Slashdot Mirror


Legally Defining "Unauthorized" Computer Access

SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."

2 of 359 comments

  1. Court case by DNS-and-BIND · · Score: 5, Informative
    I was involved in a federal case where the defendant was accused of unauthorized access because he used EXPN and VRFY to determine a range of email addresses to mailbomb. I thought it was bullshit, and faxed them a copy of this page (God forbid they use email) indicating that these commands were publicly available to anyone on the internet, but the prosecutors weren't particularly interested and were rather disappointed at my opinion.

    The charge was eventually dropped at any rate.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  2. Re:Popups? by Frater+219 · · Score: 5, Informative
    Of course it's authorized. Your browser preferences allow pop-ups to be displayed, or you'd never see them.

    That isn't at all an "of course" issue. If I place an unpatched default installation of Red Hat 6.2 on an Internet-connected host, my "preferences" (read: installed software) by default allow remote users to obtain root access. No matter how stupid or negligent I would be to do so, I would still expect that for someone to take advantage of those "preferences" to r00t the b0x0r would indeed be illegal. Similarly, just because Jane Winecooler's browser by default allows the installation of spyware and the forced display of popup spam, does not authorize anyone to set up booby-trapped Web sites which do such things to her browser.

    The idea that any access that my host does not block is by default an authorized access is compelling to the hacker (in the old sense) since it means that everything one can do, one may do, provided it is not obviously harmful. Under this construction, if you leave your box r00table, then I may r00t it -- but I may not (for instance) delete your files or use your host to DoS someone. However, I do not think this is a solid foundation for a polity which must include non-hacker computer users. Such people expect that unless they intend to grant access, nobody may access their computers.

    I hold host operators responsible for their own hosts' behavior and security. However, I also hold abusers responsible for their behavior in exploiting vulnerable hosts to do things that they know would be unwelcome to those hosts' owners. Spyware, abusive popup spam, r00ting, email spam, and the many other unwelcome abuses of people's systems are all simply different degrees of unwelcome, unauthorized access.