Re: CRIME EarthLink Password Security Story

From: Zot O'Connor (zot@private)
Date: Sun Jun 23 2002 - 03:23:52 PDT

Next message: Zot O'Connor: "Re: CRIME Netcraft Ethics"

Previous message: Zot O'Connor: "RE: CRIME Study: Open, closed source equally secure"
In reply to: T. Kenji Sugahara: "Re: CRIME EarthLink Password Security Story"
Next in thread: SCRIMSHER,JOHN (HP-Corvallis,ex1): "RE: CRIME EarthLink Password Security Story"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More importantly, the law (fed at least) does not have a Good Samaritan
clause.  That means if you accidentally exceeded authority, knowingly m
and you report it it, you are still liable.

What the hell you ask?

Try doing a Vulnerability Assessment, just to find out the Client
doesn't have *that* IP address.  Now what.....


On Fri, 2002-06-21 at 13:58, T. Kenji Sugahara wrote:
> Tom,
> 
> Does the intent element deal with the actual intent to access or does it 
> deal with knowingly committing an act which results in access?  e.g. 
> where you would still be found liable if you didn't intend to commit the 
> culpable act but intended the action which resulted in act?  This may be 
> splitting legal hairs, but if a person commits an act where they didn't 
> mean to access a computer, but intended to use the software which 
> resulted in access, the person could still be found liable.
> 
> 
> On Friday, June 21, 2002, at 10:37  AM, Tom Tintera wrote:
> 
> > Randal did use one of the passwords to copy a larger password file and 
> > also
> > installed a back door through Intel's firewall.
> > However, ORS 164.377 states that:4) Any person who knowingly and without
> > authorization uses, accesses or attempts to access any computer, 
> > computer
> > system, computer network, or any computer software, program, 
> > documentation
> > or data contained in such computer, computer system or computer network,
> > commits computer crime. Class A misdemeanor.
> >
> > Caution is advised if there is no authorization.
> >
> > Tom Tintera
> > Senior Deputy District Attorney
> > Washington County District Attorney
> > Hillsboro, Oregon
> > 503 846-3462
> > tom_tintera@private
> >
> >
> >
> >> ----------
> >>
> >> I don't know how people on this list feel about the Randal Schwartz
> >> trial, but I think the facts are a bit different than "he didn't even
> >> try any of them".   He did use them and his intent was to bypass the
> >> system administrators attempts to enforce their policy.  You can read
> >> more lots of places.  For example:
> >>
> >> http://www.cs.uidaho.edu/~frincke/research/security/articles/schwartz3.t
> >> xt
> >>
> >> BTW, I knew randal in the early 80's when he worked at Sequent.
> >> --phil
> >>
> >>
> >>
> >
> >
> T. Kenji Sugahara
> Chief Operating Officer
> counterclaim
> Phone:  541-484-9235
> Fax:  541-484-9193
> 
-- 
Zot O'Connor

http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com

Next message: Zot O'Connor: "Re: CRIME Netcraft Ethics"
Previous message: Zot O'Connor: "RE: CRIME Study: Open, closed source equally secure"
In reply to: T. Kenji Sugahara: "Re: CRIME EarthLink Password Security Story"
Next in thread: SCRIMSHER,JOHN (HP-Corvallis,ex1): "RE: CRIME EarthLink Password Security Story"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 04:38:18 PDT