RE: [ISN] Warchalking is theft, says Nokia

From: InfoSec News (isnat_private)
Date: Mon Sep 23 2002 - 23:24:12 PDT


    Forwarded from: Marjorie Simmons <lawyerat_private>
    [Disclaimer: weekend muse -- this is not legal advice
    so do not take it as such.]

    Drawing on a building is something we in the US have historically
    considered 'graffiti'. Graffiti is generally considered a misdemeanor,
    last time I checked anyway, (unless John Ashcroft has been busy again.
    Perhaps now it's seditious.)

    More importantly, in the US, if an act is defined at law as criminal
    (aka, not misdemeanor), it requires criminal intent.  Criminal intent
    is borne in the perpetrator's state of mind, not the victim's. Extreme
    example: what if the 9-11 terrorists chalked the trade towers as a hit
    target before Sept 11?  Does that make the denizens of the towers
    responsible for their fate because they didn't notice, or because they
    did notice but took no action because the actual result was

    If a victim, any victim, is careless, or if they are a dolt who should
    know better than to expose their business secrets to the world via an
    unsecured wireless network, such carelessness does not magically morph
    the victim into a position of criminal responsibility for the purpose
    of assessing the criminality of someone else's act performed upon him.

    The marking of a target can provide evidence for the prosecution of a
    wrongful act later committed, but by itself does not necessarily
    constitute a criminal act. Although chalking by itself constitutes no
    theft that I can identify, services-theft or data-theft following such
    chalking certainly may be assessed as criminal. If the chalker(s) are
    also participants in such theft or intend that such marking be used by
    others for such theft -- and such theft actually occurs -- such
    chalking could be considered as part of a methodology of the criminal
    act. It's pretty hard to prove a murder though, without the body, thus,
    if there has been no access, or theft of data or services, such
    graffiti seems to me simply graffiti.

    Perhaps a person's carelessness directly results in his becoming a
    crime victim, but though we bemoan such carelessness, the law does not
    assign criminal responsibility to the victim without evidence of some
    intent on the victim's part that the opening of a door to crime be
    intended to actually result in that crime. A more general
    carelessness, of course, usually subjects the victim to other pains.

    Seems to me Pete's on the right track. Pete's offered some good
    examples ... consider this one:

    Lawyer A and Lawyer B are on opposite sides of a negotiation. Lawyer C
    represents a company which is a stakeholder in the outcome of the
    negotiation between A & B, but C is not a party to the negotiation.  
    C has never broken the law or any of the legal ethics rules, and his
    friends think him a bore. C's client company is desperate to find out
    the details of A & B's communication before any deal is struck as the
    deal could destroy C's company.  (C's client company, btw, makes
    widgets free for the poor.)

    C learns that A & B do not use encrypted communications by A & B
    telling him so at an unrelated convention that they all attend. C
    decides to hire a competent geek to do a bit of selective wardriving
    in order to find out what A & B are up to.  C's geek chalks a good
    spot for the job and then C's geek sends her one-time contract
    employee to grab some in-the-clear data from A & B during
    transmission. C thereby learns that A & B's deal, if done, will indeed
    destroy C's client company.

    C, armed with this new information, takes remedial measures that save
    C's client's south end, but that do not disrupt the deal between A &
    B.  A & B successfully complete their deal and never find out that
    their communications have been compromised. They lose nothing as to
    the outcome of their deal and C's client company is saved. C never
    again resorts to such measures, and retires on his bonus for saving
    his client. C's geek gets religion the next day and races off to
    dogooder heaven in Timbuktu. Her contract employee goes back to his
    day job as a firefighter in a major American city.

    Where is the wrongdoing here?  Is it with A & B uncaringly putting C's
    client out of business but for C's intervention, or are moral analyses
    even relevant?  Is it with C's directive to C's geek to
    surreptitiously peek at the data?  Is it with C's geek's contract
    employee in actually accessing data?  Is C's geek's guilt measured the
    same as C's, or as C's geek's contract employee?  If C and agents only
    got as far as chalking and then stopped -- has a crime been committed?  
    Is there any wrongdoing with A & B's carelessness in not protecting
    their transmissions? If so, does it change the nature of C's (and his
    agents') acts?  Is there a conspiracy here?  Do A & B's clients at
    least lose the attorney-client privilege as to this deal because their
    lawyers were fools?  (Certain Florida courts have ruled so.)  If so,
    does that after-the-fact result change the nature of any prior
    criminal act by others at all?

    A helpful approach is not to simply ask where the wrongdoing is in any
    given situation, but to analyze the nature of each of the wrongful
    acts in order to determine what the proper responses and remedies
    might be. In so doing, one may more easily sort out responsibility for
    the criminal and for the simply careless, and the larger moral
    observations from the more compartmentalized ethical obligations of
    certain individuals, e.g., due care.  Otherwise we end up chasing
    butterflies with sledgehammers.

    These are the questions that are, unfortunately, not being assessed
    too carefully of late in certain US government circles. With regard to
    what constitutes criminality, and with resolve to rectify
    vulnerability while keeping within the bounds of Constitutional law in
    the US, it seems to me that not since the Civil War have US citizens
    had a more compelling need to consider these questions such that
    definitions of criminal acts and responses to them may be crafted

    Marjorie Simmons

    On Monday, September 23, 2002 1:02 am, InfoSec News [SMTP:isnat_private] wrote:
    | Forwarded from: Pete Lindstrom <plindstromat_private>
    |
    | Hmmm, not sure if "due care" is a legal term or not, nor whether it
    | applies to criminal activity. It seems to me that "due care" can
    | easily fly in the face of personal freedom.
    |
    | I would argue that I have every right to hang an ethernet cable out my
    | window on my property and not expect someone else to tap in, just like
    | I would argue I should be able to leave my keys in the ignition
    | without having my car stolen, women should be able to wear thongs at
    | the beach without risking a pinch, I should be allowed to let certain
    | people use my bike but not others, and I should be able to write
    | run-on sentences if I want to (;-)). As long as I am not infringing on
    | someone else's rights or creating a dangerous situation, etc., why
    | shouldn't I be allowed to?
    |
    | Now, does that make me smart? well, no. Naive? Probably (or more
    | likely just plain dumb), 
     . . . snip
