From an anonymous contributor. BB

--Message--

> This discussion has brought 2 points to my attention. Firstly, the port scanning being classified as an offence/attack. This *must* have some kind of limitations set on it. For example, my ISP conducts routine scans on their customers' machines to ensure people aren't running public servers, for e.g., which would be in breach of the T&C of the service. Under this bill, because my ISP is probing my machine, does that make their actions illegal? I doubt I'd have any luck trying to bring a prosecution against them under this law. This would therefore set a precedent, which any good lawyer will be able to manipulate. This happens with any new and "radical" law - test cases come before the courts, and the results of these have a huge bearing on the interpretation of the statutes. However, ignoring that for the moment, consider an organisation like ORBS. Are they now in contravention of this law by scanning random machines outside of their control for a specific (excuse the loose phrase) "exploit", i.e. open relay?
>
> But onto the more worrying part of this. From the message below:
>
> > To qualify, an intrusion or attack would have to cause one of the following:
> <snip>
> > 2) physical injury to any person;
> > 3) a threat to public health or safety
>
> This is a problem. A *BIG* problem. In my country we have 2 legal "tests" to assist in determining innocence or guilt. Firstly, the "Reasonable Man" test. This states that under the circumstances in question, what would any normal, reasonable human being do. For example, I try to telnet to my own server, and mistype the IP. I end up connecting to somebody else's server, and r00t it by accident. The "Reasonable Man" test says that I should disconnect from the system and possibly inform the system owner. Secondly, the "Egg Shell Skull" rule. This rule states that you are responsible for the end result of your actions regardless of whether they were intended or not. For example: "egg shell skull" is a medical condition where the sufferer has an extremely thin skull. If I was to hit a *normal* person round the head with an empty plastic bag, they may fall down but not sustain any injury. However, if I hit a person with an egg shell skull in the same way, I would kill them. In court, you would be tried on the basis of murder/manslaughter - it is irrelevant that you never intended to kill this person, and you had no way of knowing what the outcome of your actions would be.
>
> Excuse the long description, however there is a reason. I work for a company that provides support to a company that sells "items" to the public (sorry for the obfuscation). These items will almost certainly cause death or serious injury if the stringent safety procedures are not met. Because we support the networks of this company, we have direct access from our offices via WAN links to the company in question. This means we can access the servers that are responsible for the manufacturing & safety processes.
>
> Now, imagine if an attacker tried to penetrate our network. There is nothing immediately obvious to warn an attacker of the above information. Assume they got past the first firewall and no further. Any good lawyer could present an argument that showed the attacker had broken rules 2 and 3 above. Using the reasonable man test, the attacker is guilty (a reasonable human would not try to hack a private system). Also, by penetrating the network, the attacker has no way of knowing what downstream effects they have caused (say the attacker changed the system clock on a server to mask his presence). It would be fairly easy to show that changing the time affected time-based transaction systems, which in turn affected machines controlling safety procedures, which in turn means that the safety compliance status cannot be verified, thus causing a threat to public health & safety. Using the egg shell skull rule, this attacker is in serious danger of being prosecuted for manslaughter (you are responsible for the end result, regardless of your intentions), and they've not even touched anything.
>
> Now you may consider this a little far fetched or a stretch, and admittedly the last manslaughter part may be. However, look at Mitnick, SK8, and the multitude of others in their position. All treated with rules that bend more than my flexible American Express friend. Plenty of people look at contemporary legal decisions and quite rightly call them insane, illogical or bizarre. But these decisions stand nonetheless. Lawyer: "But Mr hacker, can you prove beyond all reasonable doubt that your accessing of this network did not in any way affect any other systems?" Hacker: "No, I can't". Judge: "Here, have 25 to life".....
>
> Just my opinion.
This archive was generated by hypermail 2b30 : Tue Oct 16 2001 - 09:47:33 PDT