Legal Info Regarding Using Open Proxies

Networking/Security Forums -> Anonymity // Privacy // Spam

Author: ShaolinTigerLocation: Kuala Lumpur, Malaysia PostPosted: Thu Oct 24, 2002 12:16 pm    Post subject: Legal Info Regarding Using Open Proxies
    ----
Is it legal to surf the web through these proxies?

As far as we can tell, the answer is yes. The primary argument against open proxies is that their owners may not have intended for them to be used by the public. However, by running a service on a machine accessible to the public, without restricting access to that service, the machine's administrator is implicitly consenting for that service to be used by the public. A proxy server is just like a web server, an FTP server, or any other net service: if it's running and accepting connections, it's fair game. The internet is a public network.

With regard to US law in particular, 18 USC 1030 (which covers computer-related fraud and theft) applies only when the user has knowingly accessed a computer without authorization or has knowingly exceeded his authorized access on that computer. Because an open HTTP proxy, by default, allows connections and use of the service by anyone in the world, the proxy's administrator has essentially "authorized" everyone to use the service. There's no intentional bypassing of security taking place. Just as you don't need Google's express written permission to connect to google.com, you don't need a proxy admin's express written permission to use his open proxy server.

Naturally it's not legal to use a proxy for illegal purposes, but if that's your cup of tea, the proxy is probably the least of your worries!

From: http://www.winfosec.com/proxies/info.php#faq6


Last edited by ShaolinTiger on Thu Dec 12, 2002 6:59 pm; edited 1 time in total

Author: Jhonbus PostPosted: Sun Nov 10, 2002 2:11 pm    Post subject:
    ----
Just thought I'd post about this case which is a possible legal precedent to the use of open proxies. I can't seem to find anything about it online (not that I've looked hard - just reuters and the new scientist website) but I will quote (rip off) the article in the new scientist:

Quote:

Guessing a Web address need not make you a hacker

IF YOU guess the address of a compan's Web page when there are no links to it anywhere on their website, are you hacking? A Swedish company thinks so.
Software developer Intentia International of Stockholm last week filed a criminal complaint against news agency Reuters, after one if its reporters guessed a URL and accessed Intentia's financial results before their scheduled release. Intentia alleges that the Reuters report on its financial performance resulted from hacking.
Reuters says that the figures were public as soon as Intentia pposted it to its Web server, whether there was a link or not. The reporter simply guessed the URL based on those of its previous quarterly reports, a Reuters spokeswoman says.
Instead of being mounted on a staging server, where a Web page can be checked and kept before bing posted to a public server, Intentia's third-quarter report was placed on the public server ahead of time. The firm intended to "release" it later by placing a link to it on its home page.
The company has since improved security, an Intentia spokesman said.
While Reuters did not break any security measires such as password protection, anti-hacking laws guard so broadly against unauthorised access that they might not help its case. Intentia maintains that Reuters' access was unauthorised.
But all docuiments on the Web are assumed to be public, says Lee Tien, staff attorney for San Fransico-based pressure group Electronic Frontier Foundation. "This is no different than someone putting something in a flimsy wrapper on the street and hoping no one will notice it."


I'll try to find out more about this case, and hopefully it will go in Reuters' favour.

Author: Jason PostPosted: Sun Nov 10, 2002 3:03 pm    Post subject:
    ----
I think that Reuters have not done anything wrong.

What gets me is how did they know the exact address of the document if there was no link to it anywhere?

J

Author: Jhonbus PostPosted: Sun Nov 10, 2002 3:25 pm    Post subject:
    ----
They guessed it because the URL was the same format as the previous releases - probably something like

q42001.html
q12002.html
q22002.html

so it's logical to guess that the 3rd quarter release is going to be published at q32002.html

Author: ShaolinTigerLocation: Kuala Lumpur, Malaysia PostPosted: Sun Nov 10, 2002 4:40 pm    Post subject:
    ----
Uhuh, the Reuters case is mentioned in this thread:

http://www.security-forums.com/forum/viewtopic.php?t=1504&start=15

Author: Jhonbus PostPosted: Sun Nov 10, 2002 4:47 pm    Post subject:
    ----
So it is Embarassed
Sorry, I'm new to this forum so I haven't read all the older threads yet.
Well I guess it's no harm to have a link to that here, given the parallels.
BTW, *great* forum you've got here, fellas!

Author: ShaolinTigerLocation: Kuala Lumpur, Malaysia PostPosted: Sun Nov 10, 2002 5:51 pm    Post subject:
    ----
No worries dude, no harm done Smile

Thanks and enjoy your stay.

