RE: CRIME More identity theft "goodness"

From: Zot O'Connor (zot@private)
Date: Thu Sep 11 2003 - 16:17:38 PDT

Next message: Gunderson_Dane: "RE: CRIME Electronic Voting Security"

Previous message: Marc Schuette: "Re: CRIME Electronic Voting Security"
In reply to: Scott Hoffman: "RE: CRIME More identity theft "goodness""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2003-09-09 at 09:03, Scott Hoffman wrote:

> Disclaimer:  IANAL
> 
> This particular situation is, I think, a bit more troubling than BackOrifice
> or other malware that compromises a system without the owner's permission.
> 
> It's my understanding that some of the most common cybercrime prosecution
> tools relate to, "unauthorized access", as this may be much easier to prove
> than other charges related to actual damage of systems.  If a system owner
> intentionally installs a program to allow public access, and even if
> unintentional and through ignorance, offers sensitive files via that
> application, one could argue that any access of those files was not
> unauthorized, but was in fact expressly authorized - precluding prosecution
> for mere access.
> 

This is an excellent point for the defence.  Defining authorized use
*after* the fact is painful.

However there a few mitigating factors.

If the sharing program shares certain directories, and you gain access
to others, you have exceeded the expectations of the user.  If my office
opens to a public lobby, I do not expect that you will use that door to
gain access to the private areas.

If the sharing program indicates that only those directories are shared,
then I think we can claim the user has authorized access to those
directories.

If the program license says otherwise, then perhaps we have authorized
access.

If the user clicks on a button that shares everything, we have
authorized access.

However I doubt a jury/judge would hold exploiting a vulnerability in a
P2P program much different than exploiting one in the OS.

However if the program running offers you access without you doing
anything strange, then you might not have "authorized" access, but you
do not explicit denial either.

An example of that is, well,  Network Neighborhood becomes the, well,
Neighborhood network over cable modems in promiscuous mode.

> I think most people would agree that voyeuring though other people's files
> is ethically troubling, and misusing that information to commit crimes such
> as identity theft could still be prosecuted under other laws.  None the less
> there could be a lot of damage and/or embarrassment within the law.
> 
> Perhaps we could prevail on some of our list members with legal or
> cybercrime prosecution experience to weigh in on the subject...  George?
> Mark?  Dick?

-- 
Zot O'Connor

http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com

Next message: Gunderson_Dane: "RE: CRIME Electronic Voting Security"
Previous message: Marc Schuette: "Re: CRIME Electronic Voting Security"
In reply to: Scott Hoffman: "RE: CRIME More identity theft "goodness""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Sep 11 2003 - 16:59:29 PDT