Security Basics mailing list archives
RE: application for an employment
From: "Craig Wright" <cwright () bdosyd com au>
Date: Mon, 3 Apr 2006 08:18:48 +1000
Hi,
I don't know why you are taking a private conversation back on-list, but so be it.
As I am having the same conversation with multiple people on and off the list it is simpler to have it on the list.
In particular; Article 6: Misuse of devices/possession and misuse of systems and tools that are suitable for carrying out an action as in Article 2-5.
Ansgar wrote: "You obviously fail to understand that for these articles to apply I have to actually do something illegitimate. However, contrary to your belief using a portscanner to find out what services a host provides, or even using an open relay to send out mail (as long as it's not spam, but this is covered by other laws), is NOT illegal."

Actually, you fail to comprehend that these are being set up as strict liability offences. A simplistic way of explaining the concept: a parking ticket is strict liability. Just as you do not need to have intent to get a parking ticket, you do not need intent for the A 2.5 issues. I will send a new thread "What is an illegal act" to cover this, so please read that thread as well.

Ansgar wrote: "No. This is exactly the point where you are wrong. I do have the right to access a host without getting explicit permission beforehand, so these laws simply don't apply."

EM paragraphs 47-48, 58, 62, 68 and 77 also make clear that the use of such tools for the purpose of security testing authorised by the system owner is not a crime. You are not the system owner, nor are you, as a member of the public, authorised.

Ansgar wrote: "However, what service a host on the Internet is running, does in no way qualify as privacy-related data."

Actually it can and generally does. Just as a system having some public-facing pages does not make all of its information public.
Article 6 is:

Article 6 - Misuse of devices

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a the production, sale, procurement for use, import, distribution or otherwise making available of:

i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;

ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.

Article 5 - transmitting data without right that causes harm. If the port scanner, intentionally or not, causes a system to reboot for whatever reason, then there is an offence. What you feel or want is irrelevant.
Regards,
Craig

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: 2 April 2006 9:27
To: Craig Wright
Cc: security-basics () securityfocus com
Subject: Re: application for an employment

I don't know why you are taking a private conversation back on-list, but so be it.

On 2006-04-02 Craig Wright wrote:
The European Convention on Cybercrime was adopted by the Minister Committee of the European Council on November 8, 2001. It was signed by Germany and other member states of the European Council. It is, however, yet to be ratified in Germany. This does not change the status of the bill.
I am aware of that.
The Bill is open to horizontal action and an individual in Germany (or any other member state) could take the issue to the European court of justice to force the German Govt. to enforce the provisions. A person from any other member state could also enforce this against action from an individual in other member states. This does not help with action to/from non-member states.
I am aware of that too.
In particular; Article 6: Misuse of devices/possession and misuse of systems and tools that are suitable for carrying out an action as in Article 2-5.
You obviously fail to understand that for these articles to apply I have to actually do something illegitimate. However, contrary to your belief using a portscanner to find out what services a host provides, or even using an open relay to send out mail (as long as it's not spam, but this is covered by other laws), is NOT illegal.
This article does not, however, refer to the unauthorised use of security tools that are used for protective purposes, such as penetration tests when authorised. However, this does preclude general use of the said tools without explicit authorisation.
No. This is exactly the point where you are wrong. I do have the right to access a host without getting explicit permission beforehand, so these laws simply don't apply. Things would be different in a case where I try to break an encryption, bypass an authorization mechanism or tamper with data. But I expressly stated from the beginning that I was NOT talking about such cases.
The fact that the German courts in 2000 dismissed a case based on port scanning, as the CLCA did not have provisions for use of the tools used for port-scanning, is irrelevant due to the signing of the convention in 2001.
Wrong. Even the Cybercrime Convention does NOT prohibit the use of port scanners, nor does it require explicit permission to use them.
As for access to any web server, Sec. 3 ZKDSG [prohibition of commercial intervention to circumvent access control services] covers this. Sec. 3 ZKDSG [prohibition of commercial intervention to circumvent access control services]: "1.) The production, import and distribution of circumvention facilities for commercial purposes, 2.) the possession, technical installation, maintenance and exchange of circumvention facilities for commercial purposes and 3.) the promotion of circumvention facilities are prohibited."
Irrelevant. This section applies only to commercial services and tools. And I was explicitly NOT talking about cases where one would have to bypass authorisation mechanisms. That would indeed be trespassing and is covered by German criminal law (i.e. § 202a StGB).
An access-controlled service is, for example, a password-protected WWW or FTP server. The purpose of a penetration test is to circumvent an existing security mechanism.
And I expressly said several times, that I am not talking about cases where bypassing of security mechanisms was required. Why do you keep ignoring what I'm saying?
This means that as soon as tools are used to perform the penetration test (circumvention facilities), an infringement of the ZKDSG is unavoidable.
Wrong, because it only applies in commercial cases. This section of the ZKDSG does not apply to private citizens.
Thus it is advisable to obtain the relevant permission from the authorized user in case of any acts that could constitute a criminal offense.
Maybe advisable, but still not required in the cases we were discussing here.
There is an exclusion for valid testing services. This requires the express authorisation of the site owner in writing. I suggest that you have a read of:

- the Treaty on European Union, i.e. the Maastricht Treaty
- the Single European Act (SEA) 1987
- the directives on rights
- Article I-33 of the Constitution for Europe
I already suggested that you read them yourself, so you will understand that none of these bear any (direct or remote) reference to the matter discussed here.
PPS I hate looking up German law.
Then don't bring them into the discussion.
Grundgesetz, Article 18 in respect to Article 14 on property rights.
You entirely failed to understand both Article 14 and Article 18. Article 18 states that anyone using the listed rights to bring down the German constitution (for lack of a better word, as our Grundgesetz is not exactly a constitution) will forfeit them. Article 14 specifies that a right of property exists, with its details and limitations being specified by other laws. However, I never claimed there was no right of property (though you seem to assume that for some reason), but that a host put on the Internet is no longer private property in the same sense as e.g. the furniture in your home is. We are talking about a situation where I'm walking through a mall. Looking at the stores or entering the stores is neither illegal, nor does it require explicit permission, because there already is an implicit permission. I may count the stores, I may make a list of stores, I may even take stuff from the stores (like e.g. flyers). The fact that I may be held liable when I try to trespass into protected areas, break windows or stuff in the store, or try to steal something from the store, does in no way diminish the implicit rights mentioned above.
Gesetz zum Schutz vor Missbrauch personenbezogener Daten bei der Datenverarbeitung
You also entirely failed to understand the purpose of the Bundesdatenschutzgesetz. Its intention is the protection of privacy. However, what service a host on the Internet is running does in no way qualify as privacy-related data.
Telekommunikationsgesetz (Telecommunications Act), see provisions under s.5
And sure enough you entirely failed to understand the purpose of the TKG as well. Please (re-)read its first section:

| § 1 Purpose of the law
|
| Purpose of this law is to regulate the competition in the field of
| telecommunications independently from technologies, to support
| [implementation of] efficient telecommunications infrastructure, and
| to guarantee sufficient and adequate [telecommunications] services all
| over the country.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq