When does using a public resource/hacking become illegal?

Author: b4rtm4n | Location: Bi Mon Sci Fi Con | Posted: Thu Oct 24, 2002 10:55 pm
    ----
Good statement!

I can't agree, though.

I think we are reaching the level of IT bullies if we go down this road.

"If you can't take care of yourself, we'll take advantage of you."
(hacking, security vendor, AV)

Or am I being too much of a devil's advocate?

Author: enigman | Location: Sydney | Posted: Fri Oct 25, 2002 1:30 am
    ----
b4rtm4n wrote:
I'm trying to get a baseline for what "offering a service" actually is.

It could depend on your definition of 'implied' or 'explicit' offering of a service. If one of my hosts is running a web server that is publicly accessible on the Internet and I've solicited visits by promoting it, then I'm explicitly offering connections via http etc. If the same server has the ftp service running, is publicly accessible but is not promoted, with no links on web pages saying you can download/upload files etc., then it could be construed that it is an implied offering of the service. That is, on the web server I've explicitly given permission for users to access the service. For ftp, on the other hand, a visitor could infer that I'm offering the service on the basis that it is running on the same publicly accessible host that had promoted its web site (even if it were an oversight on my part).

If, however, a banner was displayed when attempting to connect to a particular service that explicitly states who can use that service, it's a different matter. If it had something saying that it was exclusively for the use of particular parties and that if you are not one of the members of that group you can't use the service, then you have been explicitly warned on that service.

If I had a message on my web site stating that the only services a visitor could access are http, https and smtp, and that connection to other services should not be attempted, then I have implied that connecting to the ftp service (or any other service not explicitly mentioned) is forbidden.

If an ordinary user has accidentally offered all or some of their services on their PC while connected to the Internet, could it be classed as explicit or implicit offering? If they put home pages on their web server and change the default so that people could access it, then it could be construed as explicitly granting access. If, however, it's accidentally enabled and only default pages from the web server are present, then it could possibly be construed as implied permission to access the service (if not morally so).

b4rtm4n wrote:
The opinion seems to be that by connecting a machine to the net you are immediately offering the services running on that machine for public use and it is down to you to stop/protect any services you do not wish others to use.

Actually, I wouldn't consider that the case. Just because I drive on a freeway doesn't mean that I am offering my vehicle for public use. If I am aware of and take reasonable measures to protect my car (like locking it etc.) then I could reasonably expect that someone hasn't taken it. The problem is that most OSs and applications haven't been designed for security; they have been designed for ease of use. A person who is not that PC literate could reasonably expect that because their machine is physically secured within their home, the security measures provided by the OS would protect them while connected to the Internet. A person who is more PC literate would know this is not the case.

If a person has exposed shares on their machine does that give someone the right to take advantage of that fact? Let's say you are very PC literate and have secured your PC to the best of your ability. Now along comes Mr Black Hat who uses an obscure hole to punch through your security measures and do what he wants. Oh no, he's a bad person because he has explicitly bypassed your security measures. Oh no, he responds, "It's up to you to make sure your host is secured and it obviously wasn't. As you hadn't secured against Obscure Security Hole #57 then you obviously weren't adopting best practice and I implied from that you were allowing me access."

The problem is that use of the Internet doesn't necessarily reflect community standards. Something that is viewed as acceptable by some Internet users would not be considered acceptable by society as a whole. Just as a person doesn't expect an uninvited guest to walk in the front door or through the window and rummage through their belongings, the average person would not expect an unwelcome guest to come through their Internet connection and rummage through their host's files.

b4rtm4n wrote:
Would it also follow that you become responsible for any misuse of these services?

You raise an interesting point, and I think it's something that will start to hit home over the next few years. As part of due diligence, organisations should ensure that their hosts, services etc. are secure (especially if they are publicly listed companies). If a company hasn't taken reasonable measures to protect its systems against being used to attack another host or network, then they may find themselves being sued by the victim of a DDOS attack etc.

I'll stop my ranting now.
----
Keyboard not connected . . . . Press F1 to continue.

Author: b4rtm4n | Location: Bi Mon Sci Fi Con | Posted: Fri Oct 25, 2002 12:05 pm
    ----
Applause!

It is the aim of ISO17799 to set the framework for industry best practice.

Ideally the same practices should apply to the individual, but the knowledge and tools are not readily available at this level.

Author: Jason | Posted: Fri Oct 25, 2002 12:57 pm
    ----
Thanks enigman, some pretty strong ideas there.

I can understand the part about suing over DDOS attacks and other similar instances, though you would probably need to be contributing a hell of a lot to the total bandwidth consumption to be selected / singled out for legal action.

Has anyone heard of such cases where a successful prosecution has occurred against the owner of a compromised machine used in such attacks?

What about other types of attack or illegal activity that may have occurred through a compromised machine?

J

Author: b4rtm4n | Location: Bi Mon Sci Fi Con | Posted: Fri Oct 25, 2002 1:54 pm
    ----
I'm not aware of any prosecutions for compromised machines used in attacks.

