Security Basics mailing list archives
RE: Vulnerabilities in new laws on computer hacking
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 23 Feb 2006 07:54:51 +1100
First I agree with some of the other posts in that this should be on Security Basics. So I have cross posted in an attempt to move this discussion to the (in this instance) more relevant forum.

Dave demonstrates the point I was attempting to make. The trespass argument is analogous to the computer crime in ways that seem to be missed. In the US, UK and Australia there are a variety of computer misuse laws. I will not go into all the various US regs (there are over 50 jurisdictions), but to take an example from one Australian criminal code:

<start legal quote>
"Section 170(1) of the Criminal Law Consolidation Act 1935 ("the Act") provides that a person who commits a serious criminal trespass in a place of residence is guilty of an offence. Section 170(3) defines a "place of residence". It is convenient to note all of the terms of s 170. It provides:
(1) A person who commits a serious criminal trespass in a place of residence is guilty of an offence. Maximum penalty: Imprisonment for 15 years."
</start legal quote>

Trespass is not always just a fine and a slap on the wrist either. I consider a 15 year gaol term to be severe. What is important to note on all these is that the MAXIMUM term is exactly that: it is the maximum only. The judiciary has discretion to issue a lesser term. Daniel Cuthbert in the UK was let off easily and would have been punished even less if he had told the truth from the start. Judges take a hard view of lying under oath. They see it as an affront to their authority. For non-repeat offenders it is oft the best defence (if one has done the deed) to take the "it's a fair cop" approach and plead how sorry you are etc.

I do agree that all laws are not fair. Nor have I stated this. As trespass CAN result in an extended gaol term, your point that an attacker should get nothing more than trespass could be seen as more harsh - 15 years for the basic access is far more extreme than most computer misuse offences have as a max. penalty.
People start stating that there is NO damage. This is never the case - next rant...

Regards,
Craig

-----Original Message-----
From: dave [mailto:fla.linux () gmail com]
Sent: 23 February 2006 3:17
To: Craig Wright
Subject: Re: Vulnerabilities in new laws on computer hacking

Ignorance of the law??? The poster made an analogy between cracking a computer and trespassing. So I responded in kind. Yes, in Canada, England or wherever, they might see cracking a computer as a serious felony and prosecute accordingly...here in the US it is almost considered terrorism. Just because lands have enacted these laws doesn't make them right or fair! THAT is the issue. Cracking a computer should be equated to trespassing and not B&E. Although I am no *criminal* I have been arrested for trespassing a few times...I assure you I am not ignorant of the (local) law in these matters...I just don't always agree with it!

I have a friend that *accidentally* killed a man in a bar fight. He was charged with manslaughter and did 4.5 years in a New Jersey state prison. Now...from what I read about current computer laws it is possible for me to get more time by breaking into a computer or writing a virus etc...this is insanity! Bottom line...whatever your current laws on computer hacking are they are probably too harsh (despite all the 'neato' Latin words). Understanding the law doesn't mean it is a fair law! We all know how seriously authorities take computer crimes. We do not necessarily need to know the statutes by heart to know that "if I get caught doing this I'm going to do some time". These crazy laws are the reason for the original post.

Is accessing some server somewhere and poking around really the same as breaking into someone's home? I mean, if I found someone poking around in my server I would take appropriate actions. I can pull the server from the net cause I have a backup server ready to go and I would just start forensics to see what the attacker did. If I find someone in my home I will shoot them on sight without question. The laws in this matter are quite different. Breaking into someone's home IS serious (beyond invasion of privacy)...it is way more serious than cracking some server and one should not face the same charges or punishment...period. Simply breaking into a computer is no more serious than simple trespassing (as long as nothing harmful was done); accidents happen and should be dealt with accordingly.

On the flip side one must remember that once an incident report is created a process must be undertaken by the admin of the system. The admin must pull the cracked machine and dig around and try to find out what the attacker did and how far he got within the internal network. This costs companies a lot of money! This is why companies get mad even if you did nothing wrong. Big companies spend a crazy amount of money every year in responding to these incident reports. So yea...if you HAVE to break into a computer system to learn about something or satisfy your curiosity then choose wisely. You can cost a company hundreds or even thousands of dollars even if you didn't do anything.

