Forwarded From: 7Pillars Partners <partnersat_private>

http://www.wired.com/news/news/politics/story/17024.html

Let the Web Server Beware
by Christopher Jones
2:00 p.m. 23.Dec.98.PST

In a decision that sets a precedent in the realm of hacking, the Norwegian supreme court ruled Tuesday that probing computer networks linked to the Internet is not illegal.

The University of Oslo charged a private security-software company, Norman Data Defense Systems, with attempted break-ins and disruptions on machines linked to its computer network.

Norman Data conducted the network probes in 1995 on behalf of a Norwegian public news network, which was filming a program about the Internet and wanted to demonstrate the inner workings of open systems and the pitfalls therein.

"The essence of [the ruling] is that if you want to join the Internet, you have to assure that you're protected," said Gunnel Wullstein, president and CEO of Norman Data Security. "If you don't want to be visited, close your ports."

The case also illustrates the fine line between hackers and crackers. The former describes those who merely want to explore computer systems, while the latter refers to intruders with malicious intent. They exploit networks using specialized tools and tricks of the trade, including unauthorized access operations.

During the experiment, the company's engineers used finger commands to find out which users were logged on to the university's machines and information related to their session. They used telnet - a remote login command - to verify email addresses on the university's mail port. They also ran scans to see if any ports were open.

The University of Oslo could not be contacted in time for this story.

One of the engineers involved in the experiment, who asked not to be identified, stressed that all of these operations are based on open protocols and were not designed to break into systems. Rather, the test was done to show what information is freely available from machines hooked to the Internet. During the experiment, he said, no user IDs or other such information was retrieved.

"We wanted to help [the news service] tell the world that when you surf you leave your IP address all over the place, especially if you use the same machine," said the engineer. "This information can be used to find out quite a bit about you."

Hackers and crackers will often use commercial port-scanning tools, or war dialers, as a way to identify easy entries into computer networks. Norman Data said it only ran limited port scans and found no open ports during the experiment.

"I would say that it's not hacking [to show] if you go on the Internet, you expose yourself," said Wullstein. "It is up to you to decide which part you want to be exposed and which you do not."

When an Oslo court first ruled in the case, it found the company guilty of an attempted break-in on a computer network and misuse of other people's machine resources, causing inconvenience. Both charges carried a steep fine, and the company was also ordered to pay for repairs to the university's network.

After Norman appealed the decision, a district court overturned the more serious break-in charge, but upheld the misuse charge. In Tuesday's supreme court decision, however, the engineer and the company were cleared on both charges.

"This is very principal, the first time the [supreme] court has taken a standpoint in a case like this," said Frode Pedersen, news editor at Aftenposten, a daily newspaper in Oslo. "The high court said that if you have a service on the Internet not directly protected, you have to stand for people searching for security holes."