There have been a couple of instances where compromised machines have been used to store illegal data and action has been taken against the businesses involved. I haven't got any details on these though, only a vague recollection.

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Fri Oct 25, 2002 2:01 pm
    ----
There was one guy prosecuted for having his machine used in a DDoS attack, but it was due to the fact they thought he was involved in some way and was hacking other people's machines, and that his claims of being compromised were just an attempted cover-up.

Author: Jason | Posted: Fri Oct 25, 2002 2:11 pm
    ----
Could we take a guess on the likely success rate of legal action (suing) taken against a machine's owner in the case of his machine being used in DDOS attacks, without his consent or knowledge?

What sort of evidence would be needed?

What laws (if any) would help decide the outcome of the case?

J

Author: b4rtm4n | Location: Bi Mon Sci Fi Con | Posted: Fri Oct 25, 2002 3:52 pm
    ----
I'd say you'd have a near zero prosecution rate.

It may be treated the same way as if your car had been stolen, used in a hit and run, and returned to your door before you noticed (unlikely).

Just as long as you can prove that you didn't commit the crime then you should be OK.

Author: flw | Location: U.S.A. | Posted: Fri Oct 25, 2002 6:12 pm
    ----
Quote:
So the same thing could be said if you connected to another computer's hard drive via an unprotected netbios share?

If they have shared the root of their hard drive, and have put no password on it, and have connected that machine to the internet, does this mean they want anyone to view their files / use their hd space etc.?

After all, they have "provided" an anonymous service on their machine available to anyone who wants it.

What happens if they only intended it to be shared with the local network, but lack of knowledge means that they didn't unbind file sharing on the internet connection adapter?

They have not "authorised" or given explicit permission for you to access their resources, they just f**k.. up.

As long as you don't steal any of their stuff is it ok?

** end of brain strain **

other thoughts people?


The real answer is it depends on where you live, i.e. various laws etc.

On the netbios share, I think in terms of wireless access as well. Looking at a network login screen is where authorized vs. authenticated comes into play. Just because you are authenticated does not imply you are authorized. When you begin to utilize a system's resources and are not "authorized", or are anonymously authenticated (by mistake of the end user) or not anonymously, you have broken the law in some locations, even if "just looking". Would it be legal to "look" into one of the British Intelligence agencies if an unknown door was left open? Depends on your laws etc.

If you are using someone's resources without their direct authorization it is illegal in the U.S. I.e. if I take your car because you left the keys in it, does that make my actions legal? No.

Again, local laws, case law or the lack of any laws really do determine where the line is. In the U.S. it's a combination of Federal, State, County and municipal laws/ordinances that determine the law.

fastlanwan

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Tue Oct 29, 2002 12:02 pm
    ----
Another interesting development in this area...

If you go to a web page that is not linked anywhere, are you illegally accessing the page?

http://slashdot.org/article.pl?sid=02/10/29/0023241

Of course not, it's on a public web server, not password protected or encrypted... it's free for all.

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Thu Oct 31, 2002 3:33 pm
    ----
As another follow-up, Reuters' response to the 'hacking' claims:

Responding to accusations of "hacking" from Swedish software company Intentia, the Reuters news agency has claimed that it merely downloaded information from a publicly accessible section of the company's Web site. On Saturday, Intentia alleged that Reuters had accessed its computers without authorization. In a company announcement they openly accused the news agency of "breaking in to" its systems.
Reuters did not deny that it had downloaded and reported on Intentia's third quarter profit results prior to their scheduled release. Reuters said that the profit results it was accused of stealing were made available to anyone that typed in the correct URL, or address, into a Web browser, and were therefore already public.

Author: G!zm0 | Location: Belgium | Posted: Thu Oct 31, 2002 4:53 pm
    ----
After reading that stuff about Reuters, there's only one thing that comes to mind:

Me standing naked in my front yard and suing people passing by for invading my privacy...

Author: b4rtm4n | Location: Bi Mon Sci Fi Con | Posted: Thu Oct 31, 2002 5:12 pm
    ----
If you're a man that's indecent exposure!

You can only sue if female!

Author: deadfall | Location: San Diego | Posted: Sun Nov 17, 2002 3:05 am
    ----
Begin $.02:
jasonlambert wrote:
Has anyone heard of such cases where a successful prosecution has occurred against the owner of a compromised machine used in such attacks?

No. I couldn't imagine them being liable for anything in the eyes of the law, which is pretty gray on such things. Depending on the size of the attack and the damage it caused, the person initiating said DoS (distributed or otherwise) through any machine could or could not be investigated by the authorities. This applies to access attempts and systems compromised by cracking attacks. You don't just "call the law" and trust that the authorities are going to care or even be able to do anything about it.

Anyone truly interested in the subject should read this website. It documents a series of attacks and the lengths to which the author went to find out his legal options, how the attacker did it, and how he got into their world. It's a fascinating read.

All times are GMT + 2 Hours