Author: GuardianLocation: UK PostPosted: Sat Apr 19, 2003 4:37 pm    Post subject:
    ----
I think there is room to argue and there are other issues involved.

I posted some notes at Scanning and Law and Advice Needed Urgently! regarding scanning and BF.

The same arguments apply to the use of proxies.

Use of Proxies has the additional aspect of bandwidth theft. Users using a proxy on someone else's server are utilising the bandwidth allocated and paid for the authenticated users thus limiting the legitimate use by users.

I am sure there are many who would disagree, but that is their prerogative.

Wink


Last edited by Guardian on Wed Oct 20, 2004 10:33 am; edited 1 time in total

Author: o0O-neo-O0oLocation: London UK PostPosted: Wed Aug 27, 2003 2:14 pm    Post subject:
    ----
Jhonbus wrote:
Just thought I'd post about this case which is a possible legal precedent to the use of open proxies. I can't seem to find anything about it online (not that I've looked hard - just reuters and the new scientist website) but I will quote (rip off) the article in the new scientist:

Quote:

Guessing a Web address need not make you a hacker

IF YOU guess the address of a compan's Web page when there are no links to it anywhere on their website, are you hacking? A Swedish company thinks so.
Software developer Intentia International of Stockholm last week filed a criminal complaint against news agency Reuters, after one if its reporters guessed a URL and accessed Intentia's financial results before their scheduled release. Intentia alleges that the Reuters report on its financial performance resulted from hacking.
Reuters says that the figures were public as soon as Intentia pposted it to its Web server, whether there was a link or not. The reporter simply guessed the URL based on those of its previous quarterly reports, a Reuters spokeswoman says.
Instead of being mounted on a staging server, where a Web page can be checked and kept before bing posted to a public server, Intentia's third-quarter report was placed on the public server ahead of time. The firm intended to "release" it later by placing a link to it on its home page.
The company has since improved security, an Intentia spokesman said.
While Reuters did not break any security measires such as password protection, anti-hacking laws guard so broadly against unauthorised access that they might not help its case. Intentia maintains that Reuters' access was unauthorised.
But all docuiments on the Web are assumed to be public, says Lee Tien, staff attorney for San Fransico-based pressure group Electronic Frontier Foundation. "This is no different than someone putting something in a flimsy wrapper on the street and hoping no one will notice it."


I'll try to find out more about this case, and hopefully it will go in Reuters' favour.



In responce to this and after reading it i thought about it and Routers are right

anyone could of got this info and not by guessing the URL either

the trusted good old "google hack" would of found these results in one hit

LOL

so no one is hacking here - if you ask me - maybe being a little sneaky and maybe a little cheeky but if it is on the web it is public domain and if you didnt secure against the google hack its your fault (hardline way of thinking i know) anyone one care to take me up on this and discuss further ?

email me --> o0O-neo-O0o@filetopia3.com

thanks

Laughing

Author: o0O-neo-O0oLocation: London UK PostPosted: Wed Aug 27, 2003 2:18 pm    Post subject:
    ----
jasonlambert wrote:
I think that Reuters have not done anything wrong.

What gets me is how did they know the exact address of the document if there was no link to it anywhere?

J


ok ok here is how it is done...

go to google and type the following

inurl: and any text you want here (what ya searching for)

ie "inurl:3Aq42001.html"

and that will give you this

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=inurl%3Aq42001.html

now spend enough time looking through those links and tell me if ya find the doc they wanted not to be found

LOL

for more info on the GooGle hack do a search on google and read up about it - it is a very interesteing read!!

Rolling Eyes

Author: ryansuttonLocation: San Francisco, California PostPosted: Thu Sep 30, 2004 11:26 pm    Post subject:
    ----
Guardian wrote:
I think there is room to argue and there are other issues involved.

I posted some notes at Scanning and Law and Advice Needed Urgently! regarding scanning and BF.

The same arguments apply to the use of proxies.

Use of Proxies has the additional aspect of bandwidth theft. Users using a proxy on someone else's server are utilising the bandwidth allocated and paid for the authenticated users thus limiting the legitimate use by users.

I am sure there are many who would disagree, but that is their prerogative.

Wink


In reference to your comment about bandwidth, that does not apply in this situation as (already stated) the document was on a web server. Now if this was a private or restricted server you would have a valid point, However if you have something stored on a public server AKA www.mydomain.com/whatever then you cannot single out certain people and say they can't access it as it is public.



Networking/Security Forums -> Anonymity // Privacy // Spam


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group