When does using a public resource/hacking become illegal?
Networking/Security Forums -> General Security Discussion

Author: Jason  Posted: Thu Oct 24, 2002 1:55 pm    Post subject: When does using a public resource/hacking become illegal?
    ----
(Branched from http://www.security-forums.com/forum/viewtopic.php?t=1500 )

** Just a few thoughts **

So the same thing could be said if you connected to another computer's hard drive via an unprotected NetBIOS share?

If they have shared the root of their hard drive, and have put no password on it, and have connected that machine to the internet, does this mean they want anyone to view their files / use their HD space etc?

After all, they have "provided" an anonymous service on their machine available to anyone who wants it.

What happens if they only intended it to be shared with the local network, but lack of knowledge means that they didn't unbind file sharing on the internet connection adapter?

They have not "authorised" or given explicit permission for you to access their resources, they just fucked up.

As long as you don't steal any of their stuff, is it ok?

** end of brain strain **

Other thoughts, people?

J

Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Thu Oct 24, 2002 2:02 pm    Post subject:
    ----
Well yes, if someone has shared their whole hard drive over the Internet, legally you can look at it, I would think. It's part of the Internet and therefore the public domain; as long as you don't delete anything or damage anything, you aren't breaking any laws.

They have not authorised the use but they haven't disallowed it, which is more important.

Unless you put a sign saying "No you can't do this" then what's to stop people doing it?

As long as you don't attempt to break anything that stops you accessing a resource, e.g. you can just stroll in, go for it.

That's my thought..


Last edited by ShaolinTiger on Thu Oct 24, 2002 2:17 pm; edited 1 time in total

Author: hads  Location: New Zealand  Posted: Thu Oct 24, 2002 2:15 pm    Post subject:
    ----
Would have to agree with ShaolinTiger on that...

Ignorance is no defence as far as any laws go.

(I think I've been watching too many lawyer shows)

Author: Jason  Posted: Thu Oct 24, 2002 2:39 pm    Post subject:
    ----
Scenario:

A person / company puts an IIS web server on the internet, and fails for whatever reason to apply the latest service packs and hot fixes, leaving them vulnerable to various Unicode "exploits". They do not put any sort of warning banner in the HTTP header.

Could exploiting the "vulnerability" be classed as illegal? I.e. the "vulnerability" is there, they have left it there, they have not explicitly "disallowed" access to the rest of the machine through the "vulnerability". They have not said they "DO NOT PERMIT" it.

I use the word "vulnerability" cautiously, as they (presumably) purchased the OS/Web Server "as is". The "vulnerability" is then a part of that product, even though it can be exploited and used for malicious intent. How do you draw the line between "vulnerabilities" and "features" of the product?

After all, as in my earlier post I gave the example of open and unpassworded NetBIOS shares. NetBIOS in general I would consider a "feature" of Windows. Set up incorrectly it is a vulnerability.

Once again, as long as you don't steal or delete anything from the machine, is exploiting the vulnerability illegal?

Thoughts?

J

Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Thu Oct 24, 2002 5:16 pm    Post subject:
    ----
Well if you can exploit without causing any damage (folder traversal) and you don't open any programs or cause any degradation to the system (bandwidth or CPU usage) I can't see how it's illegal.

It's only 1 step up from port scanning, which is admittedly a grey area regarding legalities but certainly is classed by most as not strictly legal but not actionable.

There are no such things as vulnerabilities, just undesirable features Wink

You could say NetBIOS over TCP/IP is a vulnerability in itself, but it's also a feature...

Author: b4rtm4n  Location: Bi Mon Sci Fi Con  Posted: Thu Oct 24, 2002 5:25 pm    Post subject:
    ----
.....

If I leave my pc unattended in the front garden and someone steals it they are breaking the law.

If I leave my pc unattended on the internet and someone connects to it and copies my mail from it.....??

Unfortunately the law and common sense have little in common.

I know, I work with solicitors. Laughing

Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Thu Oct 24, 2002 5:28 pm    Post subject:
    ----
Yeh but the lawn ain't public property, the Internet is a public domain; if you leave your computer in the street overnight and expect it to be there in the morning, you got another thing coming..

You won't get far with the police either..

"Yes officer, I just left it on the lawn overnight and someone came along and took it! The bastards!"

Author: b4rtm4n  Location: Bi Mon Sci Fi Con  Posted: Thu Oct 24, 2002 5:38 pm    Post subject:
    ----
Don't stop it bein illegal tho.

Just impossible to prosecute (or persuade the dibble to do anything as you say).

Similarly if you don't put a lock on your door and someone comes in and takes your stuff (the door being analogous to the net connection) they are breaking the law but you won't get any joy from dibble & co.

Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Thu Oct 24, 2002 5:47 pm    Post subject:
    ----
Yeh but what if the door is open and it's not clear it's a house, it looks somewhat like a shop or perhaps a public toilet and someone wanders in?

They don't know any different, yes ignorance is no defence but they are committing any felonies, only possible trespassing..

Surely then it's you that are at fault, not the person who stumbled into your property..

Author: Jason  Posted: Thu Oct 24, 2002 5:56 pm    Post subject:
    ----
ShaolinTiger wrote:
Well if you can exploit without causing any damage (folder traversal) and you don't open any programs or cause any degradation to the system (bandwidth or CPU usage) I can't see how it's illegal.

Would this include taking a directory listing via a Unicode type of exploit? For this you need to make cmd.exe execute with additional parameters.

Once again, cmd.exe is a feature of the system, and you may have access to it via entering what an unpatched IIS server sees as a legitimate URL. Obviously this requires correct access permissions on the file. Cmd.exe has no problems with returning the information to you.

With regard to bandwidth and CPU usage, this is just like any other web request, as all requests require CPU and bandwidth, though I do see what you are saying from using the machine for DDoS against other systems.

What about uploading other files to the vulnerable machine's hard disk?

Where does this fall as far as law is concerned?
What can we identify as being 100% illegal and prosecutable with the right evidence - data theft?
J

Author: b4rtm4n  Location: Bi Mon Sci Fi Con  Posted: Thu Oct 24, 2002 6:10 pm    Post subject:
    ----
If you have the basic skills to connect to another PC and look around its contents then it's highly unlikely that you didn't know what you were connecting to.

"Sorry officer I thought it was a public toilet!" Won't quite cut it there.

It could even be taken that having a DNS entry for a service is tantamount to offering it for public use. Not having a DNS entry for a service could mean that it's not intended for public use.

What do you think?

Author: Jason  Posted: Thu Oct 24, 2002 6:15 pm    Post subject:
    ----
I'm assuming that you are highlighting the fact that if you do not have a domain name, why should people be connecting to a web server or other service on your "anonymous" machine?

I think it comes back to: you are still offering the service on your machine, big TV advertising campaign or otherwise. If you connect your machine to the internet, you should accept that your machine will have incoming connections.

On the lack of knowledge area, I don't believe it is how much you know; what it comes down to is whether or not you commit a criminal offence.

J

Author: b4rtm4n  Location: Bi Mon Sci Fi Con  Posted: Thu Oct 24, 2002 7:10 pm    Post subject:
    ----
I'm trying to get a baseline for what "offering a service" actually is.

The opinion seems to be that by connecting a machine to the net you are immediately offering the services running on that machine for public use and it is down to you to stop/protect any services you do not wish others to use.

Would it also follow that you become responsible for any misuse of these services?

Author: chris  Location: ~/security-forums  Posted: Thu Oct 24, 2002 8:21 pm    Post subject:
    ----
ShaolinTiger wrote:
Yeh but what if the door is open and it's not clear it's a house, it looks somewhat like a shop or perhaps a public toilet and someone wanders in?



What did I tell you about shaolin....george michael ...cough.cough

Smile


Smile


Last edited by chris on Thu Oct 24, 2002 8:40 pm; edited 1 time in total

Author: b4rtm4n  Location: Bi Mon Sci Fi Con  Posted: Thu Oct 24, 2002 8:28 pm    Post subject:
    ----
I'm gonna still be laughing in the morning!

Laughing Laughing Laughing Laughing Laughing Laughing Laughing Laughing Laughing

Author: Jason  Posted: Thu Oct 24, 2002 9:05 pm    Post subject:
    ----
I would define "offering a service" in this instance as any software listening for incoming connections, to which it responds.

Any applications / services / daemons which can be accessed from the internet are available for public use, unless explicitly stated.

With regard to who is responsible, I don't know.

If for example a spammer mass mailed 100,000 people with the "Nigerian Scam" email, and one of the recipients handed over their bank details, which the spammer then used to extract money from the victim's account, obviously your server has assisted in his/her illegal activities. I doubt you would be held responsible, as you did not commit the act of fraud and you did not **knowingly** assist, unless of course it could be proved that your machine was placed on the internet for such purposes.

What does everyone else think?

I am still interested to hear about people's thoughts on how uploading other files to a vulnerable machine's hard disk, without explicit permission, stands with the law. Please feel free to give an opinion even if it only applies to your country.

What activities / actions are definitely illegal to perform against another machine without the owner's permission?

J





All times are GMT + 2 Hours
