RE: CRIME More identity theft "goodness"

From: Zot O'Connor (zot@private)
Date: Thu Sep 11 2003 - 16:17:38 PDT

  • Next message: Gunderson_Dane: "RE: CRIME Electronic Voting Security"

    On Tue, 2003-09-09 at 09:03, Scott Hoffman wrote:
    
    > Disclaimer:  IANAL
    > 
    > This particular situation is, I think, a bit more troubling than BackOrifice
    > or other malware that compromises a system without the owner's permission.
    > 
    > It's my understanding that some of the most common cybercrime prosecution
    > tools relate to, "unauthorized access", as this may be much easier to prove
    > than other charges related to actual damage of systems.  If a system owner
    > intentionally installs a program to allow public access, and even if
    > unintentional and through ignorance, offers sensitive files via that
    > application, one could argue that any access of those files was not
    > unauthorized, but was in fact expressly authorized - precluding prosecution
    > for mere access.
    > 
    
    This is an excellent point for the defence.  Defining authorized use
    *after* the fact is painful.
    
    However there a few mitigating factors.
    
    If the sharing program shares certain directories, and you gain access
    to others, you have exceeded the expectations of the user.  If my office
    opens to a public lobby, I do not expect that you will use that door to
    gain access to the private areas.
    
    If the sharing program indicates that only those directories are shared,
    then I think we can claim the user has authorized access to those
    directories.
    
    If the program license says otherwise, then perhaps we have authorized
    access.
    
    If the user clicks on a button that shares everything, we have
    authorized access.
    
    However I doubt a jury/judge would hold exploiting a vulnerability in a
    P2P program much different than exploiting one in the OS.
    
    However if the program running offers you access without you doing
    anything strange, then you might not have "authorized" access, but you
    do not explicit denial either.
    
    An example of that is, well,  Network Neighborhood becomes the, well,
    Neighborhood network over cable modems in promiscuous mode.
    
    
    > I think most people would agree that voyeuring though other people's files
    > is ethically troubling, and misusing that information to commit crimes such
    > as identity theft could still be prosecuted under other laws.  None the less
    > there could be a lot of damage and/or embarrassment within the law.
    > 
    > Perhaps we could prevail on some of our list members with legal or
    > cybercrime prosecution experience to weigh in on the subject...  George?
    > Mark?  Dick?
    
    
    -- 
    Zot O'Connor
    
    http://www.ZotConsulting.com
    http://www.WhiteKnightHackers.com
    



    This archive was generated by hypermail 2b30 : Thu Sep 11 2003 - 16:59:29 PDT