on such things. Depending on the size of the attack and damage it caused, the person initiating said DoS (distributed or otherwise) through any machine could or could not be investigated by the authorities. This applies to access attempts and systems compromised by cracking attacks. You don't just "call the law" and trust that the authorities are going to care or even be able to do anything about it.

Anyone truly interested in the subject should read this website. It documents a series of attacks and the lengths to which the author went to find out his legal options, how the attacker did it, and how he got into their world. It's a fascinating read.
Page 1 of 2