RE: CRIME EarthLink Password Security Story

From: Ray Robert (RayR@private)
Date: Fri Jun 21 2002 - 15:59:13 PDT

Next message: Brent Tucker: "RE: CRIME Study: Open, closed source equally secure"

Previous message: Crispin Cowan: "Re: CRIME Netcraft Ethics"
Maybe in reply to: Lyle Leavitt: "CRIME EarthLink Password Security Story"
Next in thread: SCRIMSHER,JOHN (HP-Corvallis,ex1): "RE: CRIME EarthLink Password Security Story"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

ORS 164.377(1)(a) says that to "access" a system means merely to
"communicate" with it.  So section 4 that you cite prohibits "attempts at
unauthorized communication."
 
If I 'ping' your system am I a jailbird-to-be if (and only if) you have echo
turned off?  If my copy of Office sends a port 137 inquiry and your firewall
blocks it, did Mr. Gates or I commit a misdemeanor?  Or is it a misdemeanor
if your firewall doesn't block it but your NT server refuses it?  Is it a
misdemeanor if I send an e-mail to your postmaster if your e-mail server
isn't configured for one?  If your Web site says that your policy is to
require that e-mails must have a phone number included but I don't, am I
liable to be summoned for sending an unauthorized communication?  Does it
matter if I've actually seen the Web site?  If this section could be taken
at face value, it sounds like you have a great weapon against spammers.

Sections 2 (access for the purpose of theft, including theft of services)
and 3 (altering, damaging, or destroying) describe actions a reasonable
person would understand as being criminal.  IMHO, Section 4 is too vague to
give notice of prohibited behaviors, especially on Internet interfaces.

I think as well that there are some good First Amendment claims if one is
simply surveying systems for the purpose of reporting on security.  But I
agree that caution is advised.

Raymond L. Robert
System Administrator
Oregon Board of Medical Examiners
Ray.Robert@private
(503) 229-5873 x. 229
http://www.bme.state.or.us

-----Original Message-----
From: Tom Tintera [mailto:Tom_Tintera@private] 
Sent: Friday, June 21, 2002 10:38 AM
To: Seth Arnold; Lyle Leavitt; 'Phil Hochstetler'
Cc: CRIME
Subject: RE: CRIME EarthLink Password Security Story

Randal did use one of the passwords to copy a larger password file and also
installed a back door through Intel's firewall. 
However, ORS 164.377 states that:4) Any person who knowingly and without
authorization uses, accesses or attempts to access any computer, computer
system, computer network, or any computer software, program, documentation
or data contained in such computer, computer system or computer network,
commits computer crime. Class A misdemeanor. 

Caution is advised if there is no authorization.

Tom Tintera
Senior Deputy District Attorney
Washington County District Attorney
Hillsboro, Oregon  
503 846-3462
tom_tintera@private

Next message: Brent Tucker: "RE: CRIME Study: Open, closed source equally secure"
Previous message: Crispin Cowan: "Re: CRIME Netcraft Ethics"
Maybe in reply to: Lyle Leavitt: "CRIME EarthLink Password Security Story"
Next in thread: SCRIMSHER,JOHN (HP-Corvallis,ex1): "RE: CRIME EarthLink Password Security Story"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 16:58:06 PDT