RE: CRIME EarthLink Password Security Story

From: Jordan Gackowski (jgackowski@private)
Date: Fri Jun 21 2002 - 14:12:45 PDT


    If you keep the constraints of your argument to a publicly addressed web
    server on port 80 it is an interesting situation. It is supposed to be
    public.  It would be equivalent to having a store front w/ a neon open sign
    blinking and an open door.  Then trying to prosecute people for coming on
    the property.  Taking/breaking things is still illegal but you can't slap
    the cuffs on anyone who walks in the door.
    
    Using a method to access data that you normally wouldn't be able to access
    (such as the dir x-versal you mention) would (should) still be illegal.
    Like taking the money out of a cash register and using the excuse that it
    had a crappy lock so it was OK to get in there.
    
    Web servers represent publicly accessible space and information by design
    and intent...  not that I want to be a test case and set any precedent.
    
    ~Jordan
    
    
    
    From:     "SCRIMSHER,JOHN (HP-Corvallis,ex1)" <john_scrimsher@hp.com>
    Sent by:  owner-crime@privatex.edu
    Date:     06/21/2002 12:35 PM
    To:       "'Tom Tintera'" <Tom_Tintera@private>, "'Seth Arnold'" <sarnold@private>,
              "'Lyle Leavitt'" <lylel@private>, "'Phil Hochstetler'" <Phil.Hochstetler@private>
    cc:
    Subject:  RE: CRIME EarthLink Password Security Story

    This raises an interesting legality question.  If a server is publicly
    available for use as, for instance, a web server, can we assume then that
    all sites / pages on that server that are publicly available without use of
    an authentication mechanism imply authorization to access said system via
    the channel offered for access, in this instance port 80?
    
    If the authorization to access the system via port 80 to a publicly
    available document is implied through its availability, then would you be
    truly acting illegally to utilize vulnerabilities such as directory
    traversal to access more data, including the execution of programs on the
    system?  My point is that some vulnerabilities require no special hacking
    skills, merely the ability to walk through the open door.
    
    Alteration and/or destruction of data would be illegal, I believe, no
    matter the method of access.  But merely walking in the door that is open
    to the public.... Would that also be illegal?
    
    John
    
    > -----Original Message-----
    > From: Tom Tintera [mailto:Tom_Tintera@private]
    >
    > Randal did use one of the passwords to copy a larger password
    > file and also installed a back door through Intel's firewall.
    > However, ORS 164.377 states that: (4) Any person who knowingly
    > and without authorization uses, accesses or attempts to
    > access any computer, computer system, computer network, or
    > any computer software, program, documentation or data
    > contained in such computer, computer system or computer
    > network, commits computer crime. Class A misdemeanor.
    >
    > Caution is advised if there is no authorization.
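
The thread above turns on directory traversal as the "open door" that needs no
special skill to walk through. The following is an added illustration, not
code from any of the posters, of what that door looks like on the server
side: a naive static-file handler that joins the request path onto the web
root (so `/%2e%2e/passwd.txt` reads a file the operator never published) next
to a hardened version that resolves the path and refuses anything outside the
web root. The web root, the public `index.html` and the out-of-root
`passwd.txt` are constructed in a temporary directory for the demo; the
function names are illustrative, not from any real server.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


def serve_naive(webroot: str, request_path: str) -> bytes:
    """Vulnerable handler (illustrative): URL-decodes the path and glues it
    onto the web root. '..' segments walk straight out of the document tree."""
    relative = unquote(request_path).lstrip("/")
    full = os.path.join(webroot, relative)
    with open(full, "rb") as f:
        return f.read()


def serve_hardened(webroot: str, request_path: str) -> bytes:
    """Hardened handler (illustrative): canonicalise both the web root and the
    candidate file (realpath also resolves symlinks), then insist the candidate
    still lives under the root before touching the filesystem."""
    root = os.path.realpath(webroot)
    relative = unquote(request_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath() is used rather than startswith() so that a sibling such as
    # '/srv/htdocs-private' is not mistaken for something inside '/srv/htdocs'.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"refused: {request_path!r} resolves outside the web root")
    with open(candidate, "rb") as f:
        return f.read()


def build_fixture() -> tuple[str, str]:
    """Construct a throwaway layout for the demo (assumed, not real data):
    <base>/htdocs/index.html is published, <base>/passwd.txt is not."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    root = os.path.join(base, "htdocs")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<h1>public page</h1>")
    with open(os.path.join(base, "passwd.txt"), "wb") as f:
        f.write(b"never-meant-to-be-served")
    return base, root


def run_demo() -> dict:
    """Exercise both handlers with a legitimate request and an encoded
    traversal request; return what each one handed back."""
    base, root = build_fixture()
    results = {}
    try:
        results["naive_public"] = serve_naive(root, "/index.html")
        # '%2e%2e' decodes to '..', so the naive handler reads <base>/passwd.txt
        results["naive_traversal"] = serve_naive(root, "/%2e%2e/passwd.txt")
        results["hardened_public"] = serve_hardened(root, "/index.html")
        try:
            serve_hardened(root, "/%2e%2e/passwd.txt")
            results["hardened_traversal"] = "allowed"
        except PermissionError:
            results["hardened_traversal"] = "refused"
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:20s} {value!r}")
```

The check is done on the resolved path rather than by rejecting the literal
string `..`, because the same walk can arrive via percent-encoding, doubled
encoding, or a symlink planted inside the web root; canonicalising first and
comparing afterwards covers all of those with one rule.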
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 15:10:56 PDT