RE: CRIME EarthLink Password Security Story

From: Ray Robert (RayR@private)
Date: Fri Jun 21 2002 - 15:59:13 PDT

    ORS 164.377(1)(a) says that to "access" a system means merely to
    "communicate" with it.  So section 4 that you cite prohibits "attempts at
    unauthorized communication."
     
    If I 'ping' your system am I a jailbird-to-be if (and only if) you have echo
    turned off?  If my copy of Office sends a port 137 inquiry and your firewall
    blocks it, did Mr. Gates or I commit a misdemeanor?  Or is it a misdemeanor
    if your firewall doesn't block it but your NT server refuses it?  Is it a
    misdemeanor if I send an e-mail to your postmaster if your e-mail server
    isn't configured for one?  If your Web site says that your policy is to
    require that e-mails must have a phone number included but I don't, am I
    liable to be summoned for sending an unauthorized communication?  Does it
    matter if I've actually seen the Web site?  If this section could be taken
    at face value, it sounds like you have a great weapon against spammers.
    
    Sections 2 (access for the purpose of theft, including theft of services)
    and 3 (altering, damaging, or destroying) describe actions a reasonable
    person would understand as being criminal.  IMHO, Section 4 is too vague to
    give notice of prohibited behaviors, especially on Internet interfaces.
    
    I think as well that there are some good First Amendment claims if one is
    simply surveying systems for the purpose of reporting on security.  But I
    agree that caution is advised.
    
    Raymond L. Robert
    System Administrator
    Oregon Board of Medical Examiners
    Ray.Robert@private
    (503) 229-5873 x. 229
    http://www.bme.state.or.us
    
    -----Original Message-----
    From: Tom Tintera [mailto:Tom_Tintera@private] 
    Sent: Friday, June 21, 2002 10:38 AM
    To: Seth Arnold; Lyle Leavitt; 'Phil Hochstetler'
    Cc: CRIME
    Subject: RE: CRIME EarthLink Password Security Story
    
    Randal did use one of the passwords to copy a larger password file and also
    installed a back door through Intel's firewall. 
    However, ORS 164.377 states that: (4) Any person who knowingly and without
    authorization uses, accesses or attempts to access any computer, computer
    system, computer network, or any computer software, program, documentation
    or data contained in such computer, computer system or computer network,
    commits computer crime. Class A misdemeanor. 
    
    Caution is advised if there is no authorization.
    
    Tom Tintera
    Senior Deputy District Attorney
    Washington County District Attorney
    Hillsboro, Oregon  
    503 846-3462
    tom_tintera@private
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 16:58:06 PDT