The next bottom line...If someone breaks into a computer system and looks around and gets caught they should AT THE MOST be charged with trespassing if nothing malicious was done. Hey, accidents happen so yes sometimes production servers can go down etc...well THEN the intruder will have to deal with that aspect of their crime. Why should someone pay for a crime that *might* have happened? When I was 15 some girls and myself broke into this building to drink and have some fun. We got caught, I was charged with trespassing...I paid my fine and went home. If I had accidentally caused a fire because I was drunk and stupid THEN the crime would no longer be simple trespassing. I would then have to attempt to make up for the damage. If I got caught breaking into the building again (repeat offender) or if I was an adult with a prior history the prosecutors would then push for B&E. I have a relative who works as a prosecutor in the state attorney's office (Florida)...so yes, I understand how the law actually works in these areas, not just what is written down.

Craig Wright wrote:
Hello,

First on the trespass angle. In reality this would equate to more of a break and enter violation. The UK and EU laws in this respect have a good grounding in fitting the sentence to the crime. The range is based on the resultant effect. In the UK, the Computer Misuse Act 1990 (c.18) has a variant scale from 6 months and/or fine to 5 years and/or fine. This allows for a range of punishments from a suspended sentence to gaol. Canada in the "Criminal Code (RS 1985, c. C-46), Part XI: Wilful and Forbidden Acts in respect of Certain Property", Mischief in relation to data (s. 430(1.1)), uses a sliding scale from 2 years max imprisonment and/or fine to life where the action causes actual danger to life. Again this is not fixed. This offers judicial review and possible leeway in exceptional cases. Many of the acts also require that ACTUS NON FACIT REUM, NISI MENS SIT REA (the act itself does not constitute guilt unless done with a guilty intent) be in effect. In effect there are defences against either severity or the charge in many cases.

Many of the so called valid acts mentioned however mirror "real world" crimes in a number of ways. As an example, an attacker going to a site owner and stating they have probed the site and found a number of vulnerabilities, and that they will tell the site owner what they are for a fee, breaks several non-online rules of law. First, many jurisdictions have a requirement to give aid. There is no defence to a charge of "failure to provide assistance" in "I offered for a price but they would not pay". Next there is a general expectation of property rights in most of the western world that is well defined and understood. In many places (eg some of Canada) a large number of people still leave their doors unlocked. This is their right. By going in the front door and looking around the house you are violating the property rights of the owner of the property. This can get you several years in gaol. IGNORANTIA JURIS NEMINEM EXCUSAT (ignorance of the law excuses no one). Not understanding the law in general is no excuse to apply this to the online world.

Regards
Craig

-----Original Message-----
From: dave [mailto:fla.linux () gmail com]
Sent: 17 February 2006 11:36
To: bugtraq () securityfocus com
Subject: Re: Vulnerabilities in new laws on computer hacking

Marcus,

You use the analogy of trespassing to describe unauthorized access to a computer system or its resources. I agree with you but I think a point was missed... The laws being passed today against *cyber crime* far exceed the basic property laws. If someone gains access to a system he does not have permission to access, yes he has broken a law. But the punishment should fit the crime. To use your analogy: If I wandered into your field and I was caught and prosecuted I would face charges for basic trespassing...I would pay a fine and go about my business. If I was a repeat offender I might do 30 days. Let's say I cut a small hole in the fence so I could easily return (that pond of yours has some great fish!). I would also be made to pay for the fence to be repaired etc... Now, if I cracked your server and poked around a bit (yea...in the wee hours of the morning), let's say I even set up a small backdoor so I could return again...If prosecuted what kind of punishment should I receive? Would you be content if I paid the court a 150 dollar fine? Also, can this act be classified as *cyber terrorism*? To many this seems to be the direction the government will and is taking...even towards minor criminal offenses such as simple trespassing. I think what the poster was saying is this, "If a teenager could face possible *cyber terrorism* (or any serious felony) charges for trying to break into computer networks simply to learn then things have gone too far". Yes it is wrong and unethical but there is a ring of truth to his thought process (even if his post was ridiculous overall)...hey you might not care about the intentions of the trespasser but I do! To me there is a big difference between someone cracking my server to look around and more or less do nothing and someone looking to set up a warez site or use my server to host a phishing scam etc... Unauthorized access is unauthorized access and is never ok from a legitimate security (white hat) point of view. But whether or not the intruder had malicious intentions should weigh in too. I do NOT think it is ok to *cross the line*. But in the past I have played a prank or two that could probably be referred to as *crossing the line* but I am certainly no criminal.

just my two cents...