Re: CRIME EarthLink Password Security Story

From: Zot O'Connor (zot@private)
Date: Sun Jun 23 2002 - 03:23:52 PDT


    More importantly, the law (fed at least) does not have a Good Samaritan
    clause.  That means if you accidentally exceeded authority, knowingly m
    and you report it, you are still liable.
    
    What the hell, you ask?
    
    Try doing a Vulnerability Assessment, just to find out the Client
    doesn't have *that* IP address.  Now what.....
    
    
    On Fri, 2002-06-21 at 13:58, T. Kenji Sugahara wrote:
    > Tom,
    > 
    > Does the intent element deal with the actual intent to access or does it 
    > deal with knowingly committing an act which results in access?  e.g. 
    > where you would still be found liable if you didn't intend to commit the 
    > culpable act but intended the action which resulted in act?  This may be 
    > splitting legal hairs, but if a person commits an act where they didn't 
    > mean to access a computer, but intended to use the software which 
    > resulted in access, the person could still be found liable.
    > 
    > 
    > On Friday, June 21, 2002, at 10:37  AM, Tom Tintera wrote:
    > 
    > > Randal did use one of the passwords to copy a larger password file and also
    > > installed a back door through Intel's firewall.
    > > However, ORS 164.377 states that: 4) Any person who knowingly and without
    > > authorization uses, accesses or attempts to access any computer, computer
    > > system, computer network, or any computer software, program, documentation
    > > or data contained in such computer, computer system or computer network,
    > > commits computer crime. Class A misdemeanor.
    > >
    > > Caution is advised if there is no authorization.
    > >
    > > Tom Tintera
    > > Senior Deputy District Attorney
    > > Washington County District Attorney
    > > Hillsboro, Oregon
    > > 503 846-3462
    > > tom_tintera@private
    > >
    > >
    > >
    > >> ----------
    > >>
    > >> I don't know how people on this list feel about the Randal Schwartz
    > >> trial, but I think the facts are a bit different than "he didn't even
    > >> try any of them".   He did use them and his intent was to bypass the
    > >> system administrators' attempts to enforce their policy.  You can read
    > >> more lots of places.  For example:
    > >>
    > >> http://www.cs.uidaho.edu/~frincke/research/security/articles/schwartz3.txt
    > >>
    > >> BTW, I knew Randal in the early 80's when he worked at Sequent.
    > >> --phil
    > >>
    > >>
    > >>
    > >
    > >
    > T. Kenji Sugahara
    > Chief Operating Officer
    > counterclaim
    > Phone:  541-484-9235
    > Fax:  541-484-9193
    > 
    -- 
    Zot O'Connor
    
    http://www.ZotConsulting.com
    http://www.WhiteKnightHackers.com
    



    This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 04:38:18 PDT